Every few months the same story appears in the headlines – another company has become the victim of a cyberattack, threatening everything from the dissemination of customer and employee personal information to financial harm to clients. However, cyberattacks are not limited to the domain of big business and Fortune 500 companies – anyone can be the target of a cybercrime, and small-to-midsize law firms are increasingly becoming victims of this crime. Cyberattacks on law firms seldom target the firm’s own private information; rather, they often seek to infiltrate private client information – usually to perpetrate fraud, identity and intellectual property theft or a ransomware attack. Regardless of the goal, cyberattacks seek to compromise client data, data for which a lawyer has an ethical duty to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to” – making cybercrime a growing threat to legal firms of all sizes.
Increasingly, small-to-midsize firms are being targeted using Business E-mail Compromise (“BEC”) attacks – a type of phishing scam in which a cybercriminal fraudulently accesses a firm’s network by tricking a firm employee into providing access. In fact, a recent American Bar Association survey found that approximately 25% of responding law firms reported having experienced a cybersecurity breach in the past. These attacks can be quite successful against an unprepared firm, as was alleged in a recent New York case where plaintiffs claimed that they suffered a $2 million loss as a result of a fraudulent wire transfer perpetrated by a hacker who accessed their lawyer’s network through malware delivered via a BEC attack. Similarly, a Florida attorney recently fell victim to a BEC attack originally perpetrated on his client’s network, resulting in a fraudulent wire transfer of over $500,000 of his client’s funds, ultimately leading to litigation and an appeal. Clients are beginning to recognize the risk associated with cybersecurity breaches at law firms as well: a recent putative class action claim made against an Illinois law firm alleged that the firm’s security network was purportedly too weak to protect against a possible cyberattack.
For small-to-midsize firms, instituting “reasonable efforts” to protect against a cyberattack can be as daunting and intimidating as being subjected to a cyberattack. In order to limit the risk of a breach and meet the “reasonable efforts” standard of care, firms should have protective software and systems in place to prevent a cyberbreach and to establish, in the event of a cyberbreach, that the firm took “reasonable efforts.”
Simple but strong internal firm protocols, i.e., rules and guidelines, can go a long way toward stopping a cyberattack and bolstering compliance with the acceptable standard of care. For example, a BEC attack relies upon a law firm employee interacting with a fraudulent e-mail from outside the firm’s network, so teaching employees to look for and recognize the signs of fraudulent e-mails can be the best defense to a BEC attack. Liability often arises when employees fail to notice the “red flags” – misspelled names, incorrect domain names, grammatical errors – and internal cybersecurity protocols and training can prevent costly user errors by reminding employees of best practices and giving them a framework for how to address potential breaches.
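The “red flags” named above (a look-alike sender domain, a display name that does not match the address it arrives from, a Reply-To that quietly redirects the conversation elsewhere) are mechanical enough that a mail gateway or a training exercise can check for them automatically. The script below is an added example, not code from the article or from the firm it describes: the firm domain, the partner directory and both sample messages are constructed for illustration, and the similarity threshold is an assumption a deployment would tune.

```python
"""Flag common BEC header red flags in an inbound e-mail.

Added example, not part of the original article. The firm domain,
the known-sender directory and the sample messages are constructed.
"""
import email
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import List

FIRM_DOMAIN = "example-law.com"                           # hypothetical firm domain
KNOWN_SENDERS = {"jane partner": "jane@example-law.com"}  # hypothetical staff directory

# Characters and digraphs commonly swapped to build look-alike domains.
_SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                  ("3", "e"), ("5", "s"), ("7", "t"), ("-", ""), (".", "")]


def normalize_domain(domain: str) -> str:
    """Collapse look-alike spellings so 'examp1e-law.com' compares equal to the firm domain."""
    d = domain.lower()
    for old, new in _SUBSTITUTIONS:
        d = d.replace(old, new)
    return d


def is_lookalike(domain: str, reference: str = FIRM_DOMAIN) -> bool:
    """True when domain is not the reference domain but is easily confused with it."""
    if domain.lower() == reference.lower():
        return False                      # the real firm domain is never a look-alike
    if normalize_domain(domain) == normalize_domain(reference):
        return True                       # homoglyph / digit substitution
    # Catch near misses such as a dropped or added character (threshold is an assumption).
    return SequenceMatcher(None, domain.lower(), reference.lower()).ratio() >= 0.85


def check_headers(raw_message: str) -> List[str]:
    """Return the red flags found in one message's From / Reply-To headers."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_addr.rpartition("@")[2]

    flags = []
    if is_lookalike(from_domain):
        flags.append(f"from-domain-lookalike:{from_domain}")
    if reply_addr and reply_domain.lower() != from_domain.lower():
        flags.append(f"reply-to-mismatch:{reply_domain}")
    expected = KNOWN_SENDERS.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display-name-impersonation:{from_addr}")
    return flags


# Constructed sample messages: one genuine internal note, one BEC-style lure.
LEGIT_MESSAGE = """\
From: Jane Partner <jane@example-law.com>
To: staff@example-law.com
Subject: Closing schedule

Closing is at 10am.
"""

SUSPICIOUS_MESSAGE = """\
From: Jane Partner <jane@examp1e-law.com>
Reply-To: jane.partner@freemail.example
To: accounts@example-law.com
Subject: Urgent wire instructions update

Please use the new account details attached.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("suspicious", SUSPICIOUS_MESSAGE)):
        print(label, check_headers(raw) or "no red flags")
```

Run stand-alone it prints no flags for the genuine note and three for the lure. A check like this is a training aid and a first filter, not a substitute for verifying any change to wire instructions by telephone through a number already on file.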
Immediate reporting of a breach to both the client and the authorities, including local and Federal law enforcement, is key to combating the breach and establishing reasonable efforts. Just because the cyberattack has already occurred does not mean that an attorney’s duty of reasonable efforts to protect client information stops. Immediately notifying the authorities and the client gives them time to take reactive or compensatory measures, protecting information or limiting the extent of the breach. For example, in the event of a wire transfer to a fraudster or a fraudulent bank account, immediate notification to the bank and Federal law enforcement allows for the possibility of a claw-back of the wrongfully transferred funds. Immediate notification will also help establish “reasonable efforts,” as it gives the client the best opportunity to protect against or limit the harm of a breach.
Maintaining an insurance policy covering cybersecurity breaches is essential. Cyberattacks can implicate a variety of potential negligence allegations, from professional malpractice and violations of the rules of ethical conduct to breach of fiduciary duty claims for negligently allowing private client data to be exposed. Coverage may be available under professional liability, errors and omissions, and even directors’ and officers’ policies.
Attorneys must be prepared to protect themselves and their clients from cybercriminals. Reasonable cybersecurity efforts are a must for any small-to-midsize firm – in order to limit their own potential liability as well as the harm to their clients. Segal McCambridge defends law firms, real estate professionals, accountants and other professionals who have been targets of cyberattacks. The firm also counsels clients and provides risk management and training regarding local best practices.
American Bar Association, Model Rules of Professional Conduct, Rule 1.6(c) (2020).
Robert Millard and Bethany Millard v. Patricia L. Doran, Index No. 153263/2016, Supreme Court of the State of New York, County of New York.
Peter E. Shapiro, P.A. v. Wells Fargo Bank, N.A., 795 Fed. Appx. 741, 743-744 (11th Cir. 2019).
Shore v. Johnson & Bell, Ltd., No. 16-cv-04363 (N.D. Ill. 2016).