The organized, allegedly state-sponsored hacking of confidential data by the Chinese army has been much in the news in recent days. Included in the list of targets described in the latest stories (albeit not for the first time) are law firms. According to the 2012 ABA technology survey, approximately 10 percent of all law firms have experienced a data security breach of some type. Well understood in this context is the fact that law firms' own data is likely not very interesting to the intruders, but their clients' data certainly is.
Numerous ethics opinions in New York and elsewhere emphasize lawyers' duties in connection with their use of technology. The opinions explain that the duty of competent representation includes a requirement that lawyers have an understanding of the technologies that they use, and emphasize the duty to take reasonable care in the selection and use of technology. The most important element of that duty is the responsibility for adequately and appropriately protecting client confidential information in accordance with the obligations set out at Rule of Professional Conduct 1.6. This article addresses the subject of technology in law practice from two very different perspectives: What are some of the consequences if confidential client data is lost, whether through hacking or otherwise (a "data breach"); and what help can lawyers expect from their insurance carriers when these events occur.
Let's begin with some questions:
Has your firm's network ever been successfully hacked? (If you answered "no," how do you know?)
Has anyone in your firm ever lost a laptop, a BlackBerry, iPhone, Android (or any other PDA), or a flash drive?
Did the lost device contain client-specific and confidential information?
Was the device password protected? Was all data contained therein encrypted?
Has anyone in your firm accessed the firm's network or transferred sensitive data from an unsecured Wi-Fi connection?
Does your firm have a "Bring Your Own Device" culture? If you answered "yes," how can you be sure each mobile user has adhered to practices within the IT department's control and security in every aspect of their use of the device?
Does your firm use an open document or knowledge management system? If you answered "yes," how do you control access to confidential data? Do you track what has been accessed or removed?
Even before the most recent spate of media coverage, in an article on Bloomberg's website in January 2012, "China-Based Hackers Target Law Firms to Get Secret Deal Data," reporters Michael A. Riley and Sophia Pearson quoted Mary Galligan, head of the cyber division in the New York City office of the U.S. Federal Bureau of Investigation, as saying that "As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it's a much, much easier quarry." According to the story, Galligan's unit convened a meeting with the top 200 law firms in New York City in November 2011 to deal with the rising number of law firm intrusions and issued a warning: Hackers indeed see attorneys as a back door to the valuable data of their corporate clients. Back then, before its most recent report grabbed the headlines, Mandiant, a consulting firm based in Alexandria, Virginia, estimated that 80 major U.S. law firms were hacked in 2011.