Law Firms and Data Breaches: Sensitive Data and Dangerous Practices

Posted by Mark Greisiger

A Q&A with Jay Edelson of Edelson PC

Hacking incidents at law firms have led to major data breach events in recent months. Even as all law firms store and handle sensitive client data, many of the smaller organizations tend to lack robust cybersecurity policies and procedures. I spoke with attorney Jay Edelson of Edelson PC about the cases he is bringing on behalf of plaintiffs and what law firms should be doing to avoid or minimize these events.

Why are law firms particularly prone to data breach incidents?
Law firms are prime candidates for data breaches for many reasons. They tend to have lax security and they tend to hold the most sensitive data of their clients. And while hackers know they can’t get information about people from a well-protected company like Google, they can get the same information through the law firms representing those clients. A lot of firms talk a good game but they have huge vulnerabilities. We have seen a couple of noteworthy examples of firms being hacked, and now with the Panama Papers we see how these incidents can create a host of problems for noteworthy people.

Are clients of law firms that may have had private information exposed contacting you to bring a case on their behalf?
Yes, we have cases on file right now. Over the past year our firm has been investigating a number of sectors, including the legal industry.

What are the specific damages being sought? Is it loss of IP, reputational damage, loss of PII or private medical information, theft of client funds, or something else?
Our suits are focused on getting injunctive relief to fix existing vulnerabilities and for damages. Our primary theory for damages is an overpayment theory—the idea that when clients pay for a law firm’s services their expectation is that the information will be protected. If it’s not, they have lost some of the value of what they paid for. This theory has been accepted by a number of courts throughout the country.

Law firms are notorious for not complying with state notification laws when they have a breach. How do you explain this?
We’re not suing for failure to comply with state breach notification laws, but I can say that my general sense is that they’re taking a narrow view of what the notification laws require, and that’s becoming an issue with regulators and state AGs.

What kind of discovery would you expect to ask for from a law firm in a breach case in light of attorney-client privilege?
When a former client brings suit the attorney can’t assert attorney-client privilege, and we’re not seeking to gain attorney-client information about other people in the class. What we are interested in largely is learning about the firm’s security procedures. We don’t have any interest in doing a deep dive into case files.

Is a breach at a law firm more than a violation of ethics rules?
Yes, we think that, depending on the circumstances, it can constitute legal malpractice. In certain instances, a breach in and of itself can mean the firm violated ethics or acted negligently. The real question is whether they took reasonable steps to protect the confidentiality of client information, and whether it constitutes malpractice or breach of contract or otherwise entitles former and current clients to damages. If the firm isn’t following best practices, then it’s going to be low-hanging fruit for hackers.

What should law firms do to meet due diligence standards to protect their clients’ private information?
We can’t give blanket advice, as it really depends on what kind of information the law firm has. If there are sensitive health records or data that can be used for insider trading, the firm has a duty to protect that information. The top 20 largest firms have good procedures and are taking it seriously. Beyond that, we’re seeing firms that are not being thoughtful about security at all—if they did the most basic audit they would find problems. We also see firms where there are good policies in place but the lawyers simply don’t care and do whatever they want. You can have a very smart IT security policy but if you have a 65-year-old rainmaker who can’t use his laptop the way he wants to, it becomes a hard sell. I think we’ll see this change as the repercussions affect these people who ignore the protocols. Lawyers should realize that they need to honor their duties to their clients.

Are these firms giving their clients cybersecurity advice that they’re not following themselves?
Yes, we have seen examples of attorneys who gave very public advice and acknowledged that law firms would be targets for hackers yet who are not just negligent but reckless in their own practices. There’s a false sense of security for law firms. One reason is that this hasn’t happened to that many people in our industry. Secondly, these cases are typically filed under seal so as to not alert hackers of existing vulnerabilities. Some people in the industry would be surprised about what’s been happening but hasn’t yet come to light publicly. We expect this to change over time. In healthcare, for example, you are simply not allowed to practice if you don’t follow HIPAA and the same should be true for lawyers. These are the types of arguments we look forward to making in front of a jury.

In summary…
We want to thank Mr. Edelson for his expert insights into this issue. Jay and his colleagues often speak at the NetDiligence® Cyber Liability Conferences, and are crowd favorites. It is universally agreed, especially in the cyber liability insurance community, that the legal sector carries tremendous cyber risk for the many reasons Jay described. Firms store and communicate vast amounts of sensitive client data, from PII to IP and trade secrets, all of which is very attractive to hackers. Too often, basic security controls like encryption are missing. Protecting these information assets requires daily vigilance, whether the data resides in logical nodes such as databases or outside the law firm walls (e.g., with a cloud provider, on laptops at home, etc.). Maintaining an inventory of both systems and data locations is a critical step in any data security strategy. Finally, knowing this sector is being targeted, it makes sense for law firms to work with a broker and insurer to ensure that they have the right cyber liability coverage in place.