Beware of the Cyber Security Risks Created By Your Own Staff
It was 2:32 a.m. in January 2019 at EQT’s headquarters. A senior-level employee who was slated for a layoff the next day entered the premises and connected his company-issued laptop to a private network, transferring confidential trade secrets to his personal Google Drive. In addition, he removed a portable hard drive containing proprietary software and business-critical information which he had been downloading for several months prior. On the same evening, another employee accessed the company’s cloud-based storage platform and copied hundreds of thousands of confidential documents to a USB drive. These are the allegations in two separate Pennsylvania lawsuits filed in February 2019. EQT seeks injunctive relief, as well as compensatory and punitive damages, against its former employees.
Numerous data breaches come from internal sources, whether of malicious or inadvertent origin. What steps, then, can and should a law firm take to reduce the risk of a data breach by its own trusted personnel?
First, take stock of the universe of people and vendors who have access to your law firm’s information and computer systems. Law firms, both big and small, routinely employ assistants in their practice and rely on them heavily to provide legal services on a daily basis. Beyond legal secretaries, firms may employ billing professionals, paralegals and law clerks. Likewise, outside contractors are often granted access, particularly IT professionals. Beyond the paid assistants and outside contractors, it is also common for firms to host high school interns as a rewarding educational opportunity for the students. Lawyers certainly cannot be expected to practice law without assistance, but the first step in a more secure office is identifying potential vulnerabilities, inclusive of your own staff.
Second, once you have identified all of those with access, consider implementing appropriate controls to minimize access to your data, particularly by those who have little or no reason to be accessing confidential information. For example, if remote access to your firm’s computer system is available, reflect upon whether the employees who are permitted such remote access create a benefit or pose unnecessary risk to your firm. With respect to internal access, do all staff members need to have access to every program, or can some be eliminated, reducing your risk? Are interns or high school helpers utilizing your firm’s computers, and if so, is anything off limits to them? If you are trusting teenagers to demonstrate maturity and restraint in the face of potentially juicy information about a client, you may wish to reconsider their access just to be on the safe side.
Reasonable steps should be identified and taken to reduce the risks posed by internal access. Any employee or intern, or even the unsupervised cleaning person, who has access to your firm poses a security threat. Restricting access reduces the threat to your firm’s security.
Third, for those staff members who need access to at least some and potentially all of your computer systems and files to help you practice and/or manage your firm, train those staff members. Do not assume that non-attorneys understand the attorney-client privilege or the need to protect the client’s confidential information—inclusive of all information stored in an electronic format.
Non-lawyers do not have legal training. Lawyers, however, have an ethical duty to supervise non-lawyer staff members. See, ABA Model Rule 5.3. It is the lawyer, not the staff member, who risks discipline in the event of an ethical violation caused by a security breach. Lawyers in a supervisory position also have an ethical duty to supervise other lawyers in the firm. ABA, Model Rule 5.1.
Training in the world of cyber security risks is not a “one and done” process. Instead, continue to inform yourself of the risks as they evolve and consistently model and demonstrate good cyber security practices as an example to others in your firm. Promote a culture that ensures that all personnel, from the managing partner on down to the fleeting summer intern, understand that they are part of the team that protects the firm’s and the client’s confidences.
Finally, if you do part ways with a staff member, even if on good terms, having a basic outline of what to do in advance to protect your firm’s and your client’s confidences is critical. In the digital age, changing the lock on the door is not sufficient to protect your data. Review the following checklist items as a starting point and carefully plan out any separation, as much in advance as possible, to minimize the risk of improper access, which can lead to data loss, disruption and even theft:
- Disable the employee’s access to all computer systems, your network and all data
- Terminate all remote access (e.g. VPN, mirroring or other remote desktop access)
- Eliminate access to external sites (e.g. websites, blogs)
- Remove law firm data from employee-owned devices (e.g. delete email accounts off phones)
- Secure the law firm’s electronic data from the employee:
  - Company-owned smartphones
  - Portable hard drives
  - Flash drives
  - Any off-site backup tapes
- Identify any cloud storage platforms and terminate access (e.g. corporate Dropbox)
- Change passwords:
  - The employee’s passwords
  - Any accounts with potentially shared passwords (e.g. PACER access information)
  - Any passwords of which the employee had knowledge or access
- Eliminate access to the phone system or voice mail (e.g. change applicable passwords)
- Obtain all passwords and encryption keys utilized by the employee
- Review available data access logs if you have any reason to suspect or anticipate a breach
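The last checklist item, reviewing access logs around a separation, is easier when the review is scripted rather than eyeballed. The script below is an added example and is not part of the original article or the author’s practice: it assumes a constructed pipe-delimited log format (timestamp|user|action|target|bytes), a constructed separation list, and assumed thresholds for office hours and for what counts as a bulk copy. It flags the three patterns the EQT allegations describe: activity by an account after the date it should have been disabled, after-hours access by staff with an upcoming separation, and large copies to removable media or personal cloud storage.

```python
"""Review constructed access-log lines against a staff separation list.

Everything here (log lines, account names, hours, thresholds) is
constructed for the example; adapt the parser to your own log source.
"""
from dataclasses import dataclass
from datetime import date, datetime, time

# Constructed separation list: account -> date by which it must be disabled.
SEPARATIONS = {
    "jdoe": date(2019, 1, 31),
    "asmith": date(2019, 2, 15),
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed office hours
BULK_BYTES = 500 * 1024 * 1024              # assumed bulk-copy threshold, 500 MiB
EXTERNAL_TARGETS = ("usb:", "cloud:")       # destinations outside firm control

# Constructed log lines: timestamp|user|action|target|bytes
SAMPLE_LOG = """\
2019-01-30T02:32:00|jdoe|copy|cloud:personal-drive|734003200
2019-01-30T09:15:00|jdoe|read|share:matters/smith|20480
2019-01-30T23:10:00|asmith|copy|usb:WD-portable|1073741824
2019-01-31T10:00:00|bwilson|read|share:billing|4096
2019-02-01T08:05:00|jdoe|login|vpn:gateway|0
2019-02-02T14:00:00|asmith|read|share:matters/jones|8192
"""


@dataclass
class Finding:
    user: str
    when: datetime
    reason: str


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, user, action, target, nbytes = line.split("|")
    return datetime.fromisoformat(ts), user, action, target, int(nbytes)


def review(log_text, separations=SEPARATIONS):
    """Return findings for accounts on the separation list only."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, user, action, target, nbytes = parse_line(raw)
        disable_on = separations.get(user)
        if disable_on is None:
            continue  # not a departing account; outside this review's scope
        if when.date() > disable_on:
            # The account should already have been disabled (checklist item 1).
            findings.append(Finding(user, when, "activity after scheduled disable date"))
        elif not (BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]):
            findings.append(Finding(user, when, "after-hours access before separation"))
        if action == "copy" and target.startswith(EXTERNAL_TARGETS) and nbytes >= BULK_BYTES:
            findings.append(Finding(user, when, f"bulk copy of {nbytes} bytes to {target}"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.when.isoformat()}  {f.user:8}  {f.reason}")
```

Run against the constructed log, the review produces five findings: the 2:32 a.m. cloud copy and the 11:10 p.m. USB copy each trigger both the after-hours and bulk-copy rules, and the VPN login on February 1 shows an account still alive after its disable date. In practice the separation list is the input your HR process already produces, and the log source is whatever your file server, VPN or cloud platform exports.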
Protecting your firm from the risks posed by a former employee requires planning, and may even require expert IT assistance to ensure that your firm continues to have access to everything that it needs to conduct business, while preventing the former employee from unauthorized access once terminated.
A lawyer is not ethically required to be invulnerable or impenetrable. However, lawyers must increasingly be cognizant of cyber risks and prepared to act in the event of a breach. See, ABA Formal Opinions 477 & 483. A law firm’s internal assessment and mitigation of threats posed by its own staff is an important step in the data protection process.
This article was prepared by Holly M. Whalen, Esq. We trust that the above article was useful and thought provoking; however, please note that it is intended as a general guide only, not a complete analysis of the issues addressed, and readers should always seek specific legal guidance on particular matters.
For more information on LPL coverage generally and Cyber Liability insurance, contact Greg Cooke at USI Affinity today.
EQT Corp. v. Lo, 2:05-MC-02025 (2019); EQT Corp. v. Cunningham, GD-19-002560 (Allegheny Co. 2019).
ABA Standing Committee on Ethics and Professional Responsibility.