Cyber risk for lawyers: a unique form of professional risk
Cyber events impacting law firms can be targeted or untargeted
Cyber risk includes funds transfer frauds and other losses with the potential to impact multiple clients, ongoing income and professional reputation
Lawyers’ duties of competence and confidentiality mean courts may imply a duty of competence in the use of technology
Cybercrime is challenging organisations everywhere, with daily news stories about businesses, government organisations and even global IT companies that have been hacked. Law societies and insurers have been warning lawyers about cyber risk, in particular funds transfer frauds in which a scammer sends a fake email impersonating either a lawyer or their client with the aim of tricking the other into paying funds into the wrong bank account.
While payment redirection frauds impacting client funds are a key area of concern, these are not the only cyber events that can have significant impacts for legal practices. In contrast with traditional categories of professional risk, cyber exposure encompasses new types of losses, some of which are not insured under legal professional indemnity insurance (PII) policies, and they can have unprecedented potential to impact multiple clients, ongoing income and professional reputation. Importantly, while cyber risk may have little connection with your skills as a lawyer, it can have everything to do with your professional duties as a fiduciary and custodian of confidential information.
Cyber events impacting law firms can be global and random
Two major incidents in 2017 involving the WannaCry and NotPetya malware demonstrated the potential damage that cyber events can cause in terms of business interruption, loss of data and income, and remediation costs. The first victim of the NotPetya malware was a small software company in Ukraine which was targeted by Russian hackers. The malware spread rapidly from the company to its contacts, encrypting computer records and making data permanently unavailable. The malware spread from computers that had not been patched for vulnerabilities to computers that had been patched. It took only one unpatched computer in a network to cause havoc to a company’s infrastructure (see Wired.com).
Total losses from NotPetya worldwide have been estimated at more than $10 billion. While news reports at the time focused on high profile organisations such as transportation giants Maersk and TNT, it has been reported that 22% of small businesses breached by the 2017 ransomware attacks could not continue operating (sources: Wired.com and asbfeo.gov.au).
DLA Piper was among many victims globally, with the malware compromising operations for days as lawyers at the firm had no access and then only limited access to computer systems or email. The firm later revealed it spent 15,000 hours in overtime for IT employees in response to the NotPetya event. (source: itnews.com.au).
While NotPetya purported to require the payment of a ransom, in fact the data could not be unlocked even if a ransom was paid. In other cases, however, ransomware is effective in locking up computer networks and, unless reliable backups are available, the affected firm may be forced to consider paying a cyber extortion demand in order to retrieve its information.
Cyberattacks and email fraud can also be highly targeted
More than 90% of cyberattacks reportedly start with a phishing email designed to manipulate the recipient into inadvertently revealing log-in credentials or installing malicious software by opening attachments or clicking on malicious links. Many such emails can be generic and untargeted in nature – the good news is that these can often be caught by email filters.
Unfortunately, however, as generic emails are increasingly likely to be filtered out, phishing emails can also target specific individuals for cyberattacks (spear phishing) by tailoring a personalised message for the targeted individual. Once access has been obtained to a mailbox using phishing techniques, the hacker can collect confidential client information, access address books, scan a mailbox for correspondence identifying high-value transactions, tamper with correspondence to facilitate funds transfer frauds, or copy sensitive information that can be used for a range of purposes including identity fraud against clients or the theft of information that is commercially sensitive.
As well as computer intrusion techniques such as phishing, another type of business email compromise involves pure impersonation fraud not involving any computer intrusion. In these cases, the scammer may impersonate a client, colleague or manager while providing directions for a funds transfer. “CEO fraud” is one of the most effective forms of business email compromise and involves sending an email to an employee of a firm impersonating a senior person such as a managing partner or chief financial officer. Because the employee believes the email is from an owner or senior staff, s/he may action these payment requests quickly and without question unless s/he has previously been educated about the existence of this type of scam. PII policies designed to protect against third party risks do not indemnify the practice’s own losses in this situation.
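As an added example (not from the article), the following Python screening function checks an incoming message for the impersonation and funds-transfer indicators described above: a senior person's name on an outside address, a sender domain that resembles the firm's own, a Reply-To that diverts replies, and payment wording. The firm domain, staff names and sample messages are constructed for illustration.

```python
"""Screening for business email compromise indicators (added example).
FIRM_DOMAIN, SENIOR_STAFF and the sample messages are constructed, not real."""
import difflib
import re
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.com.au"                  # assumed firm domain
SENIOR_STAFF = {"jane citizen", "sam partner"}      # constructed names
PAYMENT_WORDS = re.compile(r"\b(transfer|wire|bank account|bsb|urgent|payment)\b", re.I)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def screen_email(msg: dict) -> list[str]:
    """Return the BEC indicators found in a message given as a dict of headers plus Body."""
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    # 1. A known senior name on an address outside the firm ("CEO fraud" pattern)
    if name.strip().lower() in SENIOR_STAFF and sender_domain != FIRM_DOMAIN:
        flags.append("senior-staff display name on external address")
    # 2. Sender domain that closely resembles the firm's (lookalike / typo domain)
    if sender_domain and sender_domain != FIRM_DOMAIN:
        if difflib.SequenceMatcher(None, sender_domain, FIRM_DOMAIN).ratio() >= 0.85:
            flags.append("lookalike sender domain")
    # 3. Reply-To pointing somewhere other than the sender's own domain
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != sender_domain:
        flags.append("reply-to diverts to another domain")
    # 4. Payment or account-change language, the core of funds transfer fraud
    if PAYMENT_WORDS.search(msg.get("Subject", "") + " " + msg.get("Body", "")):
        flags.append("payment instruction wording")
    return flags


# Constructed sample messages
CEO_FRAUD = {"From": "Jane Citizen <jane.citizen@gmail.example>",
             "Reply-To": "jane.citizen@gmail.example",
             "Subject": "Urgent transfer before 5pm",
             "Body": "Please wire the settlement funds to the new bank account below."}
LOOKALIKE = {"From": "Accounts <accounts@example-1aw.com.au>",
             "Reply-To": "accounts@mail.example",
             "Subject": "Updated remittance details",
             "Body": "Our BSB has changed; please use the new details for settlement."}
LEGIT = {"From": "Jane Citizen <jane.citizen@example-law.com.au>",
         "Subject": "Lunch on Friday?", "Body": "Are you free at 12:30?"}
```

A flagged message is a prompt for an out-of-band check with the purported sender, not proof of fraud; the thresholds and word list here are deliberately simple and would be tuned to the firm's own traffic.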
Professional duties as fiduciaries and custodians of confidential information amplify the risks presented by cyber events
Obligations to maintain the confidentiality of information received from clients arise from a variety of sources, including the common law, equity, professional conduct rules and legislation such as the Privacy Act 1988 (Cth). When so much information is stored and communicated electronically, the prevalence of cybercrime brings a new challenge to meeting this obligation. Whereas once an intruder needed to physically break into an office to steal information, without adequate safeguards this can now be done via the internet. The capacity for criminals to mine that information for profit or to cause damage is unprecedented, with technology also amplifying the risk of information being intentionally or unintentionally disclosed to a wider audience.
In some cases, businesses may have concerns about a possible hacking episode but may be reassured by the apparent absence of any fraud, when in fact sensitive data such as contact details, credit cards, financial records and health information may have been copied and made available for sale on the dark web. In cases where there is evidence that a hacker may have accessed confidential information that could, for example, expose clients to identity fraud, there may be disclosure obligations under fiduciary duties and the Privacy Act.
Bar rules in a majority of American states now require a competency component for lawyers in relation to technology. While such a duty is not currently included in the Legal Profession Uniform Law Australian Solicitors’ Conduct Rules 2015, courts may imply a duty to take reasonable care to ensure information security given the fundamental nature of lawyers’ duty of confidentiality.
Law firms are now targets for fraud, theft of confidential information or cyber vandalism in a way that is unprecedented. Preventing cyber risk involves an acceptance that appropriate technology management is now encompassed within lawyers’ professional duties and cannot be regarded as a problem solely for an IT contractor or department to manage. While a strong relationship with a cyber security specialist is vital, technology solutions, coupled with a more holistic approach encompassing user education, risk prevention processes, mitigation via incident planning and an insurance program that factors in the unique perils of cyber exposure are all needed to protect your firm from this new and challenging form of professional risk.