Legal intelligence newsletter JD Supra has published an article advising lawyers on what to do in the event that client files are compromised in a data breach.
Data-breach attacks on public institutions and private businesses are becoming increasingly common as hackers find more and more ways to monetize them, either by selling the data on Dark Net markets or by demanding cryptocurrency ransoms to restore data or systems.
In the past two weeks, computer systems belonging to Jackson County officials and the Boston public defenders’ office were seized up by ransomware attacks.
As well, hackers used malware to switch off pots of molten aluminum and interrupt operations at Norsk Hydro smelters in North America and Europe.
According to JD Supra, law firms have been similarly attacked:
“In 2017, DLA Piper was hacked by the NotPetya malware, and until the breach was resolved, the 4,400-attorney law firm was reduced to conducting business by text message and cell phone. The reported scope of the damage remediation included 15,000 hours of overtime IT assistance, but no reported loss of client confidential information.”
As well, “22% of law firms reported a cyberattack or data breach in 2017, up from 14% the year before.”
Hackers have also attempted to cheat securities markets by hacking legal firms:
“Back in 2016, The Wall Street Journal reported that two major New York-based law firms were hacked in what was believed to have been a state-sponsored attack focused on front-running the equities markets by gaining advance knowledge of upcoming mergers and acquisitions.”
Experts have also warned that, as large firms with good budgets tighten their cybersecurity, hackers are trolling for smaller but still profitable targets.
JD Supra also warns that workaday firms could be hit:
“If that can be done on such grand matters, who is to say it can’t be done to uncover your client’s real settlement posture in that next big case, or your litigation defense plan in that class action you’re defending?”
The newsletter then provides a synopsis of recommendations issued by the American Bar Association last October with regard to how lawyers should responsibly respond to data breaches:
“…mid-October of last year the American Bar Association (“ABA”) stepped in and issued ABA Formal Opinion 483 (“ABA Opinion”), guiding lawyers in their ethical duties to secure client data in this electronic world.”
The opinion described lawyers’ duty of competence, duty of communication, and the duty of confidentiality in the event of a breach.
Traditionally, competence has referred to keeping abreast of laws governing the legal profession.
Today, it can also entail being sure one understands the secure use of information technologies, which can be accomplished via one’s own study or the retaining of experts.
The ABA outlines the following ethical duties for preventing and coping with a data breach of client records:
- Monitoring for data breaches (where data is removed or maliciously encrypted): efforts should be reasonable and preventive measures in place; complex, rotating passwords and 2-factor authentication should be used; security software should be kept updated; logs should be set to maximum retention in terms of both period and depth; access logs should be regularly checked for signs of unauthorized activity.
- Stopping breaches, restoring systems, determining what happened: draft and regularly rehearse a “Breach Response Plan” that defines personal roles and procedures for addressing a possible data breach, including the use of outside assistance; additional requirements set by clients should be considered in the plan, including “at rest and in motion” data encryption requirements (meaning all data deposited or transmitted by the client must be encrypted) or breach disclosure requirements different from those set by the ABA; the breach plan should also consider that, during the course of mitigating or investigating a breach, experts or law enforcement may come in contact with client data; clients should be briefed on these risks.
- Providing notice to clients: the client must be kept “reasonably informed” regarding any data security breach, and should be notified of a breach even before its scope has been entirely understood; updates should also be furnished; local and national regulations stipulate different breach disclosure time frames, for example, 60 days or “without unreasonable delay.”
Data has now become the world’s largest commodity. As markets for data heat up and as more and more devices go online, the threat of a data breach only increases.
The JD Supra authors accordingly warn that it is important that lawyers understand “the types of data you work with, and keep yourself abreast of what laws, regulations, and contractual provisions govern its loss.”
The article should be understood as only a step in that direction:
“That potential breadth is very large, and this article only briefly touches upon additional requirements that may arise under certain of those federal and state laws and regulations.”