On Friday August 11, 2023, a class action complaint was filed against the law firm Orrick, Herrington & Sutcliffe International, LLP (Orrick) as the result of a data breach that occurred between February and March 2023. The breach affected approximately 152,818 individuals, who are all now part of the class mentioned in the complaint. The contents of the complaint shed light on how the breach occurred and the volume of blame that the plaintiffs are levying against the firm.
The Anatomy of the Breach
Buried deep in the complaint are claims that Orrick failed to secure its employee email accounts, did not properly encrypt personally identifiable information (PII) in transit, and did not properly train its employees on how to identify phishing emails. While the actual breach notification only referenced unauthorized access to an online file share, the complaint itself alludes to compromised employee email accounts as part of the attack.
Common Pitfalls in Email Security
All too often in cases like this, employee email accounts were not protected with multi-factor authentication (MFA) and the affected employees potentially were victims of an identity-harvesting phishing email that convinced them to enter login credentials into fake websites that look like legitimate authentication screens. The result is that attackers trick users into giving them access to highly sensitive and trusted email accounts.
Legal Action and Security Improvements
The Orrick complaint is seeking several security improvements such as third-party audits, penetration testing, network segmentation, employee training and several other basic security hygiene steps, along with monetary relief, including punitive damages and legal fees.
Remote Work and Cloud Services
This example is repeated nearly daily as more companies move to cloud services (such as online email like Office 365 or Google G-Suite) as a way of providing employees with flexibility on work location and schedule.
Guidance from the ABA
As has been mentioned in previous blogs on law firm security, the American Bar Association (ABA) has provided reasonable guidance for firms to follow if they want to avoid getting themselves into a similar situation as Orrick. More specifically, the ABA has released Formal Opinion 498 which speaks specifically about practicing law virtually and securing mobile devices.
Protecting Client Confidentiality
Whether a lawyer is working out of a law office or out of her home, the requirements for competency and maintaining client confidentiality are still in full effect. Under Model Rule 1.6, lawyers have a duty of confidentiality, which necessarily leads to a requirement for attorneys to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” This duty of confidentiality is what plaintiffs argue Orrick violated.
Key Considerations for Secure Cloud Usage
How can law firms that utilize cloud services like O365, Workday, SuccessFactors, or any number of other cloud-based applications properly protect the data that relates to their clients or that are critical to running their own operations? And more challenging, how do those firms protect their employees that may be accessing that data from their homes, coffee shops, or client sites? Formal Opinion 498 attempts to answer these questions by providing the following guidance:
1. Hard/Software Systems
- Company laptops and personal devices should be properly managed, patched, and protected with strong anti-malware and malware detection capabilities.
- Mobile devices should be password protected.
- Remote connectivity to the corporate network and any systems on the corporate network should be done through a Virtual Private Network (VPN) which encrypts all traffic traversing the public Internet.
- Any remote access across the public Internet should be protected with Multi-factor Authentication (MFA).
2. Accessing Client Files and Data
- Law firms should use reputable and well-established cloud service partners and ensure that staff are trained in how to use the cloud services to process and protect client data.
- Technical staff should understand how to properly configure the cloud services to ensure data privacy and data security.
- Even cloud data needs to be backed up and access to the backups must be readily available in case of a ransomware attack or other data loss event.
- Understand the contractual terms of all cloud services so that appropriate cyber insurance policies can be provisioned to cover gaps and losses.
3. Virtual Meeting Platforms and Videoconferencing
- Virtual meetings should be password protected to ensure only invited participants are able to join.
- Get client consent before recording any meetings and secure all recordings.
- Remind attorneys working from home to consider their surroundings and who might be able to overhear any virtual meetings.
4. Virtual Document and Data Exchange Platforms
- Understand the archiving capabilities of your virtual document management system.
- The document management system must be properly configured and secured to defend against unauthorized access from the Internet.
- If possible, encrypt the documents stored within the document management system.
5. Smart Speakers, Virtual Assistants, and Other Listening-Enabled Devices
- Disable the listening feature of any smart devices that could overhear client conversations or virtual meetings.
- It is important that managing attorneys develop policies and procedures for employees who are working remotely.
- Policies should cover non-attorneys assisting with legal matters or who would otherwise have remote access to client data.
- Special interest should be paid to Bring Your Own Device (BYOD) to ensure that remote workers have clear guidelines on what types of devices are acceptable and how those devices should be secured – such as antivirus software, patching and updating of software, the use of VPNs, and security training.
7. Possible Limitations of Virtual Practice
- There may still be a need for physical documentation and other paperwork to be generated – policies should also be developed to address these aspects, even if the attorneys are remote.
- Consider the address that the lawyers will use on official correspondence, will it be the remote address or some other location?
Clearly, there are many security issues to consider, even if the lawyer is not operating within the confines of the law firm’s offices. These nuances need to be carefully considered, then thoughtfully communicated to all remote workers. Security cannot relax just because the attorney is working from a home office. Instead, it needs to be bolstered because the normal corporate resources are not as readily available. Don’t open the door to a plaintiff’s claim of negligence, apply good security hygiene across all aspects of your firm.