By Cam Kollar
The first time I heard about a massive data breach was when OPM sent me a letter in the mail informing me that my personal data may have been compromised. Soon after I realized that these data breaches that are seemingly dismissed were happening more frequently-happening in more industries. Then it was Sony, Target, Equifax, Mossack Fonseca, Facebook….the lists goes on and on.[1] The constant barrage of how our data has been compromised and the fact that you are not as anonymous as you think you are, has been desensitizing individuals across industries.
It isn’t a surprise that most data security specialists state that it isn’t a matter of “if” you will be hacked, but “when”.[2] Regardless, attorneys have a special role-we have to protect clients’ confidences where law firms end up acting as bank vaults for the secrets that people keep from even their closest family members. Law firms saw an increase of data breaches to 22% of respondents according to the ABA 2017 Legal Technology Survey Report.[3] That is an estimate that more than one in five law firms were hacked last year.[4] Firms of every size are affected and unfortunately according to some reports approximately 40% of law firms do not even realize that they were breached![5]
Despite these numbers many law firms are lagging in their cybersecurity procedures. Of note, in Shore v. Johnson & Bell, a former client is holding the law firm responsible for their cybersecurity practices (or then lack thereof) alleging that the large law firm, Johnson & Bell, “left its clients’ confidential information unsecured and unprotected.”[6] Johnson & Bell have since corrected the specified vulnerabilities, which were originally spelt out in the temporarily sealed complaint.[7]
The highlights of the cybersecurity practices that triggered the legal malpractice suit are as follows: Johnson & Bell used a “webtime time tracking system” that was built on a “JBoss Application Server.”[8] The particular software was introduced in 2005, and had an “end of life” recommendation.[9] JBoss terminated full support for the software in September 2007, and maintenance support ended in September 2009.[10] Johnson & Bell was still running the software when the complaint was filed in April 2016.[11] Technology updates quickly and those pesky updates your computer and phones do every so often protect the devices from vulnerabilities and are considered to be maintenance support. Johnson & Bell was possibly running unsupported product for over six years.[12] Adding insult to injury, a partner at Johnson & Bell was aware of reasonable cybersecurity practices as he wrote a paper titled “Don’t Let Cybersecurity Breaches Lead to Legal Malpractice: The Fax is Back.“[13] I believe Joseph Beckman said it clearly when he said, “You can bet Johnson Bell wishes it had invested the money to patch its time-keeping program sometime between 2009 and 2016.” [14]
The costs of data breaches get shared between the clients, attorneys, and law firms. These costs include significant business downtime, loss of billable hours, hefty fees to correct the problems, and effects on lawyer and law firm reputations.[15] According to Lucian T. Pera, legal ethics partner at Adam and Reese LLP in Memphis, Tennessee, and former treasurer of the American Bar Association, lawyers that fail to protect data from hackers due to lax cybersecurity practices risk their licenses.[16]
[1] See Nate Lord, The History of Data Breaches, Digital Guardian, (Apr. 6, 2018), https://digitalguardian.com/blog/history-data-breaches.
[2] See David Ries, ABA Security TechReport 2017, A.B.A., https://www.americanbar.org/groups/law_practice/publications/techreport/2017/security.html.
[3] See id.
[4] Jay Reeves, One in 5 Law Firms Hacked Last Year, Lawyers Mutual (Feb. 22, 2018), https://www.lawyersmutualnc.com/blog/one-in-5-law-firms-hacked-in-2017.
[5] Law Firm Cyber Security Scorecard, Logicforce, https://www.logicforce.com/2018/03/28/law-firm-cyber-security-scorecard/ (last visited Oct. 25, 2018).
[6] Joseph P. Beckman, Law Firm Cybersecurity Breach Opens Door to Lawsuit, Litigation News, A.B.A. (July 31, 2017), https://www.americanbar.org/publications/litigation-news/featured-articles/2017/law-firm-cybersecurity-breach-opens-door-to-lawsuit/.
[7] See id.
[8] See id.
[9] See id.
[10] See id.
[11] Joseph P. Beckman, Law Firm Cybersecurity Breach Opens Door to Lawsuit, Litigation News, A.B.A. (July 31, 2017), https://www.americanbar.org/publications/litigation-news/featured-articles/2017/law-firm-cybersecurity-breach-opens-door-to-lawsuit/.
[12] See id.
[13] See id.
[14] See id.
[15] See id.
[16] Daniel R. Stoller, Memo to Law Firms: Raise Cybersecurity Bar or Risk Client Losses, Bloomberg Law (Feb. 23, 2018), https://biglawbusiness.com/memo-to-law-firms-raise-cybersecurity-bar-or-risk-client-losses/.
Image Source: https://selinc.com/solutions/sfci/cybersecurity-posters/