As a profession, we must assess and prepare ourselves for the risks of a technologically connected world in order to continue in the tradition of serving our clients and keeping their confidences. We must be proactive not reactive. We must identify cybersecurity issues even before they arise and take steps to protect our clients, as we would in virtually any other area of rendering legal services.
Perhaps no principle of law is more sacrosanct and recognized than the attorney-client privilege. Cited by legal scholars and non-lawyers alike, the privilege fosters the free and open exchange of information between lawyer and client without fear of the repercussions of disclosure. Even more broadly, an attorney's duty to maintain a client's confidences further promotes trust in our profession. Cyberattacks on lawyers jeopardize our ability to preserve privileges and client confidences — valuable protections that we as lawyers provide to all of our clients. Inadvertent disclosures through a lack of diligence in protecting electronic communications are no less troubling.
Often, cybersecurity breaches against law firms are perpetuated by those seeking our clients' corporate secrets, such as plans for mergers and acquisitions. Instead of attempting to hack into a bank or other large corporation directly, the criminals target the law firms known to be representing those institutions. Two New York-based law firms, Cravath, Swaine & Moore and Weil, Gotshal & Manges, both representing Fortune 500 companies and financial institutions, were reported to have been victims of cyberattacks in 2016.
In March 2016, the FBI's Cyber Division issued an alert (No. 160304-001) warning that a criminal actor posted an advertisement to hire a technically proficient hacker for the purposes of gaining sustained access to the networks of multiple international law firms, presumably for insider trading. The criminals not only have their eyes set on attacking law firms; they are also brazenly posting want ads! As a profession we had best pay attention.
Access to a corporate client's secrets for possible financial gain is not the only motive for an attack on a law firm. You may recall the Panama Papers incident, a cyberbreach involving a law firm in Panama that represented wealthy individuals, politicians and public figures. Reportedly, 11.5 million documents, spanning decades of legal work, were accessed and released, detailing how wealthy clients utilized offshore banking to avoid paying taxes. The motive for the attack was not financial gain but embarrassment and exposure of clients' secrets.
Solo practitioners and smaller firms should not be lulled into the false thinking that they and their clients are immune to risks. Our entire profession in all areas must be on guard, including megafirms, smaller boutique firms and, yes, solo practitioners. We all have valuable and sensitive information that, if revealed, could harm our clients.
Consider the dire consequences if, in a high-profile criminal case, the lawyer's electronic communications with his or her client, his or her notes regarding the investigation of witnesses or his or her communications with co-counsel were accessed and posted on the internet prior to trial?
Would salacious information obtained by a divorce lawyer potentially be valuable to the opposing spouse in a contentious divorce proceeding or, alternatively, of interest to WikiLeaks? Contemplate the context of the labor lawyer providing advice to a union during an organizing campaign whose recruiting, training and entire organizing strategy is hacked and revealed to the target company. Does the sexually harassed employee who consults in private with a lawyer to explore his or her options deserve the lawyer's best efforts to protect confidences? No one can seriously dispute that all clients, both corporations and individuals, deserve our protection.
Cybersecurity incidents and breaches initiated by criminals are not the only cause of concern. Whether our electronic data is maliciously accessed by criminals, retained and disclosed by disgruntled former employees or inadvertently leaked through lack of staff training and flaws in or the absence of cybersecurity measures, any of these scenarios could be devastating to our clients, either financially, to their reputations or both.
Real-life examples of potentially preventable security lapses include:
- Careless use of the "reply all" function in Outlook, causing third parties or, worse yet, adverse counsel, to be copied on a communication that was intended to be privileged.
- Negligent use of the auto-complete email-address function by which confidential information is sent to an unintended recipient.
- Loss of a smartphone, tablet, flash drive or laptop containing confidential information.
- Inadvertent disclosure to a family member who, unbeknownst to the lawyer, shared or had access to an email, voicemail or text message.
- Lack of staff training on the danger of malicious links in emails, causing spyware to be imbedded into the law firm's software.
The internet is full of examples of security lapses. Not all incidents will be prevented. Regardless, as lawyers, we need to lead the way, not shy away from the challenges that technology poses.
Unfortunately, too often when we discuss the risks of technology, some lawyers feel they and their clients are best protected by not using technology at all, thus avoiding the risks. This is not ethical, practical or necessarily in the best interests of the clients we are committed to serve. Rule 1.1 of the Pennsylvania Rules of Professional Conduct requires a lawyer to provide competent representation. Comment [8] to that rule clarifies that the lawyer's duty to keep abreast of changes in the law and its practice includes the "benefits and risks associated with relevant technology." From a practical perspective, with many courts requiring or at least allowing e-filing, the lawyer resistant to technology will hamper his or her ability to serve clients. The lawyer without a working knowledge of technology or at least a desire to learn and get assistance will be unable to comply with even minimal requirements of e-discovery, including document-preservation requirements. Resistance to technology is not a solution.
Rather, we must adapt to the needs of the clients we serve, without imposing our own technological limitations on our clients. If our profession wishes to stay vital and of consequence to our clientele and in general, we must embrace technology while being savvy enough to protect against the risks reasonably.
There are steps all vigilant lawyers can and should take now to guard against a cybersecurity incident.
Develop a Security Culture
Cultivate a security culture in your practice and throughout your office. Educate yourself about technology so that you can better understand the risks and can become reasonably conversant in this area. For example, do you know the difference between a cyberincident and a cyberbreach? The distinction makes a significant difference to your responsibilities to clients. This is not something to be researched for the first time in the midst of a cyberbreach.
Accordingly, attend a continuing education or other class offered on technology or cybersecurity. Subscribe to a newsletter. Download a podcast offered by the Legal Talk Network or other trusted provider and listen while driving to work.
Given that many breaches occur through staff members who are heavy technology users, don't forget to include your staff in the education and training process. Conversely, if you are lucky enough to have an associate or staff member with a greater expertise or enthusiasm for technology than you, lean on and learn from that person.
Identify Security Risks
Next, identify the risks to your particular practice. What data do you maintain in electronic format? Do you maintain good computer habits, such as using firewalls and keeping anti-virus software up-to-date? Do you have policies and procedures in place to protect your mobile devices that contain privileged information? Do you use strong passwords and change them frequently? Do you encrypt electronic communications containing privileged or sensitive information? Have you identified a forensic IT professional or cybercounsel to provide assistance in the event of an incident or breach? Consider conducting an audit of your firm's system to identify your risks and ways to improve security.
Prepare an Incident-Response Plan
Prepare a written incident-response plan (IRP) appropriate to your firm's unique practice and risks. An IRP is like an evacuation plan for a cybersecurity incident. An IRP outlines your response to a data-security incident step-by-step. An IRP gives you some peace of mind that you are minimizing your own risk of harm, protecting your clients from exposure and complying with applicable laws.
Sample IRPs and advice on their components are widely available. For example, the Federal Trade Commission provides free data-breach-response guides on its website (www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-quide-business), including tips and sample client notification letters in the event of a breach. Many insurance carriers that offer cyberinsurance will also provide assistance to you in drafting or updating such a plan. As another free resource, the PBA's Professional Liability Committee is leading the discussion of cybersecurity and IRP planning in its Avoiding Legal Malpractice Seminars, held throughout Pennsylvania. An IRP that you understand and that is tailored to your firm's unique practices and risks is best.
Discuss Cybersecurity with Your Clients
Finally, talk to your clients, both individuals and corporations, about your and their use of technology. Addressing the use of technology in engagement letters is a good start, but the discussion should not end there. We must do more to ensure that our clients are protected in a way that is appropriate to the level of risk. Discussing potentially sensitive data and agreeing upon a means to protect it will likely be welcomed by and comforting to the clients.
As a profession, we need to prepare now, proactively, to guard against cyberthreats, both devious and inadvertent, that could erode trust and confidence in our services, including guarding the confidentiality of communications and information that are so vital to the services we provide. We can do this — we're lawyers!