“This is not time for firms to keep calm and carry on. The proper response is to freak out.” – Prof. Dan Solove, GWU Law School
While I am not sure that freaking out is, in fact, the only proper response, I think that what Prof. Solove is saying is that ignoring the situation is not going to work very well. We are beginning to see law firms that have been hacked showing up in the news. Firms such as Weil and Cravath have been outed by the FBI. Bloomberg says that 80 out of the top 100 law firms have been hacked. The Russian hacker Oleras has announced he is trying to hack 48 specific law firms. It seems like the handwriting is on the wall.
Professor Solove calls hacking law firms a “gourmet data feast”. Once hackers get in, many law firms have little to no monitoring, so the odds of getting caught are nearly zero. In addition, many firms have no internal access controls, so while associates are not supposed to access files for clients that they are not working on, there is nothing to stop a hacker who is using an associate’s credentials from accessing every client’s data and sending it to a server in Outer Slobovia.
The gourmet data feast comes from the fact that most law firms have hundreds of clients, and the data that they hold may include HIPAA-protected information, non-public personal information, financial information, criminal trial information, civil trial information, merger and acquisition information, insider-trading-protected information and other sensitive files. Hackers’ mouths just water at the thought of it.
Prof. Solove suggests that state laws governing breach of confidentiality, public disclosure of private facts and negligence may be used against attorneys who do not take appropriate steps to protect their clients’ information. Even if the case is not ultimately successful, the reputational damage can be significant.
In the case of HIPAA-protected information, the fines can be very steep. HHS can fine a law firm that holds a client’s protected health information up to $1.5 million per violation. In addition, the client can be fined, because the law firm is now considered a business associate under the HIPAA and HITECH regulations, and if the client does not have a written and signed business associate agreement, the client can be held liable for violating HIPAA as well.
In addition to dealing with the breach itself (paying for forensic investigations, dealing with lawsuits and depositions, reputational damage and regulatory fines), the firm may face ethics complaints from victim clients for failing to adequately protect confidential information.
A client’s trade secrets could be disclosed and I am not sure how you can possibly put that genie back in the bottle.
In addition, the client could be liable too, via vicarious liability. Since the client did not adequately vet the law firm for cyber security risk prior to hiring it, the client gets to share in the responsibility. Assuming this happens, the client could both get sued by the victims and sue the firm.
To really make things messy, the FTC recently sued a company for violating Section 5 of the FTC Act (unfair or deceptive practices) for failing to vet its vendor prior to giving that vendor sensitive information. This means that the FTC could commence an action against your client for your data breach. Under typical FTC consent orders, the FTC will be closely watching your client for a mere 20 years and requiring an external audit every year or two. Who do you think the client is going to turn to in order to recover those costs?
To make matters a little more uncomfortable, the insurance broker Marsh did a study recently and found that only half of the law firms surveyed had cyber risk insurance, and 60% said that they had not calculated the revenue that could effectively be lost following a breach. For the firms that do have insurance, whether the policy would adequately cover the effects of a breach is unknown.
One last thought. Professor Solove has almost 900,000 followers of his LinkedIn blog, in addition to being a law professor at GWU Law School. In the blogging world, that is a ridiculously large following. He is also the organizer of the annual Privacy + Security Forum in Washington, DC. I would suggest that he would likely qualify as an expert.
Information for this post came from Prof. Solove’s company, Teach Privacy.