Quimbee logo
DMCA.com Protection Status

Cyber-Based Legal Malpractice Claims: Defenses, Risk Management and Ethics Issues

4.9 out of 5 Excellent(47 reviews)
Start your FREE 7-day trial
Preview this course and the rest of Quimbee's CLE library for free with a 7-day free trial membership.
Buy this course - $49
Get access to just this course for $49
Play video

Cyber-Based Legal Malpractice Claims: Defenses, Risk Management and Ethics Issues

Cyber-based claims are an exponentially growing threat to attorneys. Cyber risks touch on every area of practice and overlap with the two greatest sources of professional risk to attorneys – ethical obligations and legal duties to clients. This course explores the basics of legal malpractice claims along with corresponding ethical considerations in the context of the cyber threat while providing practical advice for anticipating, mitigating and surviving cyber risks and related claims. Cyber-based causes of action, common defenses and jurisdictional considerations will be reviewed as well as risk management techniques and best practices, including an overview of how to develop a cyber risk management team and plan.


Jeffrey Cunningham
Goldberg Segalla


Jeff Cunningham:  Good morning. My name is Jeff Cunningham. I'm an attorney at Goldberg Segalla LLP, and today we're going to be talking about cyber-based legal malpractice claims, defenses, risk management, and ethical issues. The talk today is going to discuss the three main sources of risk that attorneys are facing and the overlap of those sources of risk. I like to think of these risk groups as a Venn diagram with the legal malpractice claims that attorneys face as one circle, ethical considerations and ethical violations, the potential risk there as another circle, and then the new and evolving technological risks, cyber risks we see every day in the news, not just for attorneys, but for everyone now, especially in the new normal following COVID. The cyber risks is a third circle in our Venn diagram. Those three areas of risk are something attorneys have to deal with every day in all areas of practice, but it's really that overlap, the overlap of those three sources, that we're going to talk about today and should be a primary target for risk management for any attorney.

   A course overview. We're going to talk about that intersection of risk for the center of the Venn diagram. Practical advice for risk management techniques, best practices that you can use in your practice, no matter if you're in a huge firm, solo practitioner, in-house, going through kind of the day to day what you can do to address cyber-based claims and ethical considerations. And then sort of some homework is to develop a plan today. So no matter what area of practice you are in, no matter how much technology you are using, no matter what jurisdiction you're in, you should leave today's talk with an idea to develop a plan, start a plan. Whether it's put down on paper or not, whether you assign team members to a risk management team or not, you'll have some idea as to what to do before a cyber-based claim and associated risks become a real problem.

   Talking about cyber threats, I like to break down the two traditional sources of risk to attorneys: ethical violations and malpractice claims. Overlapping those two sources of risk is the cyber threat, but first to talk about ethics and malpractice and how they differ. Our ethical obligations are enshrined in professional ideals. Malpractice claims are based on common practice, the common practice of an attorney in your community and practice area. Ethics violations generally involve intent. Malpractice is negligence-based, so it's a mistake. Ethics involve, typically, a course of conduct, not just one instance, whereas malpractice claims are the other way. They're based on one instance. And if you have a continuing course of conduct of negligence, you're going to be exposed to multiple malpractice claims. And then finally, the ethics claims are handled by the state bar associations, the grievance committees, and in the local jurisdictions. Malpractice claims are handled by state courts, federal courts to some extent, but applying state law. So those two traditional sources of risk, ethics and malpractice, again, overlap with the growing, and it's growing exponentially, the growing risk of cyber-based technological-based claims against attorneys.

   So kind of an ethical overview. The duty to disclose malpractice, I think, is always the best starting point from the ethics standpoint. It's where the two sort of ethics and malpractice sort of meet. And the ABA Model Rules apply, your state ethics rules apply. ABA Opinion 481 provides that a lawyer is required to inform a client if the error is material. Now, whether the error is material, there's some wiggle room there, but generally speaking, the ethics rules do require disclosure of malpractice or potential malpractice. The Restatement Third of Lawyers also requires attorneys to disclose malpractice. And then on the flip side, the majority of jurisdictions do not require an attorney to disclose malpractice. There's a minority of jurisdictions that do, but most jurisdictions do not require disclosure. Always important to keep in mind when discussing disclosure of potential malpractice is the failure to disclose potential malpractice to clients could expose the attorney to other claims, especially breach of fiduciary duty-type claims.

   But there are other claims out there, and each case is of course specific, but the failure to disclose could expose the attorney to other potential claims due to that failure. And there's also malpractice insurance considerations. I'm an insurance defense attorney, and your professional liability carrier should be involved in the discussion from the moment you suspect that there could be malpractice, or even exposure to a meritless malpractice claim. You want to talk to your insurers. They're a great resource. Also, it could trigger notification provisions in your policy. But if you decide to disclose or apologize or admit, or essentially do anything as it relates to a potential claim from one of your clients, that could impact your insurance coverage.

   So you want to bring the insurer in right away. And we'll talk about that a bit deeper down when we start to get into the cyber-based claims and the cyber threats. Now, jumping into an overview of legal malpractice claims, the ABA has a staggering statistic that 80% of lawyers will be sued for malpractice during their career. I always throw out the citation of this because that number just seems too high. It's from around the ABA Ways to avoid legal malpractice, as claims rise industry-wide from the December 2016 issue. The ABA puts out statistics on professional liability claims against attorneys, and it's interesting stuff if that's what you do, like me. But again, just the overview aspect of it, 70% of legal mal claims are against firms with one to five attorneys. So 70% of the claims out there are against small or solo practitioners. Legal malpractice claims continually rise about 20%, and this is since 2012.

   The claims are just increasing in dollar amounts. They're increasing in volume. One-third of all reported errors involve sort of administrative work: preparation, filing, transmittal of materials. So one-third of the claims faced by lawyers are things that unfortunately lawyers tend to delegate to staff, and maybe don't provide the level of supervision that the rules and the law require. Generally speaking, the legal malpractice action, you have to prove the case within a case, and that carries through to transactional claims as well. And obviously each jurisdiction has nuances, but there's four general elements to a malpractice claim. Those elements being one, the attorney-client relationship, privity, two, the negligence, breach of the standard of care, three, approximate causation, and four, actual and ascertainable damages. The breach of the duty is not enough.

   All four elements are required. I'm sure you've heard other people, other attorneys say, "That would be malpractice. If you didn't do that, that would be malpractice. If we missed that deadline, that would be malpractice." What they're really talking about is the second element, the negligence element, a breach of the duty. But again, that's not enough. So a mistake doesn't equal malpractice. A mistake that approximately causes actual damages to your client, that amounts to malpractice. And it's important to remember, and attorneys forget all the time. The only person that can... We'll talk about this a little later. There are some exceptions, but the only person that can sue you for malpractice is really your client. And just to consider breach of fiduciary duty, other duplicative claims are often kitchen-sinked into complaints against attorneys. Typically, if it's the same facts amounting to the same damages from a lawyer's professional responsibility to his client or her client, those associated claims will be dismissed as duplicative.

   If they can show distinct facts, distinct damages, well, then that's another story. An ethics overview. Today, we're going to talk about the ABA Model Rules, but each jurisdiction of course has its own rules. The good news is there's a trend to make the rules more and more uniform. We're not even close to there yet, but eventually, I think the ethical rules for attorneys will be more or less interchangeable. Maybe not in our lifetimes, though. The Model Rules' preamble and scope specifically explicitly says that a violation of the rules does not give rise to a cause of action against a lawyer, and the rules are not to be used to impose civil liability. So the Model Rules themselves accept that these are ethical rules. They're not meant for a court of law to decide whether there's a legal malpractice claim. You have to know the rules for every jurisdiction you're practicing in, whether it's a jurisdiction you've been in for 30 years or if you pro hac in for just this one case. You have to know the rules. The ethical rules are generally admissible to establish the standard of care.

   Most jurisdictions will allow the professional responsibility rules to be admitted as evidence to establish the standard of care and whether the attorney breached that standard of care. Diving into the elements, I'm going to go through each of the four elements and talk about ethical considerations related to those elements. So privity, the attorney-client relationship creates the duty. Most states have a strict privity requirement, meaning only your client can sue you from malpractice. There generally has to be some sort of explicit undertaking to perform a specific task. So if you are a real estate closing attorney and your client gets arrested for a crime, they can't turn around and say, "You were my lawyer. You committed malpractice by not showing up at my arraignment," or something like that. The client has to be able to demonstrate a specific undertaking to perform a task.

   That's the good news. Unfortunately, the subjective unilateral reasonable belief of the client is sort of the standard. So if the client does think you're their attorney, then that's going to likely at least survive a motion to dismiss. Even if you're the real estate attorney who didn't show up at the arraignment, if the client can show a reasonable belief that you should have, were going to... Represented them in some way in the criminal matter, you could be stuck in the case at a minimum. Payment for services does not typically matter. So no matter who's paying for the attorney, that doesn't impact who the client is. As I mentioned at the beginning, there is a bit of a privity spectrum. So California sort of opens the door to intended beneficiaries, known beneficiaries, especially in the trust and estates context. States like New York have a very strict privity requirement, where really the client and only the client can sue the attorney for malpractice.

   And I've had cases where a spouse was found not to be the client, even though they were involved completely in the representation. In one instance, I had a spouse who served as the interpreter for her husband. Met with the attorney every single time the client's spouse met with the attorney, and still the case was dismissed against them, because they didn't have that attorney-client relationship. Scope of services is key. Again, in our real estate attorney turned criminal defense attorney scenario, a retainer agreement that explicitly outlines the role of the attorney and the scope of the services is going to be key. And that's why a retainer agreement is such a necessary tool for risk management from the legal malpractice side, but as we'll talk about more, ethical issues and the cyber risks that we're going to discuss. Now, while I talk about privity, I always want to talk about the jury perception problem that attorneys have.

   Now, people always tell me, plaintiff's attorneys always tell me, "Juries don't like attorneys." I haven't found that to be the case at all. And in fact, I find that juries don't like people who lie, people who manufacture claims, people who they shouldn't like. I found that juries typically give lawyers as fair a shake as they give everyone else. But what juries do, I think, do is they do sort of agree with the client that the lawyer was supposed to handle that. And maybe they wouldn't go so far as to think, "Yeah, that's reasonable that this person thought his real estate attorney was going to show up at his arraignment," but typically juries will look at a much broader view of what the real estate attorney is supposed to do in a real estate transaction, or the criminal defense attorney is supposed to do in a criminal defense matter.

   And that idea that... Clients say it all the time, "The lawyer was handling it." Juries do sort of agree with that, and that's a real problem. Again, that's where the retainer and clearly outlining the scope of services is key. As I said, for each of the elements, we're going to go through the ethical considerations. So the ethical considerations in privity, again, they're based on the jurisdictional rules. The retainer agreement's key. Updating the retainer agreement is key. As the work evolves, it's important to keep that retainer agreement as a living document, and we'll talk about this throughout the course today. Client communication is of the utmost importance, and it's just a great way to one, provide excellent service to your client, and two, provide risk management for yourself and your firm. The more you keep the client in the know, the safer everything's going to be.

   There's ethical considerations with incapacitated, incompetent, minor clients that that need to be addressed on a jurisdictional level, but should not be overlooked. Also, dealing with unrepresented parties and witnesses, arbitration clauses, and informed consent are big areas where you need to take a look at the ethical rules in your jurisdiction, and perhaps even retain ethics counsel. If you're going to be contracting with your client in any way, it's important to make sure that's done independently, and that it'll hold up if you ever need to invoke that arbitration clause or whatever the contract is. Conflicts of interest are a huge source of risk to attorneys, and major firms tend to have large conflicts departments that handle these things. Smaller solo firms tend to do it off of just what the lawyer knows. And the lawyer doesn't think they represent that person or that entity, and that's good enough, and it's usually not good enough.

   It's a major source of ethical issues and legal malpractice claims against attorneys. And just to touch quickly on the attorney-client privilege and the "at issue" doctrine and the ethical considerations there, if a client sues their attorney for legal malpractice, they've put the privilege at issue and waived the privilege as to that legal amount practice claim. Now, it's not a blanket waiver. The attorney can't just publish privileged information in the newspaper or something, but the attorney can use privileged information in the defense of the claim. And there are ethical issues there, because even though your former client is suing you for malpractice, and even though that constitutes a waiver of the attorney-client privilege, ethically, we still owe obligations to that client, that former client to maintain confidentiality and maintain their privilege as best we can.

   So it's a very tight balancing act as to what part of the privileged communications you can use in your defense. And again, in particularly tricky situations, ethics counsel should be retained and consulted. All right, the second element, the breach of the standard of care. Typically, the attorney has to exercise the degree of skill and diligence commonly exercised by other attorneys in similar conditions and similar circumstances. So usually, again, a real estate attorney in New York City is going to be held to a different standard of care than a real estate attorney in a small, rural community. It's just the reality of the legal malpractice claim. The professional or attorney judgment rule provides qualified immunity for attorneys, and courts will not look back with 20/20 vision and say, "Oh, yeah, this was a mistake. The attorney breached the standard of care because of this decision."

   If it's a reasonable professional decision, the court will not challenge it. So it's a little bit of protection for the lawyer, and again, why constant communication with your client, explaining what you're doing, why you're doing it is a great risk management technique. The role of attorney experts, many states require an affidavit of merit in order to bring a claim, and expert testimony is really almost always needed to establish a breach of the standard of care. Although some states go the other way, where a judge does not need an expert. The judge is an expert on the law. Which makes sense, but most states require expert testimony to establish and rebut the breach of the standard of care. Just like with privity, the breach of the standard of care element has specific ethical considerations. The majority of jurisdictions, as I said, allow an ethics violation or the ethical rules to be used as evidence of a breach.

   Some jurisdictions even presume an ethics violation equates the malpractice. Others hold that ethics violation as totally inadmissible, so of course you have to know your rules in your jurisdiction and the legal mal law, and the impact of an ethics violation, and how that could be used or could not be used regarding the breach of the standard of care element. Expertise in an area of law in jurisdictions that allow specialists or things like that can add a heightened standard for the attorney's practice, and make it easier to be sued. If you are a specialist in, again, real estate law, then you're going to be held to a higher standard than a general practitioner who's doing a real estate closing too. Be wary of practice in other jurisdictions. Once the subject matter of representation involves another state, if you are not admitted in the state, it's a big red flag and a big warning sign to step back, decide whether you need local counsel, decide whether there are ethical considerations that should be explored, and decide whether it's worth the risk to even take that representation on.

   And the scope of services in the retainer agreement should be adjusted to reflect that consideration if any of the subject matter of the representation involves another state, another jurisdiction, even if you're admitted in that jurisdiction. The third element, proximate cause. Negligence is not enough. Mistakes happen all the time that don't proximately cause damage. In the criminal context... And this is just a good illustration of the proximate cause requirement. In the criminal context, most states have an innocence requirement. So if the criminal defendant pled guilty, they cannot then turn around and sue their attorney for malpractice, the idea being they would never be able to prove proximate cause. If they committed the crime, then they should be found guilty in a perfect system. So nothing the lawyer did or did not do proximately caused their incarceration or their conviction, it was their commission of the crime.

   But for causation, of course each state sort of describes that differently. Considerations there are with prior, subsequent, and co-counsel. Any other attorneys involved all owe equal duties to their client. The sophisticated client doctrine is available in many states to protect attorneys. And I don't want to beat the real estate dead horse here, but in the real estate context, for example, if it's a first-time home buyer who's the client, versus a sophisticated real estate investor with a $100 million real estate portfolio, the courts are going to consider that when determining proximate cause. A babe in the woods first-time home buyer is going to have a lot more leeway in establishing proximate causation than a sophisticated real estate developer who probably has staff, maybe even in-house counsel. So that's a protection for attorneys that a sophisticated client is not going to be heard by the court to blame the lawyer for something that they really should have known about.

   Client satisfaction and speculation should not be involved in the proximate cause calculus. Unfortunately it often is, which is again why the living retainer at agreement is so important to really define the scope of services and to exclude what the client might later think the representation was supposed to be. Ethical considerations in proximate cause. As attorneys, we are agents of our clients. We bind our clients. We have actual and apparent authority to do so. It is especially important in settlement negotiations and when reaching actual settlement that we need to communicate 100% with the client and make sure that they're aware of any settlement offers, and certainly whether a settlement is finalized. The client needs to be informed, and it's best to get their consent in writing.

   I like to pause at this point and just point out that most mistakes do not cause recoverable damages, and do not amount to ethical violations, so that's good. But there's still a failure of our professional duties to our client. We still have an ethical obligation of competency, that you don't want these mistakes to happen if you can avoid them. And I think the risk management techniques we're going to talk about later in the presentation are really helpful to avoiding these pitfalls that may not amount to an ethical violation or illegal malpractice claim, but still fall short of the best practice that we all aspire to. The final element, damages. Generally, states require pecuniary loss, actual ascertainable dollar amount damages. Speculation is not allowed. Most states do not allow emotional distress, loss of liberty. Things like that are not recoverable.

   There's some considerations with damages, collectibility. Many states require the plaintiffs to show that but for the attorney's actions, they would have been able to collect from the underlying defendant. And oftentimes, it's either an affirmative defense or an element of the malpractice claim. But if the attorney can show that the million-dollar verdict they made a mistake on and lost was actually not worth anything because the underlying defendant was judgment proof without assets, then the plaintiff won't be able to establish actual damages against the attorney. Pre-judgment interest is a major consideration, and the accrual date of that interest. Some states, a very slim minority, allow attorney's fees to cure malpractice. And that can sort of be tied into attorney's fees to prosecute a malpractice claim, although it's pretty specific. And there still are ethical considerations, even with the non-recoverable, non-pecuniary damages. Emotional distress, loss of liberty, reputational damages, those don't equal dollars and are not recoverable, but those are still damages.

   And that's something that we really need to pay attention to and be cognizant of in our practice, especially in areas where those sorts of damages are extremely common, in the matrimonial context, family law, criminal law. Those practices especially can result in those types of damages, so we have an ethical obligation to keep those considerations in mind. All right, so that was a lot of information. I'll do a quick wrap-up of ethics and malpractice and how they intersect. The elements of the malpractice claim, each of the four elements overlaps with our ethical obligations. Each aspect of the representation present risks and challenges. So from that initial meeting, the retainer agreement, all through the representation, whether it's a litigation or transactional, to the end of the representation, each presents its own unique circumstances and challenges. You have to know the rules of each jurisdiction that you are practicing in, and the best risk avoidance tool we have is contemporaneous communication with the client and to make that in writing.

   I mean, email is really an amazing risk management tool for lawyers, often underused, but keeping the client up to date in writing provides for the best practice. It really does make sure that you are giving the client the best service and protects you from a potential claim or a claim of ethical violation. That was a bit of a deep dive, a quick deep dive, I guess, into the basics of legal malpractice claims and the ethical rules and ethical considerations that overlap in our Venn diagram. We're about to get to the third circle there, the cyber risks, cyber claims, but I'd be remiss if I didn't touch on a few more points about related claims: negligence, breach of contract, fraud, breach of fiduciary duty, disgorgement of fees, unjust enrichment. I mean, the list that plaintiff's attorneys come up with is sort of never-ending, but you'll see related claims brought against lawyers all the time. It's pretty rare to just get a straight up legal malpractice cause of action and nothing else.

   As I said before, if it's the same facts, the same damage, it's likely subject to dismissal as duplicative. But these other claims are often brought in to seek otherwise unrecoverable damages and or to get around the statute of limitations, which is typically shorter, especially shorter than fraud-based claims and things like that in most jurisdictions. It's also important to remember that while these claims are often duplicative and usually used to seek unrecoverable damages or do a statute of limitations end run, or for other creative reasons that plaintiff's attorneys come up with, these claims can stand alone, and you unfortunately could commit legal malpractice and a distinct breach of fiduciary duty or a distinct claim for fraud or something like that. So that's important to keep in mind as well.

   All right, getting into the cyber risks, the third circle of our Venn diagram. The ABA tracks a lot of technology and the law associations, the risks related to that. And they're doing more and more of it as it's becoming ever more prevalent in our practice, especially considering how technologically dependent we are in the remote practice world of COVID. And obviously, none of that's going away, and it's only going to grow more and more. The ABA Legal Technology Survey puts out statistics. One of the most interesting statistics, I think, is that 8% of practicing attorneys are using some sort of artificial intelligence in their practice. That is going to increase over time, and I think create more and more cyber risk. On the good side, there's been a marked decrease in the number of attorneys' work using public Wi-Fi, which was a great source of problem.

   And it's good to know that there are fewer of us out there practicing from Starbucks and things like that, which is probably not a best practice tool anyway, but presents real cyber risks. The ABA's 2016 Legal Technology Survey essentially puts out that firms with 500-plus attorneys result in a quarter of the professional cyber claims against lawyers, so the huge firms. And then another quarter of claims is from what I call the danger zone, 10 to 49 attorneys, so it's the small firms who are growing into mid-size firms. And I think taking on more work, more types of work, more attorneys, and then using more technology exposes those firms to more risk. So the growing firms are seeing more and more risk as more and more technology is used, which isn't particularly surprising.

   The ABA puts out the Cybersecurity Handbook, which is available through the ABA website, and it's a great resource for lawyers. It really does help. And I think it's written in a very lawyer-friendly way so that even if you're not particularly tech savvy, it can make sense, and it's a good starting point. Ethical considerations and cyber risks. Unfortunately, there's no clear standard, and each bar association is grappling with what to do, how to address the exponentially-growing risk of technologically-based claims. Each state bar is handling it, each firm is sort of trying to handle it as rules and opinions are issued. And state law is slowly catching up, but the bar associations and ethical opinions are really the driving source for ethical resources for lawyers. As I mentioned, the ABA Cybersecurity Handbook does provide guidance.

   And from an ethical standpoint, the ABA says if a lawyer is not competent to decide whether the use of a particular technology, they give examples, cloud storage, public Wi-Fi, is safe, the lawyer must get help, even if that means hiring an expert information technology consultant to advise. So the ABA holds out that if the lawyer is not tech savvy, that's not a defense. That doesn't meet our ethical requirements, which I think does make sense. If not, we could all just claim, "Oh, I don't know anything about Wi-Fi, so it wasn't my fault that I lost all my client's information." Everything comes back still to ABA Model Rule 1.6, the reasonableness standard. So the ethical rules don't require you to get the best IT person out there, but a reasonable IT person, and to put reasonable safeguards in place to protect your system and your client's data.

   As I said, courts and state bar ethics opinions are issued daily trying to address these risks. Now we'll turn to legal malpractice and cyber risks, the other two parts of our Venn diagram. The good news is the elements of a malpractice claim remain the same. The duty standard of care is still the prevailing practice, and that's, I think, a good thing on the whole. I think it's a fair thing. More technology does not always mean the most secure, and I like to look at this in two ways. One, we saw a quarter of cyber-based claims are against firms with 500 or more attorneys. By their nature, they have training that smaller firms don't have. They have staff, IT departments that smaller firms don't have. They have typically much more expensive software, much more expensive hardware, just better systems overall, and a quarter of the claims involve firms that have more technology.

   But from an individual practice level, more technology is not always best, and it's our go-to. I mean, I was just preaching about how you should use email constantly to communicate with your client as a best practice technique. And you should. Email is an amazing way for attorneys to manage risk and protect themselves and provide best practice to their clients, but the telephone and in-person meetings, when you can do that, given the COVID situation... But the phone and face-to-face meetings to confirm electronic communications is a simple risk management technique to help support the technology. As I think we've all seen over the course of the pandemic, a phone call or even an in-person meeting, it really does provide a service level that email doesn't doesn't do.

   It gives your client a more human touch, which I think is important from a practice perspective, but it really is a huge way to mitigate potential cyber risks. And also things like Zoom versus the phone. Zoom specifically, I don't want to pick on that particular platform, but there have been security issues with Zoom that just don't exist with a phone call. And so sometimes, less is more when it comes to technology and security. Using the mail might be the best alternative. Meeting your client in person might be the best, securest way to communicate extremely valuable or sensitive information. While it might not be the most convenient, it certainly is something to keep in mind. There's a host of local laws, administrative agencies, industry regulations that overlap. I mean, it really is specific to your practice area, what jurisdiction you're in, and where you rub up against the government administration, and whether your industry is regulated, but it's very state-specific.

   But most industries have very specific notification requirements. Some have specific minimum standards of care for cyber protection, and it's just something to keep in mind that depending on what your practice entails, what sort of data you deal with. There could be really specific laws that apply. The sources of cyber risk. Hackers of course are a sort of Hollywood risk that I think everyone thinks about. Whether or not you completely understand what the risk is, I think we all have an idea that there are these bad actors out there looking to steal our data. But other major sources of risk... And hackers certainly are. I don't want to downplay it, but I think that's the one that everyone's really aware of. Current former employees are a huge of risk, and especially employees with a grudge or employees who are simply negligent, who lose devices, who put their passwords on sticky notes, who do things that are not best practices from the cyber risk standpoint.

   Likewise, current and former vendors, people who get access to your systems, to your data are a huge source of risk. And unlike employees... We'll talk about this in a bit. But vendors, while a source of risk, also are a great risk management tool. You can use vendors to some extent to insulate yourself, protect yourself, and indemnify yourself. Competitors can be a major source of risk. This is less seen in the law firm world than it is in the business financial world as a whole, but certainly something to keep in mind. Hacktivists, which is a term to incorporate maybe people who feel strongly about a particular social issue and target law firms, typically because their clients are on the other side of that particular social issue, so tobacco companies or environmental things, things like that.

   And then terrorists and state actors, people with virtually limitless resources who are attacking law firms to get information that is valuable to them, again based on the client, clients who work in the defense industry or other political roles, things like that. Now, the threats. And just to give a very broad overview of what the threats really are like, but hacking is exploiting weaknesses in an actual computer system. So the hacker that everybody thinks about it and everybody worries about is really someone who's able to exploit the computer system, break in, take the data, and do that in sort of the way, again, that I think most of us, while we don't understand, we at least appreciate. Social engineering or phishing, with a "ph" is sort of the other major source of cyber risk, and those really come down to deceptive emails, things like that.

   The prince of Nigeria scam, where someone's trying to get millions of dollars, and they'll give you $50,000. They just need you to send some information to them first. The emergency Saturday morning email, where the managing partner of the firm lost his wallet, and he has to pay for this conference, and so he needs your credit card number, or he needs your login. All the way down to the social media posts that ask what your first pet's name was, your favorite movie was, where you grew up, things like that. And people provide this information without really thinking, and that's sort of the social engineering aspect of it. Instead of exploiting the computer system like a hacker does, they exploit the weaknesses in your HR, your people.

   Other sources of threats are simply guessing passwords, seizing paper files or devices, and then again, employees, former employees with vendettas against the firm or against the client, that can be a major source of risk. The targets. Law firms are valuable and vulnerable targets. They're valuable in that firms tend to have extremely valuable data, extremely valuable client data, although to some extent, the law firm's data too, and vulnerable because law firms are typically less regulated than many of the client industries are. So while clients in the financial sector or the healthcare sector, say, may have very, very strenuous privacy laws that impact them, law firms are just much less regulated. And there's good and bad behind that, but it's a reality. And vulnerable in that law firms tend to be... This is not true for every firm or every lawyer, of course, but tend to be a little bit behind the curve when it comes to technology.

   For whatever reason, law firms are an easier target than perhaps the healthcare provider's system. The data these bad guys are looking for, I mean, it's sort of the conventional information you would suspect: Social Security numbers, birth dates, financial account numbers. But also, it can be practice-specific: trade secrets, IP, patents, trademarks, all that good stuff, government identification numbers and related government information, your passwords, your client's passwords, medical records and all the information that can be contained there, email, employees' email names, employees' home addresses. Things like that are very, very valuable. And that can be client employees. That could also be employees of the firm. Okay, so with all that scary stuff out there, we've got all these bad actors, we know what they're looking for. What do you do? So as I said, I think your homework after today is just to think about: What do you do if there was a cyber breach? If someone stole your client's data, what would you do today, and grow from there and develop a plan?

   So you need to develop risk management strategies and policies that protect you and your firm and your clients. The key is identifying what vulnerable data you have. If you don't deal with medical records, well, then you don't have to worry about that. But if you deal in finances and have your client's financial information available, that's what needs to be protected. And addressing the specific threats that are going to target that type of data, whatever your vulnerable and valuable data is, is key. It's so important to establish a written response plan. I mean, you can Google "cyber breach written response plan" and come up with a good outline, a good basic, but to have it in writing, to have the plan on paper before the incident occurs is half the battle. Detect incidents. So work with your IT people, have IT people, and protect and mitigate against intrusion.

   You want to have your IT people testing the system and growing and learning. Update the procedure. So that written response plan is great, but if you haven't touched it in six months or a year, you need to go back to it, update it, learn from what other law firms and just other businesses have dealt with. Enact firm-wide data handling and notification policies and procedures. So even if you're a small firm, more than one lawyer, you want to have a plan in place for everyone to do, and how your lawyers and staff are handling things like Social Security numbers, how they're using medical records. And then notification. If there's a problem, if an email gets sent out that shouldn't have been sent out to the wrong party, you want to have someone who's responsible for that who can be notified, and who can deal with that issue directly, rather than leaving it to every individual attorney or staff member to sort of try to handle. Breach simulations, that can be done internally.

   I mean, really just going through your written response plan and pretending there was a breach. Or your IT staff could generate it, or you could even hire outside consultants, and it's really not cost prohibitive to do so. Notification, notifying your counsel and carrier, having that information ready, knowing who your attorney's going to be if you have a cyber breach. It's better to have that business card ready to roll than have a cyber breach, not be able to use email, and start calling people and sort of trying to come up with an attorney at that point. It's better to have someone that you don't need than not. And then your carrier. I mean, follow the policy, but also use your insurance carrier. We'll talk about the different types of coverage, but your cyber carrier, your professional liability carrier, use them as a resource.

   They don't want a cyber breach either, and they really can be a very valuable resource to lawyers and firms in protecting against the cyber breach. Communications with counsel. Again, it's good to have an attorney set up if, God forbid, there is a cyber breach, there's issues of privilege, whether you're seeking or giving advice. I mean, when a lawyer starts communicating with a lawyer, you want to make sure it's clear who is the client, who's the attorney. And these considerations are the same even if you have an in-house counsel or a general officer's office inside your firm. And then who are the real clients? Who is outside counsel representing? Are they with your carrier? Are they representing you, your firm, the individual attorney who might have made the breach? Are they representing the vendor? I mean, it's important to keep in mind that while everybody might be on the same team at the beginning of a cyber breach, that may not be how it ends at the end of the cyber breach. Understanding risks from other systems outside of systems or lack of systems.

   You want to communicate with the businesses that you work with and find out what they're doing, what their plan is, what systems they use, and what their experience level is. It can be shocking, and it can be frightening to learn that a lot of the businesses you rely on simply have no plan. As I said, vendors can be a huge source of risk, but you can contract with clients, vendors, and essentially anyone else who is involved in the technology aspect of your practice to allocate liability and responsibility. You want to ensure your vendors maintain insurance. And that should be a huge part of your due diligence in picking a vendor, is to find out that they have insurance, and specifically cyber insurance so that you can limit liability. And it's so simple, but it's rarely done, is to limit access to information. Not everyone in the firm needs to be able to pull up every Social Security number that the firm has.

   Most firms have a general electronic filing system where all the information is dumped. And while you can often encrypt it, you can often limit who has access to those files. Typically, if it's just a run of the mill file, it's open to virtually anyone who has access to the firm's system. So to the extent you can, limit the information that's saved into the system, and really limit the information to what you need. If you don't need a Social Security number to handle that transaction, or you don't need certain medical records to defend that case or whatever it is, if you don't need that valuable protected information, don't get it. Don't save it to the system. Keep it in the paper file, something like that. Team and plan. As I said, you want to have... Leaving today, at the end of this talk, you should start thinking about who the people are at your firm and coming up with a plan and putting it on paper.

   If there's a cyber breach, if a client's data is lost, what do I do? And start thinking about it now. Create a risk management team. Get the necessary people together, even if it's informal. You don't have to meet once a month or anything like that, but just having the list of people who sort of know they're on the cyber risk management team in advance is important. It should include firm management, your IT people, vendors, if there's IT vendors, your outside counsel or a general counsel or both, a public relations person or marketing person if you have, your insurance people, as I said. Your insurance people can be absolutely amazing resource when it comes to this. They don't want a cyber breach, maybe even more than you don't want a cyber breach. And then educating your people. So all of your staff, from the attorney's staff members, even your own IT people, should be educated.

   You should update them on the risks and on your risk management team's policy and plan. Developing the plan. You want to, again, identify the threats and the valuable data, establish some sort of written plan. And again, even Google can provide you a good framework for what the plan should look like. Detect incidents, protect and mitigate against that intrusion, and then update the procedures. As I said, breach simulations can be done in-house. They can be done through IT vendors. And they're really not staggeringly expensive, and they can be really, really useful in protecting your systems. Also, again, your insurance carrier may be on board with conducting the breach simulations. They might even conduct it for you. Or you may get a cut off of your premium if you can show that you are really trying to protect their insured assets. Notifying counsel and carrier. Again, use those as a resource.

   Your vendor due diligence. The reputation in the community of course is important. The financial condition is important, to the extent you can learn that. What you can learn very easily is whether they have insurance or not, and I think that's often overlooked. It's often assumed. But press your vendors. Find out who the insurer is. Find out what their cyber policy looks like. Find out what kind of security controls they use to protect the information you are going to give them, what employee training they use, what they do with the information when you're done. Everyone assumes that they dispose of it, but how they dispose of it. The point of transfer. You're going to give them this data. How are you going to do that? Is it safe? Have your IT people involved in that conversation, and then ask them for their cyber response plan. Ask them who their team is. Involve them in your cyber response plan and team. Take vendors who are a major source of risk, and turn them into a resource and a real asset to protect your firm and your practice.

   And again, the ethical considerations here... As the ABA says, if you are not sure if your system is protected, if you don't understand the technology, you need to retain someone who does. You need a vendor who can ensure that you are protecting your electronic data as securely as you are your paper files. In contracting with your vendors, confidentiality provisions, use or no use of shared information, the destruction of data, their use of subcontractors, these are all things that you really want to address at the initial stages in your contract. They may have disclosure notification requirements. It could be industry-specific. It could be in their own contracts. You need to know that, especially if you are still deciding whether you need to disclose a potential breach to your clients, and the vendor turns around and for whatever reason they feel obligated to notify and disclose. And if they do so first, that could create major problems down the road.

   Their information security provisions, of course indemnification, hold harmless, limits on liability, defense, you want to make sure those are built into the contract to the extent you can, and that they protect your firm and your practice. There's a host of insurance coverage that's available. And again, I think this is a resource that's often overlooked by firms. But there's business interruption, cyber extortion, data restoration, which can be insanely expensive, public relations costs, which, which again it's overlooked, but it can be an insurable cost. Regulatory defenses, again, that's pretty specific to your practice. Security liability, that's something your clients can explore too. Media content liability ties into the public relations, and again can be something you can recommend to your clients. A technological errors and omissions policy, privacy liability, additional insured protections from all of the various contracting you do to run your firm, those are all things you should think about, and insurance should be a real tool in protecting against the cyber risks.

   Data breach counsel. Again, it's better to have that business card set up. It's better to have that attorney as part of the process before you need them, like any attorney. You don't want to have to scramble to find an attorney when there's a problem. Having that attorney set up in advance really helps establish the attorney-client privilege and work product protections. You can determine the scope of data breach counsel's role. Again, if you have insurance, and God forbid there is a breach, your insurance company will probably also have counsel that they'll provide for you. But it still can be useful, very useful, to have private counsel who's specifically assisting you. Counsel can prioritize the response effort, let you know what's best to do first, preserve evidence, and bring in the right forensic people to make sure that your systems are in place. And remember, these are systems that are typically, or can be, damaged by the intrusion. Investigate the source of the incident to protect against reoccurrence.

   And oftentimes, if a bad actor gets access to your system, they don't take one thing. They take as much as they can until the plug is pulled, so to speak, until they're kicked out. Contact law enforcement or other government agencies that need to be notified, and then identify compromised systems, again, to repair them, protect them, or to shut them down completely if they can't be secured. Now, the timeline of a cyber breach. Okay, the cyber breach happens, the event. The first step is to go to your plan and team, which is why it's so important to leave here today starting a written plan and putting together your cyber response team. The very first step is to go to the plan. From there, begin to develop a legal position and notify insurance. Bring your insurance people in, bring your cyber reach counsel in. Again, better to have that business card ready, rather than spend three days trying to track down a lawyer.

   You may need to contact law enforcement. You may want to contact law enforcement. And then from there, stabilizing the system, making sure that your existing system is as secure as you can make it, and shutting down portions that you can't. The investigation goes from there, where you figure out more or less what happened. And then comes the analysis, the legal analysis, but also the ancillary stuff, the business side of it, the PR media side of it, your IT side, and to make sure the rest of your systems are secure, and whether you need to address any IT errors that happened. Notification if you need to notify clients, and regulatory issues if you need to notify any regulatory agencies or government agencies. And then unfortunately, the lawsuits follow. Whoever's data was lost, whoever's systems were ruined can sue. Or many of these are resolved pre-sue, but that's where the lawsuits start to come.

   And then the last step from the timeline is to learn, is to grow from that event so that you're better next time, and that your system's better next time, your plan and your team is better next time. Testing your system. The reality is that cyber data thieves change their tactics daily, hourly. I mean, it's amazing the steps they're willing to take and the resources they have, and really the genius that some of these people exhibit. And it's unfortunate that they don't find a more legitimate use for their skills. We talked about it before, state actors and terrorists with near limitless resources. If they want in, they're going to get in.

   And it's something that I think testing really lets you do the best you can and meet, again, those ethical obligations. If you're not able to protect your system, to retain someone who can assist. New technology, new systems require new protections. So if you are at the point... Whether you're at a 1,000-attorney firm or a 3-attorney firm, if you're at the point where you're getting new or updated systems, you want to test those systems, check those systems, have your IT people advise you, if needed, whether new security is needed. Huge sources of risk happen with business changes, mergers, new generations of partners, new areas of practice, new offices. Anything like that can alter your computer systems and expose weaknesses in your security. So at those points, it's important to test and consider upgrading your system.

   As I mentioned before, consider penetration testing. And again, it's not cost prohibitive really, and often you can work with your carrier or other providers to fray some of those costs. Update your system. Having a secure system today doesn't mean much in a year. These things really do change daily. And in the same way you need to update your system, you need to update your knowledge. You need to stay apprised of your local practice areas, bar association ethics opinions, court cases, and just sort of the business world. Look in the newspaper. See what sort of cyber threats are out there, and learn from that. The takeaways from today's presentation: I think the written response plan and having a team in place so that you can educate your people is really the number one thing you can do. Protect your firm through best practices, including your insurance, using your insurance as a resource, and vendor contracts.

   And the best practices I'm talking about, again, it all sort of flows together. In the same way that the Venn diagram, those three sources of risk, have the overlap, your best practices as an attorney, your best professional practice, your best practices from the ethical standpoint, and best practices from a cyber security perspective really overlap and complement one another as well. So from the first step of having a written response plan and team in place to that first step in your practice of having a living retainer agreement that evolves with the subject matter of the representation, those go hand in hand. And improving on one of those three areas of risk, mitigating one of those three areas of risk really shrinks that overlap at the center of our Venn diagram. So the big takeaway from today is to educate your people and start right now thinking of a plan.

   What would you do today if you got a phone call that there was a cyber breach, and that your client's data was taken, that a wire transfer of millions of dollars was diverted? What would you do? Who would you call? Get that attorney's card today. I think that puts you ahead of the curve, and that puts you ahead of most of your peers. Most attorneys don't have a plan. Even large firms are just starting to come to terms with this threat and coming up with a cyber response plan. So doing so today really is important. And use your resources. I've been pretty about the insurance resources, but the ABA is a great resource. Your local bar association is an excellent resource. And those are resources not just for your cyber risk issues, but resources for legal malpractice concerns, and for your ethical obligations.

   And that's where outside counsel can be a huge resource, having ethics counsel, having a general counsel, or outside counsel that you use as a general counsel's office. Find someone who can do that and who's savvy enough with the technology that they can address your cyber risks, and help you on that front as well. On that note, of course, my name is Jeff Cunningham. I'm an attorney at Goldberg Segalla in White Plains, New York, and I'm happy to assist. Feel free to reach out with any questions you may have. I'd be happy to point you in the right direction. I appreciate your time and thank you so much.

Start your FREE 7-day trial
Preview this course and the rest of Quimbee's CLE library for free with a 7-day free trial membership.
Buy this course - $49
Get access to just this course for $49

Course materials

Supplemental MaterialsHandout

Practice areas

Course details

On demand
1h 03s

Credit information