Last year, major incidents involving law firm data breaches brought attention to the weaknesses within law firm data security and the need for more effective plans and preparation. An American Bar Association (ABA) survey reveals that 26% of firms (with more than 500 attorneys) experienced some sort of data breach in 2016, up from 23% in 2015.
Recent Cybersecurity Incidents Involving Law Firms
- The hacking of Mossack Fonseca’s email server (aka the Panama Papers) in April highlighted the vulnerabilities of law firms (not to mention outing numerous world leaders and billionaires for tax evasion). 11.5 million documents and 2.6 TB of data were illegally (and relatively easily) retrieved from the company’s outdated web servers.
- In December, 3 individuals were charged after hacking into at least seven law firms in 2014 with an aim to obtain inside information about prominent merger and acquisition deals. The hackers obtained roughly 40 gigabytes of confidential information over the course of eight days which they then used to purchase stock shares and profit $4 million.
- Last spring, several prestigious law firms representing major Wall Street banks and Fortune 500 companies admitted to security breaches.
- In February, Flashpoint Security alerted 48 top law firms that they had been targeted for a cyber attack. Flashpoint discovered phishing services being offered for sale to hackers who wanted to target law firms specifically.
In addition, details have recently been released of the first class-action lawsuit against a law firm for inadequate security measures. A complaint filed in April, Shore v. Johnson & Bell, alleges that the law firm engaged in “systematically exposing confidential client information and storing client data without adequate security.” There is no evidence the client’s information was actually compromised – only that it could have been. The Complaint alleges the law firm was negligent by using an application that the National Institute of Standards and Technology (NIST) noted as having a vulnerability, having inconsistent VPN security, and using an email system with outdated technology.
Again, there are no allegations that a breach occurred – only that the security was faulty. Causes of action include breach of contract (legal malpractice), negligence (legal malpractice), unjust enrichment, and breach of fiduciary duty. The lawyer who filed the complaint has also stated publicly that more lawsuits will be revealed.
Writing about this case, privacy attorney Al Saikali stated: “If the mere risk of harm at some point in the future is enough to allow a lawsuit to proceed, then every company in America should be concerned.” Note, though, that in several cases, the Federal Trade Commission (FTC) brought complaints against companies that failed to provide adequate data security even though there had been no data breaches. For example, see the FTC cases of Microsoft Passport and Guess.
Why Law Firms?
Law firms make excellent targets for fraudsters for two major reasons.
First, the nature of client information that law firms possess is very useful for cyber criminals. Such information includes financial data, corporate strategies, trade secrets, and business transactions — not to mention confidential personal data as well as protected health information (PHI) under HIPAA.
Second, many firms lack a complete privacy and security program. Despite being obvious targets, 22% of law firms in an ALM Legal Intelligence study indicated that there was no organized plan in place to prepare for or respond to a data breach. Only half of the law firms included in the study have a cyber security team in place to handle the complex programs that are needed.
The 2016 ABA survey (see the chart below) reveals that many firms lack essential policies regarding the use of technology.
According to the ABA survey, “only 38% overall of responding attorneys report that their firms have a disaster recovery/business continuity plan.”
The percentage of firms that conduct security assessments is shockingly low. According to the ABA survey, “only 18% of law firms overall [report] that they had a full assessment. Affirmative responses generally increase by size of firm from 11% for solos to 21% for firms of 500+. For firms of 100-499, it’s 35%.”
According to a 2015 ILTA survey, 49% of law firms have security awareness training programs (86% of firms with 350+ attorneys). Such training is essential for law firms! All firms should have a program. In full disclosure: I provide security awareness training programs to law firms, so I’m biased on this point, but I think that if you look at the facts, the case for security awareness training is clear.
The legal industry needs to start moving faster on cybersecurity. The percentages of firms that are lacking critical components of a security program are way too high, especially given the degree of risk they face.
Preventing and Coping with the Data Security Breaches
As more high-level security measures are deployed, hackers are using a firm’s own employees as a tool. Phishing and spear-phishing have become a serious threat. Training employees on how to spot phishing risks is vital. In November, the New York Attorney General sent out a warning about a phishing scam email that pretended to be sent from his office in order to trick attorneys into responding. The email linked to a website that installed malware on the respondent’s computer.
Law firms must make cybersecurity a priority. As I’ve written before, a robust data security program is imperative for law firms of any size. Here are some recommendations for basic things all lawyers and law firms should be doing:
- Assess the risks. Conduct a risk assessment: identify the vulnerabilities and what needs to be done to better protect against them. A data inventory should also be done so the firm knows the various types of data it maintains.
- Assign responsibility. Someone at the firm should be responsible for handling privacy issues. There should be a person responsible for data security. Every collection of data should have a person responsible for it (called a “data steward”). Everyone at the firm should know whom to call with any questions about privacy or security.
- Develop policies and procedures. Develop or improve policies and procedures for how various types of data are to be handled and protected. What are the policies regarding placing data on portable devices? Employee access to data? Encryption? BYOD? Social media use? How is any PHI identified and handled?
- Implement workforce security awareness training. Develop an annual security training program to ensure that everyone knows how to handle and protect data properly, the importance of privacy and security, and whom to call if there are any questions or concerns. As the article on the ABA site that discusses the 2016 ABA survey states: “Security awareness is essential to effective security. There cannot be effective security if users are not trained or do not understand the issues and the applicable security policies.”
- Develop an incident response plan. Develop a plan for responding to privacy and security incidents. This plan covers how to handle the investigation, who is responsible for which tasks, what laws and regulatory requirements need to be followed, and which third-party vendors are best to hire to help with certain tasks (forensic investigations, breach notification, etc.). The plan should also cover how to handle PR. Time will be very scarce during an incident; it is best to be ready in advance rather than scrambling frantically after a breach. There should also be a plan for how to handle clients whose data is implicated.
- Look into cyber insurance. Law firms should look into insuring against the risks and understand what things are covered and what things are not covered by various policies.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.