On June 27, 2017, a global ransomware attack affected computers in the U.S., Europe, India, Russia, and Ukraine. The malware was similar to the virus known as Petya or Petrwrap, but the outbreak was more intense than the May cyberattack in which the ransomware WannaCry impacted 150 nations. Bill Wright, senior policy counsel for the cybersecurity firm Symantec, explains that “[o]nce you unleash something that propagates in this manner it is impossible to control.” Companies indeed could not control the attack: DLA Piper lawyers showed up to work early Tuesday only to see a sign stating, “All network services are down, do not turn on your computers! No exceptions.”
The hackers used methods stolen from the National Security Agency and targeted major companies, law firms, financial institutions, and hospitals, including the pharmaceutical firm Merck & Co., Russia’s leading oil producer Rosneft, Britain’s WPP (the largest advertising agency), Deutsche Post’s Ukraine division, the law firm DLA Piper, the Russian central bank, multiple Ukrainian banks, and the hospital chain Heritage Valley Health System. The hackers encrypted some of the world’s most sensitive information and demanded a payment of $300 in Bitcoin (roughly $777,700 USD) as consideration for the decryption code. According to the American Lawyer and blockchain records, 27 organizations have paid the ransom. Perhaps if these companies had kept their information secure using blockchain technology, they would not have run into this problem in the first place, since there is no centralized source with blockchain, making it virtually impossible to hack.
Between this week’s global malware outbreak, the attacks on Weil Gotshal & Manges and Cravath, Swaine & Moore last March, and the leak of the “Panama Papers” from Mossack Fonseca, law firms have more incentive than ever to adapt their measures, technology, and policies to safeguard client information. How can firms protect themselves from a major breach of security? Establish and maintain an enterprise security system to protect all electronic documents, and conduct and document regular risk assessments. Installing and implementing thorough and precise cybersecurity measures, technology, and policies is essential. These practices will mitigate malware risks, provide procedures for locating and eliminating the virus, and attract future clients. These policies, however, need to be monitored not just by IT but by the attorneys and support staff as well. In case of a cybersecurity attack, it is helpful to have an off-site backup server that is frequently maintained so that any lost information can be restored. Firms should also carry cybersecurity insurance to cover the ransom, forensic investigator contracts, and legal expenses related to the malware attack.
Furthermore, law firms should have in place malpractice insurance policies that protect against cybersecurity liability in case privileged or otherwise confidential client information is released because of the malware. Attorneys can be held liable for professional negligence, as in Millard v. Doran, No. 153262/2016, where a real-estate attorney who used AOL email for her legal practice was held liable for professional negligence because she had not implemented any cybersecurity protection measures and had used a server that was “notoriously vulnerable” to hackers.
Law firms with clients in the financial or health sector are subject to further cybersecurity regulations. Pursuant to 23 NY CRR 500.03 and 500.01(n), (d), (g) and 500.11(b), the New York Department of Financial Services requires financial institutions to comply with cybersecurity regulations, which includes assessing the cybersecurity measures of their law firms (which fall within the ambit of Third Party Service Providers) and ensuring that those law firms do not misuse nonpublic information. FINRA also regulates broker-dealer firms with regard to cybersecurity; these regulations transfer to a broker-dealer’s law firm if the firm is negligent in monitoring the client’s security practices. For any client matters relating to health, data protection is covered by the HIPAA Data Security Regulations and the HIPAA Privacy Regulations. Here, law firms fall within the ambit of “business associates” and are directly liable under HIPAA for any data breaches.
For firms located in both the U.S. and the EU, it is imperative to understand the different regulations in each jurisdiction. The European Union has adopted the Data Protection Regulation for all Member States, which takes effect on May 25, 2018. This Regulation requires law firms to notify clients in the event of a data breach.
Click here for a regulation implementation timeline.