
2016 -- U.S. Cybersecurity Magazine July -- Cyber Attacks and Legal Malpractice


Ethan S. Burger, Adjunct Professor, Washington College of Law

Over a year ago, Citibank criticized many of the largest law firms for their reluctance to:

…discuss or even [publicly] acknowledge breaches that result[ed] in the release of their clients’, employees’, and counterparts’ confidential personal data, which has frustrated law enforcement and corporate clients for several years. That frustration bubbled over in an internal report from Citigroup’s cyberintelligence center that warned bank employees of the threat of attacks on the networks and websites of big law firms.1

It is highly problematic that many, if not most, law firms advise their clients not to disclose information about the cyber-attacks they sustained. This advice reduces the likelihood that U.S. cybersecurity efforts will succeed: as the saying goes, “cybersecurity is a team sport.”2

This practice of non-disclosure can have far-reaching consequences. Effective cybersecurity requires sharing of best cyber defense practices and procedures among the business community, civil society, government, and private citizens. Furthermore, given the transnational (and cross-border) nature of cyber-attacks, the identity of potential plaintiff(s) and defendant(s) in future litigation is not readily apparent.

Many organizations have suffered hundreds of thousands if not millions of cyber-attacks.3 A constant barrage of cyber-attacks is, for some organizations, the new normal.

Attorneys are obligated by governmental regulations to advise their clients to report cyber breaches that cause material harm, as well as to inform the persons who may have been harmed that their confidential or private information has been released and disseminated as a result of a cyber-attack.

Many lawyers are skeptical of the benefits to their clients of engaging in information sharing, desirous of protecting their clients’ business reputation. These lawyers are often intent on preserving legal privileges that may exist under the Federal Rules of Evidence, usually in anticipation of litigation, arbitration proceedings, or administrative hearings. Fed. R. Evid. §592 describes the attorney-client communications privilege and work-product doctrine.

This parochial, albeit understandable, attitude may make everyone more vulnerable to cyber-attacks. President Obama and Congress recognized that there could be significant benefits if businesses shared information with both governmental bodies and organizations in the private sector. Organizations which do not share information that might help others to deal with the cyber-threat may have a harder time receiving governmental assistance should there be a need.

However, law firms themselves are increasingly subject to cyber-attacks. They certainly cannot claim they have not been put on notice by governmental bodies, academia, and the cybersecurity industry – and, recently, by their own professional organization. In 2013, the American Bar Association published a cybersecurity handbook. It was intended to reach a broad audience of attorneys, law firms, and business professionals so that they could better develop policies and procedures to address the cyber-threat.7

The Handbook, among other things, can arguably be viewed as a norm-establishing document for best practices among lawyers and law firms. Significantly, the Handbook states that:

…law firms and lawyers in different fields of practice are increasingly required to know and understand data security and how it potentially affects their clients. In fact, as will be discussed further throughout this [H]andbook, lawyers and their practices can now be held liable for breaches. Ignorance of the risk is no longer an option or an excuse.8

Law firms and their partners may have to defend against legal malpractice lawsuits by their current and former clients under various tort and contract theories after they face a successful cyber-attack. At present, law firms are ripe targets for cyber-attacks, since they often hold their clients’ confidential and personal data. On April 12, 2016, American Bar Association President Paulette Brown sent a letter to all ABA members which discussed this increased threat of cyber-attacks, and contained links connecting members to the ABA Cybersecurity Task Force website, as well as encouraging members to sign up to receive FBI Cyber Alerts.

This letter should be considered by factfinders when regarding the standard of care to which clients are entitled from their outside counsel. Since almost all law firms possess their clients’ and employees’ private and confidential information, they should have cyber-defenses (hardware, software, practices, and procedures) in place that are consistent with the norms for entities holding the confidential and private information of others. The failure to do so in the event of a breach may give rise to legal malpractice claims for:

1. Failure to protect their clients’ confidential and personal data (depending on the facts, these same persons may have individual claims against the law firms) in the event of data breaches;

2. Failure to supervise those members of the law firms, their employees, and contractors responsible for cybersecurity;

3. Claims where their clients may be harmed in current (and possibly past) criminal, litigative, administrative, or transactional matters; and

4. Fraud or constructive fraud as well as misrepresentation by law firms as to the standard of care they observe when doing work for existing and former clients.

This is just the tip of the iceberg for claims against professionals such as accountants, money managers, etc. Law firms must take all reasonable steps to protect the confidential and private data they possess. Factfinders are entitled to assume that law firms follow a reasonably high standard of care with respect to cybersecurity. Law firms that fail to take appropriate steps to maintain this higher level of cybersecurity are playing with fire. They are creating significant legal and financial risks for their clients, themselves, and all attorneys (and staff) who work for them.

About the Author:

Ethan S. Burger, Esq., is a Washington-based international legal consultant, attorney, and academic. He is an Adjunct Professor at Washington College of Law (American University).

His areas of specialty include Transnational Financial Crime and Corruption, Cybersecurity Law and Investigations, Corporate Governance, Russian Country Conditions (Organized Crime and Human Rights), and Legal Ethics/Professional Responsibility. He has spent one-third of his career working abroad (Australia, France, Russia, Ukraine, and the United Kingdom).

Sources

1. Matthew Goldstein, “Citigroup Report Chides Law Firms for Silence on Hackings,” The New York Times, March 27, 2015, available at http://www.nytimes.com/2015/03/27/business/dealbook/citigroup-report-chides-law-firms-for-silence-on-hackings.html?_r=0.

2. Limnell, Jarno. “Cybersecurity Is a Team Sport.” POLITICO. May 14, 2015. http://www.politico.eu/article/cybersecurity-is-a-team-sport/.

3. Fortis Blog, “Millions of Cyber Attacks Happening Each Day,” January 20, 2015, available at https://www.fortis.edu/blog/technology/millions-of-cyber-attacks-happening-each-day/id/3333; and Virginia Harrison and Jose Pagliery, “Nearly 1 million new malware threats released every day,” CNN Money Website, December 8, 2015, available at https://money.cnn..com/2015/04/14/technology/security/cuber-attacl-hacks=security.

4. Legal Information Institute Website, “Rule 502. Attorney-Client Privilege and Work Product; Limitations on Waiver,” available at https://www.law.cornell.edu/rules/fre/rule_502; Sue Michmerhuizen, “Confidentiality, Privilege: A Basic Value in Two Different Applications,” Center for Professional Responsibility, March 200 http://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/confidentiality_or_attorney.authcheckdam.pdf

5. See Cybersecurity Information Sharing Act of 2016, available at https://www.congress.gov/bill/114th-congress/senate-bill/754; and ISACA, “Cybersecurity Information Security Information Watch,” ISACA Website, available at http://www.isaca.org/cyber/pages/cybersecuritylegislation.aspx; Leslie C. Thorn and Laurel D. Brewer, “How to Preserve Privilege During Data Breach Investigations,” American Bar Association’s Litigation Section, March 11, 2015, http://apps.americanbar.org/litigation/committees/businesstorts/articles/winter2015-0315-preserving-privilege-during-data-breach-investigations.html; Susan Hansen, “Cyber Attacks Upend Attorney-Client Privilege: Security experts say law firms are perfect targets for hackers,” Bloomberg Businessweek, March 19, 2015, http://www.bloomberg.com/news/articles/2015-03-19/cyber-attacks-force-law-firms-to-improve-data-security

6. See Joseph R. Marconi & Brian C. Lang, “Don’t Let Cybersecurity Breaches Lead to Legal Malpractice: The Fax Is Back,” ISBA Mutual Website, https://www.isbamutual.com/liability-minute/donrsquot-let-cybersecurity-breaches-lead-to-legal; David Mandell and Karla Schaffer, “The New Law Firm Challenge: Confronting the Rise of Cyber Attacks and Preventing Enhanced Liability,” Law Practice Today, March 2012, http://www.americanbar.org/content/dam/aba/publications/law_practice_today/the-new-law-firm-challenge-confronting-the-rise-of-cyber-attacks-and-preventing-enhanced-liability.authcheckdam.pdf; Digital Guardian HOME BLOG, “Law Firms: Cyber Criminals’ Next Top Target?”, March 28, 2016, https://digitalguardian.com/blog/law-firms-cyber-criminals-next-top-target

7. Jill D. Rhodes and Vincent I. Polley, “ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals,” ABA Cybersecurity Legal Task Force (2013) (the “Handbook”).

8. Ibid.

Spring 2016 | www.uscybersecurity.net