Must a Lawyer Protect Client Confidences From Cyber Attacks?

Nov. 14, 2017, 4:32 PM UTC

Technology is integral to a lawyer’s ability to engage in the practice of law. Whether we are scheduling meetings with clients by email or text message, conducting due diligence in an electronic data room, using a database to produce electronic discovery in a litigation or government investigation, or filing pleadings in court, transactional and litigation lawyers alike rely on technology to represent clients. As a result, law firms are attractive targets for hackers who seek the information lawyers regularly maintain on behalf of clients, including documents and communications relating to confidential financial data, contemplated business transactions, trade secrets, litigation strategy, and business strategy.

Increasingly, corporate clients are auditing their outside law firms to assess their cybersecurity preparedness and ensure that their firms have implemented security measures that adequately mitigate the risk of a data breach. See Law Firm Cyber Security Scorecard, LogicForce (Q4 2017) (48 percent of law firms had their data security practices audited by at least one corporate client in the past year). These audits typically require detailed information about IT systems, data management policies, and e-discovery practices.

Lawyers are ethically bound to provide competent representation to their clients, and must demonstrate the legal knowledge, skill, thoroughness and preparation reasonably necessary for each client representation. This means lawyers must be competent in their use of technology to carry out the representation of each client, and must take appropriate measures to protect each client’s confidential information. As explained by the New York County Lawyers’ Association’s ethics committee, “[l]awyers should be aware of disclosure risks associated with the transmission of client confidential information by electronic means, and should possess the technological knowledge necessary to exercise reasonable care with respect to maintaining client confidentiality” to avoid inadvertent disclosure through interception or misdirection. New York County Ethics Op. 749 (emphasis added).

“Reasonable care” may differ from one law firm to the next based, in part, on the clients serviced by the firm. For example, lawyers who represent clients in the financial industry are under additional pressure to ensure that they have implemented adequate cybersecurity regimes. The two most recent nominees to the U.S. Securities and Exchange Commission both said they want to help the SEC increase its oversight of cybersecurity efforts at firms the commission regulates.

Moreover, as of March 2017, any institution covered by the New York Banking Law, Insurance Law or Financial Services Law must comply with the New York Department of Financial Services (“DFS”) Cybersecurity rules. The DFS Cybersecurity rules require covered institutions to develop a cybersecurity program, to meet certain reporting and certification requirements, to design procedures to ensure the security of the institution’s systems and nonpublic information that is accessible to third party service providers (such as their lawyers), and to make a risk assessment regarding appropriate controls for third party service providers based on the specific facts and circumstances presented. 23 NYCRR 500, et seq. (2017). Law firms that currently represent, or wish to represent, institutions covered by the DFS Cybersecurity regulations will need to ensure that their internal cybersecurity regimes are responsive to their DFS-covered clients’ cybersecurity needs.

Cyber Attacks Against Law Firms

Understanding past cyber-attacks that have involved law firms may help law firms to identify the current risk of interception and to mitigate exposure to a cyber-attack. Reported cyber-attacks against law firms typically have involved the use of malware to gain access to a law firm’s computer systems in order to (1) hold data hostage until a ransom is paid; (2) obtain nonpublic material information about pending business transactions for personal financial gain; or (3) obtain and disclose compromising information concerning clients and/or the firm as a form of activism (or “hacktivism”).

“Ransomware” describes malware that installs on a device without the user’s knowledge, encrypts files, and holds the user’s data hostage unless the ransom is paid, typically in the form of a cryptocurrency payment (e.g., bitcoin). See Casey Sullivan, DLA Piper’s Cyber Attack and Why it Matters, Big Law Business (June 28, 2017). Wiperware is similar to ransomware, except that rather than seeking financial gain the hacker seeks to destroy data and/or disable systems. See Jun Du, How NotPetya is So Very Different from WannaCry (June 30, 2017).

The hack of Moses Afonso Ryan (“MAR”) illustrates a typical ransomware attack. On May 22, 2015, a lawyer at MAR, a 10-person Rhode Island law firm, clicked on an email carrying a virus that encrypted the firm’s files and disabled its computer network for three months, during which time the firm negotiated a ransom and obtained the decryption tools to regain control of the system.

The hacker extorted over $25,000 in payments from the firm in exchange for release of encrypted documents and information. To add to the firm’s woes, its insurer paid only $20,000 under a sublimit in its business interruption policy. MAR sued the insurer for $700,000, which the firm alleged represented the reduction in year-to-year billing that the firm attributed to the hack. The case is still pending. See Complaint, Moses Afonso Ryan Ltd. v. Sentinel Ins. Co., No. 1:17-CV-00157-5-PAS (D.R.I. 2017).

“Hacktivism” was behind the widely reported hack of Mossack Fonseca (“MF”), a Panamanian law firm, in April 2016. MF suffered a hack that affected 2.6 terabytes of data – including 4.8 million email messages and 2.2 million PDFs – and resulted in the disclosure of confidential documents dating from the 1970s through late 2015. As part of this “Panama Papers” hack, the hackers sought to expose high-ranking politicians who had hired the law firm to create offshore companies, which had the effect of avoiding certain taxes. The law firm had not updated its Outlook Web Access login since 2009 or its client login portal since 2013, leaving the firm vulnerable to a cyber-attack that exploited obsolete login protocols. See Matt Burgess and James Temperton, The security flaws at the heart of the Panama Papers, Wired (Apr. 6, 2016). A similar motivation may have been behind the 2016 hack of Appleby, a Bermuda-based law firm that announced some of its data had been “compromised” by a hack. See Appleby, Media coverage of the offshore sector (Oct. 24, 2017).

On October 13, 2016, the U.S. Attorney’s Office for the Southern District of New York charged three Chinese nationals with theft of data from at least two law firms over a period of 18 months. The defendants were accused of hacking into law firm networks and servers, targeting partners who worked on mergers and acquisitions, and buying stock in publicly traded companies that the hacked data revealed were the targets of deals. U.S. Attorney’s Office Southern District of New York, Press Release, “Manhattan U.S. Attorney Announces Arrest of Macau Resident and Unsealing of Charges Against Three Individuals for Insider Trading based on Information hacked from Prominent U.S. Law Firms.”

In June 2017, businesses across the globe – including Rosneft, A.P. Moller-Maersk, Merck & Co., Heritage Valley Health Systems, Cadbury, and certain DLA Piper law offices (excluding offices that were segmented from the rest of the firm’s system) – were the victims of a cyber-attack that was dubbed “NotPetya” or “Nyetya” by commentators. Nyetya appears to have originated from a Ukrainian software company that developed accounting software to assist with processing taxes. The company’s servers – which had not been updated since 2013 – were hacked after a password was stolen from an employee, permitting a hacker to inject a backdoor into the software and exploit automatic updates of the software to further spread the Nyetya malware. The firm warned that all computers sharing a network with its infected accounting software had been compromised by hackers. See Jack Stubbs and Matthias Williams, How ‘NotPetya’ cyber attack spread from Ukraine, and why it may still be a threat (Oct. 18, 2017).

Simultaneously, other malware called “FakeCry” spread through the software firm’s servers, and was similar to the May 2017 WannaCry ransomware that infected the British National Health Service and over 200,000 systems in 150 countries. See Scott, M.E.Doc Servers Found Responsible for Spreading NotPetya Ransomware (July 7, 2017). WannaCry and Nyetya are both believed to have spread so widely because users had failed to install a Microsoft patch, had installed it incorrectly, or were operating outdated operating systems that were no longer supported by Microsoft. See Robert Hutton et al., Extortionists Mount Global Hacking Attack Seeking Ransom, Bloomberg (May 13, 2017).

These are just examples of reported hacks in the last two years. They demonstrate that firm or company size, revenue, practice and geography are not predictors of which firms will be targeted by hackers. Moreover, these examples suggest a range of vulnerabilities – failure to install software patches, outdated systems, inadequate insurance, and system accessibility across jurisdictions and extending to outside business partners – that law firms should review and consider addressing to mitigate the firm’s exposure to a cyber-attack.

What Determines the Reasonableness of a Law Firm’s Protective Measures?

Lawyers are not expected to guarantee the security of client information that is transmitted to or by the lawyer. Instead, they are expected to exercise “reasonable care” and employ reasonable protective measures, on a case-by-case basis, to mitigate the risk of disclosure through misdirection or interception. The American Bar Association concluded that the use of unencrypted email remains an acceptable method of attorney-client communication, but noted that with the proliferation of cyber-threats and fact sensitive requirements under the Model Rules, “particularly strong protective measures, like encryption, are warranted in some circumstances.” See ABA Formal Ethics Op. 477R.

“Reasonable care” – the standard of care required to fulfill a lawyer’s duty of technological competence in a specific engagement – will vary depending on (i) the client’s request to implement specific security measures; (ii) the sensitivity of the client’s information; (iii) the client’s risk tolerance for cyber intrusion; (iv) the means by which client information is transmitted; (v) the security measures available to protect the transmissions; (vi) the determination of which information constitutes confidential client information; (vii) the measures taken to protect any transmission of client information to other vendors; and (viii) the training of lawyers and staff in cybersecurity measures and breach response. The challenge for lawyers is establishing security protocols that reasonably protect client data based on the client’s cyber-risk profile, and ensuring that the firm remains vigilant in enforcing and updating its security measures.

How Can Law Firms Meet Their Duty of Technological Competence?

There is no one-size-fits-all approach to law firm data security, nor any requirement that law firms implement every possible security feature and preventive measure currently available in the market. Security measures that may be prudent in a large firm that regularly handles matters requiring the collection of a large volume of personally identifiable information, or that has clients that must comply with DFS cybersecurity regulations or similar, may not be feasible or sensible for a small boutique firm with a different type of law practice. When developing internal data security policies and procedures, law firms should identify measures that will increase the security of client information and meet their clients’ specific security needs without compromising the lawyers’ ability to competently represent clients.

Accordingly, although there are a range of cybersecurity measures that a firm could implement, breach response plans that could be formulated, and cybersecurity insurance that could be purchased, there is nothing to suggest that any or all of these measures are reasonably necessary to meet a lawyer’s duty of technological competence in the firm’s particular circumstances. There are, however, general guidelines and steps that each lawyer or law firm should consider.

  • Address pertinent cybersecurity issues in the initial client meeting, and possibly in the engagement letter. For example, if the potential client has requested communications occur through a specific means, use of shared files, or other means of transmitting data electronically during the representation, make reference to that request in the engagement letter and obtain the client’s acknowledgement and consent to the transmission protocols to be used.

  • If the firm has received NIST Framework or ISO 27001 certification or similar, reference the certification in the engagement letter, and consider having the client acknowledge the certification obtained. The NIST Cybersecurity Framework provides a set of industry standards and best practices to manage cybersecurity risks. ISO 27001 provides an international model for creating, operating and maintaining an information security management system. See Phillip Yannella, Law Firms Are Seeking Data Security Certification, Big Law Business (Aug. 19, 2016).

  • Develop policies and procedures governing how information is handled at the firm. Comprehensive information handling procedures should reflect the range of features and protocols defining data management at the firm – including identification of the systems used, archived systems, users, the nature of the information retained, classification of data as it is saved in the firm’s system, pertinent document retention and destruction policies and litigation holds, and storage in other media (e.g., storage in personal devices pursuant to firm “Bring Your Own Device” policies, storage with third-party vendors, and shared drives). This information will help determine reasonable security measures. For example, if the firm regularly receives personally identifiable information or personal health information from its clients, it may wish to segregate those records from other client files.

  • Implement a cybersecurity program (including a breach response plan) to mitigate the threat of a data breach, meet applicable regulatory requirements, and ensure the firm can respond quickly and effectively to a data breach such that it can return to normal functioning and service of clients quickly. The program should include training employees in cyber-hack prevention.

  • Consider whether the firm should invest time and money into a security assessment, penetration testing, or other assessment of the firm’s cybersecurity preparedness, and consider scheduling practice breach response exercises.

  • In multi-office law firms, weigh the costs and benefits of segmenting networks and limiting file access to necessary personnel. Contemplate implementing different layers of access for different segments of the network in order to stem the ability of malware to spread. Also consider segmentation by employee group (for example, have contract attorneys operate in a limited environment with limited access).

  • Obtain appropriate cybersecurity insurance, carefully reviewing coverage triggers and sublimits and the apportionment of coverage between the cyber policy, professional liability policy and any property loss policies. For example, if the cyber coverage broadly excludes claims arising from a failure to render professional services, consider that based on a lawyer’s duty to protect a client’s confidential information, a data breach could be deemed a failure to fulfill the duty to protect confidential information and arguably excluded under this broad policy language.

  • Be vigilant about updating operating systems to ensure that they remain supported, watch closely for patch updates, and deploy fixes immediately and correctly.

A lawyer’s duty of reasonable care requires lawyers to consider the security of the technology used in their practice. Where a lawyer has a direct or indirect duty to comply with specific cybersecurity measures, the lawyer should identify the client information subject to the enhanced security and consider additional security measures to mitigate the risk of interception and improve the firm’s ability to respond if a breach occurs. Moreover, lawyers must consistently assess and reassess their cybersecurity preparedness, particularly as the use of technological applications in their law practices increases and hackers become even more adept at stealing information.