The Aftermath of a Law Firm Data Breach
Wait, I’m the VICTIM!
Yes, but your clients will not see it that way and neither does the ABA.
In addition to the ethical requirements of competency, confidentiality, and transparency, the ABA’s Formal Opinion 483, issued in November 2018, makes it clear that “Data breaches and cyberthreats targeting lawyers and law firms are a major professional responsibility and liability threat facing the legal profession.”
Why not just keep a data breach “our secret”?
Sadly, most law firms do. According to the American Bar Association’s TECHREPORT 2020, only 14% of law firms reported a data breach to law enforcement. Law firm clients fared even worse, being informed just 11% of the time.
States differ in their definitions of what constitutes a breach, as well as in what counts as personally identifiable information whose exposure would necessitate notification. Nonetheless, under the ABA’s Model Rule 1.4, a law firm is required to disclose a breach to a client if the breach is likely to impact the result of that client’s case.
In other words, following your state’s disclosure statutes doesn’t remove your ethical obligations.
We back up our data, so we don’t need to pay out on ransomware
Yes, hackers have thought of that. To insure against this scenario, cybercriminals download your data before they encrypt it. They can then blackmail you with the threat of selling and/or publishing your information if you don’t pay the ransom.
Our cyber insurance will cover the damages
Not so fast. Insurance companies are increasingly litigating payouts. There are several reasons that a cyber claim, or a portion of one, may be denied:
· Failure to implement necessary prevention practices
· Failure to document preventative measures
· The incident was the fault of a third-party vendor or contractor
· Administrative errors
· Exceeding the time period covered for interruption of service
I could face a malpractice claim?
Yes. Opinion 483, combined with the ABA’s mandate for technical competence per Model Rule 1.1, opens the door for malpractice, negligence, breach of fiduciary duty, or breach of contract claims from clients whose confidential information is compromised.
What are the costs of a breach?
Outside of the costs associated with a lawsuit, there are significant costs surrounding the cyber incident itself – both monetary and reputational.
Two years ago, the average ransomware demand was approximately $5,000. Now, the average is nearly $200,000, and that’s just the ransomware payment.
Other costs can vary widely depending on the depth of the breach and the number of clients involved. These include expenses such as:
· Forensic analysis to see what data was compromised and who was impacted
· Repair and/or replacement of hardware and software
· Data recovery
· Business interruption/loss of billable hours
· Public relations advice
· Compliance with applicable state notification laws
· Increased insurance premiums
· Increased targeting by hackers once a payment is made
· Loss of intellectual property
· Reputational damage/client churn
· Regulatory fines/penalties
· Credit monitoring for clients whose financial information was stolen
What do we need to do?
Ultimately, you need to take cybersecurity seriously. Yes, an investment in security controls can be costly, but it outweighs the downside of a data breach, which can be severe…or even business-ending.