In what has become an all too familiar refrain, a major New York law firm was recently informed by the FBI that all of the firm’s client files had been discovered on a server in a foreign country. Those files were then sent from that foreign server to China.
For those unfamiliar with this turn of events, a little bit of background will be instructive. The Chinese People’s Liberation Army (the “PLA”) has been operating a very successful industrial espionage program for years in order to ensure China’s economic supremacy by any means, legal or not. If, for example, a company from another country is interested in doing business with a Chinese company or agency, the PLA steps in and gives the Chinese company an unfair advantage by stealing data from the other side. The most sought after data? The foreign company’s internal documents describing its real posture in the bargain, i.e., what it is willing to give up and what it will hold firm on. Once the Chinese company or agency knows the foreign company’s true position, it can tailor its negotiations accordingly. The stolen position can be used to sabotage a deal, sold to give rival bidders an advantage, or used for illegal insider trading. At other times, if China wants a certain technology and does not feel like paying for it, it simply steals it. Just ask Google.
How do law firms come into the picture? The Chinese are just as likely, if not more likely, to steal the data they want from the foreign company’s attorneys and consultants as from the company itself. In fact, it is widely known that attorneys’ files are not well-protected from cyberattacks, and it is usually much easier for the Chinese to hack into the law firms’ files to steal the client data than it is to hack into the company’s files directly.
If you think this is a uniquely American problem, guess again. The U.K.’s Director General of the British Security Service, better known as MI5, informed the managing directors of the 300 largest British companies that these intrusions were under way. Law firms in our neighbor to the North, Canada, have also experienced quite a few data security breaches, courtesy of the Chinese, over the past several years. For example, computer hackers penetrated four major Toronto law firms in or around 2011 alone. The highly sophisticated attacks were designed to destroy data or to steal sensitive documents relating to impending mergers and acquisitions. In one of the attacks, lawyers working on a proposed acquisition of a Chinese company received e-mails that appeared to come from a partner working on the deal, i.e., “spear phishing.” The e-mail was a fake, and its attachment launched a hidden program (malware) that infected the law firm’s computers. The attack was traced to computers in China. This kind of malware can sit on a computer for months without being detected, quietly stealing information over a long period before anyone realizes there has been a security breach.
In 2010 alone, Canada saw seven law firms hit by hackers, as well as the Canadian Finance Ministry and Treasury Board. The hacking was linked to an attempt by the Chinese to derail the takeover of Potash Corp. of Saskatchewan Inc. by BHP Billiton Ltd. Not coincidentally, at the time of the attacks, China was searching for new sources of agrochemicals. In order to sabotage this transaction, Sinochem Group, China’s state-owned chemical giant, hired two banks to attempt to disrupt the transaction. This tactic was directly approved by the Chinese government. A law firm involved in the deal detected signs of the cyberattack, and investigators later discovered that the malware, which was delivered via the fake e-mails, had been built on a system configured with a Chinese-language keyboard and that China-based servers were involved in the attack.
There were notable similarities to cyberattacks via counterfeit e-mails that had been sent to Canada’s Ministry of Finance. The e-mails were supposedly sent by an aboriginal group opposed to the deal. They directed the officials to a website that silently downloaded spyware onto government computers. The Canadian law firms would have had detailed knowledge of the deal’s negotiations, including potential weak points.
It has now been revealed that the Canadian attack is eerily similar to recent attacks at U.S. law firms with corporate clients doing business in China. In one recent case, a corporation was negotiating to open a major plant in China when the U.S. law firm representing them in the deal became the victim of a cyberattack. The hackers were investigating what the company was willing to pay for the land and what they were willing to pay to bring roads to the facility. Other recent attacks on law firms involved efforts to steal secret details about a merger and documents relating to an opponent’s strategy in a major litigation.
The U.S. Government’s Involvement
The U.S. Government has certainly taken notice of these breaches. The FBI is constantly sending out warnings to U.S. law firms regarding data security. In fact, the FBI’s New York office convened a meeting with the top 200 New York City law firms to address the rising number of cyberattacks on law firms. At the meeting, the FBI warned the lawyers that they were easy prey for hackers trying to obtain their clients’ valuable data. The FBI instructed the firms to maintain a diagram of their networks and to know how their system logs are collected and retained, since without logs an intrusion cannot be detected or reconstructed. An FBI agent pointed out that the culture of law firms and the power exercised by partners often make them an easy target. Partners vie for network administrator rights and insist on mobility, including the ability to review case documents at home on the weekend or while travelling, which means highly sensitive documents are routinely transferred by e-mail, leaving them vulnerable to attack. At the meeting, the FBI urged firms to review their mobility policies, including the security of e-mail connections and mobile phones.
Dangers to Law Firms: Immediate and Long-Term
If law firms do not wake up and begin to show that they are taking concrete steps to thwart such hacking attacks, they will lose client business. If clients start thinking they cannot give private information to their lawyers because it might get out, it creates a huge problem for the profession. Unfortunately, most law firms first take steps to improve their security protection of client data after their security has been breached.
Sometimes a law firm is targeted by hackers not because it is representing a client in a transaction with a Chinese angle, but in retaliation for representing a client who is suing Chinese entities for hacking in the first place. For example, in January 2010 the California law firm Gipson Hoffman & Pancione, which was representing the company CYBERsitter in a lawsuit against the Chinese government, Chinese computer firms and Chinese software makers, accused China of retaliating by hacking into the law firm’s computers. The firm was the victim of a spear-phishing attack, the same technique the Chinese used against Google and others. E-mails were sent to people in the law firm that were made to look like they were coming from other individuals at the firm. The hackers were hoping that the recipient would click on a link or open an attachment, thereby unknowingly downloading malware onto their computer. At least some of the e-mail messages were sent from China, and some of the malware payloads were hosted on servers in China.
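The Toronto and Gipson Hoffman & Pancione lures described above share a pattern that can be checked mechanically: a message that claims to come from a colleague but entered the firm’s mail server from an outside host, a colleague’s display name in front of an address that is not theirs, an attachment of a type that carries code or exploits, and a link whose visible text names a different site than its real target. The following Python is an added illustration written for this article, not code from the FBI, any of the firms mentioned, or the incidents themselves; the firm domain example-law.test, the mail server hostname mx.example-law.test, the staff directory and the three sample messages are all constructed for the example.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions for the illustration (not from the article): the firm's mail
# domain, the hostname of its own inbound mail server, and a staff directory
# mapping lower-cased display names to the address each person really uses.
FIRM_DOMAIN = "example-law.test"
FIRM_MX = "mx.example-law.test"
STAFF_DIRECTORY = {"jane partner": "jane.partner@example-law.test"}
# Attachment types that should never arrive unannounced from a colleague.
# Office documents and PDFs are included because they were the exploit
# carriers of choice in the incidents the article describes.
RISKY_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".hta", ".zip",
                  ".doc", ".docm", ".xls", ".xlsm", ".pdf")

RECEIVED_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.S)
LINK_RE = re.compile(r'<a\s+href="(?P<href>[^"]+)"[^>]*>(?P<text>[^<]+)</a>', re.I)


def host_of(url: str) -> str:
    """Return the host part of an http(s) URL or bare hostname, lower-cased."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()


def is_internal_host(host: str) -> bool:
    host = host.lower()
    return host == FIRM_DOMAIN or host.endswith("." + FIRM_DOMAIN)


def spear_phishing_indicators(msg: EmailMessage) -> list[str]:
    """Return the reasons a message looks like a spoofed-colleague lure (empty if none)."""
    hits = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]

    # 1. The top-most Received header is the hop our own MX wrote. If the From
    #    address is a firm address but the MX accepted the message from an
    #    outside host, the sender was forged: real staff mail reaches the MX
    #    from inside the firm, not from the Internet.
    received = msg.get_all("Received") or []
    if received and domain == FIRM_DOMAIN:
        m = RECEIVED_RE.search(received[0])
        if m and m["dst"].lower() == FIRM_MX and not is_internal_host(m["src"]):
            hits.append(f"internal sender {addr} but delivered from external host {m['src']}")

    # 2. A colleague's display name in front of an address that is not theirs.
    expected = STAFF_DIRECTORY.get(name.strip().lower())
    if expected and addr != expected:
        hits.append(f"display name '{name}' belongs to {expected}, not {addr}")

    # 3. Attachment types that can carry code or document exploits.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_SUFFIXES):
            hits.append(f"risky attachment {filename}")

    # 4. Links whose visible text names a different host than the real target.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for m in LINK_RE.finditer(body.get_content()):
            shown = host_of(m["text"].strip())
            if "." in shown and shown != host_of(m["href"]):
                hits.append(f"link text {shown} points to {host_of(m['href'])}")
    return hits


def build_samples() -> dict[str, EmailMessage]:
    """Constructed sample messages for the demo; none is a real captured e-mail."""
    outside = (f"from relay-7.example-attacker.test (203.0.113.9) by {FIRM_MX} "
               "with ESMTP; Mon, 1 Nov 2010 08:12:44 -0400")
    inside = (f"from ws-114.example-law.test (10.0.3.14) by {FIRM_MX} "
              "with ESMTP; Mon, 1 Nov 2010 08:15:02 -0400")

    forged = EmailMessage()            # exact copy of a colleague's address
    forged["Received"] = outside
    forged["From"] = "Jane Partner <jane.partner@example-law.test>"
    forged["To"] = "deal-team@example-law.test"
    forged["Subject"] = "Revised terms - please review before the call"
    forged.set_content("Revised terms attached.")
    forged.add_alternative('<p>Or view at <a href="http://203.0.113.9/terms">'
                           "docs.example-law.test</a></p>", subtype="html")
    forged.add_attachment(b"%FAKE%", maintype="application", subtype="msword",
                          filename="Deal_Terms.doc")

    lookalike = EmailMessage()         # colleague's name on an outside address
    lookalike["Received"] = outside
    lookalike["From"] = "Jane Partner <jane.partner@example-law-mail.test>"
    lookalike["To"] = "deal-team@example-law.test"
    lookalike["Subject"] = "Revised terms"
    lookalike.set_content("See attached.")
    lookalike.add_attachment(b"%FAKE%", maintype="application", subtype="zip",
                             filename="Deal_Terms.zip")

    legit = EmailMessage()             # genuine internal mail, no indicators
    legit["Received"] = inside
    legit["From"] = "Jane Partner <jane.partner@example-law.test>"
    legit["To"] = "deal-team@example-law.test"
    legit["Subject"] = "Call moved to 3pm"
    legit.set_content("Dial-in unchanged.")
    return {"forged": forged, "lookalike": lookalike, "legit": legit}


if __name__ == "__main__":
    for label, sample in build_samples().items():
        print(label, spear_phishing_indicators(sample) or ["clean"])
```

Run as a script it prints three indicators for the forged message, two for the lookalike and "clean" for the genuine internal mail. The first check is the important one for the incidents above: a gateway that rejects or quarantines mail carrying the firm’s own domain in From but arriving from an outside relay defeats the exact-address forgery outright, and SPF, DKIM and DMARC records are the standardized way to have other people’s servers do the same for mail that spoofs the firm to its clients.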
Phishing is not the only way in. Hackers can also go after the cloud storage services that firms increasingly use to hold documents, so an account on a popular file-hosting service is only as safe as the credentials and settings protecting it, and those services deserve the same scrutiny as the firm’s own network.
Steps to Be Taken to Protect Against Cyberattacks
Security firms have recently seen an increase in queries from law firms whose clients are concerned about their data’s security. Some of the remedies suggested include requiring lawyers to access highly sensitive client data only in a secure location and banning e-mail or other digital transfer of the documents. The attorneys have to go to the client company, use a dedicated terminal and review the data there, so that the data never leaves the client’s building. Another measure some firms have implemented is moving all of their servers to a third-party, off-site secure facility.
Some law firms protect data by requiring the use of encrypted connections. Some also restrict attorneys’ use of consumer file-hosting programs such as the popular Dropbox, a cloud-based service that lets users save files including photos, documents and videos. There is also now an accreditation for information protection that law firms can obtain if they implement certain data security measures, and the law firms that have received it use it as a selling point to clients.
The level of sophistication of the attacks varies. Sometimes hackers are merely looking for information they can sell quickly; this kind of hacker usually targets law firms representing celebrities. Many times, however, the attack is far more serious, as was the case with Potash Corp. of Saskatchewan Inc. The intruders there were professionals potentially linked to China, which of course has far greater resources for carrying out and sustaining such an attack.
Law firms are not, of course, the sole target of such security breaches. Well-known victims include Google, the Pentagon and the Canadian government. Many contend that the PLA or other government agencies are behind some or all of these attacks.
Not surprisingly, the Chinese Government has denied any involvement in these cyberattacks.
Ethical and Statutory Obligations
There are several ethics rules, statutes and common law principles that govern a lawyer’s duty to protect client data. The overall rule regarding a lawyer’s duty to clients is that a lawyer must provide competent representation (ABA Model Rule 1.1) and protect the client’s confidences (ABA Model Rule 1.6). Model Rule 1.6 defines the duty of confidentiality quite broadly as covering “information relating to the representation of a client.” The duty applies to client information held in computer and information systems as well. More specifically, an amendment to Model Rule 1.6, part of the Ethics 2000 revisions, added a new Comment 16 which requires lawyers to take reasonable precautions to protect confidential information:
“A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.”
Only recently have state bar organizations taken steps to define what lawyers must do in order to protect their clients’ data. See, e.g., State Bar of Arizona Opinion No. 05-04, issued in July 2005, regarding the measures a law firm must take to safeguard client data from hackers and viruses, and Arizona Bar Opinion No. 09-04, issued in December 2009, regarding online file storage and retrieval systems for client access to documents. The latter opinion discusses specific safeguards lawyers should consider, including the Secure Sockets Layer (SSL) protocol, firewalls, password protection, encryption and antivirus measures. It also calls for lawyers to periodically review their security measures to make sure they are still adequate and to update them as needed.
Other states have issued ethics opinions on this issue as well including New Jersey Committee on Professional Ethics Opinion 701 (April 2006), Nevada Standing Committee on Ethics and Professional Responsibility Formal Opinion 33 (February 2006) and Virginia Standing Committee on Legal Ethics Opinion 1818 (September 2005). They all require lawyers to take steps to protect the confidentiality of client information.
Common law also assigns duties to lawyers in connection with the protection of client data. See the Restatement (Third) of the Law Governing Lawyers (2000), e.g., Section 16(2) on competence and diligence, Section 16(3) on complying with obligations concerning a client’s confidences, and Chapter 5, “Confidential Client Information.” Lawyers who breach these duties open themselves up to malpractice actions.
Private contracts might also require lawyers to protect client data. The most obvious examples are in the health care industry and financial services.
General Statutes and Regulations Regarding Data Protection
Several state and federal statutes and regulations require the protection of personal information. Given their broad coverage, they are likely to apply to lawyers who possess such personal information about their clients as well as about others. Additionally, at least ten states now have general security laws that require measures to be taken to protect certain personal information; they include California, Massachusetts, Maryland, New Jersey and Rhode Island.
There are also several state laws that require the protection of certain personal information, including Social Security numbers, driver’s license numbers and financial account numbers. Some also require the protection of health information. Nevada also has laws that require protection of data. See NRS 603A.210 and NRS 597.970.
Most states have laws requiring notification if data security has been breached, and approximately nineteen states have laws requiring secure disposal of paper and electronic records that contain defined personal information. The FTC’s Disposal Rule, 16 C.F.R. Part 682, has similar requirements for consumer credit report information. Furthermore, HIPAA (the Health Insurance Portability and Accountability Act) requires lawyers (and others) who receive an individual’s protected health information to comply with the statute’s security requirements. The 2009 HITECH Act extended HIPAA’s security requirements and added a new breach notification requirement.
As this article makes clear, lawyers’ computers and information systems face very real risks of cyberattack. Lawyers must take this threat seriously and implement the measures necessary to protect their clients’ data and to ensure that they are in compliance with all statutory, regulatory and common law requirements. This is an ongoing process, and lawyers will need to periodically re-evaluate their measures to make sure that they remain up to date.