Shortly before the New Year, the United States Attorney for the Southern District of New York unsealed an indictment against three Chinese hackers who allegedly stole information from two prominent U.S. law firms. According to the indictment the hackers stole upwards of 50 gigabytes of data from the two firms, which related to impending mergers of large public companies. The indictment alleges that the hackers subsequently traded on the non-public information related to the mergers and reaped profits of more than $2 million. Regardless of how this case unfolds, it is an important cautionary tale for both lawyers and clients about the risks of the practice of law in the digital age.
How the Hack Worked
According to reports, the hackers used a relatively basic tactic known as "spear-phishing." Through spear-phishing, the hackers sent personalized emails to partners at the victim law firms that included a link (containing malware) for the recipients to click. Once clicked, the malware embedded in the link allowed the hackers to obtain the security credentials of the recipients which, in turn, allowed the hackers to access the firm's email servers. The indictment alleges that the hackers were able to collect troves of confidential information and also attempted to hack several other firms of similar size and notoriety.
Ethical Implications for Lawyers
In addition to any civil liability, the obligation to protect against a data breach also implicates a lawyer's ethical duties of competence, confidentiality and proper supervision, all of which are discussed below.
Rule 1.1 of ABA Model Rules (the "Model Rules") requires a lawyer to provide "competent representation to a client." Comment [8] to Model Rule 1.1 advises that a lawyer's duty of competence requires that the lawyer "keep abreast of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information." Rule 1.1 of the New York Rules of Professional Conduct (the "NY Rules") and its version of Comment [8] contain the same requirement, as do the ethics rules of most other states. See, e.g., Ca. R. Prof. Cond. 3-110.
Both the New York City and New York State bar associations addressed a lawyer's duty of competence in this area. In the context of lawyers who fall victim to internet scams, N.Y. City Formal Op. 2015-3 (2015) concluded that "the duty of competence includes a duty to exercise reasonable diligence in identifying and avoiding common Internet-based scams, particularly where those scams can harm other existing clients." N.Y. State Formal Op. 1020 (2014) similarly concluded that a lawyer dealing with electronically stored information must take "reasonable care to protect that information" as part of the lawyer's duty of confidentiality as well as her duty of competence. Thus, in the event of a data breach, a lawyer's duty of competence may be at issue depending on how the hackers infiltrated the law firm's network. A lawyer who fails to take reasonable precautions to protect against a data breach may find herself facing a malpractice suit or a grievance. See Kat Greene, NY Couple Says Attorney Negligent for Using AOL Email (Law360 Apr. 18, 2016); Iowa Sup. Ct. Att'y Disciplinary Bd. v. Wright, 840 N.W.2d 295 (Iowa 2013) (holding that attorney violated duty of competence by failing to conduct due diligence on potential internet scam).
In addition to the duty of competence, a lawyer also has ethical duties to maintain client confidences and to properly supervise other firm personnel. Model Rule 1.6 states that a lawyer "shall not reveal information related to the representation of a client unless the client gives informed consent" or unless the information may be disclosed under other specific exceptions in the rule. Unlike NY Rule 1.6, which prohibits a lawyer from knowingly revealing confidential information, Model Rule 1.6 does not contain any such knowledge requirement. This can be a significant distinction depending on where the data breach occurred. Rules 5.1-5.3 of the Model Rules and NY Rules require lawyers with various levels of authority to adequately supervise subordinates. Notably, NY Rule 5.1 imposes a requirement on law firms as well as lawyers to make "reasonable efforts to ensure that all lawyers in the firm conform to [the Rules]." The Model Rules contain no such requirement for law firms but impose the same supervision requirements on individual lawyers within the firm. In practice, this means that lawyers at all levels maintain some duty of supervision from the managing partner down to the newest associate.
Practical Implications
The main takeaway from the law firm hacking case is that a law firm's privacy protections are only as strong as its weakest link. In recent years, law firms have become a more regular target for hackers, largely because, in the eyes of a hacker, a law firm is a goldmine of sensitive information from countless sources. Further, the legal profession is often seen as "behind the times" when it comes to technology. As a result, law firms may have weaker privacy protections than many of their clients. From the client's perspective, this is a harrowing thought since the client has no choice but to entrust his lawyers with sensitive information necessary to carry out the representation.
Lawyers and law firms should therefore take their data security obligations seriously because the consequences of a breach could be dire. While any data breach and appropriate notices should be addressed on a case-by-case basis, lawyers and law firms should consider taking the following preventative steps:
- Implementing regular and mandatory training and awareness programs for all personnel regardless of seniority on the latest phishing techniques and what precautions the firm takes to protect against hacking;
- Conducting a security audit within the firm so that firm management can identify weak spots in the firm's infrastructure; and
- Formulating a response plan in the event of a data breach or other security incident
Additionally, lawyers with supervisory authority should resist the urge to delegate all data security responsibilities to a non-lawyer professional within the firm and should maintain a comprehensive understanding of the firm's security protocols.
We will continue to report on this case as it develops as well as any other interesting stories about cyber security in the legal profession.
This post first appeared in Frankfurt Kurnit's Focus on the Data blog (www.focusonthedata.com). It provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.
