Double Jeopardy: How Law Firms Can Suffer Twice From a Cyber Attack
In September 2010, China-based hackers, determined to derail an Australian company’s acquisition, attacked one computer network after another, trying to find a weak point. Eventually, they found it – not in the Australian company, or in the potential target, but in the law firms handling the deal. They hit seven law firms, culling their clients’ sensitive information and other client confidences.
Such attacks are becoming increasingly common. Whereas companies have become more sophisticated and vigilant about protecting their own and their customers’ confidential information, attorneys lag behind, making them the weak link in the data security chain. A 2020 ABA survey reported that “the number of firms experiencing a security breach (such as a lost/stolen computer or smartphone, hacker, break-in, website exploit) increased over the prior year; 29% of respondents compared to 26% in 2019.” The same survey showed that only 34 percent of respondents maintained an incident response plan.
Although the link is weak, the data behind it is valuable. Through their confidential relationships with clients, attorneys hold inside details on patents, mergers, medical records, and other personal information. Much of this information is subject to a host of regulatory protections, including HIPAA (health information), GLBA (financial institutions), FERPA (education), COPPA (online minors), and a wide variety of state privacy and consumer protection laws. With it, a business rival can outmaneuver a competitor, or a hacker can blackmail an individual from half a world away. As the FBI warned law firms, “Hackers see attorneys as a back door to the valuable data of their corporate clients.” Bill Gardner and Valerie Thomas, Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats (2014) at 27.
From the client’s perspective, this is inexcusable. The practical consequence is obvious: no client spends money fortifying its own computer defenses only to hand its data to a vendor with the cyber equivalent of an unlocked door.
Moreover, an attorney’s neglect in this regard can also expose the attorney to legal and ethical consequences. In 2012, the American Bar Association amended its rules to provide that lawyers “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology . . . .” Model Rule 1.1 cmt. 6. A growing number of states have signed onto this amendment, including Arizona, Arkansas, Connecticut, Delaware, Idaho, Kansas, Massachusetts, Minnesota, New Mexico, North Carolina, Ohio, Pennsylvania, West Virginia, and Wyoming. Additionally, the State Bar of California has issued Formal Opinion Interim No. 11-0004, which provides that “[m]aintaining learning and skill consistent with an attorney’s duty of competence includes ‘keeping abreast of changes in the law and its practice, including the benefits and risks associated with technology.’” See also New Hampshire State Bar Advisory Opinion #2012-13/4 (“Competent lawyers must have a basic understanding of the technologies they use. Furthermore, as technology, the regulatory framework, and privacy laws keep changing, lawyers should keep abreast of these changes.”).
The ABA emphasized these obligations in October 2018, when it issued Formal Opinion 483. According to the ABA, an attorney must “stay abreast of changes in technology, and . . . properly supervise other lawyers and third-party electronic-information storage vendors [that] may suffer a data breach.” If a data breach occurs, whether directly at a law firm or at one of its vendors, the Opinion states that attorneys “have a duty to notify clients of the data breach under Model Rule 1.4 in sufficient detail to keep clients ‘reasonably informed’ and with an explanation ‘to the extent necessary to permit the client to make informed decisions regarding the representation.’”
With this increasingly accepted standard in effect, it will be easier than ever for plaintiffs’ counsel to hold attorneys liable for data breaches. See, e.g., Jason Shore and Coinabul, LLC v. Johnson & Bell, Ltd., Case No. 16-cv-4363 (N.D. Ill. filed April 16, 2016) (complaint against law firm for failure to safeguard client data). With 46 states and three US territories having enacted breach notification requirements, law firms cannot hope to escape responsibility by failing to disclose an incident.
Such neglect may also trigger government action. The FTC has long asserted the authority to hold data breach victims accountable for the harm the breach causes the victims’ customers. FTC v. Wyndham Worldwide Corporation, 799 F.3d 236 (3d Cir. 2015). In Wyndham, the Third Circuit allowed the FTC’s claim to proceed that Wyndham had engaged in “unfair” cybersecurity practices that “unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” The practices alleged included failing to use firewalls, storing unencrypted payment card information, not fixing known security vulnerabilities on the company’s servers, not changing the default user IDs and passwords for those servers, and not requiring complex, difficult-to-guess passwords. Id. at 8-10. As a result of these failures, the FTC alleged, Wyndham exposed its customers to three cybersecurity attacks that compromised customer payment data, payment card account numbers, and other customer data.
The FTC asserted jurisdiction over Wyndham’s actions through Section 5 of the Federal Trade Commission Act of 1914, which declares unlawful “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a). Wyndham argued that the FTC Act did not grant the FTC jurisdiction over data security practices, but the Third Circuit was unconvinced. As that court remarked:
A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business.
Id. at 17.
The FTC has relied on the authority confirmed in Wyndham to bring enforcement actions against other companies that have suffered data breaches. In December 2016, the operators of the website Ashley Madison agreed to a settlement based on inadequate security practices that allowed hackers access to its customer databases. Similarly, in April 2018, Uber agreed to a settlement for its failure to disclose significant consumer data breaches in 2014 and 2016.
Given the FTC’s successful assertion of jurisdiction over a hotel chain, there is no apparent reason it would not enjoy similar success if it turned its attention to a law firm that suffered a similar cybersecurity breach. Just as Wyndham allegedly “published a privacy policy to attract customers,” law firms promise to keep their clients’ information confidential, both explicitly and implicitly: explicitly through their assurances, and implicitly through the confidentiality rules that govern all attorneys.
The SEC may also join the action. In September 2015, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert notifying financial services firms of their responsibility to protect customer data. Of particular interest to law firms is the OCIE’s focus on “Vendor Management,” wherein the OCIE noted:
Some of the largest data breaches over the last few years may have resulted from the hacking of third party vendor platforms. As a result, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms. Examiners may assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.
National Exam Program Risk Alert by the Office of Compliance Inspections and Examinations, Volume IV, Issue 8, September 15, 2015 at 2. Thus, the federal government is pressuring clients to ensure that their vendors – including their attorneys – are complying with all appropriate data security measures.
The SEC emphasized this point in February 2018, when it issued a Commission Statement and Guidance on Public Company Cybersecurity Disclosures (2018 Guidance). The 2018 Guidance applies general securities law to explain when the SEC believes a publicly traded company should disclose cybersecurity risks and incidents. These guidelines turn on whether the occurrence could be considered “material” and on the risk factors relating to such occurrences (including the probability of an occurrence and the potential magnitude of cybersecurity incidents). The SEC also noted that a company has a duty to update and correct any cybersecurity disclosures it has made.
Attorneys tend to take a lax attitude toward their data security, but that attitude must change. Cybersecurity threats are increasing, and the federal government is asserting its jurisdiction over private entities that do not properly secure their customers’ data. Outside or in-house counsel who do not meet their clients’ data security expectations may find themselves losing clients, at the wrong end of a government enforcement action, or both.
Sean Griffin litigates contract and fraud cases in Virginia, Maryland, and the District of Columbia. You can reach him via email at sgriffin@dykema.com or by phone at (202) 906-8703.