By now, nearly every large business that maintains private or proprietary data has robust data protections in place, as well as data privacy insurance. Indeed, after well-publicized hacks into such high-visibility companies as Yahoo and Target, such measures are not only normal – they are seen as indispensable by business people and risk managers. But what about the lawyers?
Law firms pose a uniquely attractive target for hackers. A hacker who attacks a single company might obtain valuable information about that company; the same hacker can obtain valuable information about dozens or even hundreds of companies by hacking a single law firm. And, the scope of the information that a law firm possesses can be staggering. A single mid-sized law firm could hold trade secrets, patents, tax filings, intellectual property, internal investigations, and a host of other potentially damaging or embarrassing corporate information – not to mention the particularly lucrative information that M&A lawyers have on pending deals.
And, while most large organizations have been relatively quick to adopt data-protection measures, many law firms have been late to the party. Many lawyers, in a self-governing profession, seem to have adopted an “it can’t happen to me” attitude. And, bar associations have been remarkably slow to adopt uniform standards for data security. Further, as a practical matter, data security is an expensive cost that law firms cannot readily pass on to their clients. Perhaps as a result of these lags, the cybersecurity group Mandiant estimates that 80 of the 100 largest U.S. firms have been hacked at least once in the past six years.
Case in point: Just a few days after Christmas, 2016, the U.S. Attorney for the Southern District of New York filed indictments against three Chinese citizens who allegedly made more than $4 million by trading on merger information they stole from two major New York law firms. The trades were the product of a calculated and sophisticated campaign that involved more than 100,000 attempts to break into law firm servers and networks. Upon succeeding, the group used information they found to trade on pending acquisitions in the pharmaceutical, technology, and manufacturing industries – at a tidy profit.
The above case is only one of many recent high-profile revelations of law firm hacks. In 2015, a leak of millions of documents from the Panama firm Mossack Fonseca made international headlines. In 2016, a group of Russian hackers attacked scores of large firms searching for insider-trading information. And, over the past several years, data security experts have reported an increase in data “ransom” demands, in which hackers control viruses that will delete sensitive data absent the payment of a major ransom.
“Ransomware” attacks, in fact, have even made it to prime time, featuring prominently in an episode of “The Good Wife.”
Plaintiffs’ lawyers are beginning to take note. Last year, potentially for the first time, a prominent class-action firm filed a data-security lawsuit against a major Chicago law firm over security lapses in the firm’s time-entry and email systems. The case was ordered to arbitration, and so the outcome will likely remain unknown. But, from the firm’s (and likely, its clients’) perspective, the damage was done as soon as the suit was made public.
The law is also beginning to catch up. Recently, the New York State Department of Financial Services issued new regulations requiring third-party vendors to the financial services industry (which include law firms) to develop written data-security plans and to conduct annual reviews. Consequently, law firms with outdated data security measures risk regulatory action as well as civil liability.
The risk is particularly acute with smaller law firms. According to a 2016 American Bar Association survey, more than 60 percent of “large” firms – i.e., firms with more than 500 lawyers – have adopted enhanced data-security measures at the request of their clients. However, fewer than a third of firms below that size have done so. Around half of larger firms have “incident response plans” in place to deal with major breaches; fewer than one in five smaller firms has one. These numbers should raise the concerns of businesses that entrust regional or niche firms with sensitive data.
So, what is an insurance agent to do? If you number businesses among your clients, it would pay to discuss whether management has ensured that the company’s outside counsel follows the same or similar data-protection protocols as its client, no matter the size of the firm or the business. Many Fortune 500 companies have already done so, and others are following suit, but some have not. And, if you broker policies for law firms, the recent high-profile hacks described above should provide a good icebreaker into the topic of data privacy or other forms of cyber liability insurance and enhanced internal procedures for protecting client data.