Mind the Back Door: Protecting Client Information from Cybersecurity Threats and Disclosure

You’ve just returned to your law firm from a long holiday weekend and are looking through your email. You find a note from your financial institution regarding a large transfer of money from one of your trust accounts. The figure is in the high end of six figures and you nearly spill your coffee running over to your bookkeeper’s office.

He knows nothing about it. It’s time to push the panic button. Eventually you figure out that your bookkeeper received an email with a poisoned attachment and his account was compromised. Over the weekend criminals used his credentials to steal a lot of your money, and you are very unlikely to ever see it again.

You have just been the latest victim of a growing cybersecurity crisis that is beginning to target law firms. This is not fiction or FUD (fear, uncertainty and doubt) – this is a story straight from recent news.

Anyone who reads the newspaper or listens to the news cannot help but be aware of the number of organizations that are being victimized every day by our cyber adversaries. The year 2014 has been dubbed the “year of the data breach.”

Among small businesses, law firms are an increasingly popular target for hackers for two reasons: hackers infiltrate law firms’ networks to gain access to their clients’ networks, and they are very aware of the wealth of confidential information that lawyers amass and use in representing their clients, from attorney work product, firm business and employee records, to attorney-client data, trade secrets and PII. Lawyers also store reams of e-discovery records, both civil and criminal, from opposing and third parties generated through discovery.

As corporations and other organizations beef up their cybersecurity, hackers have used law firms as a virtual back door into their clients’ confidential information. In 2012, China-based hackers overcame the “secure” computer networks of seven major Canadian law firms to destroy data and steal sensitive client information in a coordinated attempt to derail a corporate acquisition.

External attacks are not the only risk. Internal threats from corporation or law firm employees, whether intentional or negligent, are equally likely and as devastating. A Seattle law firm employee recently emailed the highly confidential files of nearly 8,000 special education students to a student’s parent, likely violating federal law and the firm’s ethical duties. Luckily, the recipient recognized the mistake and returned the files. The Seattle School District promptly fired the law firm and called in the US Department of Education to investigate the mechanism and exact cause of the barely averted disaster.

In response to the rise in cyberbreaches, the American Bar Association (ABA) has issued a new resolution encouraging all organizations to “develop, implement, and maintain an appropriate cybersecurity program that complies with applicable legal and ethical obligations, and is tailored to the nature and scope of the organization, and the data and systems to be protected.”

The ABA’s Cybersecurity Task Force also recommends constant monitoring of computer logs to detect and respond to threats. Without monitoring, the compromise of one workstation can mutate into a large-scale theft of confidential client and proprietary information.

Their new resolution reflects the many sources of the legal profession’s responsibility to provide data security: regulatory, contractual, common law, and ethical. Of these, the ethical duty, grounded in the Rules of Professional Responsibility, is most broadly applicable.

Comments to the Model Code of Professional Responsibility (MCPR) put greater onus on lawyers to understand the ramifications of practicing law in the virtual world. They now require an attorney to “keep abreast of changes in the law and its practice” as well as “the benefits and risks associated with relevant technology” (ABA Model Rule 1.1 Comment 8 (2012)).

They also require a lawyer “to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

To meet regulatory and ethical obligations in the dynamic environment of information technology, an attorney’s only safe course is to employ cybersecurity best practices. Industry standards abound for the secure storage of data and for access to and use of that data. But for many practitioners those industry standards may be reasonable in neither scale nor scope given foreseeable threats. What is an attorney to do? Based upon the ABA’s Cybersecurity Handbook (Rhodes and Polley, The ABA Cybersecurity Handbook, American Bar Association (2013)), and our extensive experience, we have a specific set of tailored suggestions we would gladly share with your firm by appointment.

The advent of technology has been a boon to the practice of law. Discovery no longer means sitting in a cold warehouse with boxes of poorly organized documents. The boon, however, has not come without risks. If you use technology in practicing law, you now shoulder the duty to understand the risks it creates for your clients, and the obligation to reasonably protect them. Reasonable protection means employing best practices appropriate to the sensitivity of the data involved, the scale of the practice, and regulatory requirements, among other considerations. Crafting appropriate best practices is and will continue to be an ongoing challenge to the practice of law that will require closer work between information security professionals and lawyers.

Authors: Suzanne Skinner, an attorney, and David Matthews, a cybersecurity, risk management and incident response expert. Both are Associates with CI, an information security consulting and managed services firm, specializing in critical infrastructure cybersecurity. Please contact CI for a consultation appointment.