Law Firm Cybersecurity Breach Opens Door to Lawsuit

As we become more mobile, law firms face substantially greater challenges meeting their ethical obligation to keep client information confidential. The progress, convenience, and efficiency that technology has brought to our practices carries with it a risk we cannot see but against which we must be vigilant.

A recently unsealed case in the Northern District of Illinois highlights the ethical conundrum facing law firms. Jason Shore and Coinabul, LLC v. Johnson & Bell, Ltd. As Clint Eastwood’s Harry Callahan says, “A man’s got to know his limitations.” We lawyers know enough to write about our ethical obligations regarding client confidentiality. We can talk intelligently about the various risks of different technology. Our limitation is that very few of us have the level of technology expertise to make the underlying technology decisions.

If we heed the warning in this case, we may reevaluate some of the decisions we make in running a law practice. We may invest a little more time, thought, and resources into keeping all software current and following the related data security practices. The result will only benefit us and our clients.

Law Firm Data Breaches

We are all familiar with front-page data breaches. In some ways, companies like Heartland, Target, T.J. Maxx, and Home Depot are not just famous for their core businesses, but are also now synonymous with the massive loss of customer data.

Law firms are not immune from this malady. In April 2016, perhaps the highest profile security breach, the hack of Panamanian law firm Mossack Fonseca occurred. The so-called “Panama papers” included embarrassing information about the efforts of scores of global leaders, celebrities, and companies to, among other things, move money in ways to skirt the impact of tax and other laws in their home jurisdictions.

This is not, however, just a third-world problem. For example, the Wall Street Journal reported last March about a summer 2015 hack into computer networks of “some of the country’s most prestigious law firms,” including Cravath Swaine & Moore LLP and Weil Gotschal & Manges LLP. The story speculates that the firms are “attractive targets because they hold trade secrets and other sensitive information about corporate clients, including details about undisclosed mergers and acquisitions that could be stolen for insider trading.”

In fact, according to the ABA’s 2016 Legal Technology Survey Report, more than one quarter of firms with more than 500 lawyers admitted they experienced some type of breach. Approximately 40 percent of those firms reported significant resulting business downtime and loss of billable hours, and approximately 25 percent recounted hefty fees to correct the problems. About one in six also reported loss of important files and information.

In short, none of us are immune. In fact, “we may see a development of more stringent, client-driven data security obligations baked into the engagement letter,” opines Tyler G. Newby, San Francisco, cochair of the ABA Section of Litigation’s Privacy & Data Security Committee. “This may be similar to how businesses require certain security processes of their vendors, for example under a business associate agreement.”

Law Firms and Inadequate Cybersecurity

On December 8, 2016, Judge John Darrah of the Northern District of Illinois unsealed the complaint in Jason Shore and Coinabul, LLC v. Johnson & Bell, Ltd. Johnson Bell is a Chicago-based firm with approximately 100 attorneys, and it is one of the 500 largest law firms in the country.

Shore hired Johnson Bell in August 2014 to defend a lawsuit, depositing $30,000 into the firm’s trust account. Johnson Bell terminated its representation of Shore in February 2015.

Shore styles the case as a class action, seeking damages under separate counts for breach of contract (legal malpractice), negligence, unjust enrichment, and breach of fiduciary duty. According to the court, Shore filed its complaint in April 2016, under seal, because “the documents initiating the case . . . ‘reveal[ed], in explicit detail, where and how [Johnson Bell] has left its clients’ confidential information unsecured and unprotected,'” allegedly exposing plaintiffs to “‘a heightened risk of . . . injuries.'” The case is part of a larger effort by the plaintiff’s attorneys to investigate, identify, and sue major law firms with inadequate cybersecurity.

Alleged Technology Vulnerabilities

Among other things, the complaint identifies “three instances of a ‘JBoss Vulnerability.’ Plaintiffs contend the vulnerabilities compromise the security of their confidential information.”

First, the complaint alleges that Johnson Bell’s “Webtime time tracking system” was built on a “‘JBoss Application Server,’ which implements Java (a virtual computing language).” According to Shore, when the complaint was filed in April 2016, Johnson Bell’s “JBoss system is woefully out-of-date and suffers from a critical vulnerability.”

Johnson Bell was, at the time of the complaint, still running version 4.0.2 of JBoss, which the complaint alleges was introduced in 2005, and had an “end of life” recommendation. According to the complaint, the most current version of the JBoss product, now called “WildFly,” is version 10.

According to the website of JBoss’s publisher, Red Hat, the JBoss version 4.0 family was introduced in September 2004, full support was terminated in September 2007, and maintenance support ended in September 2009. This would mean Johnson Bell was possibly running an unsupported product for more than six years at the time the complaint was filed. Judge Darrah unsealed the complaint previously sealed on Shore’s motion over Johnson Bell’s objection, because Johnson Bell fixed the JBoss vulnerability less than three weeks after the filing of the complaint.

The National Institute of Standards and Technology (NIST), which is sponsored by the Department of Homeland Security, reported in September 2013 “that the vulnerability [in JBoss 4.0.2] was ‘network exploitable'[;] had a ‘low’ level of access complexity[;] ‘[a]llows unauthorized disclosure of information; [a]llows unauthorized modifications; [and a]llows disruption of service.” It applied its highest scores (a 10) for impact and exploitability of the vulnerability.

The complaint alleges hackers exploit the vulnerability to install the “SamSam ransomware,” encrypting files on the access devices. The successful hacker then demands payment to decrypt the files.

The complaint alleges two additional specific vulnerabilities. First, it alleges that Johnson Bell’s virtual private network (VPN) “supports insecure renegotiation, leaving it vulnerable to man-in-the-middle attacks.” Finally, the complaint alleges that the manner in which Johnson Bell ran its email system left it subject to the same “DROWN attack,” which allegedly “allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data.”

Supposedly by using a DROWN attack (short for Decrypting RSA with Obsolete and Weakened Encryption), “hackers can gain access to a server’s secrets ‘in under 8 hours at a cost of $440.'” This is similar to the type of attack that led to the leak of client records from Mossack Fonseca.

Ethical Obligations Impacted

The complaint cites Illinois Supreme Court Rule 1.6(e), which addresses a lawyer’s duty to maintain client confidentiality. Rule 1.6(e) reads in pertinent part that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Rule 1.6(e) was amended in October 2015, with the amendments becoming effective on January 1, 2016. A new Comment 18 to the rule (amending prior Comment 16, also effective on January 1, 2016) acknowledges that there is a balance between the level of security a firm deploys and the extent to which safeguards “may make a device or important piece of software excessively difficult to use.” While this comment, which was not in effect at the time Johnson Bell began its representation of Shore, may give some shelter to Johnson Bell, there is another side to the coin.

Hoisted with Its Own Petard

An article that is attached as Exhibit 1 to the unsealed complaint, entitled “Don’t Let Cybersecurity Breaches Lead to Legal Malpractice: The Fax Is Back,” puts Johnson Bell in a potentially precarious position.

“The Johnson Bell attorney who wrote the article may not be involved in the decision to update or replace the [JBoss] Software,” says Scott E. Reiser, Roseland, NJ, cochair of the Section of Litigation’s Ethics & Professionalism Committee. Reiser adds, “failing to update [the software] may not necessarily breach the standard of care . . . but it sure looks really bad.”

The subtitle to the article, “Data management safeguards can prevent possible legal malpractice from cyber security breaches,” appears just above the name of the Johnson Bell partner who authored the article. And this is the same partner who signed the retainer letter with Shore.

Johnson Bell’s article notes that electronic scans are increasing in terms of sophistication and frequency. It states that, “[w]hether an attorney transfers or stores confidential client information using password-protected corporate email systems ‘cloud computing’ third-party offsite network, administrator vendors, third-party hosted e-discovery management platforms, or a variety of other electronic data transfer or data storage solutions available through the internet, the attorney inevitably faces an inherent risk that confidential client information will be susceptible to theft by a hacker or by unscrupulous third-party employee. In the absence of reasonable, preventable, and precautionary measures, the lawyer also risks losses for the firm and its clients associated with such theft.”

The article expressly cites the Illinois Rule of Professional Conduct 1.6(a) as well as ethics opinions from the Arizona State Bar, Illinois State Bar, Massachusetts State Bar, New York State Bar, and Pennsylvania State Bar discussing similar versions of 1.6(a) and its applicability to a lawyer’s ethical duty to protect electronically stored or transferred confidential client information. Since the article was published, Illinois amended its Rules of Professional Conduct and the associated comments to address more directly the challenges faced by technology.

The Johnson Bell article states that “[l]aw firms and lawyers present a particularly appealing target for hackers because the mandatory confidentiality of the attorney-client relationship creates a virtual treasure trove of sensitive client information—such as social security numbers, medical information, trade secrets, wire transfer instructions, privileged litigation communication and strategy, and internal corporate strategies—much of which can be very valuable to an array of criminal enterprises.” The article concludes that “attorneys can and should take the necessary precautions to minimize the likelihood of cybersecurity breaches, not only to give their clients piece of mind, but also to better shield themselves from third-party and first-party liabilities if a theft of information or other security breach actually occurs.”

Takeaways

“In Shore there is no allegation of a specific injury. This is something of a common theme and establishing standing to bring a claim where there has not been a concrete and cognizable injury in the sense that the vulnerability was actually exploited and someone’s data stolen, or, if stolen, that the person lost money,” adds Newby.

Newby adds there is perhaps some irony that the lawyer who authored the article is also the lawyer who signed the retainer letter with Shore. Shore is presently in arbitration of its claim, as the retainer letter sent to Shore requires arbitration of disputes. Accordingly, how many more lessons might be learned from this case will depend on how the class action aspect of the matter proceeds.

Despite this, the case provides lessons to us all. Perhaps the lowest hanging fruit, according to Newby, “is that data security is not static. It is an ongoing process. You don’t just budget money for 2017, allocate it, and forget it. You must remain vigilant, and, if a serious vulnerability is discovered, patch it.”

“As lawyers, we are probably rarely as tech savvy as we think we are,” adds Reiser. “The risks [of vulnerability like the one here] are so high, and the burden of fixing it seems relatively low. As such, it is a fair question why a firm would not simply take the steps to keep all its software running on currently supported versions, such as looking to the software publisher to monitor for, and install, patches when a feature of its software winds up on something like the NIST list.”

You can bet Johnson Bell wishes it had invested the money to patch its time-keeping program sometime between 2009 and 2016.

This article was originally published in the August issue of “Litigation News” from the American Bar Association.