Under [Cybersecurity] Pressure: Law Firms are Feeling the Pressure to Employ Effective Cybersecurity Measures
To say that much has been written about data breaches over the past several years would be to state the obvious. Every industry, sector, business size, and geographical location has in some way been impacted by data breaches and the increasing need for better and more effective cybersecurity and data privacy measures. Law firms are no exception. Despite the lack of direct government oversight or regulations, law firms are beginning to feel pressure to enhance their cybersecurity awareness and preparedness from other angles. From threats of legal malpractice to pressure from clients, not to mention being a high value target for hackers, the need for law firms to employ adequate cybersecurity measures and take these risks seriously has never been greater.
In 2016, a class action lawsuit was filed against the Chicago-based firm Johnson & Bell in the United States District Court for the Northern District of Illinois. The class of plaintiffs consisted of a group of Johnson & Bell’s clients. The lawsuit claimed that Johnson & Bell’s security was so vulnerable that it permitted hackers to employ a “man-in-the-middle” attack. This attack would exploit a known vulnerability in the remote log-in system used by Johnson & Bell to give a hacker access to the system, allowing the hacker to eavesdrop on communications and potentially steal confidential communications. This could occur even though it appeared as though the lawyer was logging in through a secure remote VPN system.
The Complaint also alleged a vulnerability in Johnson & Bell’s email system by virtue of Johnson & Bell’s use of an outdated Secure Sockets Layer version. By exploiting known vulnerabilities in this outdated version, the Complaint alleged, hackers could gain complete access to Johnson & Bell’s email database. The Complaint alleged breach of contract in legal malpractice, negligence in legal malpractice, unjust enrichment, and breach of fiduciary duty, and sought both injunctive relief and damages based on the alleged malpractice. Interestingly, the Complaint did not allege that any data breach had actually occurred as a result of the above-described vulnerabilities, but only that the cybersecurity practices employed by Johnson & Bell put confidential information at risk. Surprisingly, the Court denied Johnson & Bell’s Motion to Dismiss, at least leaving open the theoretical possibility that claims based on a risk of future harm were viable against the law firm. The matter was ultimately transferred to binding private arbitration. However, the fact that such a malpractice suit survived a Motion to Dismiss is telling of a growing trend: adequate data protection is becoming a common expectation of law firms.
While malpractice claims against law firms based on lax cybersecurity measures are few and far between, the growing demand for adequate security of confidential and personal information will inevitably lead to more of these suits. As the expectation for appropriate and adequate cybersecurity grows, and the deployment of up-to-date security becomes the standard of care, the tolerance for lax measures will wane, making those affected by a data breach more likely to file suit. In turn, if courts continue to view a mere risk of future harm as sufficient to survive a motion to dismiss, law firms may find themselves having to defend these lawsuits through discovery and potentially trial, a risky and expensive proposition.
Apart from litigation in the form of malpractice claims, regulations regarding cybersecurity, though not directly impacting law firms as regulated entities, will nonetheless have a trickle-down effect, forcing law firms to employ adequate cybersecurity or risk losing clients. For instance, the recent New York Cybersecurity Regulations contain, in part, a requirement for financial institutions to develop third-party service provider policies and protocols. The regulations require New York financial institutions to put in place policies designed to ensure adequate cybersecurity by their vendors (which would include law firms). By March 1, 2019, these financial institutions must put in place policies that specify minimum cybersecurity practices required of third-party vendors, due diligence processes to evaluate third-party vendors, and periodic assessments of vendors, among other items. As these portions of the regulations come into effect and these institutions are required to employ such protocols, law firms may be asked questions about their cybersecurity that they would rather not, or cannot, answer. If a law firm is not employing the security measures and policies required by the NY Cybersecurity Regulations, for example, its regulated financial client may take its business elsewhere.
While New York has taken the lead in passing this type of regulation in the financial industry, other states and other industries are likely to follow suit. As with legal malpractice litigation, the growing expectation of proper cybersecurity measures, which in part leads to the passage of regulations like the NY Cybersecurity Regulations, will put law firms in the position of either employing those adequate measures or risking the loss of business from clients who are under regulatory pressure.
All this is to say that we are only starting to witness the development of the standard of care for law firms as it pertains to cybersecurity and the protection of their clients’ data. As the standard develops, the expectations of confidentiality placed on law firms will only grow, and law firms will be well served to employ proper cybersecurity measures not only to maintain their reputation among clients, but also because the retention of business and the avoidance of malpractice claims may depend on it.
This article was prepared by Jason R. McLean, Esq. of Cipriani & Werner, P.C. We trust that the above article was useful and thought-provoking; however, please note that it is intended as a general guide only, not a complete analysis of the issues addressed, and readers should always seek specific legal guidance on particular matters.