In the last three years, cyber criminals increasingly targeted law firms of various sizes. In 2017, the DLA Piper data breach left one of the top US law firms inactive for two days with lawyers struggling to retrieve files up to nine days. Moreover, two smaller law firms have been sued in court, New York County and Northern District Court of Illinois, for not maintaining data security. In short, maintaining secure data environments is not simply a “best practice” but increasingly becoming a legal requirement for protecting attorney-client confidentiality.

What are the industry standard and regulatory cybersecurity requirements?

You’re an attorney, so you want the cold, hard facts. You’re regulated even if you don’t always realize it.

• The New York Department of Financial Services (NY DFS) Cybersecurity Rule considers law firms vendors because they manage money when settling claims.
• The Health Insurance Portability and Availability (HIPAA) rule considers law firms “business associates” because they engage with personal health information (PHI) as part of personal injury claims.
• The Gramm-Leach-Bliley Act (GLBA) incorporates law firms, albeit indirectly, as business partners to the extent that they maintain a client’s financial information.
• The Payment Card Industry Data Security Standard (PCI DSS) applies to law firms since they accept, store, and transmit cardholder data (CD), defined as personally identifiable information (PII) such as primary account number (PAN) in conjunction with any of the following: cardholder name, expiration date, or service code.
• The Federal Reserve System considers law firms a service provider since they manage financial information for clients and connect to banks.
• The Federal Deposit Insurance Corporation (FDIC) also considers law firms as service providers for maintaining and distributing funds.

From a legal standpoint, you’re a regulated entity that needs to consider cybersecurity and its financial implications.

What does cybersecurity mean to attorney-client privilege?

One of the fundamental principles of the law is to keep your client’s confidential discussions with you private. The law prides itself on the trust between attorneys and their clients.

You’re maintaining your client’s confidential information in digital form today. Whether you began your career with a stenopad or with a smartphone, you’re collecting, storing, and transmitting these communications by email or a website. The American Bar Association updated its Rule 1.1 Competence with comment 8 that specifically incorporates maintaining updated information about the benefits and risks inherent in relevant technology.

Setting aside regulatory fines, you also need to think about whether you’re maintaining data confidentiality, integrity, and availability to maintain your license.

What are the tort and contractual liability claims after a data breach?

Taking a look at the lawsuits brought forth so far provides insight into the legal issues that impact your firm:

Breach of Contract

If your contract states that you will maintain files on behalf of your clients, then data corruption arising out of a ransomware or malware attack can corrupt those files. Thus, you’re in breach of contract and potentially liable for malpractice under the contract’s data retention clause.

Negligence

If you don’t maintain basic information security protections, you can be sued for negligence for not meeting the primary standard of due care. A data breach can place trade secrets, personal information, or financial information at risk leading to clients’ financial loss.

Breach of Fiduciary Duty

You’re collecting fees and have a fiduciary duty to act in your clients’ best interests. If you’re not maintaining a secure data environment and a breach occurs, you can be considered in breach of that fiduciary duty when cybercriminals obtain the information. Moreover, if you’re handling financial transactions on behalf of your clients, you’re putting that information at risk which increases the likelihood a court will find you in breach.

Malpractice

While the other causes of action listed above relate to malpractice, malpractice itself can be defined separately. Insecure email, which places your clients’ secure communications at risk, can lead to a man-in-the-middle attack. If that happens, then you can be sued directly for malpractice.

What are the “best practices” for cybersecurity?

While the American Bar Association (ABA) has a cybersecurity task force, it does not offer specific best practices or IT audit requirements. Thus, you need to determine the security controls that protect client data.

Cyber Insurance

The cybersecurity industry keeps saying that data breaches are no longer “ifs” but “whens.” As a lawyer, you know that the minute something goes wrong, people want to sue. Finding the right cyber insurance policy can protect your financial assets from the inevitable lawsuit.

Security Updates

While the Microsoft update notifications may get in the way of billables, you need to take the time to update all systems, software, and networks. Continuously monitoring your data environment can help you prioritize the time consuming and overwhelming number of alerts so that you focus on the most important updates first.

Firewall

Your firewall acts as the first line of defense against cyber criminals by keeping them out of the data environment. However, you need to make sure that you update the software regularly and configure it appropriately.

Password Policy

Most people have poor password hygiene. Since cyber criminals can purchase downloadable programs on the internet that let them scan systems and networks for the most often-used passwords, weak passwords can lead to a data breach.

Multi-Factor Authentication (MFA)

If you’re not using MFA, you want to start. Multi-Factor Authentication means that users not only login with a password, but that they also need to have secondary verification (like a code sent to a smartphone or a biometric) to complete the login process.

Encryption

Encryption scrambles information so that even if a cybercriminal obtains it, they shouldn’t be able to read the data.You should be ensuring that all information is encrypted, whether in-transit (during sending) or at-rest (while storing). Thus, you want to encrypt all email conversations to ensure that only the intended party can read it.

Virtual Private Network (VPN)

Lawyers work long hours, and with the ability to work from home, you have more remote employees than ever. You want to use a VPN to help secure those connections. VPNs encrypt data over networks so that when employees are accessing databases and company documents, even if cybercriminals manage to obtain the information, they won’t be able to read it.

Anti-Malware/Anti-Ransomware

This seems like a basic protection. However, after installing the software you need to make sure that all computers update to the most recent notifications on a regular basis. You should also make sure that you’re running regular total system scans.

How Zeguro Helps Protect Law Firms from Lawsuits

At Zeguro, we understand the financial, operational, and reputational impact a data breach can have on a law firm. With that in mind, we offer a comprehensive end-to-end solution that helps find the IT risks, shows you how to close the gaps, and directs you to right cyber insurance policy.

Protect yourself and your firm today.