As cyberattacks increase against Nevada law firms, lawyers have a heightened duty to regularly assess firm security practices and data breach protocols. It’s no secret that state-supported cyberhackers target law firms of all sizes, holding sensitive and confidential client information for ransom. The nature of legal practice provides hackers with a trove of valuable information. And a lawyer’s duty of confidentiality means that the incentive to pay the ransom is high. No wonder hackers appear to be in relentless pursuit of lawyer data. Law firms present an attractive, and often an easy, target.
Beyond compliance with Nevada’s data breach laws, what are our requirements as lawyers, both with respect to implementing cybersecurity measures and remediating a breach? The Nevada Rule of Professional Conduct 1.6(c) requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information related to the representation of a client.” But Rule 1.15 on safekeeping property also comes into play for cases where information may not be disclosed but instead may be lost, as in a ransomware attack.
What constitutes reasonable efforts? The comment to Rule 1.6(c) provides factors to be considered, including “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.” From an ex-post perspective, these factors could justify most cybersecurity configurations, provided some effort is made. But ex-ante, they provide little help in identifying concrete measures for prevention.
The “cybersecurity pillars” of “people, process, and technology” provide good guidance for firms. First, training people is vital. Most cyberattacks involve social engineering, in which someone falls for a phishing email or similar scam and unintentionally gives the hacker access to the system. Checking email addresses to confirm the sender is legitimate, not opening attachments from unknown individuals, and not providing credentials or codes via email or over the phone are just a few steps that, if consistently taken, can prevent social engineering attacks.
With regard to process, firms should define, document, and adhere to a course of action for things like wiring funds. A hacker who gains access to a system can, for example, send impersonating emails changing the wiring instructions for funds. A process that requires verbal confirmation of wiring instructions using known telephone numbers can detect unauthorized changes, avoiding a loss of client funds in violation of Rule 1.15.
From a technology perspective, strong firewalls, consistent and timely patching of systems, antivirus protection, and use of multifactor authentication are just a few of the steps that can be taken to harden the law firm technical environment. With the advent of cloud computing, using hypercloud services that monitor for attacks is generally safer than trying to manage and maintain an on-premises environment, as counterintuitive as this may seem given how lawyers have traditionally maintained documents and files.
What about after the attack has occurred? The ABA has provided guidance in Formal Opinion 483, Lawyers’ Obligations After an Electronic Breach or Cyberattack. Firms should develop a “comprehensive incident response plan.” Frequently such plans require hiring a third-party mitigation expert. Additionally, the communication requirements embodied in Rule 1.4 require attorneys to notify clients when data is lost, disclosed, or improperly accessed.
Paying ransom is also a consideration. It is not in itself a criminal act, but the recipient of the ransom could be sanctioned, which is increasingly common given the sanctions applicable to Russia, where many hacker gangs are based.
Finally, insurance is a consideration. Malpractice insurance will not usually cover cyberattacks, but cyberliability insurance (including ransomware payment) is available, including through the ABA. Given the rise in attacks, such insurance has become more expensive, with more exclusions, but may still be valuable if the worst happens.
In sum, law firms have a duty to simultaneously prevent and prepare for cyber intrusions. In the event of a breach, law firms must undertake a prompt and thorough investigation, usually conducted by mitigation experts. Lawyers must also disclose the breach, which may help further mitigate the damage to both the client and the firm.
About this article: This article was originally published in the “Cyber Law” issue of Communiqué, the official publication of the Clark County Bar Association (October 2022). See https://clarkcountybar.org/member-benefits/communique-2022/communique-october-2022/.
About the author
Jessica E. Brown, Esq. is an Associate at John Cotton and Associates where her practice focuses on professional liability defense, commercial litigation, and appeals. Before becoming a lawyer, she was a technologist and developer.
© 2022 Clark County Bar Association (CCBA). All rights reserved. No reproduction of any portion of this issue is allowed without written permission from the publisher. Editorial policy available upon request.