Are We Taking Data Security Seriously Enough?

Every litigator should be able to give a positive answer to the following question: “Did I do everything reasonably possible to protect my clients against the loss of information they entrusted to me?”

Although most attorneys would find the question well-timed and entirely legitimate, the unfortunate reality is that many law firms are not taking data security seriously enough. The problem is particularly acute during the ongoing COVID-19 pandemic, when the rush to remote work has significantly increased the risk of unauthorized access to client information.

ABA: Lawyers Must Improve Data Security

According to the American Bar Association’s 2020 survey of technology use among law firms, only a minority of law firms employ widely recommended data security technologies and practices.

The ABA survey found that just 43% of firms use file encryption, 39% use email encryption, 39% use two-factor authentication, 23% use employee monitoring, and 29% use intrusion detection technologies. Lawyers who neglect to adopt these measures not only increase their risk of mishandling client information but also deprive themselves of knowledge that a data breach has occurred. “The 2020 Survey largely reflects incremental progress in areas fundamental to adequate security, in an age which cries out for a much more robust response by the profession to the challenges at hand,” the survey authors noted.

The consequences for lax data security practices are varied in nature but uniformly severe: 

• diversion of firm revenue for hefty breach investigation and remediation costs
• the burden of compliance with state data breach notification statutes
• negative publicity and other reputational harms
• client lawsuits for money damages
• the dubious honor of being memorialized in a best-selling book and motion picture starring three-time Oscar winner Meryl Streep

Sealed Documents Exposed on Federal Case System

And then there’s this recent news. Hackers operating from Russia have compromised the federal court system’s electronic case-management system, potentially exposing the contents of sealed attorney submissions in federal court litigation. Sealed federal court filings on the federal Case Management/Electronic Case Files system (CM/ECF), which often include deposition transcripts in support of pretrial motions, contain a wealth of intellectual property and proprietary information that parties do not want exposed to public view.

Until the incident is thoroughly investigated, lawyers filing sensitive or sealed information should use paper or secure thumb drive devices, the U.S. Judicial Conference said in a January 6, 2021, emergency order. Federal district courts have leeway to craft local solutions, and some have done so in recent days (e.g., Modified Procedures for Highly Sensitive Documents (S.D.N.Y., Jan. 8, 2021) (PDF) and In Re: Procedures for the Filing, Service, and Management of Highly Sensitive Documents (E.D.N.C., Jan. 8, 2021) (PDF)).

The prospect that hackers have gained access to client information raises interesting legal questions regarding whether lawyers who used the CM/ECF system have an obligation to notify clients that their information, filed under seal, has been obtained by third parties.  

Data Breach Prevention Strategies

For law firms, the first line of defense is to prevent the occurrence of a data breach. A widely publicized 2019 analysis of public data breach notifications highlights several measures that firms should be adopting if they have not done so already. According to the ABA Journal, an analysis showed that more than 100 firms, large and small, had been victimized by a combination of phishing attacks, network intrusions by hackers, and vendor security shortcomings.

Phishing attacks are premised on human engineering, such as requests for information from someone with apparent authority or by tricking the victim into clicking a link that delivers malware or collects login information. Training law firm personnel to recognize phishing attacks is an effective means to combat these types of network vulnerability.

Phishing emails continue to account for the vast majority of attacks on organizations and continue to be effective at delivering malware, viruses, harvesting login credentials, and triggering other fraud schemes such as the business email compromise. One of the most effective ways to combat the threat of phishing emails is by training members of the workforce to recognize phishing emails and then having regular exercises to test them by sending fake phishing emails to see who is clicking on the links or otherwise falling for the phishing email.

Unauthorized intrusions occur when third parties gain access to client information stored on a law firm network, a laptop or tablet device, or a smartphone. Two-factor authentication, file encryption, and email encryption are effective, easy-to-deploy tools to prevent unwanted access to client information. Law firms that believe they must allow remote access to the firm’s network should use secure virtual networking technologies (VPN) with care, as well as ensure that anyone accessing client information on the network is thoroughly trained in the safe use of these tools.

Network technology vendors should be chosen with care (of course), but specifically with an eye toward the level of security they provide for client information stored and transmitted over their systems. Relevant considerations to weigh when selecting a network technology vendor include recommendations from other law firms, ease of use by firm personnel, past experience with data breaches, vendor service level assurances, and incident response time. The availability of indemnification in case of intrusion and data loss should also be explored.

It is important for law firms to scrutinize not just the firm’s network technology providers but all outside vendors that handle client information. Proprietary information, business secrets, and valuable intellectual property are frequently shared during pretrial stages of litigation. This data can be stolen, altered, destroyed or exposed to public view if entrusted to a careless vendor. In the deposition space, for example, vendors should be able to provide, at a minimum,  end-to-end encryption of all data communications and technology that meets federal data security standards for health and financial information.

The American Bar Association’s guidance Securing Communication of Protected Client Information (ABA Formal Opinion 477R) (PDF) is a good place to start for law firms that want to learn more about placing adequate safeguards around client information. Two other helpful guides are Cybersecurity Alert: Tips for Working Securely While Working Remotely (PDF), published by the New York State Bar Association and Esquire Deposition Solutions’ article on the same topic, Information Security Basics While Working From Home. 

Data Breach Notification Duties for Law Firms

Law firms that suffer a data breach must contend with three (possibly four) sources of a duty to notify clients that a data breach has occurred. One is posed by the data breach notification statute in their local jurisdiction, and the second one arises from professional ethics rules.

Relevant data breach notification statutes must be carefully examined to determine if the data breach has caused the exposure of data protected by the statute, and in a sufficient amount to trigger a duty to notify. In some states, small-scale data breaches will not trigger a notification obligation. In others, notice of any breach must be provided to the affected party or the state attorney general, or both. Failure to comply with data breach notification statutes — either through lack of notice or tardy notice — can result in hefty fines.

Law firms may also have an ethical duty to notify clients affected by data breaches. The American Bar Association recently addressed this topic in Lawyers’ Obligations After an Electronic Data Breach or Cyberattack (ABA Formal Opinion 483) (PDF). Opinion 483 defines a data breach as an intrusion that results in the loss of “material client information” or one that “significantly impair[s]” the attorney’s ability to provide legal services. The qualifiers “material” and “significantly” suggest that not all data breaches trigger a duty to notify clients.

However, ethical guidance in local jurisdictions may provide lawyers with less wiggle room. Some attorneys have suggested that, in Maine for example, the exposure of any client information triggers an ethical obligation to notify the client.

Lawyers with large institutional clients may already be under contractual data breach notification obligations. For firms under no such duties, it may make sense to have a frank conversation with clients about data security risks and consider adding language to retainer agreements memorializing that understanding.

Finally, there is a fourth possible reason to notify clients of a data breach: It makes good business sense to do so. As these lawyers note, a client’s trust in the law firm could be undermined if the firm withholds notification of a breach that the client learns about through other sources. That eventuality could lead to lost business and even litigation. On the other hand, some data breaches are so trivial that reasonable minds can fairly conclude that notice to the client is not in the firm’s best interest.

Conclusion

Technology is rapidly changing, as are the threats to client information stored on law firm and judicial networks. These facts account for the lack of strongly prescriptive guidance regarding data security measures. However, the lack of highly specific rules should not be taken as a license for inaction or carelessness. Being aware of everything that we now know about the potential for catastrophic losses as a result of data breaches, the definition of “reasonable” might be “constant organizational vigilance and use of the best technology available.”