This is the third post in a month we've dedicated to the topic of law firm data security, and for good reason. These are scary times, folks. The breach that is now widely known simply as The Panama Papers showed that the nightmare scenario many had long predicted is now a reality: a hacker has cracked open a major law firm's IT framework like a piñata and strewn its contents across cyberspace.
It is common knowledge that law firms are low-hanging fruit for cybercriminals because, as legal ethics expert Eli Wald told us recently, they handle the valuable distillate of all the sensitive information their clients possess. In other words, law firms are clearinghouses for the world's most sought-after business secrets, which makes it doubly scary that their security infrastructures are thought to be vulnerable both to bad actors and to run-of-the-mill human error.
In this, the second part of our conversation with Wald, a former attorney who now teaches at the University of Denver Sturm College of Law, he explains why law firm clients have little recourse in addressing a data breach, and the consequences of that lack of accountability. The third and final part of the interview will be posted later this week.
Logikcull: We’ve established the reasons why law firms are perhaps more vulnerable to data breach. In what specific areas do you think they're at most risk? We deal mostly with discovery and see a lot of gaps in that process. But what other areas would you say are ripe for breach?
Eli Wald: I think we already touched on the primary area, which is people. Law firms are institutions where the primary asset is people, and people tend to make mistakes, either because they’re not as familiar with cybersecurity or because they haven’t been trained appropriately, or both. We see this, for instance, in the rise of successful phishing attempts.
Do law firms have issues with equipment and infrastructure? With lawyers downloading, surfing, using external drives, and logging in from insecure sites? Yes, of course. I think that the one issue that good law firms must address is insufficient training, and lack of follow-up to that training. So to come full circle to where we started, law firms are increasingly aware of cybersecurity threats, but what they lack is a better appreciation of what those threats are and what to do about them.
"LAW FIRMS ARE INCREASINGLY AWARE OF CYBERSECURITY THREATS, BUT WHAT THEY LACK IS A BETTER APPRECIATION OF WHAT THOSE THREATS ARE AND WHAT TO DO ABOUT THEM."
The second most important factor, and you alluded to it before, is the lack of accountability and even liability such that law firms are often able to get away with insufficient, inappropriate conduct. And because there are insufficient incentives to get lawyers to alter their unsafe cyber ways, it is not, to me, a huge surprise that, when a breach does occur, the mitigation and follow up is below par.
"THERE IS A LACK OF ACCOUNTABILITY... SUCH THAT LAW FIRMS ARE OFTEN ABLE TO GET AWAY WITH INSUFFICIENT, INAPPROPRIATE CONDUCT."
Logikcull: One of the things that you write about in your paper is that it’s very hard for clients who have suffered data breaches at the hands of their law firms to actually pursue malpractice cases. Can you tell us a little bit more about why that’s the case?
Wald: The thinking here is that, if lawyers fail to secure their clients' information, clients will find out, get upset, and perhaps sue them. That’s one way to address the malfeasance of lawyers. You can also fire them, or fail to hire them again.
When clients sue lawyers for negligent conduct, we call that malpractice. But, even for the non-lawyers among us, a quick crash course in malpractice will amount to realizing that a successful malpractice cause of action consists of four elements. They are really intuitive.
First, you have to show that the lawyer owed a duty. For our purposes, if an attorney represents a client, that usually establishes what we call the "privity requirement," or the existence of a duty requirement. So we've checked that box.
The second component is breach of that duty, meaning, in plain English, the lawyer did something wrong. The lawyer was negligent. The lawyer’s conduct fell below a standard of care. In this case, it is not necessarily easy (to show a lawyer was negligent), but if you could produce an expert, and you can document what the lawyer or the law firm did, or failed to do to secure the data, a client is likely to be able to navigate his or her way through the element of breach.
But what clients are often unable to do is meet and satisfy the third and fourth elements of a successful malpractice suit. The third is causation of damages. What does that mean? It means that a successful plaintiff would have to show that the client would not have suffered damages if not for the lawyer’s negligence. And then if you can show damages, you proceed to the fourth element: show exactly what harm was done to you.
"IT'S NO SURPRISE TO SAY THAT CLIENTS OFTEN WILL NOT BE IN A POSITION TO BE ABLE TO SUCCESSFULLY PROVE CAUSATION AND DAMAGES."
But for those of us who are well-versed in cybersecurity, it's no surprise to say that clients oftentimes will not be in a position to be able to successfully prove causation and damages. Why? We know that, often, when a breach occurs, an attack took place and we know what underlying information was compromised. But we often don't know who was the perpetrator. And we don't know exactly how the information was compromised. We don't know if, for example, it was just copied, and if so, how so and for what purpose, or how it was used.
So a client often knows that a breach has taken place, but it simply doesn't know enough to establish causation and damages. As a result, malpractice liability is rare. Not just for lawyers -- it's also rare when it comes to corporate entities and service providers who are responsible for maintenance of information. And for the very same reason, it’s hard for a successful plaintiff to show causation and damages.
Logikcull: So you have all these unknowns, as you say, when it comes to proving causation and damages. Another thing you mentioned is that you have to show your counsel fell below some standard of care. It has been argued that it is also hard to show a lawyer fell below a standard of care because, when it comes to cybersecurity issues, there really is no standard of care. There’s no bright line demarcation that says "this is the standard of care you have to meet in protecting your client's data." What are your thoughts on that?
Wald: So actually, in this regard, there is some good news. You were asking a few minutes ago about the role of the ABA in holding lawyers to a higher standard of care. We've already said that malpractice claims may not pose a way forward. Maybe one possible way to move forward is through additional regulation by the ABA and other bar organizations.
"MALPRACTICE CLAIMS MAY NOT POSE A WAY FORWARD. MAYBE ONE POSSIBLE WAY TO MOVE FORWARD IS THROUGH ADDITIONAL REGULATION BY THE ABA AND OTHER BAR ORGANIZATIONS."
In fact, the ABA has actually already introduced revisions to its Model Rules of Professional Conduct. And some of the revisions go to the core of exactly what you asked me about. That is, the ABA has formulated rules that attempt to, in fact, define the very standard of conduct that lawyers must follow.
Specifically, the ABA has revised Rule 1.6, which deals with confidentiality. It has added subsection 1.6(c) that specifically spells out the responsibility of lawyers to protect confidential submissions of clients against “unauthorized access.”
For those who are not familiar, the ABA also provides comments to rules that explore and further delineate the rule. In new comments to this new subsection, 1.6(c), the ABA begins to spell out the standard of care that is referred to as "reasonable measures." The short version is, rather than impose strict liability on lawyers and say that "every time client information has been compromised, we will infer that the lawyer was negligent," the rule attempts to set a negligence standard such that lawyers will be liable for a breach of the standard of care when they fail to take reasonable measures to protect the confidential information of the client.
"THE (ABA MODEL RULE) ATTEMPTS TO SET A NEGLIGENCE STANDARD SUCH THAT LAWYERS WILL BE LIABLE FOR A BREACH OF THE STANDARD OF CARE WHEN THEY FAIL TO TAKE REASONABLE MEASURES TO PROTECT THE CONFIDENTIAL INFORMATION OF THE CLIENT."
I actually think the negligence standard here works well. All of us well versed in cyber-technology and cybersecurity are aware that the possibility of protecting information 100% of the time is slim to none. And even if we could protect information to a significant degree, say close to 100%, the cost of doing that would be quite prohibitive to doing business. So I think that the approach that the ABA now follows -- the approach that it now suggests to the various states that follow and incorporate the rules into their state laws -- is common sense.
If you missed the first part of our interview with Professor Wald, it can be read here. To learn more about how you can secure your client’s data in the age of cybercrime, visit our free resource library here.