An attack on a file-sharing company used by Big Law firms highlights the importance of vetting third-party vendors to better safeguard confidential client data, privacy and cybersecurity professionals say.
Both Jones Day and Goodwin Procter were affected in recent weeks by a breach at Accellion, which provides file transfer and other services for law firms and businesses. Jones Day, which revealed its breach Tuesday, declined to comment on next steps.
Law firms are particularly attractive targets for hackers because they often work with large companies whose confidential or proprietary data can be sold to other bad actors on the dark web, said Neil Daswani, co-director of Stanford University’s Advanced Security Certification Program.
“Third-party compromises are one of the most common threats,” Daswani said. “It’s especially important for law firms to set the right example if they want to attract business.”
In addition to adhering to requirements built into agreements and contracts, attorneys are ethically bound to keep certain information private, said Andrea Matwyshyn, associate dean of innovation and professor at Penn State Law.
“Our whole business is built on trust,” Matwyshyn said. “Lawyers have an obligation to maintain the confidentiality of their clients.”
That ethical requirement means attorneys are required in many circumstances to report such losses of confidential data to current and past clients, though requirements vary by state, said David Opderbeck, a law professor at Seton Hall University and co-director of the school’s Gibbons Institute of Law, Science & Technology.
The American Bar Association’s Formal Opinion 483, for example, doesn’t require notice to former clients but does provide recommendations for managing that relationship, Opderbeck said.
Law firms affected by data breaches will also have to contend with state data breach notification statutes if personal information is compromised and may also have to notify cyber insurers and malpractice carriers, he said.
Sectoral laws such as the Health Insurance Portability and Accountability Act, and international statutes such as Europe’s General Data Protection Regulation, could also come into play depending on the type of information accessed, said Chris Ballod, associate managing director of cyber risk at Kroll.
“This can get pretty complicated, especially for law firms that with a lot of different types of information,” Ballod said. “It’s important to address these issues ahead of time and have a plan.”
Law firms can hire vendors to see if corporate or confidential information has been leaked to the dark web, but it’s “extremely challenging” to track where that data goes once it’s breached, said Anne Hasenstab, director of executive risk and cybersecurity at Ward Insurance in Portland, Ore.
“You can’t always track who’s seen that information,” Hasenstab said. “But it’s important to keep that conversation open with the affected customer so they can do their own preparation and investigation.”
Firms should continually vet third-party vendors for risks, including monitoring the news for potential vulnerabilities, said Najarian Peters, a law professor at the University of Kansas.
Having an incident response plan in place is critical, as are policies for third-party management, but those things should be viewed as an ongoing commitment and not as the ticking of a box, she said.
“A service may be outsourced to a vendor, but the risk and responsibility are not,” Peters said.
Large, sophisticated technology companies may have subgroups focused exclusively on third-party vetting, Daswani said. Although that would increase costs, it could pay off for law firms to take a similar approach, he said.
Law firms can hire security consultants to join the contract negotiation process involving third-party vendors, Matwyshyn said. They should also leverage services such as SecurityScorecard to get a handle on the practices of their providers and rate the risks of companies they work with, Daswani said.
In the event of a breach or serious cyber incident, law firms should engage external counsel, even if they think they can handle the legal issues themselves.
“That bolsters the strength of attorney-client privilege,” Ballod said. “You also gain the perspective and expertise of people who’ve been through this before.”