The Cybersecurity phenomenon has changed the risk management paradigm for many enterprises, especially those in the practice of law. Modern-day cyber attacks present an existential threat to certain fundamental principles of the attorney-client relationship, including the duties of competence and loyalty, two of the many bedrock duties that every attorney owes to their clients. And against this backdrop, generally speaking, the entire bar has demonstrated that it is frighteningly vulnerable and unabashedly exposed to such risks. In fact, in recent years, several iconic law firms – Weil, Gotshal & Manges LLP, Cravath, Swaine & Moore LLP and, most recently, DLA Piper – have all been publicly hoodwinked and suffered well-publicized cyber attacks in which either data was compromised (including privileged data and inside information) or operations (including ongoing and time-sensitive legal matters) were halted. Each of these breaches will have exacted an immense quantum of damage on the law firm targeted by the attack, yet these liabilities will undoubtedly pale in comparison to those of its clients, the very parties that pay these firms to protect them.
The most recent of these breaches was the June 2017 attack on DLA Piper, one of the mightiest legal titans on the planet, in which the firm was completely shut down and operationally crippled by the latest Petya/NotPetya ransomware attack. DLA Piper is one of the largest global law firms today, with over 4,000 attorneys, and is the epitome of a growing, sophisticated and successful firm. And yet, operations were halted, and communication channels and data flows were rendered utterly frozen by the attack. Ironically, DLA Piper has its own Cybersecurity practice group.
DLA Piper appears to have slowly recovered, and is presently back online. However, one must wonder about the gravity and extent of the internal damage sustained by the firm and its clients, even with their internal Cybersecurity SWAT-team and native, on-hand expertise. After yet another prestigious and seemingly untouchable global law firm has been proven vulnerable to such an attack for the whole world to see, perhaps other law firms will see this as a legitimate reason to review their Cybersecurity policies immediately. But let’s not get our hopes up too soon.
Over 80% of the 100 largest firms in the US have been hacked since 2011. And the discovery of these breaches is far from immediate: it takes 204 days on average for a firm to detect a breach. With the shockingly high number of breaches and the length of time that they can remain hidden, it is even more startling to learn that three out of four law firms report that they have made no effort to determine the enormous risks posed by a potential breach. The number of reported breaches only appears to increase with the size of the firm, perhaps due to the larger scale of data and technology that is exposed. And breaches have meaningful impacts on operations; the ABA 2016 Survey revealed that 37% of surveyed law firms reported downtime and loss of billable hours after having sustained a security breach.1 With regard to the actual damages caused by such breaches, experts agree that the extent is simply too great to quantify in a meaningful and accurate way.
This empirical data illustrates the unmistakable reality that law firms are, simply put, under attack. These attacks are often designed to, among other things, extract the valuable client data such firms maintain. These data pools are, by their nature, entirely confidential, if not ‘privileged’. And since all experts believe that breaches are inevitable, it follows that every piece of data is vulnerable to infiltration or theft. These data sets are, of course, subject to fundamental duties of protection and confidentiality owed by their custodian (i.e., the lawyer) to the clients (and notably, these protections are baked into the hourly rates being charged by these law firms). We postulate here that these attacks effectively undermine an attorney’s ability to serve a client competently, pursuant to the basic canons of legal ethics and the fiduciary, legal and other duties every lawyer owes to their clients.
Consider this: “A fundamental principle in the client-lawyer relationship is that, in the absence of the client’s informed consent, the lawyer must not reveal information relating to the representation. … This contributes to the trust that is the hallmark of the client-lawyer relationship.” This principle of confidentiality, as defined by the American Bar Association in Model Rule 1.6 Comment 2, obligates an attorney to not only protect information exchanged between attorney and client, but any information relevant to representation, regardless of the source.2 A client must be able to rely on an attorney’s loyalty and commitment to protecting that information, in order to foster a constructive legal relationship rooted in trust.
In addition to trust, a client must be assured of having retained a competent attorney. Comment 8 of Model Rule 1.1 has been amended to state that in order to provide competent representation to a client, “[t]o maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…” A viable method for an attorney to instill trust in their client and bolster their own competence is to make every effort to protect client data from cyber threats. The Association of Corporate Counsel has developed safety guidelines with respect to cyber security in law firms, “Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information”.3 These guidelines serve as a reference to assist attorneys in making crucial cyber security decisions. However, as Cybersecurity Risk Management is a faceted, multi-disciplinary issue involving not just ethical considerations but IT, technology, governance, security, educational and vendor management challenges, law firms are better served to take a breath and commit to engaging in a comprehensive, thoughtful planning exercise with Cybersecurity experts who understand the legal services industry and the unique – and we believe existential – threats that cyber attacks pose to law firms in the modern era.
And yet the attacks continue. The price these law firms will be forced to pay may, at some point, be on par with the greater magnitude of losses sustained by their clients. Until there is real recognition of this systemic risk by the bar and actual reforms are instituted, more attacks will follow, more reputations will be ruined and more clients will be left holding the bag, trying to understand the full extent of the damages they will have sustained.
John Araneo, General Counsel and Managing Director of Align Cybersecurity
John Araneo is Managing Director and General Counsel of Align Cybersecurity. John also remains a practicing attorney with Cole-Frieman & Mallon, LLP, a firm that represents over 600 asset management clients and launches approximately 70 private investment funds annually. Having followed the regulatory initiative on cybersecurity in the alternative asset management space since its inception, John is an established author, cybersecurity expert and well-known thought leader on the legal, regulatory and governance issues related to cybersecurity.
1 Ries, David. “Security.” American Bar Association – TechReport 2016: Security. Web. 13 July 2017. http://bit.ly/2tN7dty.
2 Michmerhuizen, Sue. “Confidentiality, Privilege: A Basic Value in Two Different Applications.” American Bar Association. May 2007. Web. 17 July 2017.
3 Association of Corporate Counsel. “ACC Issues Guidelines for Law Firm Cybersecurity Measures.” ACC – Association of Corporate Counsel. 29 Mar. 2017. Web. 17 July 2017.