Many lawyers hear “cybersecurity” and immediately tune out, thinking it does not pertain to them. However, they really should perk up their ears, as a security breach can have major ramifications for their practice. Corporate clients who do not insist their firms have security standards open themselves up to leaks of privileged information, and lawyers who do not ensure their firms are secure risk losing their largest corporate clients. Furthermore, not only can data be inadvertently exposed, but if data is not properly secured, firms may find themselves in violation of their ethical responsibilities. Below is the first of three real-world scenarios that could happen to any attorney and seriously impact a corporate client. Look for the next two scenarios in the coming months.
It is 9 p.m. A senior associate, Larry, is working on reviewing your documents for a large case, and the production deadline is tomorrow. Larry still has a few thousand documents to go, so to get a break and some needed caffeine, he leaves the office and hunkers down at the local coffee shop. Larry logs on to his mifi, which was provided by his law firm, and then enters security credentials and logs in on the document repository. He does another two hours of review while chugging down one espresso after another. Shaking from all the caffeine, Larry heads home. Once home, he boots up his home computer and logs back in on the document repository. He stays up a while longer and finally finishes reviewing the documents. Larry sends an email to the firm’s litigation support department indicating that they can begin to run the production. One of the directions is that all documents need to be labeled “For Attorneys’ Eyes Only” because a lot of the documents contain your company’s trade secrets. Larry shuts down his computer and hits the sack for some much needed rest.
The production gets done on time and is submitted to your adversary. Outside counsel moves on to other aspects of the case, not giving that production a second thought. However, several months later it is brought to your attention that certain trade secrets have somehow been leaked. You spend tens of thousands of dollars on forensic examinations and hours upon hours personally interviewing employees in an effort to find the leak. After an exhaustive search, it turns out that the information was stolen using the login credentials of Larry, the senior associate at outside counsel. When you call Larry to find out what happened, he is honestly perplexed. He has never shared his credentials with anyone, nor has he printed out any documents that could have been misplaced. What could have possibly gone wrong?
What Larry did was log in on the document repository from an unsecure network that was hacked. He violated no firm policies, but the trouble is that when he logged on to the firm-distributed mifi device, it was easily hacked by another patron while Larry was enjoying that last espresso. The hacker was able to obtain the credentials to the document repository and gain access to all of your sensitive documents. Now all those trade secrets you have spent millions to protect are in the public domain.
This hacking probably leads you to fire the firm, costing it an extremely profitable client. You may even have to consider embarking on costly litigation to recoup losses. How do you protect yourself from this and avoid endangering the relationships you have spent years building with trusted law firms? The answer is to work with your firms early on to ensure that they have adequate security policies in place to protect against such cyberthreats.
Firmwide policies should be drafted around working outside the office, and databases with very sensitive information should be locked so they can be viewed from secure locations only. However, it is not enough for your outside counsel to simply have these policies in place: Staff need to be trained on the policies and understand the implications if they are broken. All new employees must be made aware of the firm’s security policies, and all current employees should be trained on the policies and retrained every time the policies are changed. All of your outside counsel should comply with and enforce any and all policies you have in place to protect your own data.
Adding to the firm’s predicament is that, in addition to losing you as a client, it may have violated its ethical obligations to you. The ABA Model Rules now require that all lawyers “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” (See ABA Rule 1.6: Confidentiality Of Information.) This does not mean that lawyers are subject to an ethics violation for every data breach, but this obligation does require active efforts on the part of outside counsel to evaluate and implement technological safeguards. The comment to the rule notes that, when evaluating whether an attorney’s efforts were reasonable, factors to be considered include “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.” As a practical matter, this requires attorneys to make fact-specific evaluations regarding both the information to be protected and the various technological means of protecting it. This suggests that more sensitive information might be subject to greater, more costly or more cumbersome technological controls, such as access restrictions and copying limitations.
To meet this standard, when the firm purchased mifi devices for employees, it became the firm’s obligation to research the mifi devices and the network’s security. It is also the obligation of the firm to draft policies around the use of this technology before distributing devices to employees. If these steps were adequately taken, then an ethical violation probably would not exist. However, if the devices were purchased and distributed without much thought of potential security breaches, then the law firm may have an ethical problem on its hands. Also, because the database had very sensitive client data, it should have been locked down so that it could only be accessed on a secure network.
No attorney wants to expose a client’s secrets to the world, but most do not realize how easily that can happen. Attorneys need to take their heads out of the sand and proactively ensure the security of client data, and clients need to be aware of their firms’ policies and be the catalyst for improvements if needed. While no one expects attorneys to be technologically savvy enough to put proper firewalls around data, it is their responsibility to make sure they are working with their firms’ CIO to effectively protect client information. While we want to encourage people to function remotely so they can potentially work longer hours, there are inherent risks that must be considered. So perhaps the next time lawyers working on your case need a caffeine fix, they should bring that latte back to the office.