Panama Papers Fallout: What If Your Lawyer Gets Hacked?

As the latest wave of high-profile breaches shows, all the sensitive information law firms handle makes them attractive cyberattack targets. Here’s what can happen and what you should do about it.
InformationWeek (May 31, 2016) – Your company has likely spent a lot of time, effort, and money keeping its security systems, policies, and practices up to date. Can the same be said of your law firm?
The legal industry isn’t exactly known for its technology leadership, which should be of concern, especially from a security perspective. Don’t assume that your data is safe, in other words. Be prepared to do your own due diligence.
“Law firms retain a lot of sensitive corporate data that would be extremely valuable to hackers or outside parties. In particular, hackers are interested in corporate legal information, intellectual property from their clients, information on directors and officers of corporate clients, settlement terms, and more,” said Jacob Olcott, the former legal adviser to the Senate Commerce Committee, counsel to the House of Representatives Homeland Security committee, and current VP at Bitsight Technologies, in an interview.
“Since law firms often deal with highly sensitive information, they are a clear target for hackers trying to earn money on the black market. In addition, hacktivists may be interested in the information held by a law firm for political purposes.”
Recent high-profile breaches are an example. In March 2016, American Lawyer reported that two of America’s most prestigious M&A law firms, Cravath, Swaine & Moore and Weil, Gotshal & Manges, had been hacked for insider trading purposes. Cravath was the only firm to comment publicly on the matter.
In April 2016, Panamanian firm Mossack Fonseca admitted it had been hacked. A hacktivist reportedly leaked 11.5 million documents, totaling 2.6 terabytes of data, to German newspaper Süddeutsche Zeitung. The trove is collectively called the Panama Papers. These documents reveal details about shell companies, their high-profile owners, and parties that helped them evade taxes and remain anonymous. However, as always, the stories making headlines are few and far between. No company, including a law firm, wants to advertise its vulnerability.
“Many top law firms have pretty good structural security. However, they drop the ball in two places: They use less sophisticated local counsel and give them sensitive documents, and they don’t put sufficient checks on their people,” said Jay Edelson, founder and CEO at law firm Edelson PC, in an interview.
The actual scope of attacks is difficult to gauge. For example, in its 2015 Annual Security Report, Cisco named the legal industry No. 7 in its list of top 10 company types at risk for Web malware infections. According to an American Bar Association (ABA) 2015 Legal Technology Survey Report, 15% of the 880 lawyer respondents said their firms had experienced a security breach, and 23% of them said they didn’t know if they had. More than four in ten (42%) said their computers had been affected by a virus, while 23% said they didn’t know. The larger the law firm, the more breaches were reported.
“Law firms represent a critical component of most companies’ supply chain[s],” said BitSight’s Olcott. “Most companies are focused on managing the cyber risk of their supply chain, and one of the first organizations they start with is their law firm.”
Popular Attack Vectors
Social engineering and phishing top the list of popular attack vectors facing law firms, because they are effective and often not obvious until it’s too late.
“All the technology in the world can’t protect you from employees who click on things they shouldn’t. And in their defense, attackers now do a lot more advanced reconnaissance. They write well-crafted emails that look legitimate and even reference current cases obtained from public record filings and [the] attorneys of record,” said Sharon Nelson, an attorney and president of digital forensics, information technology, and information security company Sensei Enterprises.
According to the ABA Journal, most major law firms have been breached. When a breach occurs, it isn’t discovered for eight or nine months. In some cases, firms remain unaware of a breach until the FBI brings it to their attention.
“The biggest threat currently appears to be financially motivated criminal hackers. Many recent attacks appear linked to Eastern European organized crime syndicates,” said Jason Straight, an attorney, senior VP of cyber risk solutions, and chief privacy officer at legal and business services provider UnitedLex, in an interview. “Nation states [and] organized crime networks [are] looking to engage in insider trading, front-running, extortion, or blackmail. Business rivals [are] looking for competitive intel, [and] even activists with an ax to grind [are looking].”
Social engineering and phishing can be particularly problematic because employees may not be trained to recognize their characteristics.
“Because many federal and state courts are now working with electronic filing and other types of court records, it’s especially important that lawyers not just open something appearing to be from a court without knowing it is definitely related to a matter and that they have validated the sender,” said Angie Singer Keating, CEO of data security solution provider Reclamere.
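One way to apply the sender validation Keating describes is to triage an incoming "court notice" on its headers before anyone opens the attachment. The following is an added example, not code from the article or from any of the firms quoted in it: it checks the From domain against a firm-maintained allow-list of court domains, flags a Reply-To that points somewhere else, and reads the SPF/DKIM/DMARC results the firm's own mail gateway wrote into the Authentication-Results header. All domains, addresses and messages below are constructed placeholders.

```python
"""Header triage for e-mail claiming to come from a court (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of domains from which this firm expects court e-mail.
# The entries are hypothetical placeholders, not real court addresses.
KNOWN_COURT_DOMAINS = {"uscourts.example", "ecf.uscourts.example"}


def _domain(address_header):
    """Lower-cased domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(address_header or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_results(msg):
    """Map spf/dkim/dmarc -> result, parsed from Authentication-Results headers.

    These headers are written by the receiving gateway (here the firm's own),
    so they are only meaningful when the gateway strips any copies that
    arrived with the message.
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", header, re.I):
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def triage(raw_message):
    """Return the reasons to hold the message for out-of-band verification.

    An empty list means nothing in the headers contradicts the claim of
    coming from a court; it does not prove the message is genuine.
    """
    msg = message_from_string(raw_message)
    findings = []
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    results = auth_results(msg)

    if from_domain not in KNOWN_COURT_DOMAINS:
        findings.append(f"From domain {from_domain!r} is not a known court domain")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain")
    for mech in ("spf", "dkim", "dmarc"):
        result = results.get(mech, "missing")
        if result != "pass":
            findings.append(f"{mech} result is {result}")
    # Deliberately no check on case numbers or captions in the subject/body:
    # attackers lift those from public filings, so they carry no trust.
    return findings


# Constructed sample messages (hypothetical headers and addresses).
CONSTRUCTED_LEGITIMATE = """\
From: Clerk of Court <ecf_bounces@ecf.uscourts.example>
To: attorney@lawfirm.example
Subject: Activity in Case 1:16-cv-00001 Notice of Filing
Authentication-Results: mx.lawfirm.example; spf=pass smtp.mailfrom=ecf.uscourts.example; dkim=pass header.d=ecf.uscourts.example; dmarc=pass header.from=ecf.uscourts.example

Notice of Electronic Filing attached.
"""

CONSTRUCTED_SUSPECT = """\
From: Clerk of Court <clerk@uscourts-efiling.example>
Reply-To: clerk@mailer-relay.example
To: attorney@lawfirm.example
Subject: Activity in Case 1:16-cv-00001 Notice of Filing
Authentication-Results: mx.lawfirm.example; spf=softfail smtp.mailfrom=uscourts-efiling.example; dmarc=fail header.from=uscourts-efiling.example

Please review the attached filing for your case.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", CONSTRUCTED_LEGITIMATE), ("suspect", CONSTRUCTED_SUSPECT)):
        print(label, "->", triage(raw) or ["no header findings"])
```

The suspect sample trips every check (unknown From domain, mismatched Reply-To, failed or missing authentication results) even though its subject line carries a plausible case number; the point is that a case reference is not a trust signal, while the domain and authentication checks are. An empty result should be read as "no contradiction found", which is why the right response to any finding is to confirm the filing through the court's own system rather than through the message.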
Of course, there are also the usual vulnerabilities that plague businesses generally, such as failing to update and patch software, update antivirus software, run penetration tests and regular audits, train employees on an ongoing basis, or encrypt documents and communications. In addition, as at other businesses, laptops and cellphones get lost, and paper documents remain at risk.
“A criminal who understands the value of the stolen information in his hands is likely to attempt to sell it for financial gain. After that, the information could be used for a variety of purposes depending on other factors [including] seeking tax refunds, illegal immigration, issuance of counterfeit documents, identity theft, or even economic espionage or blackmailing,” said Francoise Gilbert, a partner at law firm Greenberg Traurig, in an interview.
What to Do About It
Attorneys are obligated to make “reasonable efforts” to safeguard their clients’ information, according to the ABA Rules of Professional Conduct, which leave a lot open to interpretation. Don’t take your law firm’s security policies and practices for granted. Instead, endeavor to understand them and make sure security is built into the relationship.
“The comments provided in ABA Model Rule 1.6 state that a lawyer must make reasonable efforts to protect inadvertent or unauthorized disclosure of information related to the representation of [a] client. These factors include adding safeguards, [such as] special security measures to transmit and store data,” said Graham Jackson, general counsel at IT security education and certification consortium (ISC)2, in an interview. “If the data exposed includes [personally identifying information], healthcare, or financial information, law firms must review the relevant federal and state statutes, including any data breach notification laws, to determine whether the data loss requires notification.”
Another rule, ABA Model Rule 1.4, may require a lawyer to notify his or her client even if the data loss does not trigger a data breach notification, Jackson said. That particular rule governs communication. It requires lawyers to keep their clients reasonably informed about the status of their case.
Whether or not a law firm has a legal duty to disclose that fact to anyone other than the clients affected “probably depends on their own contractual obligations with their clients and state laws,” said BitSight Technologies’ Olcott. “I would expect that most corporate clients would require their law firm to notify them of any potential data loss or breaches.”
John Cooney, a partner at law firm Ruskin Moscou Faltischek, said in an interview that, in addition to complying with federal and state breach notification laws and filing regulatory responses, law firms’ legal obligations include assessing potential litigation, including shareholder derivative and class actions.
“The respective laws and obligations are complicated. Which ones a law firm has to comply with depend on the type of information that was accessed, as well as the state in which the client resides or does business,” said Cooney.
There’s also the issue of cyber-security insurance. At the present time, lawyers and law firms are not required to have it, but, in some cases, it can make the difference between a law firm being solvent or insolvent. Only 11% of respondents participating in the ABA’s 2015 Legal Technology Survey Report said their firms had cyber-security insurance.
“When a potential client is evaluating law firms, one of the first questions concerning cyber-security should be whether the law firm has cyber-security insurance,” said Cooney. “If not, that law firm should be eliminated from consideration.”
Law firms that get cyber-security insurance are typically subjected to a rigorous evaluation and underwriting process prior to being insured. What that means to clients is that a third party has evaluated the firm’s security practices, and that the firm has properly evaluated different cyber risks, Cooney said.
Depending on the policy, insurance may cover first-party costs, including forensic investigation, breach notification, cyber-extortion payments, credit monitoring of affected parties, crisis management and public relations expenses, and third-party expenses. There is also coverage for the fines and penalties proposed by various regulatory bodies or the payment card industry, according to Daniel Lazarz, a broker at insurance company Swett and Crawford, in an interview.
“Law firm clients should not only ask about the firm’s cyber-security measures, but also what means they have to bear the cost of a breach,” said Lazarz. “Without proper coverage or financial means, services and damages that would be provided to the client might not be available, leaving the client to bear the cost.”
In other words, it’s wise to understand how a law firm protects its clients’ information, and to determine whether the policies and practices complement or diverge from your own.
Bottom Line
Law firms are attractive targets because they handle a lot of sensitive information that has monetary value on Wall Street, on the black market, and in the political arena. While law firms have an ethical duty to protect their clients’ information in a “reasonable” fashion, the definition of “reasonable” varies from firm to firm.
Clearly, no law firm wants to suffer the fallout of a breach, but their methods of effectively keeping data safe and dealing with a breach can vary significantly. Rather than leaving the matter to chance, it’s wise to understand the details of how a law firm will protect your data and, in the event of a breach, how they’ll handle it.
