Counsel in law firms have clearly articulated ethical obligations to mitigate threats to “information relating to the representation of a client”. The ABA Model Rules of Professional Conduct (the “Rules”) and their various state analogs provide guidance as to the scope of their responsibility without regard to the nature of that information. The Rules are not as clear cut for in-house counsel, but they too have an obligation to protect organizational data and any associated IP or work product.
That said, law firms have long been beneficiaries of the general perception that information in their possession is under the protection of an invisible legal shield. While it is true that the imprimatur of “privileged and confidential” holds weight in legal forums, it means absolutely nothing to those who present an ever evolving threat to work product and the crown jewels of the clients they represent.
It also certainly bears mentioning that the data protection strictures of Sarbanes-Oxley sections 302 and 404 apply to corporate officers and directors in both legal and non-legal roles in a similar scope and nature to those of lawyers in firms, albeit under the rubric of regulatory requirements.
Data Breaches; Ransomware, Industrial Espionage
Data breaches are increasing in size and scope across all private and public sector domains the world over. Law firms, however, present an especially attractive target. Given the varied nature and practice areas of legal representation, a firm could easily be in simultaneous possession of sensitive IP for a patent prosecution matter and a patent litigation matter for the same client. If that firm were to suffer a catastrophic data breach, it could easily have disastrous consequences not only for itself, but for its clients.
The targeting of specific law firms representing entities whose IP was of interest has always been and will continue to be a threat. However, in recent years the trend has shifted from industrial espionage to one where ill-gotten gains are more fungible and less traceable. Ransomware such as the WannaCry type viruses is attractive to hackers because it does not target specific data; it targets all it can, crippling access through encryption. This approach can also be used against a broader range of victims.
In a data dependent, services driven discipline such as the legal profession, the inability to access data because it has been taken hostage incentivizes affected organizations and individuals to make quiet, rapid payouts.
This nightmare scenario involving potentially catastrophic reputational harm and irreparable loss of goodwill of the firms and their clients can only be partly ameliorated by having cybersecurity riders as a part of malpractice and D&O coverage. The ripple effect of such exposure could cause shareholder derivative suits involving D&O liability for the corporate entity’s directors if they were negligent in concert with the firm representing them.
The data breach at Target is a classic example which did not involve outside counsel, but resulted in shareholder derivative actions in which allegations levied against Target's directors and officers included a failure to implement and oversee an appropriate information security program and undue delay in giving customers notice of the breach.
Threat Mitigation Begins With Legal Counsel
There are those who would argue that cybersecurity risk mitigation measures are the purview of IT and information security professionals in the law firm and corporate environment. They would be only partially correct.
As previously alluded to, there are statutory and discretionary duty based standards that inform the data management activities of corporate IT groups. It is increasingly incumbent on lawyers and others in fiduciary capacities to articulate these standards in an IT actionable fashion at the strategic, operational and IT levels.
Cybersecurity strategies for both law firms and their clients should also include an incident response plan. Preparing for the statistical likelihood of a breach will necessitate a solid incident response plan to reassure investors, the market, clients etc., and that messaging needs to be carefully crafted to meet disclosure obligations without pushing the envelope on PR spin.
A Look At the ABA Model Rules
The Rules have been adopted in whole or in part by every state, with the exception of California. The sections most germane to the discussion about cybersecurity are Rules 1.1 and 1.6.
Rule 1.1 speaks to the basic competence of counsel in their respective practice areas. Rule 1.6 describes client confidentiality obligations generally. The salient section is Rule 1.6.(b)7(c), which states: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client”. If counsel takes on a litigation matter that involves complex data discovery or the receipt of sensitive IP, they are obligated to ensure the means by which they take in, store, collaborate on or transmit the data are reasonably calculated and competently implemented to prevent unintended disclosure.
Many state bar associations within the US have adopted model rules that in some form or fashion require lawyers to have the requisite knowledge and competence of the areas of law in which they practice. Many extraterritorial jurisdictions have or are promulgating data security guidance, which in many cases greatly expands upon traditional tenets that counsel must use reasonable care to protect client confidences and secrets.
How a Law Firm Got Bitten by Missing Bytes; the case of Shore v. Johnson & Bell
The unique case of Shore et al. v. Johnson & Bell Ltd., case number 1:16-cv-04363, is currently “the” textbook example of client cybersecurity expectations not aligning with law firm cybersecurity representations about the protection of client data.
Johnson & Bell is a Chicago-based law firm with more than 100 lawyers practicing in a number of areas that was sued for a number of claims, all of which arose from allegations of insufficient IT security by the firm.
The firm marketed itself as providing representation in a variety of practice areas that would typically involve handling highly sensitive M&A, litigation and trade secret information.
The complaint in the controversy alleges in part that Johnson & Bell “receives a vast amount of confidential client information, including financial records, trade secrets, sensitive communications, and PII” and that the firm stores its data and work product on networks with vulnerabilities that result in its “entire computer system and all the Confidential Client Information it contains” being exposed. The plaintiff points out, with great particularity, deficiencies including the following:
The firm’s password policy management for some of its systems was inadequate.
The firm did not apply patches and updates to the network and computer operating systems.
The firm’s billing systems were subject to ransomware attack.
The firm’s email systems were vulnerable to a “DROWN” attack, similar to the one that compromised Mossack Fonseca, resulting in the infamous Panama Papers debacle.
According to NIST reports, the vulnerabilities of the software allegedly used at Johnson & Bell could have facilitated unauthorized disclosure of information, unauthorized modification of data and a disruption of service. This is not what clients want to hear.
In a great twist of irony, it turns out that one of the defendant firm’s partners authored a comprehensive data security best practices white paper captioned, “Don't Let Cybersecurity Breaches Lead to Legal Malpractice: The Fax Is Back.” The plaintiffs were quick to take advantage of the opportunity to use the author’s numerous and thorough data and network security best practices recommendations, as being illustrative of the systemic deficiencies the plaintiff alleges resulted in harm to its data. It was labeled Exhibit 1 to the complaint.
Contrasting Plaintiff’s Actual Damages To the Defendant’s Loss of Goodwill
In summary the plaintiff’s complaint enumerates the following causes of action:
In its complaint, the plaintiff concedes that no actual harm was caused by any data loss at all. Rather, they assert that the fees paid for document management and custodianship services to the firm did not result in a delivery of commensurate services.
While it is true that the duty to protect confidences inures irrespective of the size of the organization, not all organizations are created equal and frankly some may simply not have the requisite resources or competencies to implement some of the recommendations suggested by many information security practitioners.
Loss of multiple clients’ data can be an existential threat for a law firm. Is preserving your organization’s goodwill and market position worth rolling back your radically popular and beloved BYOD program?
Characterizing Security Threats
The complaint in the Johnson matter enumerates several significant concerns that are top of mind for corporate legal and IT executives. The bad guys target firms to do a number of things including:
Getting insider information
Obtaining highly sensitive patent and other IP
Gathering sensitive and damaging information to trade on
Holding data hostage for ransom
Common threat vectors to firms come from a variety of areas, some of which are listed below:
Infrastructure – that which is within the physical and/or legal control of the entity. This includes hosting vendors and other contracted service providers.
Missed SW/OS patches.
Policy – discretionary and non-discretionary policies.
Inadequate or misaligned policies with respect to the state of the business, regulatory environment.
Poorly implemented or managed BYOD policies.
No real visibility or auditability into the vendor/contractor or ecosystem.
Personnel Behavior (a function of internal and other policies)
Cybersecurity Action Plan Success Factors
Soft skills are vastly underrated in our technology centric culture, but many projects fail because of a lack of consensus and leadership. Whether you are a law firm or a corporate entity, plans to bolster security will have improved odds of success if they are predicated on a holistic governance approach that includes input and consensus and leadership from:
Low Hanging Fruit - The Importance of GAP Analyses
Charting a course to a desired organizational state from its present state means benchmarking must occur. A competently executed GAP analysis is a multi-disciplinary exercise that can help an organization quickly identify areas in policies, processes and infrastructure for incremental remediation. A key deliverable from this process is a roadmap that affords the organization an opportunity to triage the criticality of the areas identified for remediation.
Undertake regular reviews of their firm/client engagement and intake processes and even undertake a formal GAP analysis focusing on:
Once sufficient phases of a GAP analysis process are complete, the recommendations can be assessed for projected efficacy, operational impact and implementation.
Formulate a Communications /Training / User Support Plan / Incident Response Plan
Developing a plan around cybersecurity enhancement is not a trivial undertaking. Deeply entrenched organizational culture and behavior can present significant obstacles to the implementation and adoption of new policies, procedures and technologies. The GAP analyses should help to identify unique organizational requirements with respect to how best to enable communications, training and support of new technologies or rollbacks of beloved programs.
The many reasons a process may be stymied can include administrative inertia, “not built here syndrome”, natural human tendencies to protect fiefdoms, basic resistance to change and a litany of others. Nonetheless these are common organizational challenges that must be overcome to make the necessary technical, behavioral and organizational changes.
Communications plans for projects that involve shoring up enterprise wide risk must have clearly articulated objectives, benefits and ownership mandates. The responsibility to articulate the foregoing should belong squarely to the stakeholders with the greatest fiduciary and legal risk and pecuniary liability. These are the individuals who are most incentivized to ensure that the cybersecurity mandates of the designated project leaders are communicated and understood by the organization. In effect, this means the plan must be communicated and driven from the top down.
Pilot programs which include adequate testing, user feedback and training are an important precursor to any full blown roll out. This allows implementation teams to identify issues and adjust their approach in ways designed to improve adoption and institutionalization of recommendations throughout the enterprise.
Technology Use Case - Securing Client Data In Questionable Environments
As discussed in the Johnson & Bell case above, there were many allegations about the defendant’s infrastructure, but the one that resonates the most is the allegation that the defendant’s network deficiencies resulted in its “entire computer system and all the Confidential Client Information it contains” being exposed.
Had Johnson & Bell focused on incremental change by securing end point devices and implementing a point to point encrypted data environment like Cryptobox to manage client data and work product for the functions listed below, they would have had an appreciable reduction in risk from day one. They would have had secure point to point transmission of content for:
Secure, auditable storage of content:
Litigation production histories.
SW & IP Escrow.
Secure content sharing and collaboration.
Communications – a secure facility for IM communications.
The adage “no person is an island” applies to the above scenario. While all data within the Cryptobox environment is 100% secure and is auditable by a proprietary built in block chain ledger system, it is incumbent on the devices to and from which the data is sent or received to have the appropriate level of security (anti-malware/virus software).
Cryptobox is a fully encrypted instant messaging, file storage, sharing and collaborative environment built on a platform initially designed and used by NATO organizations. The technology can be implemented as a turnkey solution to heighten data security with virtually no operational disruption to either law firms or the clients they serve.
As to the rest of the infrastructure, billing and email etc., the change recommendations that would be made would come out of the GAP analysis results.
How Easily Can Cryptobox Be Implemented?
Depending on the client requirements, we can have an organization up and running in less than an hour.
Typically it might involve the following steps:
We set you up and your law firm members or clients with Cryptobox accounts.
Each user designates a trustee for PW recovery.
You upload documents into workspaces you create.
You give people access to selected workspaces.
All user related activity and access to data is logged and stored in a unique block chain for the purpose of chain of custody.
One can change, limit or revoke access at any time to any object.
It is fully auditable and defensible.
One may not be able to deal with the multiplicity of dynamic threats or vectors (paths from which attacks or risk are manifested), but one has an obligation to take reasonable measures to protect client data.
Contact a reputable vendor for a consultation as to how you can jump start your organization’s auditable, scalable and defensible cyber and data security plan.
Richard E. Davis, JD
Director of Operations & Solutions Architecture
Davis & Associates, LLC
535 Fifth Avenue, 4th Fl.
New York City, NY 10017
Veteran Owned and Proud of It