It’s not every day that a brand new lawyer is asked to purchase $200 worth of Amazon gift cards as “client gifts” using the firm’s expense account. But the associate dutifully made the purchase, sending the card numbers to the return email address, which soon vanished forever, along with the firm’s money. Though it was only a $200 scam, it amounted to an easy score for a sly hacker, an embarrassing day for the duped associate and a potentially dangerous data breach for a large, reputable law firm.
Kyla Rowe, a former associate at that firm who now works for CEB, witnessed this garden-variety blunder. “I remember thinking, who would fall for this?” she said. Rowe saw the same email that day and reported it to IT right away; she would have expected that kind of mistake from an old-school judge, someone more prone to slip up in today’s hi-tech world, not from a fellow associate.
Most hackers don’t have a particular target in mind when they go after a law firm, yet these data breaches tend to find just the right weak spot: a professional who keeps their guard up in court but lowers it every time they open their computer. “[Hackers are] just playing a numbers game and it’s just a matter of time before someone slips up,” Rowe said.
Often it feels like the law and technology move at frighteningly different speeds. Most lawyers rely on decades-old, rock-solid case law to do their jobs. Tech, on the other hand, moves perpetually forward at the speed of light, and so does the ingenuity of hackers. Although technology provides lawyers with more efficient ways to store, transmit, process, and use documents and other data, it can also leave valuable financial data, confidential client information, and other sensitive materials vulnerable if lawyers and their firms aren’t properly trained and prepared to implement a plan for data encryption.
“I don’t know exactly what the norm is, but my sense is that it is only a minority of lawyers and firms that we really know to do like a directive advising on cybersecurity best practices,” said Stephanie Walker, a lawyer and Product Strategy Manager at CEB with a background in commercial, business and intellectual property litigation. “I would be surprised if a lot of people were doing it well.”
Hooked to a Higher Standard
Lawyers don’t have the luxury of making an innocent “oops” when it comes to clients’ personal or legal information. They are obligated to protect their clients’ data, and law firms have to pay closer attention to confidentiality than the average business. Even in California, which passed the California Consumer Privacy Act in 2020 — which gives consumers more control over the personal information that businesses collect about them — lawyers are putting far more on the line when they screw up and expose themselves or their clients to harmful hacking.
“It becomes an actual ethical violation if you don’t understand the risks and the benefits of the tools that you’re using, which is kind of a different question than just a business protecting my client’s data,” Walker said.
From the ethics perspective, four rules generally govern the lawyer’s obligation to secure client data: the American Bar Association’s Model Rule 1.1, which requires a lawyer to provide competent representation; Rule 1.4, which involves a lawyer’s open communication with a client; Rule 1.6, which covers attorney-client confidentiality; and rules 5.1 through 5.3, which deal with an attorney’s associations with lawyers and nonlawyers.
If California attorneys fail to protect their clients’ data, they have violated their duties of confidentiality and competence. Although California has not adopted a duty of tech competence in its rules of professional conduct, State Bar Formal Opinion No. 2015-193 requires attorneys involved in litigation matters to be competent in e-discovery, or at least to consult professional consultants or counsel who have that competence, so that their protections are kept up to date.
ABA Formal Opinion 477R recommends that lawyers understand how their firm’s electronic communications are created, where client data resides, and what avenues exist to access that information. Case by case, legal professionals are expected to “constantly analyze how they communicate electronically about client matters.”
“It all comes down to a standard of being reasonable,” said Sharon Needles, a cybersecurity attorney and co-host of the Digital Detectives podcast. “What is reasonable for law firms will depend in part on such things as their size and the sensitivity of the data they hold. But even a solo practitioner…may be held to a higher standard in spite of size. And no matter what the size of your firm, you are going to be held to a very high standard.”
Why Big Firms Take the Bait
Findings from a 2020 ABA Cybersecurity Tech Report show that 26% of law firms nationwide experienced a form of data breach last year. Law firms are prime targets for hackers and criminals for a variety of reasons, including valuable trade secrets, intellectual property, merger and acquisition details, personally identifiable information (PII), and confidential attorney-client-privileged data.
The consequences of data breaches often range from minor embarrassments to serious legal issues, including compromised communications due to phished or compromised email accounts or inability to access firm information due to ransomware (i.e., where hackers encrypt files and demand money to restore access). Public leaks of personal or business information are also a possible threat that can lead to loss of client confidence and malpractice lawsuits.
“We also have a duty of confidentiality towards our clients, and if someone had been able to uncover my browser history during a particularly fraught lawsuit or one where there were confidential issues, I wouldn’t want [hackers] to see my browser history,” Walker said. “Because they could probably piece together based on my research trail what some of the strategies were thinking about the case, or see what were the issues that I cared more or less about.”
The number of respondents in the ABA study who reported that they do not know whether their firm has ever experienced a security breach is 21%, up from 19% reported in 2019.
The larger the firm, the greater the percentage of respondents who were unaware of whether their firm had ever experienced a breach (1% of solo respondents; 9% at firms of 2-9 attorneys; 28% at firms of 10-49 attorneys; 62% at firms of 100+ attorneys).
“The 2020 Survey largely reflects incremental progress in areas fundamental to adequate security, in an age which cries out for a much more robust response by the profession to the challenges at hand,” the ABA concluded in the study. “The balance of the year is an excellent opportunity for firms to anticipate the questions that will be asked in the 2021 Survey next March and take appropriate action now.”
Though lawyers could be considered easy targets for a data breach, it’s not necessarily because of lack of effort or care on their part in matters related to clients or their bosses. On the contrary, it could be that they care too much.
“I don’t know if the word like sloppy is correct, because I don’t think it’s necessarily like sloppiness, but there is this kind of pressure to respond really quickly to clients over email,” said Rowe, who admits she experienced a lot of pressure at her old firm to respond quickly to clients and other attorneys as a standard of good service.
“Multiple different meetings were dedicated to what is client service, and a lot of the message was that really quick email back so that the client knows that they are high on your priority list,” Rowe said. That compulsion to show you’re providing top-notch client service can mean sacrificing the extra moment of scrutiny that screening your inbox deserves.
How to Tackle Solutions
Of course, there are a multitude of ways a hacker can steal information from an attorney. Many law firms use a variety of cloud services to draft or store documents, record or process their bills, or conduct other professional activities, and every one of those is an area that can be breached. Even if your firm does not store any data in the cloud, what do you do if a desktop or laptop computer gets hacked or stolen?
One of the primary ways to shield information is through encryption. Encryption converts readable text, documents, or other data into unreadable, scrambled code that can only be turned back into its original form by someone who holds the key. Equally important is knowing which types of encryption you or your firm use. Encryption in transit is most frequently seen with websites (make sure the web pages you visit begin with “HTTPS,” not “HTTP,” which means the connection to the page is encrypted). Encryption of data at rest protects files stored on hard drives, thumb drives, laptops, and mobile devices.
There is also file-level encryption, which is even more secure because it allows each file on your computer, phone, or in cloud storage to be separately encrypted. The top level of cybersecurity so far is application layer encryption, where data is encrypted at all times, both at rest and in transit. This is often used for online billing or practice management systems, where all data is encrypted both when it is stored and when it is being used.
Once lawyers have learned how to stay current on cybersecurity, one of the most important things they can do is train their clients, who often don’t know whether their own actions are secure. From their initial conversation with a client, lawyers should coach them on which methods of communication are safe to use when discussing legal matters. A client should always know who to expect contact from about their case and what methods they will use. Encrypted communication apps like Signal are a good way to send text or voice communications and are free to set up. Meanwhile, web browsers like Brave or DuckDuckGo are designed specifically not to track or hold onto your search history, unlike Google Chrome or Firefox (which also don’t block third parties from tracking you).
Clients should be told what steps they are expected to take to help preserve confidentiality — especially during the pandemic, when most people, including attorneys, have been working from home. And if the work-from-home wave has taught us anything, it’s that lawyers shouldn’t trust Zoom as a secure way to teleconference with a client.
Whatever methods you’re using, whether you’re a solo practitioner or an attorney at a big law firm, being proactive to avoid a data breach is an ethical responsibility that can’t simply wait for something bad to happen — you should count on it happening. Thinking ahead about protection plans allows lawyers to catch up to the speed of tech so that it continues to be a friend instead of a foe.
“Simply from the angle of gaining competence and also just good business practices, how prepared you are determines whether you are a good partner for your client, or not,” Walker said. “And if you want to be seen as someone who’s providing a valuable service, isn’t that an angle that you’re kind of obligated to worry about?”