All organizations can become victims of cybersecurity incidents. Per the National Institute of Standards and Technology, a cybersecurity incident is an event that jeopardizes the integrity, confidentiality, or availability of information, or violates an information system’s security policies. A cybersecurity incident results from the actions of hackers, ransomware attackers, and threat actors. Threat actors can be someone in a foreign country out of reach of U.S. authorities or someone within your organization or neighborhood. Such attacks are not a mere annoyance; they are a hazard that can cause serious harm.
The New Zealand cybersecurity software company Emsisoft reports that over the course of 2023, 180 schools and school districts, 46 hospital systems, and 95 government organizations in the United States were affected by ransomware attacks. However, this is only a fraction of the incidents because events are not always reported or disclosed. These attacks cause not only economic harm but also denial of critical services.
Law firms, of course, are not immune from this havoc. The American Bar Association (ABA) 2022 Cybersecurity Tech Report states that in 2021, 25% of law firms reported having previously suffered a data breach. Because they hold valuable, sensitive information and trust accounts containing clients’ money, law firms are attractive targets for hackers. In 2020, the New York law firm Grubman Shire Meiselas & Sacks was hit with a $21 million ransomware demand. The stolen information included 757 gigabytes of private documents and correspondence of famous clients, including Bruce Springsteen, Madonna, Elton John, and Lady Gaga. When the hackers then discovered files in the cache related to U.S. President Donald Trump, they increased their demand to $42 million.
Law firms that experience an attack face a Hobson’s choice: pay the money or risk having their clients’ sensitive information aired publicly. Furthermore, law firms that experience such data breaches may be responsible for violating privacy under state and federal statutes, such as the Health Insurance Portability and Accountability Act (HIPAA), and can be subject to fines, legal actions, damage to reputation, and ethics violations.
Cybersecurity compliance and breach response raise ethical issues that are rarely speedy, easy, and binary. Furthermore, the professional responsibility duties are more complex and more rapidly evolving than other areas of legal practice in that technology and the law intersect in ways that are diffuse and fluid. The implications for our relationships with our clients and our reputation in the legal community may be of a different scale and scope than what arises when contemplating more traditional ethical issues.
The ethical rules governing lawyers in the midst of a cybersecurity event are not new but require more contextualized attention. Attorneys can choose to be leaders for this new form of business risk or be luddites who make all of it worse for clients, their firm, and ultimately themselves. Several of the ABA Model Rules of Professional Conduct guide attorneys as they make that choice. For example:
Rule 1.1: A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.
Comment [8] to Rule 1.1: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, …
Rule 1.1 is explicit about the competence we need. In the context of cybersecurity events, this includes being technically competent by keeping abreast of the risks related to technology. Dealing with a cybersecurity situation may involve law enforcement, privacy law compliance, technology expertise, information technology (IT) procedural compliance, agreement adherence or negotiation, and corporate reporting obligations. No one person can be an expert in all such areas, especially because regimes such as trade control, HIPAA, Europe’s General Data Protection Regulation (GDPR), and U.S. Securities and Exchange Commission rules may implicate not only international and federal law but also state laws on various topics such as privacy.
Data privacy laws often give a state’s attorney general the authority to investigate violations of the law, both civilly and criminally. It is best to acknowledge the need for assistance, and it is appropriate to recognize the need to invite other professionals to help with the circumstances. See:
Rule 1.6(c): A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
In determining the reasonableness of a lawyer’s efforts, comment 18 to Rule 1.6 is clear that, as lawyers, we must consider the likelihood of disclosure of clients’ sensitive information. With the number of breaches that have occurred in law firms to date, the likelihood of disclosure is indisputably high.
ABA Formal Opinion 483 deals squarely with data breaches and cyber threats affecting lawyers and law firms and describes how a lawyer should keep abreast of technology: “Lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data,” especially client data. It is therefore appropriate to inquire what data the client considers sensitive. As the concept of data confidentiality broadens into data security, the set of data considered sensitive will grow. However, as attorneys, we know that certain client data must be of the highest priority to protect; for example, as ABA Rule 1.15 explains, IOLTA accounts and assets. Attorneys must always be good stewards and guardians of client monies. Breach of Rule 1.15 is one of the most common sources of disbarment.
There are many examples of lawyers failing to comply with these ethical rules. On August 1, 2023, the publication Above the Law published the article “Law Firm Data Breaches Surge in 2023.” The article lists Kirkland & Ellis, K&L Gates, Proskauer Rose, and others as law firms successfully targeted by ransomware attacks. Similarly, in April 2023, the ABA, the source of the model rules, was hacked. To keep from being the next headline, lawyers need to understand the challenges, risks, and impacts of cybersecurity events, the different ways that they occur, and how they play out. Here is what you need to know:
Email phishing remains one of the top starting points for breaches, information disclosure, and fraud. Phishing attempts against payroll departments to change the direct deposit information of employees are common. Phishing for credentials is a major cause of intellectual property loss at some of the largest, well-funded tech companies. Phishing is the starting point for many ransomware attacks, which are opportunistic and can monetize the access gained into the systems of organizations.
There is a common business desire to make work-related data and services accessible from individually owned and managed personal computers and devices to improve productivity, especially from home. But these devices are generally not secured sufficiently compared with the firm-provided business computers, and they can be common starting points for mailbox compromise.
Productivity workers prioritize user experience and efficiency and commonly approach permissions to data and resources from a productivity perspective—they want access to be fast and efficient. Unfortunately, this approach leads to the common problem of excessive permissions. A threat actor is anyone who is motivated to attack or compromise information systems. They can be insiders, e-crime syndicates, nation-state groups, or even the kid in your neighborhood.
Threat actors make it critical to reduce access where possible because they are heavily focused on becoming an “authorized user” to bypass most security protections. In these situations, the other part of the permissions equation is to limit the scope of damage if a threat actor does gain access. Employees, including lawyers and the normal users in a law firm, should not be logging into a computer as an administrator and running a browser, email, or other productivity software in an administrative context. Organizations must be purposeful when access is granted to data and services.
The use of passwords needs to go away long term, but multi-factor authentication can address some—though not all—of the risk associated with password use. Nonetheless, strong multi-factor authentication should be used everywhere it can be supported.
To deal with a ransomware attack, should it occur, law firms’ IT departments must maintain immutable backups. Disaster recovery planning is not sufficient for ransomware preparedness because it assumes IT services are healthy and can help facilitate transferring services to a safe location. But, in a ransomware attack, core services may be non-functional. It is impossible to perform a recovery from backup if it is inaccessible as a result of the ransomware attack. Testing a recovery from backup prior to such an attack is essential to getting back to business.
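The recovery test the paragraph calls for can be scripted. The following added example (not code from the article or its authors) builds a SHA-256 manifest of a constructed “live” document tree, restores a backup copy into a clean location, and checks every restored file against the manifest. It then simulates what happens when a writable, non-immutable backup is reached by ransomware (one file overwritten, one deleted) and shows that the same drill catches both. All paths and sample files are constructed inside a temporary directory so the example runs offline.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(root: Path, manifest: Dict[str, str]) -> List[str]:
    """Compare a restored tree with a trusted manifest; return a list of problems."""
    present = build_manifest(root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif present[rel] != digest:
            problems.append(f"altered: {rel}")
    for rel in present:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def restore(backup: Path, target: Path) -> None:
    """Restore into a fresh, empty location rather than over the live tree."""
    shutil.copytree(backup, target)


def restore_drill() -> Dict[str, List[str]]:
    """Run the drill twice: once against an intact backup, once after simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed sample "live" data standing in for a firm's documents.
        live = tmp / "live"
        (live / "matters").mkdir(parents=True)
        (live / "matters" / "engagement.txt").write_text("constructed sample: engagement letter\n")
        (live / "trust_ledger.csv").write_text("date,client,amount\n2024-01-02,Client A,1000.00\n")

        # The manifest is recorded at backup time and must be kept apart from the
        # backup (offline or on write-once storage) so an attacker cannot rewrite both.
        manifest = build_manifest(live)
        backup = tmp / "backup"
        shutil.copytree(live, backup)

        # Drill 1: intact backup restores cleanly.
        clean_problems = verify_tree(restore_into(backup, tmp / "restore1"), manifest)

        # Simulate ransomware reaching a writable backup: encrypt one file, delete another.
        (backup / "trust_ledger.csv").write_bytes(b"\x00\xffconstructed-ciphertext")
        (backup / "matters" / "engagement.txt").unlink()

        # Drill 2: the same check now reports exactly what cannot be trusted.
        tampered_problems = verify_tree(restore_into(backup, tmp / "restore2"), manifest)

        return {"clean": clean_problems, "tampered": tampered_problems}


def restore_into(backup: Path, target: Path) -> Path:
    restore(backup, target)
    return target


if __name__ == "__main__":
    results = restore_drill()
    print("intact backup:", results["clean"] or "restore verified")
    print("tampered backup:", results["tampered"])
```

Two design points carry over to real backups: the manifest (or the backup itself) must live somewhere the production credentials cannot modify, which is what “immutable” means in practice, and the restore must go into a clean environment, because a restore into the compromised one inherits whatever the attacker left behind.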
Communicating at the moment of a breach is also critical. This assumes that in advance of a breach or ransomware attack, people have been identified who will be activated to respond. Make sure there is an out-of-band communication method from which such contacts can receive notice and information, and test the out-of-band communication system with the plan contacts quarterly.
Engage with a cyber insurance provider and obtain insurance coverage. Cyber insurance providers can help assess a firm’s security posture and help make recommendations that will provide significant risk reduction. After all, the insurance provider is incentivized to help as a way to reduce the claims that need to be paid out.
Finally, assume a cyber breach will occur and plan for a response. It’s not a matter of IF—it’s the reality of WHEN. Preparedness can include holding tabletop exercises that put responsible contact persons in a firm through the paces of a mock breach. A tabletop failure is a success because it allows for lessons learned and improvement. Lawyers being prepared for a data breach, just like they prepare for trial or a difficult negotiation, will invariably result in meeting the ABA Model Rules of Professional Conduct in the context of a cybersecurity attack.
Rachel E. Greene, Esquire, is the owner of Greene IP PLLC where she helps clients develop and execute intellectual property strategy to align with their business goals. She is a member of the Hon. Nancy F. Atlas Intellectual Property American Inn of Court in Houston, Texas.
Joel Bruesch is the AVP/Deputy CISO-Cybersecurity at BMC Software, Inc. in Houston, Texas.
Irene Kosturakis, Esquire, is the area vice president and chief intellectual property counsel at BMC Software, Inc. in Houston, Texas. She is the immediate past president of the Honorable Nancy F. Atlas Intellectual Property American Inn of Court.
The views expressed in this article are those of the authors and do not necessarily reflect the views of their respective organizations.