Don’t Let Cybersecurity Breaches Lead to Legal Malpractice: The Fax Is Back
By Joseph R. Marconi & Brian C. Langs1
Johnson & Bell, Ltd.
E-mail and wire fraud risks increase in a cloud-based world. Data management safeguards can prevent possible legal malpractice from cyber-security breaches.
It’s cloud’s illusions that I recall
I really don’t know clouds at all…
— Judy Collins
Back in July of 2011, we warned of a then popular e-mail/fraudulent check scheme whereby lawyers would receive e-mails from alleged potential foreign clients looking to collect debts from customers. Those scammers convinced the unsuspecting lawyers to deposit fraudulent “settlement checks” into client accounts and wire the “clients’ share” to foreign accounts after the bogus checks appeared to clear. When the frauds were eventually uncovered by the banks, the lawyers were left with liability to the banks for the fraudulent checks and wire transfers.2 Since then, newer, more complex electronic scams have surfaced whereby hackers intercept e-mails between lawyers and clients that contain wire transfer instructions. After intercepting such an e-mail, the hacker alters the instructions so that the money is wired to an account he controls, typically one that cannot be traced back to him. He then forwards the bogus wiring instructions to the unsuspecting recipient while spoofing the sender’s identity, so that the message appears to the recipient to have come from the correct sender, whether lawyer or client.
Attorneys Present a Target for Sophisticated Hackers & Wire Fraud
Depending on your firm’s sophistication and budget, the type of transaction involved, and the needs of your client, there are some preventative measures that can be considered with regard to protecting your firm and your clients from this and other wire transfer and electronic fraud schemes. Prevention techniques can include hiring a third-party e-mail encryption service provider or sending sensitive wire transfer instructions via facsimile rather than e-mail.3
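The altered-instruction scheme described above leaves several tell-tale marks in the message itself: a Reply-To header pointing to a different domain than the From address, a display name that contains a legitimate-looking address while the real sender address uses a look-alike domain, and bank details that differ from those the firm confirmed out of band (by phone or fax) when the matter was opened. The following Python script, added here as an illustration and not taken from the article or its authors, runs those checks over two constructed sample messages. The trusted client domain and the previously verified routing/account pair are assumptions made for the example.

```python
# Added example: header and body checks for altered wire-instruction e-mails.
# Not code from the article. Sample messages, the trusted domain and the
# verified bank details are constructed for the demonstration.
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed: sender domains confirmed for this client matter at engagement.
TRUSTED_DOMAINS = {"client-example.com"}
# Assumed: (routing number, account number) pairs confirmed by phone or fax.
VERIFIED_ACCOUNTS = {("021000021", "123456789")}

WIRE_KEYWORDS = re.compile(r"\b(wire|wiring|routing|aba|swift|iban)\b", re.I)
ROUTING_RE = re.compile(r"\b(\d{9})\b")
ACCOUNT_RE = re.compile(r"account(?: number| no\.?)?[:\s#]*(\d{6,17})", re.I)
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def _domain(addr):
    """Lower-cased part after the last '@', or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw):
    """Return a list of finding codes for one RFC 822 message (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Replies silently redirected to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to-domain-mismatch")

    # 2. A display name carrying an address from another domain, so that a
    #    mail client showing only the name looks legitimate.
    for embedded in EMBEDDED_ADDR.findall(name):
        if _domain(embedded) != from_dom:
            findings.append("display-name-address-mismatch")
            break

    # 3. Sender domain is not trusted but is within two edits of one that is.
    if from_dom not in TRUSTED_DOMAINS and any(
        _edit_distance(from_dom, t) <= 2 for t in TRUSTED_DOMAINS
    ):
        findings.append("lookalike-sender-domain")

    # 4. Wire instructions whose numbers do not match what was verified out
    #    of band; "our bank has changed" is the heart of the scam.
    body = msg.get_content()
    if WIRE_KEYWORDS.search(body):
        routing = set(ROUTING_RE.findall(body))
        accounts = set(ACCOUNT_RE.findall(body))
        pairs = {(r, a) for r in routing for a in accounts}
        if pairs and not pairs & VERIFIED_ACCOUNTS:
            findings.append("wire-details-differ-from-verified")

    return findings


# Constructed sample: genuine instructions matching the verified details.
LEGIT = """From: Jane Roe <jane.roe@client-example.com>
Subject: Closing funds
Content-Type: text/plain

Please wire our share to the usual account.
Routing: 021000021
Account number: 123456789
"""

# Constructed sample: the intercepted-and-altered message, sent from a
# look-alike domain with a redirected Reply-To and new bank details.
SPOOFED = """From: "jane.roe@client-example.com" <jane.roe@client-example.co>
Reply-To: jane.roe@mail-relay-example.net
Subject: Re: Closing funds - updated wire instructions
Content-Type: text/plain

Our bank has changed. Please wire our share to the new account below.
Routing: 021000021
Account number: 987654321
"""

if __name__ == "__main__":
    print("legit:", analyze(LEGIT))
    print("spoofed:", analyze(SPOOFED))
```

None of these checks replaces the control the article recommends: any change to wiring instructions should be confirmed through a channel other than the e-mail that announced it, such as a call to a phone number already on file or a fax. The script only makes the suspicious message stand out before anyone acts on it.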
This and other even more sophisticated electronic scams are becoming more prevalent. Given the confidential and valuable information passed between clients and their lawyers due to the attorney-client privilege, lawyers’ and law firms’ computer and e-mail accounts have become favorite targets. Whether an attorney transfers or stores confidential client information using password-protected corporate e-mail systems, “cloud computing,”4 third-party off-site network administrator vendors, third-party hosted e-discovery management platforms, or a variety of other electronic data transfer or data storage solutions available through the Internet, the attorney inevitably faces an inherent risk that confidential client information will be susceptible to theft by a hacker or by an unscrupulous third-party employee. In the absence of reasonable, preventative, and precautionary measures, the lawyer also risks losses for the firm and its clients associated with such a theft.
Understanding how and why lawyers and law firms may be exposed to cybercrime is the first step in prevention. Because of the ever increasing capabilities of cloud computing and, with it, the proliferation of everyday use of mobile devices—such as smartphones, tablets, and laptops—lawyers and law firms put sensitive client material at risk simply by falling asleep on the train home or finishing a brief on the redeye. A misplaced smartphone or briefcase can result in serious consequences if a device ends up in the wrong hands. In addition, mobile devices and both cloud-based and in-firm corporate networks and email systems are susceptible to electronic hacking where a hacker will illegally gain access to electronic information using a variety of more sophisticated methods. Law firms and lawyers present a particularly appealing target for hackers because the mandatory confidentiality of the attorney-client relationship creates a virtual treasure trove of sensitive client information—such as social security numbers, medical information, trade secrets, wire transfer instructions, privileged litigation communications and strategy, and internal corporate strategies—much of which can be very valuable to an array of criminal enterprises.
Professional Obligations of Attorneys in the Cloud
Illinois Rule of Professional Conduct 1.6(a) requires a lawyer practicing in Illinois to make reasonable efforts to ensure the confidentiality of client information, including electronically stored client information.5 However, to be competitive in today’s legal services market, lawyers and law firms must utilize the cost-saving and organizational advantages technology allows them to offer recurring and prospective clients. While technology utilization is necessary, the prudent lawyer will also realize that the use of technology to electronically store and transfer sensitive client information necessitates proactive implementation of safeguards that will help in the prevention and defense of this information’s electronic theft. The extent and levels of necessary safeguards will likely be determined by the size of the law firm and its areas of practice, among other considerations. Depending on the specific needs of a firm or solo practitioner, there is a vast selection of cyber security precautions available but every law firm utilizing the technology discussed in this article should at least consider undertaking the following.6
Implement Data Management Safeguards
Every law firm should maintain computer-use policies requiring employees to use and routinely update passwords for e-mail, document management systems, mobile devices, and laptops. Intranets, extranets, and Citrix-like virtual desktops also invariably require password protection. In today’s corporate environments, while all networks and company laptops probably employ anti-virus protection, employees using personal laptops to perform work outside of the office must be required to install similar anti-virus protection. Firm policies should include periodic inspections of mobile devices and personal laptops to ensure that employees do not turn off password and/or anti-virus protection functions out of convenience or technical incompetence. Other safeguards may include limiting who may access particular materials electronically and when they may share, print, or alter data. Finally, every firm’s computer-use policy should communicate to its employees, (1) the seriousness of the firm’s confidentiality obligation to its clients, (2) the very real possibility of a cyber-attack, and (3) the procedure for reporting a potential data breach or suspected disclosure.
Address Firm Data Retention Policies
A law firm likely houses an incredible amount of data through its electronic document management system and its corporate network and e-mail system. It should maintain clear policies regarding the length of time certain types of data will be stored, the strength of security to be maintained for certain stored data, and the procedures for eliminating unnecessary or outdated data. Just as a law firm is routinely required to destroy or shred sensitive hard copy materials, it must have procedures in place to completely remove and destroy sensitive electronic data from firm databases and to destroy unwanted or out of date firm equipment that may have housed sensitive information.
In conclusion, attorneys can and should take the necessary precautions to minimize the likelihood of cyber-security breaches, not only to give their clients peace of mind, but also to better shield themselves from third-party and first-party liabilities if a theft of information or other security breach actually occurs.
1. Joe is a shareholder of Johnson & Bell, Ltd., and the chairman of the business litigation/transaction group and co-chair of the employment group. He appreciates Johnson & Bell associate, Brian C. Langs, for his assistance in the drafting of this article.
2. For the full article, see Joseph R. Marconi and Victor J. Pioli, Lawyers are Increasingly the Targets of Email/Fraudulent Check Schemes, ISBA Mutual Insurance Company Liability Minute, (July 13, 2011 12:46 PM), http://www.isbamutual.com/liability-minute/lawyers-are-increasingly-the-targets-of-emailfraud.
3. For more detailed information and recommendations regarding protecting your firm and your clients from e-mail interception and other types of check and wire transfer fraud, see Ronald Trubiana, Title Agents and Lawyers: Be Wary and Protect Yourselves, THE TRUSTED ADVISOR, October 2010, http://www.atgf.com/tools-publications/trusted-adviser/check-and-wire-transfer-fraud-growth-industry (last visited July 25, 2014); ALTA Best Practices Frequently Asked Questions: Best Practices #3: Email Encryption, ATTORNEYS’ TITLE GUARANTY FUND, http://www.atgf.com/tools-publications/alta-best-practices-frequently-asked-questions (last visited July 25, 2014); Ronald Trubiana, Update from ATG Administration: Five Ways to Reduce Exposure to Wire Fraud, THE TRUSTED ADVISOR, April 2010, http://www.atgf.com/tools-publications/trusted-adviser/five-ways-reduce-exposure-wire-fraud (last visited July 25, 2014).
4. “Cloud computing” can include receiving and sending e-mails on a smartphone or tablet; using a web-based email platform like Gmail, Yahoo! or Microsoft Outlook Web Access; or using products like Google Docs, Microsoft Office 365, Dropbox, SharePoint intranets/extranets, and Citrix Desktop as a Service (“DaaS”). As Formal Opinion 2011-200 of the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility aptly remarks, “cloud computing is merely a fancy way of saying stuff’s not on your computer.”
5. See Ill. State Bar Ass’n Adv. Op. Prof’l. Conduct Nos. 96-10, 10-01; see also State Bar Ariz. Ethics Op. 09-04; N.Y. State Bar Ass’n Ethics Adv. Op. 842; Mass. Bar Ass’n Ethics Op. 12-03; Pa. Bar Ass’n Form. Op. 2011-200 (all discussing substantially similar versions of subsection (a) of IRCP 1.6, entitled “Confidentiality of Information,” and its applicability to a lawyer’s ethical duty to protect electronically stored or transferred confidential client information).
6. Much of the content above making particular suggestions for precautionary actions by law firms was taken from two excellent articles: Seth L. Laver, Understanding and Protecting Against Cyber Risk, FOR THE DEFENSE (DRI’s Monthly Magazine), July 2012 at 46–49 and Rene L. Siemens and David L. Beck, Cyber Insurance—Mitigating Loss from Cyber Attacks, PERSPECTIVES ON INSURANCE RECOVERY NEWSLETTER, Summer 2012, http://www.pillsburylaw.com/publications/cyber-insurancemitigating-loss-from-cyber-attacks (last visited July 8, 2014). Both articles are recommended readings that provide detailed discussion of many of the issues raised in this article.