By Natalie Posgate
Staff Writer for The Texas Lawbook
Secret law firm data and confidential client information are increasingly susceptible to hackers and data breaches, exposing law firms to the loss of trust with their clients and potential litigation against the firm.
Even the American Bar Association is about to consider new ethical rules addressing a lawyer’s responsibility during a cyber attack.
The need to keep client information confidential and the exponential growth of technology make a perplexing combination for law firms today because together they can lead to hacking and data breaches, according to panelists at a symposium that the Dallas office of Haynes and Boone hosted Thursday.
The symposium, titled “CyberSecurity in Law Firms – How Real is the Threat?” featured three panelists who spoke to attorneys about the growing threat to law firms’ cyber security: US Attorney Sarah Saldaña; Secret Service Special Agent Steven Bullitt; and Erin Nealy Cox, executive managing director of the international digital risk and data security firm Stroz Friedberg. Haynes and Boone partner Ron Breaux moderated the panel discussion.
The panelists agreed that while the high-tech tools available to lawyers today such as iPads, cloud storage and e-mail on phones are convenient for on-the-go lawyers trying to stay in touch with their clients, all of these gadgets could cause an increased risk of confidential client information being sacrificed to hackers.
“The bottom line is security comes at the price of convenience,” said Nealy Cox, who is a former Assistant U.S. Attorney in Dallas.
Eighty major law firms were hacked in 2011, according to an estimate from Mandiant Corp., a cybersecurity firm based in Alexandria, Va.
Breaux said one main reason that law firms are continually being hacked is that attorneys are constantly dealing with confidential information and are more lax about handling the information than they think.
Some of the most targeted legal information for hacking includes data on merger and acquisition deals, litigation strategy, celebrities and IP information.
According to the panelists, cyber security is not only a threat to law firms but may also have ethical implications for lawyers when it comes to maintaining client confidentiality.
The ABA Commission on Ethics 20/20 proposed a few amendments to the Model Rules of Professional Conduct, which will be discussed at the ABA House of Delegates’ annual meeting in August in Chicago.
The proposals include revising Rule 1.6 by adding a new section that states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Another proposal revises Comment 6 on Rule 1.1 to state, “including the benefits and risks associated with relevant technology.”
Nealy Cox and Bullitt, who previously worked together at the DOJ, presented different kinds of hacks and data breaches that constantly affect law firms. The attacks come in various forms, including:
• Spear phishing: a targeted attack in which the victim receives an e-mail from the hacker who pretends to be someone else. The e-mail includes a hyperlink that looks legitimate, such as a link to change one’s password on LinkedIn. If the link is clicked, the hacker is able to get into that person’s computer system.
• Hacktivism: “Freedom of information” hackers who capture a company’s internal information and distribute it “to show the world that nobody is invincible,” according to Nealy Cox. Notorious hacktivist groups include LulzSec and Anonymous.
• Denial of service attacks: anonymous hacker attacks in which thousands of computers bring down a website. This kind of attack often targets a law firm’s website so that the firm’s IT department stays focused on fixing the website, which allows hackers to breach other parts of the network.
Nealy Cox said that the answer to cyber security threats is more of a process than a product. She believes that one of the most important measures law firms can take is remaining proactive about hackers, because it makes a big difference if the firm finds out it has been hacked 24 hours after the attack versus three years after the attack.
Saldaña agreed that the time frame in which a firm responds to a cyber attack makes all the difference.
“There are two kinds of companies: those that know they’ve been hacked and those that don’t know they’ve been hacked,” Saldaña said.
The panelists provided a few precautionary measures that law firms can take to avoid a cyber attack:
• Make your passwords on your computer as secure and hard to crack as possible. Make passwords with both uppercase and lowercase letters and numbers. Make sure to change your password frequently.
• Avoid using public Wi-Fi when you are handling any confidential client or firm information. This includes Wi-Fi at the airport, restaurants and Starbucks.
• If you use cloud storage or a drop box for work, only upload information that wouldn’t hurt you if hackers compromised it.
• Work with your IT department to implement a plan before your data is hacked.
• Avoid downloading things like screensavers and iTunes on your work computer because they may expose you to hackers.
Bullitt also encouraged the audience to work with the government when a cyber attack occurs despite the fact that it raises questions about keeping confidentiality with clients.
“I urge you to cooperate with these investigators when they come knocking,” said Bullitt, who is also supervisor of the North Texas Electronic Crimes Task Force. “It is very cultural to protect information, but we’re just in a different world. We’re all going to hide and criminals know that and they’ll take advantage of that attitude and culture.”
Arnold Spencer, a Haynes and Boone partner in the Dallas office who attended the panel discussion, thought highly of the presentation.
“Having a plan in place for what happens when you get hacked is incredibly important,” Spencer said. “It’s not a question of if you can be hacked, it’s a question of when. Data breach will become the crime of the 21st century.”