The dawn of a new year makes us pause for a moment and reflect upon the past year. Doing so within the cybersecurity space in 2018 reminds us once again that none of us are safe from the challenges and risks of living and practicing law in a technological society.
2018 was yet another extremely active year for cyber security with data breaches affecting many companies, including Google+, Aadhaar, Orbitz, Panera, Hudson Bay-owned Saks Fifth Avenue and Lord & Taylor, Under Armour, Ticketfly, MyHeritage, Exactis, British Airways and T-Mobile. The variety of industries attacked simply demonstrates that no one is safe.
In Nov. 2018, we saw one of the biggest cybersecurity breaches known to date. On Nov. 30, 2018, Marriott announced that personal data of up to 500 million of its customers was taken. The data included personal information of customers who made reservations at the company’s Starwood hotel brands from 2014 through Sept. 2018. It included names, addresses, phone numbers, birth dates, email addresses and encrypted credit card information. The data also included travel histories and passport numbers of some customers. As is often discovered in the aftermath of cybersecurity attacks, the breach went unnoticed for a long period of time – in this instance, over four years, starting in 2014 prior to Marriott’s acquisition of the Starwood brand in 2016.
Throughout 2018, we continued to see Facebook struggle with cybersecurity issues culminating in one of its largest breaches over the course of its 14-year history - nearly 50 million users’ information was compromised in Sept. The company’s ongoing difficulties have led to a call by regulators and lawmakers for congressional action to protect the privacy and security of social media users.
Like in other industries, the risks of cyber security breaches and effects therefrom continued in the legal industry during 2018. We saw the end of Mossack Fonseco, the law firm at the center of the Panama Papers debacle. After more than 40 years of providing legal services and having more than 500 employees, the firm announced in March 2018 its plan to close its doors. Then, on December 4, 2018, United States prosecutors unsealed an indictment against four people, including firm partner Ramses Owens, affiliated with the law firm and the 2016 investigation which began as the result of a cybersecurity breach of the Firm’s computer database and systems.
In Oct., law firm Foley & Lardner announced that it experienced a “cyber event” that disrupted its information technology systems. While the firm reported that no client data had been accessed, the cyber event has reignited a debate over security at top law firms. The last several years have seen attacks against a number of national and global U.S.-based law firms, including DLA Piper, Cravath, Swaine & Moore, Weil Gotshal & Manges and Wiley Rein.
Law firms are at particular risk for cybersecurity threats due to the nature of our business and the sensitive client information we often hold. Law firms and our electronic systems are constantly at risk for cybersecurity liability arising from invasion into our electronic systems through phishing attacks (A fraudulent attempt to gain sensitive, confidential information such as usernames, passwords, credit card information, network credentials and more by posing as a legitimate person or entity by phone or email. Such attempt usually utilizes social engineering to manipulate victims into performing a specific action such as clicking on a malicious link or attachment or divulging sensitive information.); ransomware attacks (A form of malware in which infiltrators effectively hold a victim’s computer hostage through blocking access to systems or files and seeks a “ransom” to restore access); leak of sensitive information; and sometimes culminating in claims for legal malpractice for failure to maintain adequate cybersecurity protection.
The cybersecurity events of 2018 serve as a reminder that such incidents will not cease and will continue to constantly evolve. The ABA Standing Committee on Ethics and Professional Responsibility’s issuance of Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyber attack on Oct. 17th was yet another reminder of our duties and obligations in the cyber security arena. As such, we must remain steadfast in doing in what we can to prevent such incidents by safeguarding electronic data and minimize the fallout when such incidents occur by responding quickly. Steps to do so may include:
- Collect and maintain only data you need
- Ensure software and electronic security measures are up-to-date
- Employ end-to-end encryption for personal or sensitive data
- Secure hardware, including laptops or mobile devices
- Ensure vendors utilize appropriate cyber security measures
- Maintain a reliable backup system
- Prepare and maintain an Incident Response Plan
- Educate employees on appropriate data security protocol and procedures
- Procure appropriate cyber security insurance
As we move forward in 2019, law firms and attorneys must continue to take reasonable steps and put forth reasonable efforts to protect client information contained in their computer systems, electronic devices and email communications.
This article was prepared by Holly M. Whalen, Esq. We trust that the above article was useful and thought provoking; however, please note that it is intended a general guide only, not a complete analysis of the issues addressed, and readers should always seek specific legal guidance on particular matters.
For more information on LPL coverage generally and Cyber Liability insurance, contact Greg Cooke at USI Affinity today.