Sharon D. Nelson, John W. Simek, and Michael C. Maschke
Law firms large and small are making data breach headlines
Headlines about successful results in litigation are welcome. Headlines about law firms that have suffered data breaches are considerably less welcome.
Nobody really expected 2023 to be a banner year for law firm data breaches (some of which were reported in 2023 but happened earlier). Even so, the number of breaches that came to light in 2023 is staggering. More surprising still, cybercriminals seem to be succeeding against small and large firms alike.
And it’s not just a US problem. In the United Kingdom and France, national cybersecurity agencies have warned that law firms should upgrade their security, specifically security designed to defend against ransomware attacks.
Three of the top 50 law firms have been hacked
In July, we learned that three of the top 50 law firms had been hacked: Kirkland & Ellis, K&L Gates, and Proskauer Rose. All of them were hit by the Clop ransomware group. If these huge firms can be hacked, who is safe?
Loeb & Loeb (2022) and Orrick, Herrington & Sutcliffe (Q1 2023) were also hacked.
Class action lawsuits have followed
2023 appears to be the year that class action firms discovered fertile ground in law firm data breaches. As of July 2023, five class action lawsuits had been filed against Bryan Cave; Cadwalader, Wickersham & Taft; Smith, Gambrell & Russell; plus two smaller firms, Cohen Cleary and Spear Wilderman. The lawsuits against Cadwalader and Smith Gambrell have since been dropped.
The basis for the lawsuits was essentially the same: that the law firms did not have sufficient security to protect their data from cyberattacks.
We’re stunned by the number of small firms reporting data breaches in 2023. They definitely need to step up their cybersecurity game, especially in light of the proliferating class action lawsuits. Federal data breach class action lawsuits are up 154% in the past year. Quite a boom. Before this surge, the average was 13 lawsuits per month; it has now escalated to 33 per month.
Want another headache? Some federal courts have held that post-breach security assessments may not be protected by privilege, which makes them discoverable.
Government regulatory agencies are taking action
In January of 2023, the SEC sought information from Covington & Burling about a 2020 attack that may have led to the theft of client data. Although the law firm fought back, with support from many other law firms, the SEC appears to have won a partial victory. The SEC wanted the names of 298 publicly traded clients whose data may have been exposed.
It didn’t get much, though. On July 24, US District Judge Amit Mehta ordered Covington & Burling to provide the Securities and Exchange Commission with a list of seven clients whose material non-public information may have been accessed by Chinese hackers.
“The Court sees some merit for both parties’ positions, but ultimately finds that the SEC’s request for the names of affected clients does not exceed its legal authority or cross any constitutional lines,” Judge Mehta wrote.
It was immediately clear that neither the SEC nor the law firm was happy with this ruling, so the odds are high that it will be appealed.
Covington argued that it had a duty to keep client names confidential. It also said the SEC’s request for client names could harm relationships between law firms and clients and could cause victims of cyberattacks to decide not to consult law firms at all.
Covington, with the support of several law firms, also warned that victims could be discouraged from reporting cyberattacks to the federal government. This matters because the US government relies on the voluntary cooperation of victims to understand the scope of breaches and respond to them.
Judge Mehta, for his part, did not disagree, writing: “The SEC’s approach here could cause firms that are subject to cyberattacks to think twice about seeking legal advice from outside counsel. Law firms may also be reluctant to report cyberattacks to avoid scrutiny of their clients.”
Mehta noted, “The court’s role is limited. Its job is only to assess whether the subpoena exceeds the SEC’s legal authority or fails to meet minimum constitutional requirements. This is not intended to convey the wisdom of the SEC’s investigative approach.”
Mehta’s ruling requires Covington only to “disclose the names of seven clients for whom it could not rule out the threat actor’s access to material nonpublic information.”
He also wrote: “In the judgment of the court, the SEC has not made the case that it needs the names of the 291 clients whose material non-public information Covington determined was not accessed. These clients, by the SEC’s admission, are irrelevant to its investigation.” The court was therefore not willing to grant the SEC access to a client list of nearly 300 names when only seven were really needed to satisfy the agency’s stated law enforcement interests.
The judge considered the SEC’s argument that it could not “independently verify” Covington’s conclusion that other clients were not accessed, but decided that this did not mean the SEC should have access to the full list of names.
Ugly statistics on law firm breaches
Check Point Research reported in April that cyberattacks were up 7% in the first quarter of 2023 compared to the first quarter of 2022. In that quarter, organizations of all types saw 1,248 attacks. What caught our attention is that one out of every 40 attacks targeted a law firm or insurance company.
As we have often pointed out, law firms are prime targets because of the extensive data they hold for corporations as well as government agencies. Experts have consistently noted that many law firms do not meet cybersecurity best practices.
Many of our clients are law firms, so we have some experience here. Why do law firms sometimes fail to take adequate security measures? Here are the usual reasons we hear:
- It is so expensive. Note this: IBM’s Cost of a Data Breach Report, released in late July, found that half of the organizations that had been breached did not plan to increase their cybersecurity budget. It also found that only a third of data breaches were caught by the organization’s own security team; in 27% of cases, the breach was disclosed by the attacker.
- It will greatly interfere with our operations.
- We are not really a target for cybercriminals.
- Our staff is already suffering from security fatigue, and this will only make it worse.
- Legal ethics rules do not require this.
Shortsighted? Absolutely. Many clients have paid a heavy price for refusing to use multi-factor authentication. And as you might imagine, once they had taken a beating, they couldn’t adopt MFA fast enough. As for the ethics rules, they require reasonable cybersecurity, and what is reasonable has changed dramatically over time.
In fairness, cybersecurity really can be expensive, and one of our main directives for our IT/cybersecurity team is to find affordable solutions for our solo, small and midsize clients.
Fortunately, such solutions already exist!
“Time is the new currency in cybersecurity, both for defenders and attackers… Early detection and rapid response can significantly reduce the impact of a hack.” – Chris McCurdy, General Manager, Worldwide IBM Security Services.
Sharon D. Nelson is a practicing attorney and president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association, and the Fairfax Law Foundation. She is the co-author of 18 books published by the ABA.
John W. Simek is Vice President of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (CEH), and a nationally recognized expert in digital forensics. He and Sharon provide legal technology, cybersecurity, and digital forensics services from their firm in Fairfax, Virginia.
Michael C. Maschke is CEO/Director of Cybersecurity and Digital Forensics for Sensei Enterprises, Inc. He is an EnCase Certified Examiner, Certified Computer Examiner (CCE #744), Certified Ethical Hacker, and Certified AccessData Examiner. He is also a Certified Information Systems Security Professional.