Cybersecurity events, including hacking, are on the rise at law firms. A major professional liability insurer estimates that as many as 80% of the largest law firms in the U.S. have experienced data breaches recently.[1] Nor is external hacking the only threat faced by law firms. Some data breaches may be attributable to employee negligence, such as a law firm employee leaving a laptop, cell phone or other electronic device in a taxi, car trunk, coffee shop or other public place. Moreover, information stored in the cloud, or transmitted via unsecured servers may be vulnerable to unauthorized intrusions.
As explained below, recent law firm data breaches have included the outside hacking by Chinese nationals into the computers of the mergers & acquisitions groups at two major law firms, resulting in significant insider trading and an enforcement case by the U.S. Securities & Exchange Commission against the overseas nationals (but not the law firms). In addition, former clients of a Chicago law firm have filed a federal class action against the law firm alleging that they were injured because of the firm’s failure to maintain data security.
These alarming developments have been accompanied by an increase in government scrutiny of regulated industries and the lawyers who serve them. In addition, the organized bar has issued recent ethics opinions which may presage a trend toward enhanced vigilance by lawyers on encryption and other cybersecurity requirements. This article will analyze recent developments in lawyer cybersecurity and explain the nascent but growing trend toward stepped-up scrutiny of law firm data protection, including by state ethics regulators and the organized bar.
Recent Law Firm Data Breaches
2016 abounded with news of law firm data breaches, none of it happy. The data breach of Panamanian law firm Mossack Fonseca made international headlines, embarrassing the firm’s roster of affluent and politically powerful clients.[2] This infamous data breach shined an unwelcome spotlight on the Mossack Fonseca firm and its international clients, whom the Panamanian lawyers had apparently helped set up off-shore entities to evade their respective countries’ income taxes on eye-popping wealth.
In March 2016, the Wall Street Journal reported that two major U.S. law firms had been hacked by outsiders running an insider trading scheme seeking to benefit from non-public confidential information about potential mergers and acquisitions by the firms’ clients.[3] The firms were identified as Cravath, Swaine & Moore and Weil, Gotshal & Manges. On December 27, 2016, the U.S. Securities & Exchange Commission announced an enforcement action in U.S. District Court against three Chinese nationals charged with insider trading based on hacked non-public information stolen from two New York-based law firms.[4] According to the SEC complaint, the Chinese hackers targeted the mergers and acquisitions departments of the firms, where they installed malware on the firms’ networks, compromised accounts that enabled access to all email accounts at the firm, and accessed dozens of gigabytes of emails from remote internet locations. Armed with the ill-gotten data, the Chinese nationals went on a trading frenzy in the stocks of the M&A targets, reaping profits in excess of $1 million, at some point moving the markets by accounting for up to 25% of all trades in the target stocks.
And as if 2016 didn’t contain enough bad news for lawyers, on April 15, 2016, a former client of Chicago law firm Johnson & Bell filed a federal class action alleging that the firm engaged in malpractice by its failure to maintain adequate standards of cybersecurity.[5] The class action alleges malpractice in that the firm, which portrays itself as an expert in advising clients about cybersecurity, was itself negligent in protecting its own clients’ data security, by its failure to properly encrypt an online attorney time-tracking system and by its use of a virtual private network (VPN).[6] According to the federal complaint, “Johnson & Bell has injured its clients by charging and collecting market-rate attorney’s fees without providing industry standard protection for client confidentiality.”[7]
Aside from the fact that this is apparently the first client class action against a law firm alleging cyber-insecurity, the Johnson & Bell suit is noteworthy in that the law firm was not hacked and there were no actual known data breaches. Rather, the purported class representatives alleged that they were damaged by the risk that their confidential information might be compromised at some point in the future. After denial of the law firm’s motion to dismiss, the court directed the parties to participate in confidential arbitration, thereby reducing the likelihood that there will be additional reports on the case in the short term.
New Cybersecurity Regulations
As will be explained in the following two sections of this article, primary regulators, particularly in health care, insurance and financial services, have begun to regulate companies in these industries to require specific cybersecurity protections. These industry regulations will indirectly, and in some instances, directly, affect lawyers as service providers to companies in regulated industries. In addition, law firms themselves are directly subject to regulation by courts and the organized bar, which have begun to impose ethical requirements on lawyers to adhere to standards of cybersecurity in order to maintain client confidentiality. As will be seen, the trend is growing toward enhanced scrutiny of lawyers’ cybersecurity measures.
According to financial services attorneys Jeff Kern and Christopher Bosch, financial firms have been obligated to implement cybersecurity measures since enactment of the Gramm-Leach-Bliley Act of 1999.[8] Kern and Bosch write that the Gramm-Leach-Bliley safeguards rule “sets forth high-level cybersecurity directives, but mainly delegates rule-making authority to various government regulators to promulgate information security rules applicable to entities under their respective jurisdictions.”[9] In the financial services sector, information security regulations are promulgated by the Office of the Comptroller of the Currency, the Federal Reserve System, the Federal Deposit Insurance Corporation, and other agencies. Federally regulated broker-dealers, investment companies and registered investment advisors must comply with SEC Regulation S-P, which requires regulated entities to “adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.”[10] In addition, the National Institute of Standards and Technology has issued a non-binding Framework for Improving Critical Infrastructure Cybersecurity, a voluntary risk-based cybersecurity framework.[11]
Nor have state regulators been idle. Massachusetts enacted a pioneering data protection law in 2010 known as “Standards for the Protection of Personal Information of Residents of the Commonwealth,” which requires companies doing business in Massachusetts to encrypt personal data, to retain and store digital and physical records, and to implement network security controls, such as firewalls, to protect sensitive consumer information.[12] The Massachusetts regulations established minimum standards for safeguarding personal information in order to ensure the confidentiality of customer information and protect against threats or hazards to such information.[13] The Massachusetts standards are unique in that they reach across all industries and are not restricted to a single industry. Rather, the Massachusetts law broadly applies to “Every person that owns or licenses personal information about a resident of the Commonwealth,” and requires such persons to develop “a comprehensive information security program that is written in one or more readily accessible parts,” and contains safeguards to protect and encrypt confidential consumer information.[14] The Massachusetts law requires secure user authentication protocols, control of data security passwords, restricted access to active users, unique and complex passwords, and encryption of all transmitted records and files.
New York Governor Andrew Cuomo, in December 2016, announced the promulgation of cybersecurity regulations by the New York Department of Financial Services, effective March 1, 2017. The new DFS rules apply to all entities under its jurisdiction, including insurance companies, insurance agents, banks, charitable foundations, holding companies and premium finance agencies. The New York DFS regulations require encryption of all non-public information held or transmitted by the covered entity, and require each regulated company to appoint a chief information security officer (“CISO”), who must report directly to the board of directors and issue an annual report setting forth an assessment of the company’s cybersecurity compliance and any identifiable risks for potential breaches.[15] Of particular interest to law firms that represent financial institutions is §500.11 of the new DFS regulations, which requires each covered entity to “implement written policies and procedures designed to ensure the security of information systems and non-public information that are accessible to, or held by third-parties doing business with the covered entity.”[16] Thus, covered entities, including insurance companies, that provide access to personal identifying information to third-party vendors must certify not only that their own information systems are adequate, but that the information security systems of vendors with whom they do business are also secure and protected. In other words, vendors who do business with regulated financial service companies will soon be expected to comply with the cybersecurity standards of their represented clients. Nor does the New York DFS rule appear to be an isolated outlier. To the contrary, the organized bar is already advising lawyers to exercise care and scrutiny in protecting clients’ confidential data.
Regulatory Enforcement
Particularly in the financial services industry, regulators have been stepping up their enforcement of cybersecurity breaches, often with significant fines and penalties. For example, the SEC, in 2016, announced a settlement with Morgan Stanley Smith Barney in a case in which over 700,000 customer accounts containing personal identifying information (PII), such as social security numbers and dates of birth, were accessed by a single financial advisor, who decided that it would be a good idea to store these data on his own personal website. The financial advisor sustained a data breach, compromising the confidential customer information, whereupon he was terminated by the firm. Although Morgan Stanley contacted the FBI within two weeks of learning of the breach, the SEC claimed that the firm was responsible for the breach and extracted a $1 million fine.
In a recent financial industry regulatory enforcement action, registered broker-dealer Sterne Agee agreed to pay a fine of $225,000 for its failure to encrypt confidential data on a laptop that was left in a restaurant, thereby exposing the personal identifying information of 350,000 customers. This conduct was found by FINRA to violate Regulation S-P and FINRA Rules 3010 and 2010. Thus, there has been a definite uptick in regulatory enforcement of data breaches.
The Organized Bar and Cybersecurity
Law firms’ clients are not the only entities subject to regulatory scrutiny of their cybersecurity measures. The organized bar is now starting to look carefully at lawyers’ ethical and professional liability responsibilities to ensure the security of client data. Moreover, some jurisdictions, notably Florida, are imposing mandatory continuing legal education requirements for lawyers to learn technology. Lawyers’ duties of competence and confidentiality are embodied in ABA Model Rules 1.1 and 1.6. ABA Model Rule 1.1 provides that: “A lawyer shall provide competent representation to a client.”[17] New York’s counterpart is similar, and further provides, in a comment, that: “To maintain the requisite knowledge and skill, a lawyer should…keep abreast of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information.”[18] A lawyer’s ethical duty of confidentiality is imposed by ABA Model Rule 1.6, which provides broadly that: “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).”[19]
The New York Rules of Professional Conduct further require lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”[20]
California’s Standing Committee on Professional Responsibility and Conduct issued an ethics opinion in 2015 concluding that an attorney lacking required e-discovery competence to handle a complex litigation must either acquire the requisite skill or associate with technical consultants or competent counsel to bring her up to speed on technology.[21] Effective January 1, 2017, Florida has mandated continuing legal education on maintaining technological competence, including use of encryption and other technology to preserve client confidential data.[22]
In March 2017, the New York County Lawyers Association issued its opinion on lawyers’ ethical duty to ensure technological competence.[23] According to NYCLA ethics opinion 749, lawyers are required by the Rules of Professional Conduct to keep up with technological developments, “cannot knowingly reveal client confidential information, and must exercise reasonable care to ensure that the lawyers, employees, associates and others whose services are utilized by the lawyer not disclose or use client confidential information.”[24] Significantly, the NYCLA ethics opinion recognizes a duty on the part of lawyers to prevent unauthorized data breaches:
The risks associated with transmission of client confidential information electronically include disclosure through hacking or technological inadvertence. A lawyer’s duty of technological competence may include having the requisite technological knowledge to reduce the risk of disclosure of client information through hacking or errors in technology where the practice requires the use of technology to competently represent the client.[25]
Thus, the NYCLA ethics opinion suggests that lawyers have more at stake than potential loss of business, embarrassment or professional liability when it comes to maintaining the confidentiality of client confidential information. While this is just a recent development, and there have been no known prosecutions of lawyers or law firms, lawyers should be mindful of their ethical obligations to maintain client confidential data, whether in the cloud, in an email or in a portable device.
On May 22, 2017, the American Bar Association Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477R, which addressed the ethics of “Securing Communication of Protected Client Information.” In its opinion, the ABA eschewed bright-line rules, adopting instead “a fact-specific approach to business security obligations that requires a ‘process to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.’”[26] The ABA opined that the decision whether to use encrypted e-mail is fact-specific, and that “lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters,” based upon a number of enumerated factors, including the sensitivity of the electronically communicated information, the risk of cyber-intrusion and the needs of the client.[27] In addition, the ABA advised lawyers to understand clients’ needs for cybersecurity, to vet outside vendors, and to conspicuously label e-mail communications as privileged and confidential.
Conclusion
As we have seen, law firm data breaches are on the rise, running the gamut from an unencrypted cell phone or laptop left in a taxi or restaurant, up to organized hacking by insider trading rings trading in clients’ stocks. In 2016, we saw the public dissemination of confidential law firm data used to humiliate lawyers and their clients, the first client class action against a law firm alleging malpractice for inadequate data security, and the first Securities & Exchange Commission enforcement action against overseas nationals for hacking into and trading on confidential data pilfered from law firm computers.
2017 has brought us a comprehensive new regulation from the New York Department of Financial Services, which appears to be a harbinger of things to come, as well as new ethics opinions from the organized bar suggesting that lawyers now have an ethical duty to maintain technical competence in order to maintain the security of client confidential information. These developments are forcing law firms to be cognizant of the very real and significant risks they face in the 21st century, and to acquire technology sufficient to keep abreast of their clients’ cybersecurity needs.
——————————————————————–
[*] Barry R. Temkin is a Partner at Mound Cotton Wollan & Greengrass LLP, an Adjunct Professor at Fordham University School of Law and a Member of the New York County Lawyers Association’s Committee on Professional Ethics. The views expressed in this article are those of the author alone.
[1] CNA Professional Counsel, Safe and Security: “Cybersecurity Practices for Law Firms,” HTTP://www.CNA.com/web/wcm/connect/61.
[2] See American Lawyer, April 4, 2016, “Panama Papers Put Spotlight on Law Firm Data Security.”
[3] Wall Street Journal, March 29, 2016, Bloomberg BNA, March 30, 2016.
[4] U.S. Securities & Exchange Commission, Litigation Release No. 22711, December 27, 2016, U.S. Securities & Exchange Commission v. Hong.
[5] Al Faikali, Data Security Law Journal, “Law Firm Data Security: The First Class Action,” December 12, 2016.
[6] Andrew Strickler, “Law Firm Hacking to Breed New Kind of Malpractice Suit,” Insurance Law 360, December 12, 2016.
[7] Andrew Strickler, “Law Firm Hacking to Breed New Kind of Malpractice Suit,” Insurance Law 360, December 12, 2016.
[8] Jeff Kern and Christopher Bosch, “New York State Department of Financial Services Cybersecurity Regulation Poised to Reshape Existing Regulatory Landscape,” Sheppard Mullin Government Contracts and Investigations Blog, January 31, 2017.
[9] Kern and Bosch, supra.
[10] SEC Regulation S-P, Privacy of Consumer Financial Information, 17 CFR §238.40.
[11] https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
[12] 201 CMR 17.00, Standards for Protection of Personal Information of Residents of the Commonwealth.
[13] 201 CMR 17.01, https://www.mass.gov/ocabr/docs/idtheft/201cmr1700.
[14] Id. at 17.03, Duty to Protect and Standards for Protecting Personal Information.
[15] 23 NYCRR §501 et seq. See also Barry R. Temkin, “New Cybersecurity Regulations: Impact on Representing Financial Institutions,” New York Law Journal, December 15, 2016.
[16] 23 NYCRR §500.11.
[17] ABA Model Rule 1.1, Competence.
[18] New York RPC 1.1, comment [8].
[19] ABA Model Rule 1.6(a).
[20] NY RPC 1.0(c); see also ABA Model Rule 1.6(c).
[21] California Standing Committee on Professional Responsibility and Conduct Formal Opinion 2015-193.
[22] FL Rule 6-10.3(b), https://floridabar.org (requiring three credit hours of CLE in “approved technology programs” for every three-year/thirty-three-credit cycle).
[23] NYCLA Ethics Opinion 749, March 2017, www.nycla.org/NYCLA/Lawyersethicsopinions.
[24] Id. at p. 4.
[25] NYCLA Ethics Opinion at 4, www.nycla.org/ethics.
[26] ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 477R, May 22, 2017, at 4 (quoting from ABA Cybersecurity Handbook).