When Will We Learn????

So I am taking a short break from the “Luck Favors the Prepared” series on cybersecurity to talk about the recently publicized cyber attack against DLA Piper and the “Petya” ransomware global cyber attack against banks, power companies and Maersk.  Both attacks are similar to the WannaCry attack that affected many organizations (primarily) in Europe last month.

Just like WannaCry, “Petya” infects your device and spreads like a worm through entire networks looking for other vulnerable devices. Many experts say that the “Petya” code is more sophisticated than WannaCry, which just makes me want-to-cry. These cyber-terrorists are getting better and better. And “Petya” just proves that. Another scary aspect to “Petya” is that it hit a state power distributor and Chernobyl’s radiation monitoring systems. These attacks are starting to hit at the very core of our infrastructure and have the ability to shut down critical systems.

The DLA Piper attack was also similar to the WannaCry ransomware attack. Apparently, it knocked out phones and computers across its world-wide network. The ex-deputy director of the UK government National Security Secretariat that deals with cybersecurity is quoted as saying: “There is a huge cyber threat to law firms. The hackers perpetrating these types of attacks will not be teenage boys - they are criminal gangs set up to exploit law firms’ sensitive data or lock people out of the data in return for a ransom.” The implications for law firms go beyond a “normal” business loss, i.e., loss of revenue, loss of consumer confidence and potential long term liabilities for any PII (personal identifying information) or PHI (personal health information) that gets out in the public. It implicates the attorney-client privilege. THE most sacrosanct privilege known to legal kind.

From our first day in law school, lawyers are told that we are the secret keepers. We keep our clients’ secrets. We hold their most private and potentially damaging information and we can NEVER reveal those secrets. What happens when one of these cyber terrorists violates the systems of a law firm and takes those secrets? Lawyers keep records on literally everything. Every conversation, every implication, every thought that runs through our minds. So there is very little information that those cyber terrorists would not have access to once they are in the systems.

The American Bar Association recently issued a revised ethics rule regarding competence. ABA Model Rule 1.1 states that the requirement that lawyers maintain the requisite knowledge and skill (keeping abreast of changes in the law) includes the “benefits and risks associated with relevant technology”. Further, the ABA’s amended Rule 1.6, “Confidentiality of Information”, requires attorneys to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” What does this mean for the average practitioner? It means that lawyers need to take reasonable steps to prevent a cyber breach from occurring whereby the client’s data and information is exposed to third parties.

Now, many practitioners would argue that they are not DLA Piper and it is the big law firms that are the targets of these cyber attacks. However, a cursory review of the statistics on the attacks on small businesses shows that small to mid-sized firms are not immune to these threats. According to NetDiligence, 43% of all cyber attacks are perpetrated on small to mid-sized businesses. And why is this? These businesses spend the least on cybersecurity, making them the proverbial “low hanging fruit.” Small businesses spend, on average, $4,000/year on cybersecurity.

There is no direct correlation, however, between the amount of money spent on cybersecurity and a secure system. The dearth of funds dedicated to cybersecurity is emblematic of the importance (or really lack thereof) that small and mid-sized businesses put on cybersecurity. The U.S. National Cyber Security Alliance found that 60% of small companies are unable to keep their businesses going past six months post-cyber attack. Together, the financial and reputational burden of having your systems breached and the fact that your client’s data has been compromised (and now you have financial consequences to deal with in terms of credit monitoring) spell bankruptcy after just 1 cyber attack. The Ponemon Institute concluded that the average price for a small business to “clean-up” a cyber mess after a hack is approximately $690,000. That price tag rises to over $1 million for mid-sized businesses.

The reality of the situation is that we all need to be concerned about cybersecurity. Attorneys cannot stick their heads in the sand and pretend that they are not at risk. Our model rules of professional conduct and our ethical duty of confidentiality specifically prohibit it. What an attorney knows about the client she or he serves makes the law firm the most desirable target for cyber breaches. Lawyers have no excuse not to take cybersecurity seriously. We need to wake up and be proactive! We need to learn from the missteps and mistakes of others and take reasonable steps to ensure our client’s data, our internal systems and our reputation are not exposed by a cyber attack.

You will never be 100% “secure”; none of us can be. But you can make simple, reasonable changes to make the law firm’s systems as secure as possible. Understand your systems, educate your staff, use redundancy principles, and just overall be prepared. Know what your critical systems are and have a breach response plan in place. The real message here is that we need to learn from what has happened to DLA Piper. Lawyers need to finally wake up and realize that they are not immune to these attacks but are the prime targets for them. Being prepared is our only weapon against these cyber terrorists. Because in the end, when all else fails, luck favors being proactive (i.e. prepared). (Sorry, couldn’t help myself!)

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.