Lawyers help their clients as they negotiate confidential business transactions, hold intellectual property, manage funds and litigate disputes, among many other business activities. In the ordinary course of business, lawyers also maintain numerous confidential documents and data of and about their clients.
As a result, lawyers have a big bull’s-eye drawn on their backs, visible to cybercriminals. The worst part is that most lawyers do not realize how vulnerable they are, since few lawyers understand IT security and cyber-risks. As a result, many do not properly protect that confidential information.
It is not clear whether lawyers understand whether they have a duty to report a cyberintrusion. Even though we frequently read headlines about cyberintrusions, reporting them has changed over the years. Before the existence of the Internet as we know it today, about 20-plus years ago, less than 10 percent of IT crime was reported around the world. I think that was because businesses did not want to admit they were that vulnerable.
For instance, a large outsourcing company might not report to the police or FBI the theft of customer data it was managing, since it likely would lead to a loss of confidence by their customers. Or a large bank might have mislabeled a cyberloss as merely a software glitch. Law firms today have similar confidence concerns.
Does the Size of Law Practice Affect Risk?
In the U.S., about 60 percent of lawyers practice in groups of five or fewer, according to surveys from the American Bar Association. Even if lawyers understand and appreciate the risk of their data being vulnerable, most of them do not have the resources to properly protect themselves from cyberintrusions.
“If you’re a major law firm, it’s safe to say that you’ve either already been a victim, currently are a victim, or will be a victim. … The question is, what are you doing to mitigate it?” asked Chad Pinson, a managing director at Stroz Friedberg, according to a Bloomberg report.
At least 80 of the 100 biggest firms in the country, by revenue, have been hacked since 2011, according to Mandiant, the same Bloomberg report noted.
Just like other businesses, law firms have a duty to report to their clients about cyberintrusions. In fact, 47 states require notice to those affected. Law firms are not exempt, but many lawyers do not appear to understand the disclosure obligation.
Law Firm Attacked
In one example of a response to a cyberattack, a law firm did inform its clients. On Feb. 27, 2015, the California law firm Ziprick and Cramer sent a letter to clients advising them as follows: “Unfortunately, on or around January 25, 2015, our firm was the victim of a single cyberattack, by a relatively new variant of a Cryptolocker-type virus (which is a fairly sophisticated form of ransomware, which is apparently being used by criminals around the world). It infected one of our workstations (with the virus encrypting data on the workstation), and then traveled to the in-house server where data was also encrypted on shared folders (collectively, the ‘Computer’).” At the time the letter was sent, no ransom had been demanded, but the law firm offered its clients free credit monitoring and reported the incident to the FBI. The Department of Homeland Security discourages paying ransomware demands, since there is no guarantee that the criminals will decrypt the data.
Citigroup Cyber Intelligence Report
A recent internal report from Citigroup’s cyberintelligence center was referenced in a March 27, 2015, New York Times article, which notes a reluctance “to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry.”
As a result of this hesitancy to report cyberintrusions, there is no way to know whether such attacks are on the rise. Citigroup’s report seems to track how companies failed to report cyberintrusions for many years before laws required such reporting. Among other specifics in the Citigroup report are these examples of law firms that experienced cyberattacks in 2012:
Fried Frank was the victim of a so-called watering hole attack in 2012, in which hackers infected its website with malware, an intrusive program that can be transferred to visitors to the site.
Covington & Burling, a large firm based in Washington, was used in a phishing campaign that appears to have been orchestrated by a “China-based group” of hackers. The campaign, which typically involves sending fake but realistic-looking email, may have been an effort to learn more about the law firm’s prominent corporate clients, given its work for military contractors and energy companies, including its work on several solar energy projects at the time. However, there has been no confirmation from Fried Frank or Covington & Burling that their systems were breached.
ABA to the Rescue?
The ABA established a Cybersecurity Task Force, which published an “ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals.” Among other things, according to the ABA, the handbook “provides practical cyber threat information, guidance, and strategies to lawyers and law firms of all sizes. The guide considers the interrelationship between lawyer and client, establishing what legal responsibilities and professional obligations are owed to the client in the event of a cyberattack. The book provides strategies to help law firms defend against the cyber threat, and also offers information on how best to respond if breached.”
Publications like this ABA handbook are great resources, but lawyers first must appreciate the risks and learn how to communicate with IT staff, so they can reduce their vulnerability. If their law firms’ systems suffer cyberintrusions, they must follow the law, just like any other business.