Cybersecurity no longer just advisable practice, but an essential one
DANIEL A. COTTER
Law Bulletin columnist
Published: January 23, 2017
Law firms are rich targets for cybersecurity breaches and attacks from hackers. In April 2016, Chicago-based law firm Edelson P.C. filed a putative class-action lawsuit against Johnson & Bell Ltd. alleging the firm implemented inadequate information security measures.
In late November, reports emerged identifying a large number of law firm e-mails found on the dark web. Earlier this year, Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP were reported to have been breached by Chinese hackers.
This column addresses some of the considerations law firms should make and steps they should take to assess their vulnerabilities and address them.
The complaint filed by Edelson alleges the existence of a “number of significant data security vulnerabilities” that would permit hackers to gain access to Johnson & Bell’s clients’ data, although it does not allege the existence of any actual data breach.
In particular, Edelson alleges Johnson & Bell had vulnerabilities in its e-mail system, time-entry system and virtual private network. According to the Dec. 13 report in InsideCounsel, Edelson managing partner Jay Edelson claimed it was “the first class-action against a law firm alleging inadequate data security measures,” but he made it clear that this suit will not be the last.
Johnson & Bell filed a motion to dismiss in which it stated all of the alleged vulnerabilities identified in the complaint had been addressed. The motion further stated that the complaint should be dismissed because it failed to identify an actual justiciable controversy since it did “not allege that confidential information was ever compromised.” The matter is now in arbitration.
The dark web and law firm e-mails
A Nov. 30 report from InsideCounsel analyzed the potential exposure that lawyers and other employees at law firms create every time they use their law firm e-mails to sign up for activities such as fantasy football leagues or services such as Dropbox.
Those e-mails are used by hackers to attempt to penetrate the law firm’s systems through phishing attacks and other methods. The article raises the question of whether law firms’ policies on data security and privacy adequately address the risks of these behaviors.
Protorion Systems used its software to search the dark web for law firms’ e-mail addresses. As of Oct. 27 of last year, for the top 10 law firms by number of compromises, it found more than 27,000 hits in which a law firm e-mail address and password were located on the dark web.
The firm with the largest number of compromises, more than 5,000, was DLA Piper. These results do not reflect actual breaches and may be overstated because they include data relating to individuals no longer employed at those firms, but they nonetheless demonstrate the vulnerabilities in the law firms’ systems and their policies and procedures.
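To make the overstatement point concrete, the following is an added example (not code from the column or from Protorion Systems) that triages constructed scan hits against a constructed staff roster: hits on current staff call for a password reset and multi-factor authentication, while hits on departed staff only call for confirming the account is disabled. All addresses, dump names and the domain are assumptions.

```python
"""Triage dark-web credential-exposure hits against a firm's current user
directory. Sample data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    email: str
    source: str        # name of the dump the hit came from (constructed)
    has_password: bool # whether a password accompanied the address


# Constructed sample of what a dark-web scan might return for one domain.
SCAN_HITS = [
    Exposure("a.smith@examplefirm.test", "fantasy-league-dump", True),
    Exposure("a.smith@examplefirm.test", "file-share-dump", True),
    Exposure("b.jones@examplefirm.test", "forum-dump", False),
    Exposure("c.lee@examplefirm.test", "file-share-dump", True),
    Exposure("c.lee@otherdomain.test", "file-share-dump", True),  # not our domain
]
# Constructed HR roster of staff currently employed at the firm.
ACTIVE_USERS = {"a.smith@examplefirm.test", "b.jones@examplefirm.test"}


def triage(hits, active_users, domain):
    """Keep hits on our domain and group them by address, split into
    current staff (reset password, enforce MFA) and departed staff
    (verify the account is disabled). Returns (active, departed) dicts."""
    active, departed = {}, {}
    for hit in hits:
        addr = hit.email.lower()
        if not addr.endswith("@" + domain):
            continue
        bucket = active if addr in active_users else departed
        bucket.setdefault(addr, []).append(hit)
    return active, departed


def summary(hits, active_users, domain):
    """Raw hit count (what a scan report advertises) next to the de-duplicated
    counts that actually drive remediation work."""
    active, departed = triage(hits, active_users, domain)
    raw = sum(1 for h in hits if h.email.lower().endswith("@" + domain))
    urgent = sorted(a for a, hs in active.items() if any(h.has_password for h in hs))
    return {
        "raw_hits": raw,
        "unique_active": len(active),
        "unique_departed": len(departed),
        "active_with_password": urgent,
    }
```

Running `summary(SCAN_HITS, ACTIVE_USERS, "examplefirm.test")` on the sample shows four raw hits collapsing to two current accounts (one with a leaked password) and one departed account.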
Last March, the Wall Street Journal reported on a number of New York law firms, including Cravath and Weil Gotshal, that had been hacked. It was later reported China was behind the attacks. One possible motive behind the breaches was to obtain insider information on pending deals that the law firms were handling. The March report stated:
“Law firms are attractive targets because they hold trade secrets and other sensitive information about corporate clients, including details about undisclosed mergers and acquisitions that could be stolen for insider trading.”
In late December, the Justice Department announced the unsealing of an indictment against three individuals in Macau for trading on insider information gathered from the earlier breaches of the Wall Street law firms.
As noted in previous columns, lawyers have obligations under the Rules of Professional Conduct to take steps to guard against inadvertent or unauthorized disclosure, with Rule 1.6(e) providing:
“(e) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Comment 18 to the same rule now provides in pertinent part (the changes made to the comment in 2015 are underlined):
“[186] Paragraph (e) requires a lawyer must to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3.
“The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of [P]aragraph (e) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
“A client may require the lawyer to implement special security measures not required by this [r]ule or may give informed consent to forgo security measures that would otherwise be required by this [r]ule. Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these [r]ules.”
What is reasonable will depend on the facts and circumstances of a particular lawyer or law firm, including the types of information collected and the cost of employing such additional safeguards.
Nonetheless, every law firm should take affirmative steps to address its privacy and security policies and procedures. Some of these steps include:
Reviewing IT infrastructure and systems
How old is the firewall (and its virtual private network), e-mail exchange server and time entry systems you are using?
Who within the firm and outside it has access to those systems?
Have you updated those systems to include the latest versions and installed any vendor patches that have been delivered?
What version of exchange server are you using?
How are you monitoring those systems?
Are you using a hosted or internal system monitoring procedure (such as SolarWinds)?
Are you working with a third party to do security event and incident management for your firewall and other outward facing devices?
Reviewing your firm’s privacy and data security policies and procedures
Do you have a formal password protocol?
How often must lawyers and employees change system passwords?
Have you considered multi-factor authentication?
Do you do periodic internal and external penetration testing?
Lawyers should understand the technologies they use and the risks presented by practices such as cloud computing, credit card acceptance and Payment Card Industry compliance, and “bring your own device” policies.
A lawyer must also comply with other rules of professional conduct in connection with client sensitive or confidential information. For example, an attorney has an obligation to supervise third-party vendors providing technology services.
In addition, a lawyer has an obligation to warn clients about the risk of using electronic communications where there is a significant risk that a third party may gain access.
As technology changes, lawyers’ obligations to protect client information continue to evolve.
Lawyers must review their firm’s policies, procedures and practices and stay abreast of evolving technology to ensure that they are making reasonable efforts in their information security practices.
Illinois’ and other states’ rules of professional conduct impose affirmative duties on lawyers to do so.
Daniel A. Cotter is a partner at Butler Rubin Saltarelli & Boyd LLP and an adjunct professor at The John Marshall Law School, where he teaches SCOTUS Judicial Biographies. The article contains his opinions and is not to be attributed to anyone else. He can be reached at dcotter@butlerrubin.com.