Law Firms in the Cybersecurity Regulatory and Litigation Crosshairs in 2017
2017 promises to be a year in which law firms that do not harden their information security safeguards may face dire consequences from regulators, and even from other lawyers.
On January 1, New York’s Department of Financial Services cybersecurity regulations will take effect (unless revised or delayed before that date). They will require law firms and other third parties that access certain nonpublic information of covered clients, such as banks, investment companies, licensed lenders, holding companies and insurers (“Covered Entities”), to represent in their Engagement Letters that they will permit the Covered Entity to audit the firm’s cybersecurity practices. Firms’ information safeguards must include:
- Encryption at rest (in storage) and in motion.
- Notice to the Covered Entity of Cybersecurity Events (defined as “acts or attempts, successful or unsuccessful, to gain unauthorized access to the firms’ systems or disrupt the systems”).
- Provision of identity protection services in the event customers of the Covered Entity are impacted by a “Cybersecurity Event that results from the (firm’s) negligence or willful misconduct.”
- Representations and warranties that the firm is free from malware that would “impair the security of the Covered Entity’s Information Systems or Nonpublic Information.”
Meeting these requirements will take a great deal of heavy lifting by law firms, and that is before the new Engagement Letters containing these provisions arrive. Many firms will try to ameliorate the sting of these requirements by negotiating the new engagement documents, but their odds of success are certainly in question if they wish to keep the business of concerned Covered Entity clients.
In the legal world, when it rains threats to the profession, it pours. On Dec. 9, 2016, the first publicly known class action against a law firm for allegedly failing to protect client information was unsealed. The Complaint against Johnson & Bell of Chicago comprises claims in malpractice, breach of fiduciary duty and unjust enrichment. The Complaint avers that the firm held itself out as “experts in data security,” and had even authored an article with the ironic title “Don’t Let Cybersecurity Breaches Lead to Legal Malpractice: The Fax is Back.” It also claims the firm failed to use industry-standard safeguards, such as updating its ten-year-old time entry system with appropriate security patches and updating its Virtual Private Network (VPN) to prevent “man in the middle attacks.”
As a result, the Complaint alleges, the firm exposed confidential information of its clients and “injured its clients by charging and collecting market-rate attorneys’ fees without providing industry standards for client confidentiality.” Interestingly, the Complaint does not claim that a breach actually occurred, arguing instead that “a breach is inevitable.” A motion to dismiss was filed arguing, among other things, lack of a concrete injury and the presence of an arbitration clause with a party client. The case is now in arbitration.
But Johnson & Bell has been put to considerable expense and effort to defend this case and may well have sustained significant reputational damage. The cautionary tale here is that the time and expense a law firm spends tightening client and firm data security pales in comparison to the costs from regulators, litigation and potential loss of business if it fails to do so.
If you have questions concerning your firm’s compliance with cybersecurity laws, regulations or standards please contact Kenneth N. Rashbaum.