Law Firms’ Data Duty: Protecting Client Information From Cybercriminals

July 11, 2017

The impact from the recent Petya/NotPetya ransomware attack — or what was reported as a ransomware attack but now appears to be something even more damaging — continues to spread around the globe, with several new companies coming forward as victims, including a prominent law firm.

This attack acts as an unfortunate reminder that the Internet of Things, along with our dependence on technology, has created a host of new legal and ethical challenges for attorneys. Chief among them is the duty owed to clients to keep their information secure.

Put simply, cyberattacks against law firms are a rapidly growing problem that we must collectively work to manage. And we need to do a better job of it. The 2016 ABA TECHREPORT indicated that, overall:

  • 21 percent of law firms reported having no data security policy;
  • Under 20 percent reported having an incident response plan;
  • 37 percent of firms reported downtime or loss of billable hours after a breach;
  • Only 17 percent of attorneys reported they have cyber coverage; and
  • Only 18 percent of law firms reported they have had a full security assessment.

The Threat

Cyberattacks against law firms have only just begun. The cybercriminals executing these attacks understand that law firms are the white whale of cyber victims. Client information is highly confidential and highly lucrative to cybercriminals. The financial and personally identifiable information that an individual company keeps for business operations is nothing compared to the treasure trove of sensitive data law firms maintain on behalf of their hundreds, or even thousands, of clients. Further, law firms possess data that, if stolen, would provide cybercriminals the information necessary to engage in a variety of nefarious activities, such as insider trading, intellectual property theft and corporate espionage.

Law firms are vulnerable to attack in several ways — via mobile devices, home networks, spear phishing, business email compromise and failure to install security patches, to name a few. Vigilant, layered defense against these vulnerabilities must remain a priority.

In addition to securing the network, a host of legal and regulatory challenges continue to evolve and demand constant analysis. Aside from the more well-known regulations — the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the EU’s General Data Protection Regulation, and the Telephone Consumer Protection Act — federal and state agencies regularly promulgate and enforce new standards that must be met. This legal regime is further complicated by emerging American Bar Association and state ethical obligations.

Despite continued best efforts to safeguard client information, law firms remain at risk of attack by hackers and those who find opportunity in law firms’ cybersecurity failings. The industry recently found itself targeted by plaintiffs’ attorneys who exploit data breaches by claiming law firms failed to take reasonable steps to maintain data security. Thus, in addition to the cyberthreat itself, the looming threat of class action lawsuits must be considered as law firms develop and implement data security practices.

Our Response

As with every incident, the McGuireWoods data privacy and security team monitors the Petya/NotPetya attack as it develops and we stand ready to assist anyone affected. We provide solutions across industries — including solutions for law firms and colleagues in the legal profession.

In our experience, few businesses maintain an incident response plan that adequately addresses the decision points and considerations presented by distributed ransomware or other advanced threats, or have policies and procedures in place to ensure legal, regulatory and ethical compliance. We can help.

We have publicly offered some preventative measures that firms can take immediately. But we can also provide insight into our internal data privacy and security practices and how we use those practices to protect our clients’ most sensitive information (e.g., enforcing encryption for data at rest and in transit, performing regular security awareness training, using data loss protection functionality, conducting security audits, and aligning our information security plan with the firm’s strategic plan).

Our clients trust us with their most valuable information. They deserve the highest level of data security protection. No law firm is immune to the sophisticated threats today’s cybercriminals develop and propagate, but implementing cybersecurity programs and incident response plans now can significantly reduce the risk of breach, improve response protocols and mitigate financial and reputational loss.