“ALERT: ‘Criminal-Seeking-Hacker’ Requests Network Breach for Insider Trading Operation” – read the title of a recent FBI alert sent to law firms. The mastermind at the root of this notice allegedly sought a hacker on an online forum to help him break into several large law firms. The attacker’s intent, apparently, was to gain access to privileged information and then utilize it in an insider trading scheme.
This is just one example of the rapidly increasing number of cyber attacks on law firms, which are often ill prepared to defend themselves against malicious hackers and data breaches.
Most people have by now seen the many news reports of recent high-profile cyber attacks, including those at organizations such as JP Morgan, Target, Home Depot, Sony, and the Office of Personnel Management (OPM). Unfortunately, this intense media coverage often lulls smaller and lower-profile organizations into thinking they are not a target. That isn’t the case though, especially for law firms. An estimated 80 major law firms were hacked in 2011, and according to the 2015 American Bar Association Legal Technology Survey Report, 25 percent of firms with 100 attorneys or more fell victim to an attack in the preceding year. Firms filing international claims must be particularly cautious, given the attack on the Gipson, Hoffman & Pancione firm. That firm filed a claim alleging the Chinese government was stealing software from the firm’s client, and subsequently the firm fended off an attack that originated from Chinese servers.
Law firms do not even need to be specific targets to feel the effects of a breach. Oftentimes, a “breach” can occur through inadvertence or accident. Take, for instance, the accidental disclosure of sensitive information in the recent Apple v. Samsung litigation, the failed hard-drive wipe in Kyko Global, the botched discovery response in Victor Stanley, or the ever-present risk of the “lost laptop” problem. All of these examples demonstrate that it is not only the malicious hacker from whom law firms need to protect their sensitive data. The FBI’s recent alert and countless other media reports of cyber attacks on law firms underscore the importance of cybersecurity.
Since Delta Risk is focused on protecting corporate clients, like law firms, from malicious attacks and ensuring their data security, our VP of Commercial Services, Joseph Abrenio, was invited to speak at the International Legal Technology Association’s LegalSEC (Legal Security) summit in June. Abrenio will be presenting as part of the Red Team Desktop Exercise–Live session.
As Abrenio puts it, “Confidentiality is the bedrock of the lawyer-client relationship. If that trust is broken [through a theft of electronic information], those clients as well as others may never be able to trust that law firm again.” Abrenio joined Delta Risk as general counsel after serving as the head of LeClairRyan’s Data Privacy and Security practice, and he utilizes his expertise in security and privacy to advise clients on their cyber management needs. His presentation at LegalSEC will highlight the types of threats law firms face and also methods to prevent and resolve those issues.
In preparation for the conference, and because of the rapid growth of cyber risks to law firms, Abrenio and his associate, Nicholas Dwyer, have published a new white paper on this topic. Dwyer is a second-year law student from Syracuse University College of Law, and is an up-and-coming cyber and legal expert externing at Delta Risk, providing research and writing support.
The white paper covers several cyber-related areas relevant to law firms. It starts by canvassing several recent data security incidents pertinent to the legal field. The paper then discusses various legal and ethical responsibilities of lawyers. Both inadvertent disclosures and malicious cyber attacks raise issues of legal liability and ethical obligations for lawyers and their firms. Generally, a law firm is held to a reasonable standard of care; that is, the firm must take reasonable steps to protect confidential client information.
Several cases have explored what precautions are required and appropriate. Individual lawyers have a similar responsibility regarding their ethical obligations. Recently, the ABA updated several of the Model Rules of Professional Conduct to reflect the change to a more digital legal marketplace. Many states have adopted the new cyber-related rules, and now require lawyers to take particular steps regarding client information. Finally, the white paper includes several suggestions for firms to implement to improve their security. You can download the complete white paper here.
In addition to security and regulatory compliance consulting, Delta Risk offers a variety of services to give you the peace of mind that your sensitive and confidential information is protected. Delta Risk’s Managed Security Services include network monitoring and alerts for material, relevant threats. If your law firm or company is facing cybersecurity challenges, please contact us for help.