This interview was originally published on July 8, 2016. In light of recent cybersecurity incidents targeting the legal industry—and the growing claims of malpractice against firms that fail to protect client data from such attacks—we’re republishing the piece once more. After three years, the questions it addresses remain as pressing as ever—questions of attorney competence, of what constitutes a reasonable standard of care with regard to law firm cybersecurity, and of what price is to be paid when that standard isn’t met.
About a year ago, at a moment the world appeared to be nearing #peakcybercrime, we posed the question: What if your law firm is the next Ashley Madison? This was provocative shorthand for, "your client's data gets sprayed indiscriminately across the internet by hackers -- now what?"
Well, for all intents and purposes, the Panamanian law firm Mossack Fonseca was Ashley Madison -- the nightmare victim of what Edward Snowden described as "the biggest leak in the history of data journalism."
And that's not the half of it. Since then, two of the highest profile firms in the world admitted to breaches of client data, and news broke that a Russian hacker going by the nom de guerre Oleras targeted at least 50 more elite firms, including titans like McDermott Will & Emery and Kirkland Ellis.
"Told you so" is little consolation in times like these and, besides, everyone knew this was coming. The more alarming thing is that seemingly few know what to do about it, and even fewer seem to care.
Answering the whys -- why is law firm security so porous? why is no one doing anything about it? -- is the thesis of an eye-opening academic paper arguing that, while it is widely known that law firms are low-hanging fruit for cybercriminals, the absence of substantive regulation governing cybersecurity, either from market forces or the bar itself, makes for a world where, for those suffering breaches, there are few consequences and little accountability.
On the occasion of that paper's publication, we spoke with the paper's author, Eli Wald, a former practicing attorney who is now among the most preeminent legal scholars in the field on the topic. Our conversation, which will be posted in three parts, will give you cold sweats. The full paper can be read here.
Logikcull: There’s a general assumption that law firm cybersecurity practices aren’t very strong. On the other hand, recent studies have indicated that up to 80% of legal organizations say they are confident in their cybersecurity infrastructure. Which assumption is more accurate?
Eli Wald: The first assumption is more accurate -- that is, that cybersecurity practices at law firms are generally not very strong. It’s hard for me to speculate why law firms are so confident in their infrastructures. But I will venture one guess: lawyers in general tend to delegate cybersecurity concerns and responsibility for infrastructure to others, usually the IT group, and so they may not know how vulnerable they are.
Part of the argument I make in the paper is that lawyers ought to be more involved and more informed, not in the day-to-day maintenance, necessarily, but about the big picture decisions pertaining to cybersecurity infrastructure. I would bet that, if lawyers knew more about cybersecurity, they would be less confident in it.
"If lawyers knew more about cybersecurity, they would be less confident in their own infrastructures."
Logikcull: You spent some time practicing at a large law firm. What was your perception of the situation when you were on the inside?
Wald: I’ve been on the faculty here at the University of Denver for nearly 15 years. Cybersecurity was obviously not front and center at the time. Cybersecurity at the time meant blocking your associates from playing games online and using unsecured websites. So instead of focusing on my personal experience, I should say that I’ve spent the last few years talking to practicing attorneys and my students, both before and after they join the program. And based on those discussions, my sense is, of course, law firms are well aware of cybersecurity concerns, and many, to be sure, do a lot and try to stay on top of ensuring that the cybersecurity infrastructure is sufficient.
There is no inconsistency in saying that law firms and attorneys are well aware of these threats and on the other hand realizing that lawyers perhaps don’t know enough about specifics, and don’t do enough to manage the threat.
"Law firms and attorneys are well aware of these threats on the one hand and, on the other, they perhaps don't know enough about specifics, or enough to manage the threats."
Logikcull: In your paper, you make the argument that law firms are highly attractive targets to hackers. Can you explain why that’s the case?
Wald: There are three primary reasons why law firms are indeed attractive targets to hackers. The first reason is that law firms and lawyers collect from their clients and handle very valuable information. This in part is the very definition of what we lawyers do. Rather than collect every piece of information that our clients possess, we tend to seek out in the context of representing our clients, and in order to effectively represent them, the important information that pertains to the representation. That’s an obvious statement to even those who know just a bit about the practice of law. Of course we collect and handle very valuable information -- that’s part of why we grant our clients, and why the profession has long acknowledged, the protection of confidentiality, privilege and work product.
However, from the perspective of hackers, exactly because lawyers handle such valuable and sensitive information belonging to clients, law firms become a one-stop shop.
"From the perspective of hackers, exactly because lawyers handle such valuable and sensitive information belonging to clients, law firms become a one-stop shop."
What do we mean by that? Suppose one hacker could target a client -- perhaps a large, Fortune 500 company. Even if the hacker can succeed into hacking into the systems of the client, there might be vast amounts of information, significant components of which could be useless and worthless to the hacker. So the hacker, after a successful hack, would have to sort through potentially massive quantities of information, and select the valuable, substantive info.
Law firms, by the very nature of the services they provide, only hold, maintain and handle the very valuable information. Hacking a law firm, then, is much more efficient than hacking the client itself. So, to sum up, lawyers collect and handle sensitive information -- it’s what we lawyers do. And because we do that, we allow hackers an opportunity to select, by hacking us, a target that would spare the hacker the need to sort through less valuable information.
"Hacking a law firm, then, is much more efficient than hacking the client itself."
Reason two is that clients, often the “entity” clients lawyers often represent, have had the first-mover advantage vis-a-vis law firms, meaning, they’re usually harder to hack. They have better underlying cybersecurity infrastructures. They have people who are involved in maintaining it that are not just the IT people. They have invested more time and energy. They have better systems in place already. In other words, they are harder to hack.
So compared to their clients, lawyers easier targets.
Finally, the third reason is that we lawyers live in a day and age where the market for legal services is highly competitive. It’s not that in the past we did not work hard, but since the mid-80s, we’ve seen a significant increase in the competitiveness of the market for legal services. And a result, we’ve come to the point where lawyers are increasingly offering services 24/7. Of course, we lawyers are people -- we have our families and other priorities. It’s certainly not a surprise that part of how we adapt to this 24/7 culture is to resort increasingly to the use of technology that, in turn, renders us more vulnerable.
Logikcull: How much of the weakness in the cybersecurity infrastructure is just due to the human error that arises from that 24/7 culture?
Wald: It would be hard to quantify, but I will say this: when it comes to cybersecurity, the entire infrastructure is only as strong as the weakest link. And we know that the weakest link tends to be people. It doesn’t necessarily just mean lawyers -- they work with a significant support apparatus. All it takes is one mistake -- one person downloading or accessing compromised sites or materials. Or one person responding to a phishing attack.
So, to the extent that lawyers and the professionals that work with them are overworked, and to the extent that this overload causes people to make mistakes, it’s possible that the 24/7 culture aggravates cybersecurity concerns. But it’s more likely that lack of sufficient training that law firms perform, both with the lawyers and the professionals that assist them, is such that, to be blunt -- even if you catch the lawyers and their assistants between 9 and 5 on a Monday after they’ve had a three-day weekend -- it is quite possible that the lack of sufficient cyber-training would cause them to make an error that they are perhaps more prone to make if they’re also tired.