During the month of August alone, the Center for Strategic & International Studies recorded nine cyber attacks that targeted government agencies and/or high-tech companies or caused an economic loss of more than one million dollars. As of May 25, 2021, according to the Health Sector Cybersecurity Coordination Center or HC3, there had been 82 ransomware incidents that affected the healthcare sector worldwide. In one of the more high-profile events, Colonial Pipeline suffered a ransomware attack in late April that had a profound impact on the critical infrastructure system of the United States. As cyber attacks and ransomware attacks become more prevalent, it is incumbent upon businesses, large and small, to take immediate steps to reduce their risk of falling prey to cyber criminals and hackers.
Lawyers and law firms owe a special duty, and, in fact, are required by rules of professional conduct, to maintain client confidentiality. The obligation to protect client information extends to cases in which a lawyer or law firm’s computer network is infiltrated by a hacker. Under Formal Opinion 483, issued by the American Bar Association’s Standing Committee on Ethics and Professional Responsibility, an attorney has an affirmative duty to notify the client of any data breach through which material client information may have been compromised. This responsibility stems from the attorney’s obligation to prevent inadvertent or unauthorized disclosure of client information and to keep well-informed of any risks associated with technology.
Experts agree that the key to preventing, or at least minimizing, the risks associated with any cyber attack is being prepared before it happens. Some suggestions for protecting your firm and its information include:
Hiring a security consultant to conduct an audit of your network and security practices;
Taking steps to ensure that staff is trained in recognizing potential security threats;
Creating policies covering electronic communications and internet usage, social media, and mobile security; and
Educating staff on the importance of strong password creation and the use of multi-factor authentication.
These steps are designed to prevent a cyber attack from occurring at the outset. But what happens if your business has been the victim of a ransomware attack or other cyber attack? Some firms have resorted to cyber insurance to help in this regard.
Cyber insurance generally covers losses that arise as the result of a cyber incident, events that generally aren’t covered by traditional insurance policies. It can provide protection against a wide range of losses, including “costs arising from data destruction and/or theft, extortion demands, hacking, denial of service attacks, crisis management activity related to data breaches, and legal claims for defamation, fraud, and privacy violations.” To help consumers determine the best policy for them, the Federal Trade Commission has provided some general tips as to what cyber insurance should cover, what you should look for in first-party coverage, and what to look for in third-party coverage. Cyber insurance generally covers the costs related to data recovery, forensic investigations, and the defense of legal claims that might arise because of the breach. Such costs can break a business, especially when considering that a data breach can cost a law firm, on average, $7.01 million. In 2019, ransomware attacks cost some business sectors upwards of $7.5 billion, and it doesn’t seem that these events will be going away any time soon.
For more information about cybersecurity and cyber insurance, please see the following resources:
The ABA Cybersecurity Handbook by Jill D. Rhodes and Robert S. Litt
Locked Down: Practical Information Security for Lawyers by Sharon D. Nelson, David G. Ries, and John W. Simek
Law Firm CyberAttacks: Is Your Firm Protected? – National Law Review