Recent Law Firm Data Breaches are Reigniting This Debate
Cyber attacks against some of the country’s top law firms are creating fresh concerns about protecting client data, and when lawyers should advise their clients that a breach has occurred.
The Wall Street Journal has reported that hackers have attacked the networks of Cravath Swaine & Moore LLP, Weil Gotshal & Manges LLP, and others. While the hackers' motives are currently unknown, collecting client data for insider trading purposes is one theory.
Why would a hacker go after a law firm? Because they are aggregators of valuable trade secrets and intellectual property, and frankly, some law firms have IT security infrastructures that are not as robust as their clients', making them a somewhat soft target. Cybersecurity experts have warned for years that law firms will become increasingly attractive targets for hackers.
The rules for disclosing data breaches involving banks and retailers, like Target and J.P. Morgan Chase & Co., are pretty clear: these losses of consumers' personally identifiable information (PII), like Social Security numbers, are quickly reported and the public is alerted. Law firms, however, do not typically store that type of PII, so the regulations that trigger a mandated notification in some industries may not apply to law firms. It is therefore not completely clear when a law firm has a legal requirement to disclose a breach to law-enforcement authorities or the public.
Does that mean law firms do not have to report a breach? Hardly. The American Bar Association added rules in 2012 that require lawyers to take reasonable steps to safeguard client data. The ABA also instructs lawyers to “keep abreast of changes in the law…including the benefits and risks associated with relevant technology.” Various state bar associations also have their own ethics codes that require lawyers to keep client information confidential, and lawyers who violate those rules can be hit with monetary penalties and discipline, including disbarment. The ethical mandate for disclosure, therefore, does seem clear.
The best answer to a potential law firm data breach is, of course, to have good defenses in place. So the first course of business for any firm is to conduct a comprehensive security risk assessment and then to address those risk issues that arise from the assessment. But even those law firms with the best information security profile can be compromised. Here are a few best practices…
- No Phishing! Incredibly, the most common attack method continues to be the infamous phishing scheme, in which legitimate-looking emails sent to key law firm employees are opened, and really nasty malware is then launched onto the firm’s IT network, resulting in a security compromise. Law firms must educate their employees about the risks associated with phishing scams.
- Have a Plan. Your firm is likely to suffer a breach. So, you should plan accordingly. Have a documented Incident Response (IR) Plan in place. Train your key players on the plan, and practice it regularly.
- Have a Team. Assemble an IR team consisting of personnel from IT, Security, Insurance, HR, Public Relations, Communications, outside counsel, and forensic response.