by Greg Behan, Esq.
A 2013 report by cybersecurity company Mandiant stated that a Chinese military unit was responsible for hacking into 141 organizations since as early as 2006; law firms comprised 4 of these entities. Unfortunately, law firms make prime hacking targets. By breaking into a single network, hackers are able to steal confidential, valuable data on multiple companies. Moreover, law firms’ increased mobility and sharing of documents through the internet make them susceptible to more cyber attacks. FBI cyber security expert Mary Galligan noted that, for just these reasons, hackers are increasingly targeting hundreds of law firms.
Hackers may attempt to steal a variety of information or otherwise compromise a firm’s data or infrastructure. For example, the Chinese hackers that are the subject of Mandiant’s report sought to steal intellectual property. Mandiant General Counsel Shane McGee noted that hackers also are interested in stealing competitive information, e.g., positions in commercial transactions or mergers and acquisitions that might later be used to undermine these deals. In another instance, a hacker collective broke into the email system of a Virginia law firm and posted its confidential email on YouTube and other sites. The hackers also rendered the firm’s website non-operational and swapped out the firm’s home page for a video of hip-hop performer KRS-One.
What can firms do to prevent a successful cyber attack? Galligan recommends “having up-to-date network diagrams, physical access logs, and legal notices upon logging in.” She also recommends that “Firewalls, intrusion detection systems, remote access servers, virtual private networks, and web servers . . . be logged.” Richard Borden, General Counsel and in-house cybersecurity attorney for Bank of America, recommends that firms have an “information security plan” and that they “actually follow” it. For instance, a firm should consider how it handles information being submitted via mobile devices. Importantly, is that information being encrypted? Perhaps foremost, firms should train attorneys and other employees on the risk of cyber attacks. For example, law firm employees should know that even if they recognize the sender of an e-mail, they should not click on a link or attachment unless they are able to verify it or were expecting to receive the attachment.
Firms also may consider storing confidential data with a certified third party. For example, a SOC 2 security certification confirms a certified party’s security, confidentiality, processing integrity and privacy of information.
Law firms have a duty to protect their clients’ confidential data, as set forth in Model Rules of Professional Conduct 1.1 and 1.6. Commentary to Rule 1.1 states, “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology” to “provide competent representation.” And Rule 1.6 describes a lawyer’s duty of confidentiality toward her client.