I’ve looked at clouds from both sides now
From up and down and still somehow
It’s cloud’s illusions that I recall
I really don’t know clouds at all …
Judy Collins
Back in July of 2011, we warned of a then-popular e-mail/fraudulent check scheme whereby lawyers would receive e-mails from alleged potential foreign clients looking to collect debts from customers. Those scammers convinced the unsuspecting lawyer to deposit fraudulent “settlement checks” into a client account and wire the “client’s share” to some foreign account after the bogus check cleared. When the fraud was eventually uncovered by the bank, the lawyer was left with liability to the bank for the fraudulent check and wire transfer.[1] Since then, newer, more complex electronic scams have surfaced whereby hackers intercept e-mails between lawyers and clients which contain wire transfer instructions. After intercepting such an e-mail, the hacker changes the instructions in the e-mail to wire money to his own untraceable account. The hacker forwards his bogus wiring instructions to the unsuspecting recipient, all while “masking” his identity as the sender and making it appear to the recipient as if the instruction came from the correct sender, whether lawyer or client.
This and other even more sophisticated electronic scams are becoming more prevalent. Given the confidential and valuable information passed between clients and their lawyers due to the attorney/client privilege, lawyers’ and law firms’ computer and e-mail accounts have become favorite targets. Whether an attorney transfers or stores client confidential information using password protected corporate e-mail systems, “cloud computing,”[2] third-party off-site network administrator vendors, third-party hosted e-discovery management platforms, or any one of the swath of other electronic data transfer or data storage solutions available through the Internet, the attorney inevitably faces an inherent risk that client confidential information will be susceptible to theft by a hacker or by an unscrupulous third-party employee. In the absence of reasonable, preventative, and precautionary measures, the lawyer also risks losses for the firm and its clients associated with such a theft.
Understanding how and why lawyers and law firms may be exposed to cybercrime is the first step in prevention. Because of the ever-increasing capabilities of cloud computing, and with it, the proliferation of everyday use of mobile devices—such as smartphones, tablets, and laptops—lawyers and law firms put sensitive client material at risk simply by falling asleep on the train home or by finishing a brief on the redeye. A misplaced smartphone or briefcase can result in serious consequences if a device ends up in the wrong hands. In addition, mobile devices and both cloud-based and in-firm corporate networks and e-mail systems are susceptible to “electronic hacking” where a “hacker” will illegally gain access to electronic information using a variety of more sophisticated methods.
Law firms and lawyers present a particularly appealing target for hackers because the mandatory confidentiality of the attorney-client relationship creates a virtual treasure trove of sensitive client information—such as social security numbers, medical information, trade secrets, privileged litigation communications and strategy, and internal corporate strategies—much of which can be very valuable to an array of criminal enterprises.
Illinois Rule of Professional Conduct (“IRPC”) 1.6(a) requires a lawyer practicing in Illinois to make reasonable efforts to ensure the confidentiality of client information, including electronically stored client information.[3] However, to be competitive in today’s legal services market, lawyers and law firms must no doubt utilize the cost-saving and organizational advantages technology allows them to offer recurring and prospective clients. While technology utilization is necessary, the prudent lawyer will also realize that the use of technology to electronically store and transfer sensitive client information necessitates proactive implementation of safeguards that will help in the prevention and defense of this information’s electronic theft. The extent and levels of necessary safeguards will likely be determined by the size of the law firm and its areas of practice, among other considerations. Depending on the specific needs of a firm or solo practitioner, there is a vast selection of cyber security precautions available, but every law firm utilizing the technology discussed in this article should at least consider undertaking the following.[4]
Implement Data Management Safeguards. Every law firm should maintain computer-use policies requiring employees to use and routinely update passwords for e-mail, document management systems, mobile devices, and laptops. Intranets, extranets, and Citrix-like virtual desktops also invariably require password protection. In today’s corporate environments, while all networks and company laptops probably employ anti-virus protection, employees using personal laptops to perform work outside of the office must be required to install similar anti-virus protection. Firm policies should include periodic inspections of mobile devices and personal laptops to ensure that employees do not turn off password and/or anti-virus protection functions out of convenience or technical incompetence. Other safeguards may include limiting who may access particular materials electronically and when they may share, print, or alter data. Finally, every firm’s computer-use policy should communicate to its employees (1) the seriousness of the firm’s confidentiality obligation to its clients, (2) the very real possibility of a cyber-attack, and (3) the procedure for reporting a potential data breach or suspected disclosure.
Address Firm Data Retention Policies. A law firm likely houses an incredible amount of data through its electronic document management system and its corporate network and e-mail system. Id. It should maintain clear policies regarding the length of time certain types of data will be stored, the strength of security to be maintained for certain stored data, and the procedures for eliminating unnecessary or outdated data. Just as a law firm is routinely required to destroy or shred sensitive hard copy materials, it must have procedures in place to completely remove and destroy sensitive electronic data from firm databases and to destroy unwanted or out-of-date firm equipment which may have housed sensitive information.
In conclusion, attorneys can and should take the necessary precautions to minimize the likelihood of cyber-security breaches, not only to give their clients peace of mind, but also to better shield themselves from third-party and first-party liabilities if a theft of information or other security breach actually occurs.
[1] For the full article, see Joseph R. Marconi and Victor J. Pioli, Lawyers are Increasingly the targets of Email/Fraudulent Check Schemes, ISBA Mutual Insurance Company Liability Minute, (July 13, 2011 12:46 PM), http://www.isbamutual.com/liability-minute/lawyers-are-increasingly-the-targets-of-emailfraud.
[2] “Cloud computing” can include receiving and sending e-mails on a smartphone or tablet; using a web-based email platform like Gmail, Yahoo! or Microsoft Outlook Web Access; or using products like Google Docs, Microsoft Office 365, Dropbox, SharePoint intranets/extranets, and Citrix Desktop as a Service (“DaaS”). As Formal Opinion 2011-200 of the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility aptly remarks, “cloud computing is merely a fancy way of saying stuff’s not on your computer.”
[3] See Ill. State Bar Ass’n Adv. Op. Prof’l. Conduct Nos. 96-10, 10-01; see also State Bar Ariz. Ethics Op. 09-04; N.Y. State Bar Ass’n Adv. Op. 842; Mass. Bar Ass’n Ethics Op. 12-03; Pa. Bar Ass’n Form. Op. 2011-200 (all discussing substantially identical versions of IRPC 1.6(a), entitled “Confidentiality of Information,” and its applicability to a lawyer’s ethical duty to protect electronically stored or transferred confidential client information).
[4] Much of the content below making particular suggestions for precautionary actions by law firms was taken from two excellent articles: Seth L. Laver, Understanding and Protecting Against Cyber Risk, For The Defense (DRI’s Monthly Magazine), July 2012 at 46–49 and Rene L. Siemens and David L. Beck, Cyber Insurance—Mitigating Loss from Cyber Attacks, Perspectives on Insurance Recovery Newsletter, Summer 2012. Both articles are recommended readings that provide detailed discussion of many of the issues raised in this article.