Law firms and law departments have a fiduciary duty to protect client data. However, their mission to maintain the confidentiality of this sensitive information is challenged every day by emerging cyber threats. Law firms are an attractive target for cyber criminals because their client data is a treasure trove for personal healthcare information, financial information, business information (like mergers and acquisitions), patent and trade secrets, litigation plans, and all confidential information between clients and attorneys.
Of course, not all data leaks are a result of a malicious attack. It can come from human error and unintentional disclosures.
Here’s an excerpt from the white paper, “Threats to Client Confidentiality In A Digital Legal World,” covering specific case law involving unintentional disclosures.
Many may not realize it, but an attack is not the only threat to a law firm’s data security. Unintentionally disclosing data may not seem as blameworthy as a hacker infiltrating a network to steal data, but it can have just as damaging ramifications.
Two cases that dealt with unintentional disclosures and their resulting effects illustrate this. Victor Stanley, Inc. v. Creative Pipe, Inc. involved a poorly executed response to a discovery request. The defendant’s attorney conducted a search of the client’s electronic documents and the documents the attorney turned over included privileged information. Because of the questionable way the defense handled the discovery request search and how they dealt with the problems of the disclosure, the court determined the balancing test it employed weighed against the defense. The inadvertently disclosed documents were no longer privileged. The defense’s technical failures exposed their clients privileged information to their adversaries.
The other case, Kyko Global, Inc. v. Prithvi Info. Solutions, involved a botched destruction of data. The defense counsel reformatted a computer hard drive and installed a new operating system in an attempt to delete any existing data. The plaintiff then obtained this hard drive and was able to recover privileged information from it.
Unlike the court in Victor Stanley, this court found the intention to destroy the data in this case was sufficient to maintain the information’s privileged status. The court’s decision saved the defense counsel from their failure to properly safeguard their client’s confidential information. Law firms can also get in trouble with the ease with which information can be disseminated through technology.
While missed redactions and inadvertent disclosures happen from time to time in the discovery process, technology can exacerbate the problem. A survey conducted by Consilio showed “inadvertent disclosure” of confidential information as the biggest fear of employing cloud-based applications among nearly 150 legal technology professionals.
In the complex Apple v. Samsung patent litigation, a problem emerged when a junior associate at the law firm representing Samsung failed to redact sensitive information in a document, and then placed it on a server accessible to some Samsung employees. The document was swiftly taken down, but in the two days it was accessible, many unauthorized Samsung personnel accessed and retained copies of the document.
The real issue arose when the firm – once alerted to the problem – did not reach out to Apple or Nokia to properly rectify the situation. The court ordered Samsung’s firm to pay the costs of the motion and associated discovery fees as sanctions against the firm.
These sanctions were imposed in lieu of Apple and Nokia’s proposed sanctions of banning the firm from representing their opponents for ten years, among other suggestions. Law firms need to have procedures in place to prevent inadvertent disclosures, as well as policies and well-tested incident response plans to promptly resolve any disclosures that occur.
Download the complete white paper now to learn more about this important and timely topic.
You can also download our white paper, “Cyber Due Diligence,” to learn about the steps your firm can take to reduce your cyber security risks.