On the heels of reports of data breaches at some of the most prominent -- and shadowy -- law firms in the world, and increasingly routine headline-making cyberattacks on household names, data security in the legal space has come front and center. Well, "front and center" in terms of window-dressing and lip service, certainly. It's less clear what, if anything, most in the legal community are actually doing to protect the sensitive information with which they're entrusted. There are, to be sure, many exceptions where forward-thinking firms and practitioners are pioneering ways to secure the large amounts of ESI they now routinely handle.
But many others practice as if paper folders and lock boxes are still the norm.
In fact, there is a general consensus that law firm data security, on the whole, is just plain bad. This is, after all, the industry that recently gave us what Edward Snowden described as the "biggest leak in the history of data journalism." But what's also abundantly clear is that, for a number of reasons, the overall level of concern is low. Consider a recent Hyperion Research poll, where 80 percent of responding legal organizations said they were "confident" in their existing security infrastructure.
In other words, cybersecurity in the legal space is a travesty and few seem to care.
Nobody has articulated why this is the state of affairs with more clarity or thoroughness than Eli Wald, a law professor at the University of Denver and author of a startling new law review article asserting that penalties for failures to protect client data are largely non-existent or without teeth. In the forthcoming paper, the former Paul Weiss attorney turned ethics scholar also argues for bar groups to adopt strict cybersecurity regulations that directly bear on attorneys' professional and ethical duties.
Below, we've summarized its main points, paraphrasing key sections and quoting others. Footnotes and citations are omitted for brevity. A draft of the full paper, which has been read by the 159 people who care about this stuff, can be downloaded here.
On why law firms are prime targets for hackers
- Lawyers are "likely targets" for hackers because they collect and store large amounts of sensitive client data -- trade secrets, IP, confidential business dealings and the like. The rule of thumb is, the larger the firm, the bigger the target.
- Law firms are clearinghouses for the sensitive data of many entities and, thus, represent efficient targets for hackers.
Large law firms are wearing bullseyes
- "For hackers, large law firms are a one-stop shop, serving as filters of low value material, because BigLaw will tend to receive from its clients and store only a subset of their vast information, namely, the valuable portion of it."
- Thus, while large law firms, which might be relatively secure compared to smaller firms, may be tougher targets to breach, the payoff may be worth the extra effort.
Compared to their clients, law firms are low-hanging fruit
- Lawyers are “perceived to have fewer security resources than their clients, and have less of an understanding of and appreciation for cyber risk.”
- Lawyers’ cyber vulnerability leaves them open not only to attacks seeking sensitive client data, but also those that disrupt internal systems in attempts to coerce ransom payments.
- While sophisticated clients of large law firms are likely to take their own steps to protect discovery data, small clients of small law firms may not have the same wherewithal, and are thus doubly vulnerable.
- "Worse, small businesses and individuals may erroneously assume that lawyers know enough, or at least more than them about cybersecurity and that their information will be secure with their attorneys. Therefore, they insufficiently inquire and supervise their lawyers’ cyber practices."
- A post-Great Recession "24/7" culture where firms are now expected to service clients at all hours has pressured these firms to increasingly turn to outsourcing and artificial intelligence, which may increase the risk of data breach.
Who is attacking legal professionals?
Due to lack of real consequences, law firms shrug at the threat of malpractice, or being fired
- Recent changes to professional rules of conduct, such as those made to Comment 8 of Rule 1.1 of the ABA Model Rules, appear to be unnecessary because one would expect that a client's reaction to a data breach -- withholding business, firing the firm or suing -- would provide enough incentive.
- However, "liability rules (e.g., malpractice suits) and market controls (e.g., termination of the attorney-client relationship) are not likely to effectively regulate lawyers’ cybersecurity conduct." This is because:
- Malpractice suits are hard to successfully pursue. For one, the plaintiff must show it suffered damages. That's often difficult due to absence of facts about what data was lost, the value of that information, and the harm suffered from losing it.
- For this reason, there are few malpractice cases arising from failures to protect confidential data (although we know of at least one).
- "The same challenges... limit the ability of clients to fire or otherwise sanction a law firm for failing to protect confidential information."
- Often, clients do not take action against their firms because they're not aware of the breach. And, aside from some state and federal regulations, attorneys generally have no duty to report data breaches to clients.
- Because lawyers face few actual consequences for prospective failures to protect client data, data about attacks isn't collected, which "diminishes... the prospects of effective liability rules and market controls developing in the future."
Despite under-regulation and lacking liability rules, law firms face pressure to bolster cybersecurity
- These pressures arise from the prospect of having to disgorge fees; demands from powerful clients that security must be improved; standards imposed by liability insurers attempting to mitigate the risk they assume; and peer pressure, such as from young lawyers who are more technically adept and security savvy.
Absent regulation, some lawyers are likely to try to get away with insufficient cybersecurity because...
- When it's done right, data security can be expensive. Costs may include those associated with organization-wide training and updating IT infrastructure.
- Even when these costs can be recovered, some "lawyers are notoriously technophobic. To be sure, some lawyers are at the forefront of using new technological advances to better serve clients. Yet the legal profession has a long, documented history of resisting technological advances due to ignorance, vanity, status envy, and independence, which suggests that, left to their own devices, lawyers are unlikely to implement the necessary cybersecurity measures to protect clients’ information."
- Some cybersecurity protections, including those related to limiting access to personal devices and networks, limiting the use of physical media, and following sound password procedures, are perceived to be cumbersome -- and usually are.
But here's the good news...
- According to a Verizon Data Breach Investigations Report, 97% of attacks can be thwarted by common security practices that law firms of any size can employ.
- Lawyers should conduct a management-level risk analysis to see where they are most vulnerable, and then delegate execution of correctives to IT and security experts.
- Firm-wide training and developing a culture of security are essential, as lawyers and their staffs are often the weakest link.
The full paper, which also addresses the shortcomings of professional and ethical rules as they are currently written and steps the ABA and other authorities can take to incentivize better security practices, can be read here.