In today’s world of remote business operations, one of the questions that has been constant from many business sectors – but particularly law firms – is, “What level of liability (if any) would a law firm have if a hacker took control of a law firms files?”
This question is highly relevant – especially considering reports that hackers have become more active than before in light of the COVID-19 pandemic.
According to the American Bar Association, one in four law firms with at least 100 attorneys have experienced data breaches that involved hackers.
In addition, the Department of Justice believes that at least 25% of all law firms have been subjected to, or experienced, some form of a data breach involving hackers.
Taking Reasonable Measures to Protect Client Data
Though hackers have become more active during a time of virtual business, they still rely on the basic hacker methods of ransomware, malware, phishing, spoofing, and, in some instances, sniffers.
Unfortunately, it appears that, for many firms (particularly smaller firms), cyber security is not a top consideration until the firm is the victim of a cyber-attack. For that reason, we will provide brief information regarding some of the different means and methods of hackers and their use of ransomware, wiperwear, and hacktivists.
What is “Ransomware?”
Ransomware is a form of malware that installs on a device without the user’s knowledge. Once the hacker has access to the device, they threaten to hold the victim’s data hostage or publish the data unless a ransom is paid. Usually, these ransoms are demanded in dollar value but required to be paid in cryptocurrency such as Bitcoin.
What is “Wiperware?”
Wiperware is similar to ransomware except that the hacker once accessing the device or server threatens to destroy the data or the entire system. Just like ransomware, the demands in wiperware hacks are usually for money and the request is to be paid via Bitcoin.
What is a “Hacktivists?”
A “hacktivist” is a form of hacker who will use one of the forms of malware to access a device or server, but their motivation is somewhat different.
Usually, a hacktivist disagrees with some social or political cause that a law firm or business supports, or appears to support, and their demand usually includes actions to be taken by the business (as well as money.)
Ethical Obligations and the ABA Model Rules
Now that we have a general understanding of some of the issues that we face in regard to cyber security in the legal community (especially as we switch our businesses to primarily virtual operations because of COVID-19) we must review the ABA rules that specifically impose a level of relative liability on law firms nationwide.
When considering the fact that these hacking methods are not a new phenomenon, and analyzing attorneys’ duties from an ethical perspective, it is highly likely that a law firm would be held liable in the event of a data breach if the attorney had not taken reasonable steps to protect the client’s data.
- Attorneys nationwide have an ethical obligation to be competent in all respects of the representation of a client.
- Attorneys also have an obligation to maintain the confidentiality of client information and documents received by the attorney.
- Finally, an attorney has an obligation to maintain open communication with the client and inform the client of any material defects that would contribute to the client making an informed decision regarding continued representation.
“Lawyer’s Duty to Inform”
The American Bar Association has urged attorneys to notify clients in the event of a data breach and to keep clients updated on subsequent investigations.
Bottom line, best practice is to tell your clients when you have reason to believe that their data has been exposed in a cyberattack.
ABA Opinion Issued October 1995
According to an opinion issued by the American Bar Association in October of 1995, title access of non-lawyers to lawyer databases, Opinion 95–398, the American Bar Association held in that opinion that attorneys can and may be held liable for data breaches based upon hacking.
ABA Model Rule 1.4
In this opinion, the American Bar Association relied first on Model Rule 1.4 which covers lawyer-client communications. Based upon the Model Rule of Professional Conduct 1.4, the American Bar Association is of the opinion that if a law firm’s database is compromised, the attorney must immediately inform the client.
ABA Model Rule 1.6
The ABA went further and applied Model Rule of Professional Conduct 1.6, which deals with attorney-client confidentiality, and the ABA is of the opinion that the lawyer is restricted from revealing a client’s confidential information unless the client consents with express authorization.
ABA Model Rule 5.3
Next, the ABA applied Model Rule of Professional Conduct 5.3, which they believe enforces the obligation of an attorney to make reasonable efforts to ensure that the firm has measures in effect that non–attorney conduct is compatible with the above reference attorney obligations.
Takeaway from the ABA 1995 Opinion:
In short in the 1995 opinion based upon:
- ABA Model Rule 1.4;
- ABA Model Rule 1.6; and
- ABA Model Rule 5.3.
The American Bar Association concluded that because the attorney has an ethical duty to protect a client confidential information which includes:
- email communications;
- credit card information;
- bank statements; and
- any other information obtained from the client related to representation.
Further, because attorneys have an ethical duty to ensure that non-attorney staff and contractors conduct themselves in a manner consistent with the attorney’s ethical obligations, the attorney can also be held responsible for a data breach in the event that they do have an IT company or cyber security company who doesn’t properly conduct themselves (generally meaning: making reasonable efforts to protect the client’s information.)
“Duty of Competence”
ABA Model Rule 1.1 and Opinion 483
In 2018, the American Bar Association issued another opinion dated October 17, 2018, which is formal opinion 483.
In the opinion, the ABA found that Model Rule 1.1 – which required duty of competence in the representation of a client (which includes legal knowledge, skill, thoroughness, and preparation) – imposes a mandate on the attorney to have a level of competence, not only in the areas of law but in the technology that it requires in order to provide the legal service to the client.
In sum, the advice given to the attorney by the 2018 opinion was that the attorney must remain competent and was required to keep abreast not only of the changes in the law, but also changes in practice.
We do acknowledge that, while the American Bar Association’s opinions issue strong guidance for attorneys, each state has adopted its own version of a professional code of conduct for attorneys.
While we do not see much difference in the rules relied upon by the ABA in coming to their decisions, it is worth pointing out that provisions in some states governing the issue may be inconsistent with the American Bar Association’s conclusion.
Guidance Varies by State
New York County Bar Opinion 749
In New York, the New York County Lawyers Association issued a formal opinion numbered 749 on February 21, 2017.
In that opinion, the New York County Lawyers Association advised that an attorney does have a duty of technological competence to the extent that the technology is pertinent to representation.
The New York County Bar went on further in that opinion to explain to attorneys that their interpretation of ethical obligation included encryption of communication transferred through public databases.
Their encryption rule also covered information that was electronically stored within law firms and on mobile devices used by members of the firms.
New York – Title 23 NYCRR Section 500
In a similar vein, the New York State Department of Finance issued a rule in 2017 under title 23 NYCRR Section 500 that required the development of a cyber security program oversight of designated employees as well as an annual certificate of compliance.
The reason why we found this Department of Finance regulation informative and instructive for the operations of law firms and obligations related to cyber security is because many law firms accept electronic forms of payment from credit cards and wires, which in light of that the Department of Finance regulation, would then become applicable to the broader operation of a law firm.
In California, the California Standing Committee of Professional Responsibility and Conduct issued a formal opinion numbered 2015-93 that inform California attorneys about the ethical obligations requiring competency related to facilitating litigation as well as electronic discovery. What that opinion went on to inform the attorneys is that cyber security is not something that can be taken as a secondary priority – especially in light of the fact that many courts in the United States have long been in the process of implementing electronic filing and discovery mechanisms.
The Supreme Court of Florida, in an opinion from September 29, 2016, amended their attorneys’ Professional Rules of Conduct that mandates that a Florida licensed attorney take three (3) hours of approved technology as a CLE. The Florida Supreme Court further issued a mandate that Florida attorneys must adhere to the Florida state cybersecurity rules.
Massachusetts implemented a regulation under Massachusetts General Law, Chapter 93, 201, CM R17 which requires encryption of personal information stored or held on portable devices or transmitted across public networks.
Finally, we will cover the state of Nevada. The Nevada data policy and protection law – which is cited as in Rule 6038. 220 – requires the encryption of personal information during electronic transmission.
Basically, having explored several state laws rules and regulations that would apply to law firms and attorneys, it is consistent that attorneys have an obligation to place cyber security mechanisms within their firm’s operation protocol.
Even more importantly, as a licensed attorney, the opinions appeared to indicate that just because a law firm has an IT company or cyber security company that supervises or reviews their tech operations, that would not be sufficient to shield the attorney from liability.
This is because, as the American Bar Association noted, the individual attorney has an obligation to ensure that non-attorney employees are conducting the business of the firm in a matter that is consistent with the attorney’s ethical obligation which, here, would be protecting clients’ data.
Theory of Liability
One of the main questions that has been left open at this point is, under what theory of liability could an attorney be pursued in court for a data breach and will that differ from state to state.
Based upon the facts and circumstances of the case (and based upon the ethical considerations) an attorney can be held liable for professional an attorney also can be held liable on various torts related to the improper handling of a law firm hack and breach of client data.
However, the law is clear that no matter what area of liability an attorney for a petitioner decides to pursue, there will be many colorable avenues for a claim to be made.
Insurance Litigation Related to Law Firm Data Breaches
There are many instances where firms of all sizes have been subjected to data breaches by hackers and there are some instances of litigation related to these data breaches. These types of conflicts usually play out behind the scenes, but recently these conflicts have been spilling out into the courtroom.
Law Firm Sued for Concealing Data Hack
Hiscox Insurance Company v. Warden Grier, LLP., Docket #20-cv-00237 (2020).
Hiscox Insurance offers coverage for cyber attacks and hired the personal injury law firm of Warden Grier LLP to represent policyholders for more than 15 years.
In the matter of Hiscox Insurance Company v. Warden Grier, LLP., the insurance company sued the law firm of Warden Grier related to a data breach that was perpetrated by a hacker group name Dark Overload.
The basis of the claim was an allegation that the law firm quietly paid a ransom to Dark Overload to retrieve the firm’s data without alerting Hiscox Insurance or the affected clients.
According to the law firm, they believed that acquiescing to the hackers’ demands would protect the data from being released. Nevertheless, a Hiscox employee discovered that some of the information had been leaked on the dark web.
Hiscox claims that Warden Grier breached its “contractual, legal, ethical, and fiduciary duties” by failing to protect its clients’ data and by not informing Hiscox or its policyholders about the breach.
According to a report released by Hiscox, 61% of companies based in the U.K., the U.S., and Europe, reported being the victim of one or more cyber attacks in 2018. That number was up from 45% in 2017.
Law Firm Seeks Reimbursement from Insurance Company for Bitcoin Ransom and Lost Billables
Moses Afonso Ryan, LTD. v. Sentinel Insurance Company, Docket #17-cv-00157 (2018).
This ten (10) attorney firm – which is based in Rhode Island – was attacked by ransomware in 2015 when a lawyer in the firm clicked on an infected email attachment. The hacker demanded $25,000 in Bitcoin from the partners.
The firm of Moses Afonso Ryan ultimately paid the hackers the $25,000 and attempted to recoup their funds from their insurance provider, Sentinel Insurance Company, in light of their coverage for lost income.
The law firm sought payment from their insurance policy, not only for the money paid out to the hackers but for the loss of business that occurred as a result of the system not being fully operable for almost a year after the hacking incident.
According to the firm, in addition to the $25,000 paid to the hackers, the firm was seeking reimbursement for over $700,000 in lost billings during the time the firm was shut down.
The insurance company refused to compensate the firm arguing that the hacking was not covered in all respects. The insurance company did provide the firm with $20,000 of reimbursement and is now in litigation regarding the claim of the firm’s $700,000 in revenue.
According to the Sentinel Insurance Company, the insurer has no legal obligation to cover other ransomware losses and the policy coverage for lost business income applies only when there is physical loss or damage to property at the business premises.
Big Law Targeted in Ransomware and Malware Attacks
It is not only the smaller firms that have been subjected to hacking on a broader scale, as many people may be familiar with the 2016 hacking that included many major law firms; among them being Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP.
In 2016, these firms, in addition to others, were hacked by Chinese Nationals. In that incident, the hackers obtained access to emails in the server accounts of the law firms’ partners and transferred the information to outside servers.
The hackers used that information to perpetrate insider trading crimes for which the hackers benefited $4,000,000. The reason why the public was able to obtain that information is because this was one of the rare instances where the U.S. attorney’s office was able to track, identify, and prosecute the hackers.
On October 13, 2016, the U.S. Attorney’s Office for the Southern District of New York arrested the three Chinese Nationals related to the hacking of the two or three firms that were associated in this instance.
It is worth noting that in this instance, the hackers were not interested in having the firms meet their financial demands. Instead, their goal was retrieving lucrative information regarding some of the firm’s corporate clients which allowed them to reap rewards through insider trading.
The DLA Piper Hack
There was another instance that comes to mind which differs from the basic modus operandum of hackers – where they generally seek to seize files or servers and demand payment.
In May of 2017, the law firm of DLA Piper and others were attacked by this ransomware that affected 230,000 service systems in over 150 countries.
In that case, the hackers were more focused on gleaning information that will be valuable on the black market such as:
- social security numbers;
- dates of birth;
- photo identifications; and
- Other information that would allow financial transactions to be conducted with other people’s identity.
DLA Piper hacking is like the one faced by Proskauer in 2016 which was not as broad, but just as damaging.
In 2016, hackers were able to send an email request to the human resources department of Proskauer requesting copies of the employees W-2s which their human resource department responded to.
In that instance, the email clearly appeared to have been sent by a partner and was consistent with emails that had been previously sent by the specific partner.
“The Panama Papers”
Yet another instance of hacking that took place in April of 2016 involved the Panamanian firm of Mossack Fonseca. This firm was breached, and the hackers were able to retrieve 4.8 million emails and 22,000,000 PDF files. This hack was dubbed the “Panama Papers” and received extensive media coverage.
2020 REvil Ransomware Attack
In 2020, celebrity attorney Alan Grubman – whose firm represents musicians and artists such as Elton John, Madonna, Bruce Springsteen, Lady Gaga, Lizo, and allegedly United States President Donald Trump – was hacked in a textbook ransomware operation with the hackers initially demanded $21 million dollars only to raise the stakes and demand $42 million when their demands were not met.
The threat is that they will release dirty laundry related to president trump as well as information related to certain musicians. So far, to show that they truly have access to Grubman’s servers, the hackers have begun releasing some of the firms privileged business contracts related to musicians on the dark web.
10 Solutions to Ensure Your Firm’s Protection
For many attorneys who are considering new ways to operate their businesses in light of the COVID-19 restrictions, and the advisory guidelines issued by the Center for Disease Control and individual state governments, the question becomes, “What are possible solutions that will be sufficient to possibly protect a law firm from liability in this day and age and beyond?”
- Draft a “Business Associate Agreement” or “Data Security Agreement” – An attorney needs to be sure to have a business associate agreement or data security agreement in place with any businesses that will be transmitting information to and from the farm.
- Review Your Firms Insurance Policy – Most importantly attorneys must determine what insurance may cover liability. This is because the causes of action related to a data breach cannot only include variations of negligence or reckless failure to protect, but it can also include failure to notify clients of the breach. While many firms have general casualty liability, direct office insurance, a cyber policy or kidnap and ransom insurance, the attorney must analyze the policy of the firm to be sure that whatever policy the attorney has would cover data negligence, a data breach itself, and the associated negative publicity. Attorneys should ask the insurance company if a ransom paid to a hacker would be covered by their policy.
- Be Aware of “Uninsured Criminal Acts” – The attorney also has to be sure that a data breach will not be considered an “uninsured criminal act” (which not envisioned by insurance coverage and for which the attorney took no steps to secure against prior to the point of the data breach actually occurring.)
- Implement Cyber Security Program – The attorney must also implement a cyber security program to mitigate any data breach as well as to satisfy regulatory and compliance requirements in order to isolate itself from cyberattacks as best as possible and to be compliant with any insurance policy regulations.
- Train Employees on Cyber Security Measures – The attorney should also train employees on cyber security measures. These things should include instructing employees to independently verify the identity of a sender of email before they open it. It is important to double-check email addresses – since scammers often employ “look-alike” domain names. Instruct employees to ignore links and email attachments from unknown sources and require all employees ensure that anti–malware antivirus software on their individual computers and devices is working.
- Develop and Implement Cyberattack Protocol – It is also important that all businesses (specifically law firms) have a cyberattack protocol or playbook in place where each employee is familiar with the steps that should be taken in short–order in the event of a cyber-attack.
- Segment Your Network – For firms with multiple offices (even those with remote offices), it may be a good idea to segment your networks and limit access to layers for different segments. Th4ese segmented networks would act as roadblocks or checkpoints for malware to pass through before infecting a firm’s entire network.
- Routine Data Backup and Maintenance – All firms should check their backup systems periodically to ensure that, where needed, these systems would be available and fully operable.
- Establish an Offsite Backup Location – It is also important for firms to establish an offsite backup location. Many firms have found reasonably priced cloud-based backup systems they are operated by major companies with very strong security policies.
- Learn the Computer Fraud and Abuse Act of 1986 – Law firms – no matter which area practice they are in – should become familiar with the Computer Fraud and Abuse Act of 1986. This Act would greatly assist in implementing a cybersecurity policy and/or supervising a contracted cybersecurity company (since it would explain the parameters in which the federal government would step in.) More importantly it will give the firm insight regarding what information should be preserved in order to best assist the federal government is investigating a possible cyber-attack.
A final note of cautionary advice to law firms would be to have a member of the firm assigned to occasionally scour the dark web as it is not uncommon for information that is gleaned from law firm cyberattacks to be sold and exchanged on the dark web in one of the instances cited above; particularly, the Hiscox case.
There, the only way that the client found that it’s attorney’s office had been hacked was because an employee of Hiscox was scouring the web and came across information related to Hiscox that should not have been posted.
That was the trigger that alerted the client to reach out to their attorneys. Only then did they learn that the firm had been the victim of a cyber-attack.
Importance of Contracting with an IT or Cyber Security Firm
There have been many instances where smaller firms or larger firms have come under cyber-attack and the employee’s first instinct is to attempt to fix the problems themselves.
Firms usually take this point of view because they are unaware that the firm has been subjected to a cyber-attack which, if gone unnoticed, may deepen the problem and unknowingly allow access to additional components of the firm’s server or staff devices.
In light of recent cyber-attacks (both on private businesses and government entities – including The United States Department of Defense and the Department of Health among other businesses and entities), the United States Department of Justice issued a memorandum in April of 2020 with direction for regional and local U.S. Attorney’s Offices to focus on cyber-attacks of businesses and government institutions.
Why Would Hackers Find Law Firms of Great Interest?
The answer to that question is simple law firms or a treasure trove for information where, in some instances, hackers may have to download sniffers and wait for people to allow them a level of access in order to gain:
- tax returns;
- social security numbers;
- credit card information; and
- bank account information.
Law firms are known for obtaining this information and retaining it for several years which makes it very lucrative for hackers to access the information and demand ransom which allows the hackers to be compensated (in some instances) multiple times for one successful hack.
Our firm has represented cybersecurity companies in instances where the government has not specifically created a policy on whether the payment of the ransom amount is legal. If you or someone you love is looking for an attorney to represent them in a federal matter related to ransomware or malware, call us now at (212) 736-3900.