Cybercrime is now considered one of the leading risks to the global economy. Data is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. Despite the lessons of the so-called ‘Panama Papers’ scandal of 2016, law firms continue to be soft targets for cyber criminals due to the sheer amount of confidential information that law firms hold, the large sums of client money they may hold in trust accounts, their lack of cyber security defences and their adoption of, and reliance on, modern working practices and devices such as mobile phones, laptops and remote working.
Scale of the problem
Last month the Solicitors Regulation Authority reported a record number of reports of cyber thefts from law firms in the first quarter of 2017, with house moves the main target. Overall, in the last year the SRA has seen cases involving around $14m of losses. Last year, insurance company QBE—which insures more than 1 in 10 law firms in England and Wales—reported that more than $120M had been stolen across the legal profession in the past 18 months. QBE estimated 150 successful “raids” on its clients’ accounts during that time, as well as at least 1,500 failed attempts. Further, the firms recovered only a small portion of the stolen money. IT security company TruShield reported that, based on its collected data set of nearly 50 billion events, the legal industry was the third-most-targeted sector in January 2016, after the retail and financial sectors.
The American Bar Association’s (ABA) 2016 ABA Legal Technology Survey Report, which received 800 responses for the section covering “technology basics and security,” found that 14 percent of responding firms had been breached (firms with 500 or more lawyers were the biggest targets, as 26 percent of those firms reported a security breach). The ABA study found that approaches to cyber security varied considerably based on firm size. When it came to having an incident response plan, for example, the ABA study found that 50 percent of firms with 500 or more lawyers and 60 percent of firms with 100 to 499 lawyers had such a plan in place, compared to only five percent of solo practices and 20.5 percent of firms with 10 to 49 lawyers.
Whilst the cyber attacks that make the headlines tend to be those against the large law firms (DLA Piper, Cravath Swaine & Moore, Weil Gotshal & Manges, Stikeman Elliott, Blake, Cassels & Graydon etc.), in reality cyber threats are not limited to large firms engaged in multibillion-dollar M&A deals. Take, for example, the small Clarendon, Texas law office of James Shelton, which began receiving thousands of calls a day from across the U.S., Canada, and the United Kingdom. Apparently, hackers had used one of the law firm’s email accounts to message recipients with the subject line “lawsuit subpoena.” The company-specific email asked whether the legal department had received the subpoena yet, and included an attachment with malware that infects systems, steals banking credentials, and accesses financial records.
Whilst the data security issue may be particularly pressing for large firms, which hold the most valuable information pertaining to the largest clients, and which have large, dispersed networks (often across multiple jurisdictions), they do have significant resources to help them tackle the issue and to build defences. Cyber security is a big challenge for small or medium-sized firms, or specialist firms servicing top-tier clients. These firms deal with sensitive and valuable information and property, but because they lack the economies of scale that make implementing a thorough data security framework affordable, they might be particularly stretched in terms of resources.
Data security is increasingly resource intensive, requiring technology, expertise, staff training and, for medium to large firms, a well-staffed IT department. One computer security firm quotes the cost for a large law firm to hire them as a cyber security consultant (to work with the firm over a period of months to bring its cyber security framework up to acceptable industry standards) at approximately $130,000. One estimate for the cost of a large firm going through the procedure to obtain a three-year ISO 27001 certification is around $30,000. These sums of money are clearly out of reach for the majority of law firms and yet every one of them is vulnerable. The average cost of a single data breach for a company is approximately $200,000. Even though this is less than the millions that large enterprises have lost in the most publicised breaches, it is still too much for a typical small or medium-sized law firm. Lawyers should not assume that any data security breach will be covered by their commercial general liability insurance, professional liability insurance or other policies.
Law firms with lax cybersecurity risk more than just the loss of a client and reputation; they also risk malpractice exposure and disciplinary actions. In 2012, the ABA updated its model rules of professional responsibility, requiring lawyers to make “reasonable efforts” to prevent the disclosure of, and unauthorised access to, client information. Many states have similarly adopted more modern standards. In April 2016, a New York real estate lawyer, Patricia Doran, was sued by two clients who allege that the attorney’s use of a “notoriously vulnerable” AOL email account resulted in their loss of nearly $2 million. According to the lawsuit, Doran’s computer negligence allowed hackers not only to read all of the lawyer’s emails, but also to impersonate the attorney for the sellers of real estate that the couple was buying. Doran allegedly forwarded bogus emails from the hackers to her clients, resulting in funds being wired to cyber thieves.
A global and profession-wide issue
The true picture of the scale of cyber crime attacks against law firms is not known. Whilst in many jurisdictions there is an obligation to report any breaches to clients, there is no central location to which law firms must report and no clear indication of the breadth of the problem. Data security has become a risk issue that is truly global in nature. Threats can originate from anywhere, and all firms are potential targets. However, at present the leaders in law firm cyber security are the very large law firms in the US and UK, and this is not truly representative of where the risk lies, nor is there evidence that their experience and expertise filters down to help the smaller firms. Should more be done to support the less developed legal sectors (and protect their clients), where there may be fewer resources and less expertise, but where the risk is no less compelling? Cyber crime has the potential to cripple individual firms financially, but collectively it also has the potential to undermine consumer confidence in the profession as a whole, which could be much more damaging than any monetary losses.