Every lawyer dreads falling victim to a ransomware, malware, or phishing attack. But an even worse fate is suffering a data breach without having a plan in place, a panel of privacy practitioners told the audience May 31 at a recent American Bar Association conference.
Firms can’t rely on just cybersecurity measures to protect them, because lawyers themselves are often to blame when hackers get through the gates. Steven M. Puiszis, the deputy general counsel and privacy and security officer at Hinshaw & Culbertson LLP in Chicago, said it’s common wisdom among security experts that “the amateurs hack systems; the professionals hack people.” Jason Warmbir, vice president at Willis Towers Watson in Chicago, where he leads the Midwest region’s cyber privacy liability team, said “[h]umans are really our biggest weaknesses across any institution.” So law firms may be one click away from disaster.
To comply with their ethical obligations, lawyers must be aware of how to prevent a potential breach of their client’s confidential information and have a plan in place if malware strikes.
What’s the Plan?
Puiszis discussed the elements of an incident response plan, which is intended to allow a law firm to respond to a breach in a coordinated fashion. Those elements include:
- Confirmation there is a real breach and not a false alarm.
- Containment and mitigation of the harm.
- Evaluation of the scope and impact of the problem.
- Eradication of malware.
- Third-party forensic examination of the network to verify its security.
- Notification to affected clients, government/regulatory/law enforcement authorities, professional liability insurer, and cyber insurance carrier.
Once a team is assembled to respond to a data breach, they should practice by running through a mock breach response, Puiszis said.
William R. Sampson, a privacy and data security practitioner in Shook Hardy & Bacon LLP’s Kansas City office, reviewed DLA Piper’s response to a data breach last year. In less than two weeks, DLA sent out three communications to clients. While the first two messages were “hardly chock-full of information,” Sampson said, the firm appeared to be reacting appropriately to the breach. Sampson attributed DLA’s success to good planning (early breach detection and ability to shut down the entire system), good backup systems, buy-in from firm leadership (who approved 15,000 hours of overtime), and increasing the level of detail in the communications without over-promising.
Know What You’ve Agreed To
Some lawyers read a client’s outside counsel guidelines closely, others don’t. The guidelines are rules a corporate client’s lawyers must follow. But they may require a heightened level of compliance with specific security measures beyond what is required under the Model Rules of Professional Conduct, the panel said.
For instance, client guidelines and state data breach notification laws are likely to impose data breach reporting obligations that are triggered “long before” a lawyer’s duty to keep a client informed under Model Rule 1.4 comes into play, Puiszis said.
If the guidelines require that a law firm indemnify a client for any harm, Puiszis said, he tries to qualify it by agreeing that the firm will indemnify the client only “to the extent covered by our professional liability insurance.”
You’re Insured, Right?
Warmbir said insurance is intended to respond to the disruption of the network, not just to nefarious hacking. Insurance can cover the costs arising from a data breach, which includes legal, forensics, public relations, and regulatory aspects.
But certain types of social engineering scams may not be covered by cyber insurance policies, Warmbir cautioned. Social engineering is an attack in which someone impersonates another person, usually to obtain money. For example, someone may call or email a lawyer pretending to be a client and instruct the lawyer to modify wiring instructions for an impending payment. Warmbir said cyber insurance policies don’t usually cover the transfer of money, but a separate crime policy would provide primary coverage.
Cyber extortion is also a “big component” of cyber insurance policies, Warmbir said. After a hacker deploys ransomware and demands payment in bitcoin, for example, some companies pay it and move on and others won’t.
On the Horizon
Sampson thinks it’s clear lawyers have an ethical duty to vet a third-party discovery vendor, for example, to make sure the vendor’s security measures will reasonably protect a client’s confidential information. But courts are now faced with whether lawyers have an ethical obligation to vet an opposing law firm’s security practices—particularly a modest-sized firm whose data security and protection capabilities are unknown to the lawyer—before producing a client’s confidential information to that firm during discovery. Sampson thinks the responsibilities are the same as with third-party vendors.
Puiszis said another issue is whether a lawyer has a responsibility to vet local counsel’s data security and protection practices before sending them a client’s confidential information. Sampson said one approach is to exclude local counsel from any discovery responsibilities, but he acknowledged that becomes problematic at trial.
Puiszis said he thinks there would need to be more than simple negligence in order to trigger disciplinary action for a lawyer’s actions regarding a data breach. But how much more?
Are lawyers competent enough to know whom to call to address data breach issues? Puiszis asked. He said the “current rule of risk management in law firms is ‘never make a problem worse.’ You always want to make a problem smaller, not bigger.”
Rule 1.6(c) says a lawyer must protect against the inadvertent disclosure of a client’s confidential information and the commentary says a client may require the lawyer to employ additional safeguards. Sampson said he thought an ethical complaint would have “some teeth to it” if a lawyer failed to comply with specific terms of a client’s guidelines that resulted in a loss to the client, such as failing to encrypt all of the client’s data as required by the guidelines. Puiszis said that a client’s guidelines could be relied upon as the basis for asserting that a lawyer breached the standard of care given the obligations of Rule 1.6(c).
Another risk firms face, Puiszis said, is that a client will claim that a law firm was deceptive in agreeing to its outside counsel guidelines while knowing the firm couldn’t comply.
Alice Neece Mine, assistant executive director of the North Carolina State Bar, moderated the panel. The panel was part of the ABA’s 44th National Conference on Professional Responsibility, in Louisville, Kentucky.