Trial Magazine
Theme Article
Decoding Cybersecurity
The likelihood of a breach of your firm’s and clients’ data is an ever-increasing threat that cannot be ignored. Follow these tips to help safeguard your technology systems.
March 2017

Former FBI Director Robert Mueller famously said in 2012, “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”1
Law firms are moving deeper into the digital world—as they should—to keep up with the requirements of newer, technologically advanced court systems; modern, digital offices; and clients who want attorneys to be as tech-savvy as they are.
As a result, firms face increased exposure to digital threats. With each passing year, it becomes more important for lawyers and their firm administrators to recognize and address potential technological weaknesses. Cybersecurity is not something you can just buy; no one-size-fits-all package can protect all firms. But here are some ways you can decrease your chances of a damaging cyberattack.
Law firms of all sizes host enormous amounts of information that is valuable to data thieves. Large corporate firms, for example, possess intellectual property, financial and buyout information, strategy documents, and sensitive government secrets that companies or “state actors”—such as China and Russia—may target through corporate espionage. In December, federal prosecutors indicted three Chinese stock traders who hacked into the systems of several large law firms to gather information on upcoming mergers and acquisitions.2
Firms that handle personal injury cases possess health care information, personally identifiable information for clients and employees, financial information such as bank statements and credit card numbers, and other sensitive material. Also, hackers who can lock down law firm files and hold them hostage know that law firms will pay to have data access restored.
Ethics Considerations
State bar associations do not expect attorneys to have the same level of knowledge as the National Security Agency in preventing data breaches. But in the event of a breach, the bar association wants to know if the firm had a basic understanding of cyberthreats and took reasonable precautions to protect confidential and sensitive client data.
While several state bar associations acknowledge that “a lawyer cannot guarantee that client confidentiality will never be breached, whether by an employee or some other third-party,”3 every bar association that has addressed electronic files, email, or cloud computing imposes a reasonable care requirement on attorneys to protect the integrity and security of electronic files.4 In Alabama, for example, reasonable care includes making sure data is backed up and using firewalls and intrusion-detection software to prevent attacks.5
At least 20 state bar associations have addressed whether lawyers may use cloud computing, or cloud-based “software-as-a-service” (SaaS).6 Also known as “on-demand software,” SaaS allows a provider to host software on its own servers and deliver it to an end user via the internet, typically on a subscription basis.
These bar associations allow the practice, but only if the lawyer uses reasonable care to ensure the confidentiality of the information on servers outside the firm’s direct control. Therefore, bar associations likely will expect firms to use the same reasonable care in protecting against cyberthreats.
Attorneys also should consider Model Rule of Professional Conduct 1.1 and its equivalent in their state. Model Rule 1.1 states that “a lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”
Comment 8 to the rule extends this competency requirement to technology: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Several state bar ethics opinions echo this competence standard.7
Types of Cyberattacks
Every two years, the amount of data in the digital universe doubles.8 The more data that is created, the more it is subject to breach. In 2015 alone, 705 million records were breached.9
Hacking. In 2016, it was reported that more than 1 billion Yahoo email accounts had been hacked.10 The attack occurred in 2013 and may have resulted in the theft of names, email addresses, passwords, phone numbers, and answers to security questions.11 After this sort of attack, hackers typically sell the information on the “dark web”—a side of the internet that is not indexed by regular search engines and requires specific software to access. Thieves use this information to steal identities and more. When a large company such as Yahoo is hacked in this way, users can do very little, other than change their passwords and monitor their credit reports.
Phishing. Phishing continues to be one of the most common cyberattacks. Emails purporting to originate from authentic websites ask for sensitive information, such as account numbers, Social Security numbers, or passwords. While you can still expect to receive regular emails from “princes” who need your assistance—and funds—to secure their rightful fortune, phishing attacks are becoming more sophisticated.
For example, security experts now see phishing attacks with emails that spoof real email addresses within an organization by using logos and stolen email signature blocks, making them difficult to differentiate from authentic emails.
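The impersonation described above leaves traces a mail filter can check: a display name that matches a firm employee while the actual address is someone else's, a Reply-To that points somewhere other than the sender, or a sending domain that is a near-copy of the firm's. The following is an added example written for this article, not code from the authors or from any product they mention; the firm domain, staff directory and the two messages are constructed for illustration, and the similarity threshold is an assumed tuning value.

```python
"""Flag inbound mail whose From display name impersonates a firm employee,
whose Reply-To diverges from the sender, or whose domain is a lookalike.
Added example; all names, domains and messages below are constructed."""
import difflib
import email
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.test"          # assumed firm domain (placeholder)
LOOKALIKE_THRESHOLD = 0.85                # assumed similarity cut-off

# Constructed staff directory: display name -> the mailbox that name should use
STAFF = {
    "Jane Partner": "jane.partner@example-law.test",
    "Tom Paralegal": "tom.paralegal@example-law.test",
}


def domain_of(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rpartition("@")[2].lower()


def is_lookalike(domain):
    """True when a domain is very similar to, but not equal to, the firm's."""
    if not domain or domain == FIRM_DOMAIN:
        return False
    ratio = difflib.SequenceMatcher(None, domain, FIRM_DOMAIN).ratio()
    return ratio >= LOOKALIKE_THRESHOLD


def spoof_findings(raw_message):
    """Return a list of (kind, detail) findings for one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. A known employee's display name on a mailbox that is not theirs
    expected = STAFF.get(name.strip())
    if expected and from_addr.lower() != expected:
        findings.append(("impersonated-name",
                         f"'{name}' sent from {from_addr}, expected {expected}"))

    # 2. Replies would go to a different domain than the visible sender
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append(("reply-to-mismatch",
                         f"From {domain_of(from_addr)} but Reply-To {domain_of(reply_to)}"))

    # 3. Either address uses a domain that nearly matches the firm's own
    for addr in (from_addr, reply_to):
        if is_lookalike(domain_of(addr)):
            findings.append(("lookalike-domain", domain_of(addr)))
    return findings


# Constructed sample messages (not real mail)
LEGIT = """From: Jane Partner <jane.partner@example-law.test>
To: tom.paralegal@example-law.test
Subject: Draft settlement

Please review the attached draft.
"""

SPOOFED = """From: Jane Partner <jane.partner@gmail-mail.test>
Reply-To: accounts@examp1e-law.test
To: tom.paralegal@example-law.test
Subject: Urgent wire

Please wire the retainer today.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, spoof_findings(raw))
```

Each finding is only a signal: a partner who really does write from a personal account will trip the first check, so these results belong in a review queue or a warning banner rather than an automatic block.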
Ransomware. Everyone from information security companies and internet giants to ordinary members of the public has been attacked by ransomware. It is a type of malware that attaches to and locks down all the files on a computer system; the files are “released” only when the hackers who wrote the program are paid. The malware usually is unleashed when an unsuspecting user opens an executable file or a Microsoft Word file with macros. Ransomware locks down any files it can reach on a network, including those on network-attached storage, and even Dropbox and other cloud-based folders that are mapped to the networked computers’ hard drives.
Addressing Common Issues
Armed with some basic knowledge about the types of cyberthreats out there, you can look at ways to make your firm’s data more secure.
Cloud computing. Many attorneys are still afraid of “the cloud” even though cloud computing has become the standard in many industries for computing and data storage because of its cost savings and reliability. But a lawyer’s ethics duties require law firms to take reasonable precautions to protect a client’s confidential and sensitive information.
Attorneys must use only cloud-based service providers that have demonstrated appropriate data protection and provided assurances of overall data security. No service is impenetrable, but you should ask and obtain satisfactory answers to the following questions before selecting a cloud-based service provider:
- Will the data be encrypted?
- Who holds the encryption keys?
- Does the provider have a policy for use of the encryption keys?
- Is the data encrypted in transit and in storage?
- Might it be subject to international search and seizure?
- Has your client approved of data being stored in the cloud?
- Does the provider offer “litigation hold” technology, preventing data deletion?
- What auditing and security capabilities are available with the platform?
Bring your own device (BYOD). Individual laptops, cell phones, and tablets, which either contain confidential client information or provide access to a firm’s networks containing that information, are potential weak links in your firm’s defenses.
Devising and maintaining a clearly written BYOD policy, regulating use, and giving the firm ultimate control over all devices are important.
You should strongly consider installing software that can remotely wipe all data from devices when an employee leaves the firm. Mobile device management platforms that support “containerization”12 of business and personal data, enhanced security controls, encryption key escrow,13 and tracking and management of mobile devices are extremely important. If you use cloud-based software such as Dropbox or Office 365, you can erase all firm data within those applications from a device when necessary.
Encryption. Encryption is the process by which data is scrambled into code that can be deciphered only after using a “key” to unlock the data. Because all portable devices may be lost or stolen, encrypting them not only makes sense, but with today’s technology, it is an easy step toward mitigating the risk to critical data.
For instance, encrypting the data on your iPhone is as simple as going into “Settings,” entering a “Passcode,” and choosing “Require Passcode Immediately.” Under the “Passcode” setting, if you see “Data protection is enabled,” then your phone is encrypted when locked.
Vetting vendors. Breaches at Target, Home Depot, and Goodwill were all linked back to vendors those companies hired. Law firms use vendors for a variety of things, including facilities management, e-discovery, cloud application or storage providers, and information technology services.
Each service gives a third party full access to your firm’s system and to most of your case data. Some require you to send large portions of your clients’ data directly to the vendor. When retaining a third-party vendor, reserve the right to perform your due diligence and consider asking whether the vendor can provide the following:
Penetration test report. Vendors who are holding client data on your behalf should have another third party conduct at least an annual penetration test. The penetration test shows areas of weakness, compromised accounts, missing security patches, or systems that are vulnerable and could act as a beachhead to the rest of the vendor’s network and your clients’ data.
Security policy. A detailed set of documents that govern daily operations of the vendor is important. Areas to check are: media disposal and reuse standards, encryption standards, password length and lockout after a number of incorrect password attempts, multifactor authentication, limits and requirements placed on their vendors, and auditing details. The policy also should include systems and controls to prevent, detect, and identify a breach.
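Two of the controls listed above, a minimum password length and lockout after a number of incorrect attempts, are simple enough to show in working code, which also makes clear what a vendor's policy document should pin down (the length, the attempt count, the lockout duration, and how stored passwords are protected). The following is an added example written for this article, not the authors' code and not any vendor's implementation; the policy values are assumed placeholders, and the account store is an in-memory stand-in for a real directory.

```python
"""Minimal account store enforcing a password-length policy, salted PBKDF2
password hashing, and lockout after consecutive failed attempts.
Added example; the policy numbers below are assumed, not from any vendor."""
import hashlib
import hmac
import os
import time

MIN_LENGTH = 12            # assumed policy: minimum password length
MAX_FAILURES = 5           # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60  # assumed policy: 15-minute lockout
PBKDF2_ITERATIONS = 200_000  # kept modest so the demo runs quickly
DUMMY_SALT = b"\0" * 16    # used so unknown users cost the same time as known ones


def meets_length_policy(password):
    """Policy check: True when the password is at least MIN_LENGTH characters."""
    return len(password) >= MIN_LENGTH


def derive(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class AccountStore:
    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so lockout expiry can be tested
        self.accounts = {}          # username -> salt, hash, failures, locked_until

    def register(self, username, password):
        if not meets_length_policy(password):
            raise ValueError(f"password must be at least {MIN_LENGTH} characters")
        salt = os.urandom(16)       # fresh random salt per account
        self.accounts[username] = {
            "salt": salt, "hash": derive(password, salt),
            "failures": 0, "locked_until": 0.0,
        }

    def is_locked(self, username):
        acct = self.accounts.get(username)
        return acct is not None and self.clock() < acct["locked_until"]

    def authenticate(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            derive(password, DUMMY_SALT)   # equalise timing for unknown users
            return False
        if self.clock() < acct["locked_until"]:
            return False                   # locked: refuse even a correct password
        candidate = derive(password, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            acct["failures"] = 0           # success resets the counter
            return True
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = self.clock() + LOCKOUT_SECONDS
            acct["failures"] = 0
        return False


if __name__ == "__main__":
    store = AccountStore()
    store.register("tom", "correct horse battery staple")
    for _ in range(MAX_FAILURES):
        store.authenticate("tom", "not the password")
    print("locked after repeated failures:", store.is_locked("tom"))
```

The lockout is keyed on the username, so a deliberate stream of bad guesses can lock a legitimate user out; production systems usually pair this with rate limiting by source address and with multifactor authentication, which the policy list above also calls for.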
Business continuity plan. While data security is paramount, data availability is also essential. Data is not worth much if you and your clients can’t access it. Vendors should have sufficient plans for backup data centers and telecommunications lines to ensure a seamless business continuity plan.
Incident response plan. Breaches are now considered inevitable; all organizations should have plans for dealing with one. There should be complete transparency in all contracts, including provisions for timely notification of an incident. Incident response involves monitoring security events on a computer network and executing appropriate responses to those events. Many companies have specific guidelines for breach notification, and you’ll need to ensure your vendor’s policy aligns with that of your corporate clients.
Insurance. Breaches are expensive: Can your vendor foot the bill if it is breached? Ensure your vendors have an appropriate amount of insurance for cybersecurity issues, errors and omissions, and general liability.
Vendors may respond to these questions similarly, so consider hiring a third-party subject-matter expert to help you understand how each vendor is positioned to limit its risk and potential for exposure. It can take weeks, if not months, for a vendor to prepare and accumulate hundreds of pages of documentation for its response. Most important, firms need to understand their clients’ security requirements and ensure that vendors adhere to or exceed those standards.
Life in the digital world is life as we know it. Law firms must be on the defense against cyberattacks and vigilantly safeguard client data. Failure to do so will not only result in lost productivity and wasted time and resources, but it also raises potential ethics issues with your state bar association if you are not taking steps to protect your clients.
Tad Thomas is the founder of Thomas Law Offices in Louisville, Ky., and can be reached at tad@thomaslawoffices.com. Rich Smith is a senior consultant at LOGICFORCE in Nashville and can be reached at rsmith@logicforce.com. The views expressed in this article are the authors’ and do not constitute an endorsement of any product or service by Trial or AAJ.
Notes
1. Robert Mueller, Director, Fed. Bureau of Investigation, Speech at the RSA Cyber Security Conference in San Francisco, FBI.gov (Mar. 1, 2012), archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies.
2. Sara Randazzo & Dave Michaels, U.S. Charges Three Chinese Traders With Hacking Law Firms, Wall St. J. (Dec. 27, 2016), www.wsj.com/articles/u-s-charges-three-chinese-traders-with-hacking-law-firms-1482862000.
3. Ala. State Bar, Formal Op. 2010-02, at 15–16 (2010); State Bar of Ariz., Ethics Op. 09-4 (2009); N.Y. State Bar Ass’n Comm. on Prof’l Ethics, Op. 842 (2010).
4. Am. Bar Ass’n, Legal Tech. Res. Ctr., Cloud Ethics Opinions Around the U.S., www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html.
5. Ala. State Bar, Formal Op. 2010-02, at 13 (2010).
6. Cloud Ethics Opinions Around the U.S., supra note 4.
7. Ky. Bar Ass’n, Formal Op. KBA E-437, at 3 (2014); N.H. Bar Ass’n Ethics Comm., Advisory Op. 2012-13/4 (2012); N.C. State Bar, 2011 Formal Ethics Op. 6 (2012).
8. The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things, EMC Digital Universe & IDC Res. Inc. (Apr. 2014), www.emc.com/leadership/digital-universe/2014iview/executive-summary.htm.
9. 2015 Data Breach Statistics—Breach Level Index Findings, Gemalto, safenet.gemalto.com/resources/data-protection/2015-data-breaches-infographic/.
10. Kate Conger, Yahoo Discloses Hack of 1 Billion Accounts, TechCrunch (Dec. 14, 2016), techcrunch.com/2016/12/14/yahoo-discloses-hack-of-1-billion-accounts/.
11. Id.
12. Containerization is the method by which information technology professionals can segregate company data from personal data on mobile devices. Varun Taware, Containerization is a Winning Strategy for Smarter BYOD Management, Beta News (Apr. 20, 2015), betanews.com/2015/04/20/containerization-is-a-winning-strategy-for-smarter-byod-management/.
13. Encryption key escrow is an arrangement by which keys to decrypt data are held in escrow so a third party may gain access to encrypted data in some circumstances—for instance, an employer who wishes to access an employee’s encrypted files.