Regardless of the industry, law firms must treat data from their clients with the same level of protection as if they were the original owner. For example, law firms representing “Covered Entities” under the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500), which places cybersecurity requirements on all businesses licensed under the insurance, banking, and financial services laws in New York State, must meet their clients’ obligations even though they are not themselves financial institutions. Similarly, law firms working with data from healthcare clients are typically considered “Business Associates” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and must ensure compliance with that law.
Failure to Reasonably Protect Data and Prevent Cyber Attacks Could Result in Malpractice
In addition to potential penalties for regulatory non-compliance, law firms that provide insufficient data protection could face malpractice claims associated with failing to protect client confidentiality. Even a lack of proper employee supervision could be characterized as negligent and rise to the level of fraud and misrepresentation if caused by a malicious insider. (1) For instance, a 2016 class action suit was filed against a Chicago law firm for inadequate security and a hacked New York attorney was sued for erroneously wiring almost $2 million.(2) Ultimately, if a law firm’s data ends up on the “dark web” and a client’s information was sold or released as a result, the liability could be substantial. In addition, the reputation of the law firm would be negatively impacted and potentially suffer permanent damage.(3) Even law firms that have cybersecurity insurance cannot afford to lose the lifetime value of an institutional client or the potential to gain another due to a loss of standing in the legal community.
Robust Policy and Reporting Framework at Law Firms Can Enhance Cybersecurity
While simple to draft, agreements governing data protection, IT security, insider threats, privacy, and related concerns are challenging to implement because they require universal commitment. Once law firms achieve that objective, they will materially reduce their risk, as well as safeguard their attorneys and other legal professionals from embarrassing, yet preventable mistakes. For example, despite obvious red flags, a lack of effective protocols allowed a law firm associate in Vancouver to be fooled into wiring $2.5 million in client funds to a fraudulent account through a combination of familiar, though creatively deceptive, tactics that should have been more obvious in 2019.
Even if an employee succumbs to a criminal’s clever ruse, there should be a reporting structure in place at the law firm that requires several levels of approval before an action can cause any damage. It is also imperative for proactive firms to eliminate unnecessarily dangerous practices, such as exchanging unencrypted hard drives through the mail or a courier. Law firms must provide a mechanism for employees to report lost data, both for follow-up and for any regulatory concerns (e.g., requirements associated with loss of healthcare data), and to alert security teams about suspected phishing scams or associated inadvertent security errors. Organizations with proper policies and adequate reporting structures are often able to address security concerns more quickly and effectively.
Daniel J. Haurey is a founding member at Partners in Regulatory Compliance (PIRC). PIRC provides cybersecurity consulting for law firms in the NY, NJ area.
- Rudolf v. Shayne, Dachs, Stanisci, Corker & Sauer, 867 N.E.2d 385, 387 (N.Y. 2007).
- Shore v. Johnson & Bell, Case No. 16-cv-4363 (N.D. Ill. 2016); Millard v. Doran, Index No. 153262/2016 (Sup. Ct. N.Y. Cty. 2016).
- See, e.g., Ethan S. Burger, “Cyber Attacks and Legal Malpractice,” U.S. Cybersecurity Mag., July 15, 2016, https://