Mind the Back Door: Protecting Client Information from Cybersecurity Threats and Disclosure

You’ve just returned to your law firm from a long holiday weekend and are looking through your email. You find a note from your financial institution regarding a large transfer of money out of one of your trust accounts. The figure is in the high six figures and you nearly spill your coffee running over to your bookkeeper’s office.

He knows nothing about it. It’s time to push the panic button. Eventually you figure out that your bookkeeper received an email with a poisoned attachment and his account was compromised. Over the weekend criminals used his credentials to move a large sum out of the trust account, and you are very unlikely to ever see it again.

You have just been the latest victim of a growing cybersecurity crisis that is beginning to target law firms. This is not fiction or FUD (fear, uncertainty and doubt) – this is a story straight from recent news.

Anyone who reads the newspaper or listens to the news cannot help but be aware of the number of organizations that are being victimized every day by our cyber adversaries. The year 2014 has been dubbed the “year of the data breach.”

Among small businesses, law firms are an increasingly popular target for hackers for two reasons. First, hackers infiltrate law firms’ networks as a stepping stone into their clients’ networks. Second, they are very aware of the wealth of confidential information that lawyers amass and use in representing their clients: attorney work product, firm business and employee records, attorney-client data, trade secrets and personally identifiable information (PII). Lawyers also store reams of e-discovery records, both civil and criminal, obtained from opposing and third parties through discovery.

As corporations and other organizations beef up their cybersecurity, hackers have used law firms as a virtual back door into their clients’ confidential information. In a case reported in 2012, China-based hackers overcame the “secure” computer networks of seven major Canadian law firms to destroy data and steal sensitive client information in a coordinated attempt to derail a corporate acquisition.

External attacks are not the only risk. Internal threats from corporate or law firm employees, whether intentional or negligent, are just as real and can be as devastating. A Seattle law firm employee recently emailed the highly confidential files of nearly 8,000 special education students to a student’s parent, likely violating federal law and the firm’s ethical duties. Luckily, the recipient recognized the mistake and returned the files. The Seattle School District promptly fired the law firm and called in the US Department of Education to investigate the mechanism and exact cause of the barely averted disaster.

In response to the rise in cyberbreaches, the American Bar Association (ABA) has adopted a resolution encouraging all organizations to “develop, implement, and maintain an appropriate cybersecurity program that complies with applicable legal and ethical obligations, and is tailored to the nature and scope of the organization, and the data and systems to be protected.”

The ABA’s Cybersecurity Task Force also recommends continuous monitoring of system and network logs to detect and respond to threats. Without monitoring, the compromise of one workstation can grow into a large-scale theft of confidential client and proprietary information. The bookkeeper scenario above is a case in point: the stolen credentials were used for an entire weekend, and the first alert came from the bank rather than from the firm’s own systems.
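As an added illustration of the kind of monitoring the Task Force recommends (example code written for this page, not from the ABA or the authors of the article), the Python script below runs two simple detection rules over a handful of constructed login records: successful logins outside weekday business hours, and one workstation authenticating to many different internal hosts within a few minutes, the fan-out that a stolen credential produces as an intruder moves from the first compromised machine to the rest of the network. The log format, hostnames, user names, business hours and thresholds are all assumptions made for the example; a real deployment would read these events from the domain controller or SIEM.

```python
"""Two detection rules over login records: off-hours logins and
lateral-movement fan-out from a single workstation.

Example code written for this page. The log format, hostnames, user
names and thresholds are assumptions, not a real firm's data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real logs). 2014-09-06 is a Saturday,
# and the burst of logins from WS-BOOKKEEPER at 02:13-02:16 mimics an
# intruder using stolen credentials to reach other machines.
SAMPLE_LOG = """\
2014-09-05 16:55:02 LOGIN user=bookkeeper src=WS-BOOKKEEPER dst=FILESRV01 result=success
2014-09-06 02:13:41 LOGIN user=bookkeeper src=WS-BOOKKEEPER dst=FILESRV01 result=success
2014-09-06 02:14:10 LOGIN user=bookkeeper src=WS-BOOKKEEPER dst=FILESRV02 result=success
2014-09-06 02:14:55 LOGIN user=bookkeeper src=WS-BOOKKEEPER dst=DC01 result=success
2014-09-06 02:15:30 LOGIN user=bookkeeper src=WS-BOOKKEEPER dst=WS-PARTNER1 result=success
2014-09-06 02:16:02 LOGIN user=bookkeeper src=WS-BOOKKEEPER dst=WS-PARTNER2 result=failure
2014-09-06 02:16:40 LOGIN user=bookkeeper src=WS-BOOKKEEPER dst=BANKING-PC result=success
2014-09-08 08:05:12 LOGIN user=associate1 src=WS-ASSOC1 dst=FILESRV01 result=success
"""

# Assumed log line layout: timestamp, event type, then key=value fields.
LOG_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN "
    r"user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)"
)


def parse_events(text):
    """Turn raw log text into a list of event dicts; non-login lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins on a weekend or outside [start_hour, end_hour) on a weekday."""
    hits = []
    for ev in events:
        if ev["result"] != "success":
            continue
        t = ev["ts"]
        weekend = t.weekday() >= 5  # Monday is 0, so 5 and 6 are Saturday and Sunday
        if weekend or not (start_hour <= t.hour < end_hour):
            hits.append(ev)
    return hits


def lateral_movement(events, max_hosts=4, window=timedelta(minutes=10)):
    """Flag a source host that successfully authenticates to at least
    max_hosts distinct destinations inside any sliding window of `window`.
    Returns {src: {"user", "start", "hosts"}} with the widest fan-out per source."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "success":
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = set()
            for ev in evs[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                hosts.add(ev["dst"])
            seen = len(alerts.get(src, {}).get("hosts", []))
            if len(hosts) >= max_hosts and len(hosts) > seen:
                alerts[src] = {"user": first["user"], "start": first["ts"], "hosts": sorted(hosts)}
    return alerts


def analyze(text):
    """Run both rules over raw log text and return the findings together."""
    events = parse_events(text)
    return {"off_hours": off_hours_logins(events), "lateral_movement": lateral_movement(events)}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for ev in findings["off_hours"]:
        print(f"OFF-HOURS  {ev['ts']}  {ev['user']}@{ev['src']} -> {ev['dst']}")
    for src, a in findings["lateral_movement"].items():
        print(f"FAN-OUT    {a['start']}  {a['user']}@{src} -> {len(a['hosts'])} hosts: {', '.join(a['hosts'])}")
```

Either rule alone would have raised an alarm on Saturday morning, long before the Monday email from the bank; the fan-out rule in particular is the one that distinguishes "one infected workstation" from "the whole network is being walked". The thresholds are deliberately loose so the rules fire on the sample; in practice they are tuned against a baseline of the firm's normal activity, and the alerts are routed to someone who will act on them over a weekend.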

The resolution reflects the many sources of the legal profession’s responsibility to provide data security: regulatory, contractual, common law, and ethical. Of these, the ethical duty, grounded in the Rules of Professional Conduct, is the most broadly applicable.

The 2012 amendments to the comments to the ABA Model Rules of Professional Conduct put a greater onus on lawyers to understand the ramifications of practicing law in the virtual world. They now require an attorney to “keep abreast of changes in the law and its practice” as well as “the benefits and risks associated with relevant technology” (ABA Model Rule 1.1, Comment 8 (2012)).

They also require a lawyer “to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client” (ABA Model Rule 1.6(c)).

To meet regulatory and ethical obligations in the dynamic environment of information technology, an attorney’s only safe course is to employ cybersecurity best practices. Industry standards abound for the secure storage of data and for controlling access to and use of that data. But for many practitioners those standards may be reasonable in neither scale nor scope given the threats they can foresee. What is an attorney to do? Based upon the ABA’s Cybersecurity Handbook (Rhodes and Polley, The ABA Cybersecurity Handbook, American Bar Association (2013)) and our extensive experience, we have a specific set of tailored suggestions we would gladly share with your firm by appointment.

The advent of technology has been a boon to the practice of law. Discovery no longer means sitting in a cold warehouse with boxes of poorly organized documents. The boon, however, has not come without risks. If you use technology in practicing law, you now shoulder the duty to understand the risks it creates for your clients, and the obligation to protect them reasonably. Reasonable protection means employing best practices appropriate to the sensitivity of the data involved, the scale of the practice and the applicable regulatory requirements, among other considerations. Crafting appropriate best practices is and will continue to be an ongoing challenge for the practice of law, one that will require closer work between information security professionals and lawyers.


Authors: Suzanne Skinner, an attorney, and David Matthews, a cybersecurity, risk management and incident response expert. Both are Associates with CI, an information security consulting and managed services firm specializing in critical infrastructure cybersecurity. Please contact CI for a consultation appointment.

Michael K Hamilton CISSP

The CISO