7th Circuit panel discusses cybersecurity risks to law firms, clients

There are two types of professional organizations today – those who have been hacked and those who have been hacked but don’t know it yet.

Though that may seem to be an alarming characterization of the legal field, John McCauley of Bingham Greenebaum Doll LLP said it’s important for organizations, including law firms, to understand the high risk for a data breach in today’s world. McCauley spoke as part of a panel on “The Impact of Digital/Data Breach” during the 7th Circuit Bar Association’s annual meeting and judicial conference in Indianapolis on Monday.

McCauley was joined on the panel by Stephen Reynolds of Ice Miller LLP and Raymond Manna of Kroll Security in Philadelphia, each of whom work in the realm of cybersecurity and data privacy. Together, the trio outlined the cybersecurity threats facing law firms today, the steps attorneys can take to protect themselves and their clients from a data breach, and the case law governing a still developing area of practice.

Roughly 2 billion personal records have been compromised since 2008, ringing in at an average of $6 million in costs to respond to each breach, McCauley told the group of 7th Circuit attorneys from Indiana, Illinois and Wisconsin. Although Manna said hospitals, banks, retailers and higher education institutions face the most frequent cybersecurity attacks, McCauley also noted that attorneys hold highly sensitive information about their clients, making them targets for hackers trying to access personal data.

The judiciary has taken steps to try to force legal professionals to recognize this threat, most notably through the American Bar Association’s adoption of Model Rule of Professional Conduct 1.1, which requires technological competence, Reynolds said. But even with that rule in place, attorneys can still fall prey to phishing or ransomware scams if they are unaware what those scams look like.

For example, Reynolds said there are two ways that hackers like to trick legal professionals into exposing their personal information – by sending fake emails informing attorneys that they have either been nominated for a bar award or are facing a bar complaint. Hackers are aware that attorneys are likely to respond to those types of messages, Reynolds said, and when an attorney opens an attachment or link related to their “award” or “complaint,” he or she is actually opening up their computer to a digital attack.

Those attacks often come in the form of “ransomware,” or an encryption of a computer’s files. Usually, the hackers will post a message telling the attorneys that they will not unencrypt their files until they are sent a large sum of money, a method preferred over traditional data theft because it yields instant monetary gratification, McCauley said.  Although the number of phishing emails that lead to ransomware attacks is going down, Reynolds said that decrease represents an effort by hackers to be more targeted in their attacks by sending messages that will attract certain groups of people, such as lawyers.

To guard against such attacks, Reynolds reiterated the traditional advice of avoiding attachments and links that come from unknown senders or seem suspicious, and choosing passwords that would be tough to crack. Additionally, he urged attorneys to have an “out-of-band” backup on their files that will still allow them to access their work in case of a malicious encryption. Additionally, the attorney urged his colleagues to encrypt their mobile devices, a step that would make it more difficult for hackers to gain access to classified information.

Case law has generally developed favorably to defendants in the realm of cybersecurity litigation, McCauley said, though he noted that there is a split among circuit courts as to whether plaintiffs can establish standing to bring their cases. The 1st, 3rd and 4th circuits are more inclined to dismiss such cases for a lack of standing, McCauley said, while the 6th, 7th and 9th circuits are more likely to allow cases to move forward, holding that an increased risk of identity theft is sufficient to establish standing.

Looking to the immediate future, McCauley said he predicts a decline in consumer class-action suits related to data breaches, yet an increase in class cases brought by banks and credit unions.