Law firm cybersecurity is in the news again with two developments. First, the latest ABA TechReport says that large law firms were more likely to be victims of a data security breach last year than mid-size or small firms, with one in seven respondents having been hit overall. That’s a big deal. Next, a federal class action complaint in what is thought to be the first suit attempting to base liability solely on a U.S. law firm’s allegedly inadequate cybersecurity was unsealed on December 9. But that suit possibly turns out not to be such a big deal.
BigLaw take warning
As reported in Law360 (subs. req.), the 2016 ABA Legal Technology Survey collected responses from 800 ABA members, and it showed that 26% of firms with more than 500 lawyers had experienced a security breach. That contrasts with about 15% of firms with 50-99 lawyers, and 20% of firms with 100-499 lawyers. Only 8% of solos said they’d had a breach.
A possible explanation for the data is what Willie Sutton said about why he robbed banks: that’s where the money is. Large and mid-size firms can be treasure troves for hackers looking to gain access to client info on deals and other financial activity, and law firms can provide “back door” access to the data of financial institution clients. With more lawyers and more staff, larger firms also have more chances to suffer from human error.
The good news there, according to the survey, is that only 2% of respondents reported that hacking resulted in unauthorized access to client data.
Failure to secure data?
On the litigation front, a class action complaint was unsealed against Chicago-based firm Johnson & Bell Ltd., brought by former clients who asserted that the firm’s “computer systems suffer from critical vulnerabilities in its internet-accessible web services.” Plaintiffs also alleged that client confidential information “has been exposed,” and identified the firm’s time-charge system, e-mail server and virtual private network as vulnerable to cyber-attack.
However, the plaintiffs never alleged that any actual breach had occurred, and the firm moved to dismiss the claims. Potential vulnerability is not actionable, Johnson & Bell said in its motion — otherwise “every lawyer who carries a briefcase, takes notes in court or in a deposition … could be subject to being named in a class action lawsuit, because in each instance a client’s confidential information was ‘exposed’ or ‘vulnerable.’”
Counsel for plaintiffs in the suit is Jay Edelson, who has litigated successfully on behalf of consumers against businesses where actual breaches have occurred.
Although expansion of liability against law firms where no actual cyber-breach is alleged would be a scary development, the possibility has fizzled for the moment. As detailed in the district court’s opinion, the plaintiffs acknowledged that the time-tracking system vulnerability was remedied shortly after the complaint was filed, and plaintiffs voluntarily dismissed their class action complaint in order to pursue arbitration under a provision of their retainer agreement with the firm.
Lawyer training = ounce of prevention
Law firm data vulnerability consists of at least two factors — technology and humans. As we’ve pointed out before, a good way to address the human factor is with plenty of lawyer training, because we seem to be particularly prone to falling for scams and clicking before we think. As for the technological factor, staying ahead of the bad guys is always going to be a game of Whack-a-Mole, which law firms will be striving to win.