You've Been Hacked: How Does Your Firm Recover?
Thursday, July 21, 2016
Posted by: Jason Krause
This week, intelligence agencies have told the White House they now have “high confidence” that the Russian government was behind the theft of emails and documents from the Democratic National Committee. The breach was a high-profile embarrassment for the organization, forcing DNC chair Debbie Wasserman Schultz to resign. But it is only the latest sign that many organizations are vulnerable to a data breach.
Recovering from a data breach is a technical question. But it is also an ethical, practical question. For example, what is your duty to make your clients whole? How do you repair your reputation? And how can a law firm or business protect against financial losses following a hack?
Unfortunately, the legal industry is a prime target for cyber criminals. The Panama Papers leak earlier this year was perhaps the biggest security breach in history: more than 11.5 million documents, or 2.6 terabytes of data, were leaked to a German newspaper. The victim, the Panamanian law firm Mossack Fonseca, is only the most prominent recent example of a cybersecurity incident involving a law firm; the list includes some of the oldest and most respected American law firms.
The challenge is that technology is changing faster than the profession can keep up. “Technology is advancing at a logarithmic rate,” says Jack Marshall, president of the consulting firm ProEthics, in Alexandria, Virginia. “I hate to say it, but for a law firm, it is a nearly impossible task to take the necessary steps to stay ahead of security risks. Some people see going back to paper and files as the only way to truly secure their data.”
Happily, others say that there are services and resources which can help even small or mid-sized businesses survive in this environment. “Smaller law firms will be obsolete if they cannot manage a breach,” says Jessica Robinson of PurePoint, who works as an outsourced Chief Security Officer (CSO) helping companies mitigate cyber risks. “I am passionate about this issue, because I believe that a small law firm can manage security and can survive in our current environment, if they take the right steps.”
Your Duty is Clear
Marshall notes that law firms as entities are under no professional obligation to report cyber breaches to clients, but that individual lawyers likely are. ABA Model Rule of Professional Conduct 1.6, Confidentiality of Information, states that lawyers shall not disclose information relating to the representation of a client and shall make reasonable efforts to prevent unauthorized disclosure of, or access to, such information. In addition, forty-seven states have their own laws about when companies, including law firms, must disclose a breach. These laws typically require disclosure when an entity gains unauthorized access to “personal information,” a term whose definition varies by state.
The American Bar Association amended its Model Rules in 2012 to require lawyers to make reasonable efforts to prevent unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. The ABA also instructs lawyers to “keep abreast of changes in the law…including the benefits and risks associated with relevant technology.”
However, Marshall says that lawyers should not rely on their state bar association ethics opinions regarding the use of technology in their work. He says that no rules committee can ever hope to keep up with the emerging risks in Internet technology. “By the time the rules process is done and they find that something is safe, technology has changed and what was safe six months ago is no longer secure,” he says.
How to Respond
Marshall and Robinson believe that communicating a loss to a client is both good policy and good public relations. However, The New York Times reported earlier this year that “the legal profession almost never publicly discloses a breach.”
Robinson says that every firm must have outside counsel who understands cybersecurity issues and can provide an independent analysis. She also suggests forming relationships with cybersecurity experts (IT professionals, lawyers, and cyber breach coaches) before an incident occurs. “As a prevention tactic, get a retainer in place with an incident response firm and a law firm that specializes in cybersecurity; its lawyers will tell you when to notify and how to notify government officials,” she says. “You need someone who can honestly tell you when and how to disclose a breach to clients or the public. Perhaps you don’t need to report; or maybe you do. But you need an honest, outside opinion.”
Organizations may also consider hiring a breach coach, a professional who can assist in managing a data incident: isolating the affected data, notifying customers, retaining the necessary forensics professionals and managing crisis communications. Robinson says that a cyber incident response team can shorten the response time to an incident or breach, stop what is triggering the breach in partnership with IT, and manage communications with clients and (where necessary) law enforcement.
She says an organization that has suffered an incident should not panic, but should assess the situation soberly and carefully. First, what is the scope of the breach or incident? Is the perpetrator an insider, or is it an attack from outside? Did the perpetrator target all client data, or was the attack tied to a specific matter? Most importantly, determine what allowed the breach to happen, so that the root cause, not just the symptom, is fixed. Robinson points out that, according to research she cites, 95% of all breaches involve someone making a mistake.
Marshall says that some firms are hesitant to contact their insurance carriers, but that doing so is actually a responsible and prudent early step. Insurance investigators can help identify the scope of the problem and the risk posed to the firm or business. “Contacting insurance is the ethical thing to do because you are being responsible,” he says. “Once you understand your exposure, then you can tell the client what you know.”
Another common oversight is that businesses fail to check what their contracts with clients actually say; those contracts increasingly include language about data protection and breach notification. Businesses also often fail to investigate their reporting duties under all of the pertinent rules. Every state has its own law on reporting, but many firms and their clients also operate under rules imposed by state, federal, or industry regulators, each of which may carry its own notification requirements and deadlines.
Marshall says that the challenge for legal professionals will be to keep up with never-ending change. He notes that in the recent controversy regarding Hillary Clinton’s allegedly careless management of her personal email, her legal team tried to argue that she was following a precedent set by other Secretaries of State. “Any time you have to argue that you are just doing what your predecessor did nine years ago, then you have already lost the argument,” he says. “If you are just doing what others did before you, then you are behind the times. You have to be on the cutting edge to survive.”
Marshall says that lawyers are loath to tell clients about a data breach because it may irreparably harm their reputations. But he points out that covering up a breach is often worse than the breach itself. And most state bar associations have been reluctant to disbar attorneys who fail to protect against cybercrimes except in the most egregious situations. “I think that bar associations understand that we all make mistakes,” he says. “Unless you fall for something so dumb and obvious, like the Nigerian Prince email scam, you are not likely to lose your license.”
However, the threat is growing, and more law firms, large and small, must now consider how to respond to the very real possibility that their most precious commodity, client data, is being targeted. “A lot of law firms still tell me that they don’t have to worry because they don’t work with the big guys; their clients are not Fortune 500,” says Robinson. “That’s not true. Everyone is a potential target.”
Jessica Robinson will be hosting a Cybersecurity webinar - August 2 - 1pm EST - http://bit.ly/29AlrS8