Sharon D. Nelson, John W. Simek, and Michael C. Maschke
Do you remember the golden ticket from Willy Wonka?
Many lawyers thought they had found the golden ticket when they discovered ChatGPT. They were excited about how fast it was and how they could leverage it for legal research, drafting legal documents, case analysis, legal compliance, authoring client communications, and the list goes on. Its speed was amazing and the conversational language was irresistible – and understandable.
Unfortunately, many lawyers didn’t realize that they were feeding the AI with confidential data, and that the history of their conversations with ChatGPT could be remembered and even used to train the AI.
If you’ve been keeping an eye on developments, you might know that OpenAI, the creator of ChatGPT, announced on April 25 that it has added the option to turn off chat history for ChatGPT, which means you can keep your confidential data safe. But if you’re not keeping an eye on developments — and many lawyers haven’t — you’ll happily go ahead and feed the AI with your data.
There was a reason why Apple and Samsung banned the use of generative AI — in Samsung’s case, employees inadvertently leaked confidential data. Apple likely fears the same fate. Some law firms have also banned the use of ChatGPT. But many others have not, and therein lies the threat.
Timing is everything – and timing is terrible
Along with the knowledge that many lawyers may have inadvertently provided confidential data to ChatGPT, law firm managing partners are facing a tidal wave of law firm data breaches. We’ve never seen so many law firm data breaches in such a short period of time. It’s a one-two punch of big proportions.
While some of the reported breaches will not be exposed until 2023, many breaches occurred in 2023, which is when ChatGPT use became more popular.
It has already become ‘open season’ on law firms, which have become the target of numerous cyberattacks – putting the security of their proprietary data at risk. And if you need another reason to complain, ChatGPT is a great tool for cybercriminals who want to create better, more effective phishing emails. No more spelling and grammatical errors shouting “phishing email!” to law firm staff.
In late June, the UK’s National Cyber Security Centre (NCSC) released a threat report indicating that cybercriminals are heavily focused on going after law firms. The NCSC reports that nearly 75% of the top 100 law firms in the UK have been affected by cyberattacks.
Do you really think it’s much different in the United States? We certainly don’t.
Class action and data breach attorneys
In the wake of reports that Bryan Cave Leighton Paisner had suffered a data breach, news came in late June that a class action lawsuit had been filed against the firm. According to a data breach report from Mondelez, the firm’s client, the attackers who breached the firm obtained data on more than 51,000 current and former employees.
The complaint states that Bryan Cave was hired in part to provide advice on data and privacy, and the firm is accused of negligence, breach of implied contract, breach of contract, unjust enrichment and invasion of privacy.
We believe that more class action lawsuits will quickly follow whenever a law firm discovers that it has been breached. This will no doubt come to the despair of hacked law firms, which are well aware that class action lawyers get very large rewards for their successes. Class members? Not much.
The authors note this because we were awarded a paltry $7.50 from the settlement Google recently agreed to after it was accused of “intentionally, systematically and repeatedly storing and disclosing users’ search queries and histories to third-party websites and companies.” Wow! A total of $7.50 for the energy wasted in filling out forms and compiling documents.
We’re not saying class suits don’t have their uses, but a storm of law firms filing class action lawsuits against other law firms will complicate an already complex data breach landscape.
Law firms need to provide more funding for cybersecurity
Given the double whammy of leaked confidential data and the sharp increase in data breaches, it’s time for law firms to get serious about combating data breaches. PricewaterhouseCoopers’ annual survey of law firms reported that the top 1,000 law firms spent just under 1% (0.46%) of their fee income on cybersecurity.
We’ve heard all the excuses. “It costs a lot.” “It takes a lot of time.” “It takes a lot of training.”
“We have cyber insurance.” The latter could be the topic of another column. Read your policies carefully. Most now have strict requirements for your cybersecurity – if it is found that you did not comply with the requirements, there may not be any compensation. Many policies will not cover ransom payments or damages from state-sponsored attacks. Oftentimes, you pay more and get less.
Sharon D. Nelson (email@example.com) is a practicing attorney and president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, Fairfax Bar Association, and Fairfax Law Foundation. She is the co-author of 18 books published by the ABA.
John W. Simek (firstname.lastname@example.org) is Vice President, Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and a nationally recognized expert in digital forensics. He and Sharon provide legal technology, cybersecurity, and digital forensics services from their firm in Fairfax, Virginia.
Michael C. Maschke (email@example.com) is CEO/Director of Cybersecurity and Digital Forensics for Sensei Enterprises, Inc. He is an EnCase Certified Examiner, Certified Computer Examiner (CCE #744), Certified Ethical Hacker, and Certified AccessData Examiner. He is also a Certified Information Systems Security Professional.