Cyber threats: a unique form of professional risk for lawyers
With law firms facing unprecedented risks because of cyber fraud and the online theft of confidential information, lawyers must take action to safeguard information security and live up to their duty of confidentiality, writes Simone Herbert-Lowe.
Cybercrime is challenging organisations everywhere, with daily news stories about businesses, government organisations and even global IT companies that have been hacked.
Law societies and insurers have been warning lawyers about cyber risk; in particular, funds-transfer frauds in which a scammer sends a fake email impersonating either a lawyer or their client with the aim of tricking the other party into paying funds into the wrong bank account.
While payment redirection frauds affecting client funds are a key area of concern, other cyber events can also have significant impacts for legal practices. In contrast with traditional categories of professional risk, cyber exposure encompasses new types of losses, some of which are not insured under legal professional indemnity (PII) policies, and they can have unprecedented potential to impact multiple clients, ongoing income and the professional reputation of firms. Importantly, while cyber risk may have little connection with your skills as a lawyer, it can have everything to do with your professional duties as a fiduciary and custodian of confidential information.
Two major incidents in 2017 involving the WannaCry and NotPetya malware demonstrated the potential damage that cyber events can cause in terms of business interruption, loss of data and income, and remediation costs.
The first victim of the NotPetya malware was a small software company in Ukraine that was targeted by Russian hackers. The malware spread rapidly from the company to its contacts, encrypting computer records and making data permanently unavailable. The malware spread from computers that had not been patched for vulnerabilities to computers that had been patched. It took only one unpatched computer in a network to cause havoc to a company’s infrastructure. (https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/)
Total losses from NotPetya worldwide have been estimated at more than $10 billion. While news reports at the time focused on high-profile organisations such as transportation giants Maersk and TNT, it has been reported that 22 per cent of small businesses breached by the 2017 ransomware attacks could not continue operating (https://www.asbfeo.gov.au/sites/default/files/documents/ASBFEO-cyber-security-guide.pdf).
DLA Piper was among many victims globally, with the malware compromising operations for days as lawyers at the firm had no access, and then only limited access, to computer systems or email. The firm later revealed it spent 15,000 hours in overtime for IT employees in response to the NotPetya event (https://www.itnews.com.au/news/dla-piper-paid-15000-hours-of-it-overtime-after-notpetya-attack-490495).
While NotPetya purported to require the payment of a ransom, in fact the virus could not be unlocked even if a ransom was paid. In other cases, however, ransomware is effective in locking up computer networks and, unless reliable backups are available, the affected firm may be forced to consider paying a cyber extortion demand in order to retrieve its information.
More than 90 per cent of cyberattacks reportedly start with a phishing email designed to manipulate the recipient into inadvertently revealing log-in credentials, or installing malicious software by opening attachments or clicking on malicious links.
Many such emails can be generic and untargeted in nature – the good news is that these can often be caught by email filters.
Unfortunately, however, as generic emails are increasingly likely to be filtered out, phishing emails can also target specific individuals for cyberattacks (spear phishing) by tailoring a personalised message for the targeted individual. Once access has been obtained to a mailbox using phishing techniques, the hacker can collect confidential client information, access address books, scan a mailbox for correspondence identifying high-value transactions, tamper with correspondence to facilitate funds transfer frauds, or copy sensitive information that can be used for a range of purposes, including identity fraud against clients, or the theft of information that is commercially sensitive.
As well as computer-intrusion techniques such as phishing, another type of business email compromise involves pure impersonation fraud not involving any computer intrusion. In these cases, the scammer may impersonate a client, colleague or manager while providing directions for a funds transfer. ‘CEO fraud’ is one of the most effective forms of business email compromise and involves the sending of an email to an employee of a firm impersonating a senior person such as a managing partner or chief financial officer. Because the employee believes the email is from an owner or senior staff member, she or he may action these payment requests quickly and without question unless she or he has previously been educated about the existence of this type of scam. PII policies designed to protect against third-party risks do not indemnify the practice’s own losses in this situation.
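The impersonation pattern described above (a trusted display name on an external address, a reply-to that points elsewhere, and urgent payment language) can be screened for before a request ever reaches the person who pays invoices. The following is an added illustration written for this article, not code from the author or any firm; the firm domain, the staff names and the three messages are all constructed placeholders, and the checks are deliberately simple heuristics rather than a complete mail-filtering product.

```python
"""Heuristic screening for impersonation-style business email compromise.

Added example (not from the article). Assumes a placeholder firm domain and a
small directory of senior staff display names; all messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
import difflib

FIRM_DOMAIN = "example-firm.com.au"              # placeholder firm domain
SENIOR_STAFF = {"Jane Partner", "Sam Finance"}   # constructed display names
PAYMENT_WORDS = ("transfer", "bank account", "urgent", "pay", "invoice")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain):
    """True when an external domain closely resembles the firm's own domain
    (e.g. a digit swapped for a letter), which is a common impersonation trick."""
    if not domain or domain == FIRM_DOMAIN:
        return False
    return difflib.SequenceMatcher(None, domain, FIRM_DOMAIN).ratio() > 0.85


def assess_email(raw):
    """Return a list of human-readable flags raised by a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload().lower()
    from_dom = domain_of(addr)
    flags = []
    # A known senior name shown on an address outside the firm's own domain.
    if name in SENIOR_STAFF and from_dom != FIRM_DOMAIN:
        flags.append("display-name impersonation of senior staff")
    # A domain that is almost, but not quite, the firm's domain.
    if lookalike(from_dom):
        flags.append("lookalike sender domain")
    # Replies silently routed to a different domain than the visible sender.
    if reply and domain_of(reply) != from_dom:
        flags.append("reply-to domain differs from sender")
    # Language typical of a payment redirection request.
    if any(word in body for word in PAYMENT_WORDS):
        flags.append("payment instruction language")
    return flags


def should_hold_for_verification(raw):
    """Hold a message for out-of-band confirmation when payment language is
    combined with at least one other impersonation indicator."""
    flags = assess_email(raw)
    return "payment instruction language" in flags and len(flags) >= 2


# Constructed sample messages (not real correspondence).
CEO_FRAUD = (
    "From: Jane Partner <jane.partner@gmail.com>\n"
    "Reply-To: Jane Partner <jp.urgent@mail-relay.example>\n"
    "To: accounts@example-firm.com.au\n"
    "Subject: Urgent transfer\n"
    "\n"
    "Please pay the attached invoice to the new bank account today.\n"
)
LOOKALIKE = (
    "From: Sam Finance <sam.finance@examp1e-firm.com.au>\n"
    "To: accounts@example-firm.com.au\n"
    "Subject: Invoice\n"
    "\n"
    "Please transfer the deposit to our updated account details.\n"
)
LEGIT = (
    "From: Jane Partner <jane.partner@example-firm.com.au>\n"
    "To: accounts@example-firm.com.au\n"
    "Subject: Lunch\n"
    "\n"
    "Are we still on for Friday?\n"
)

if __name__ == "__main__":
    for label, raw in (("CEO fraud", CEO_FRAUD), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, assess_email(raw), "hold:", should_hold_for_verification(raw))
```

A message that is held is not blocked; it is simply routed for confirmation of the payment details by telephone, using a number already on file rather than one taken from the email. That pairing of a technical check with a procedural one is the kind of risk-prevention process the article calls for, and it matters most for a firm whose PII policy will not cover its own loss.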
Lawyers’ obligations to maintain the confidentiality of information received from clients stem from a variety of sources, including the common law, equity, professional conduct rules and legislation such as the Privacy Act 1988 (Cth).
When so much information is stored and communicated electronically, the prevalence of cybercrime brings a new challenge to meeting this obligation. Whereas once an intruder needed to physically break into an office to steal information, without adequate safeguards this can now be done via the internet. The capacity for criminals to mine that information for profit or to cause damage is unprecedented, with technology also amplifying the risk of information being intentionally or unintentionally disclosed to a wider audience.
In some cases, businesses may have concerns about a possible hacking episode, but they may be reassured by the apparent absence of any fraud, when in fact sensitive data such as contact details, credit cards, financial records and health information may have been copied and made available for sale on the dark web. In cases where there is evidence that a hacker may have accessed confidential information that could, for example, expose clients to identity fraud, there may be disclosure obligations under fiduciary duties and the Privacy Act.
Bar rules in a majority of American states now require a competency component for lawyers in relation to technology. While such a duty is not currently included in the Legal Profession Uniform Law Australian Solicitors’ Conduct Rules 2015, courts may imply a duty to take reasonable care to ensure information security given the fundamental nature of lawyers’ duty of confidentiality.
Law firms are now targets of fraud, theft of confidential information, or cyber vandalism in a way that is unprecedented. Preventing cyber risk involves an acceptance that the appropriate technology management is now encompassed within lawyers’ professional duties and cannot be regarded as a problem solely for an IT contractor or a department to manage. While a strong relationship with a cyber-security specialist is vital, the truth is that technology solutions, coupled with a more holistic approach (encompassing user education, risk-prevention processes, mitigation via incident planning and an insurance program that factors in the unique perils of cyber exposure) are all needed to protect your firm from this new and challenging form of professional risk.
Simone Herbert-Lowe is the solicitor director of legal practice Law & Cyber, which provides advice on professional duties and cyber-resilience services.