Not only are lawyers and law firms not immune from experiencing cybersecurity incidents but they are also in a distinctive position: Such incidents might subject them to legal and ethical obligations.

Whether a "breach" occurs is typically a legal determination. In general, though, a data breach occurs when there is unauthorized access to or acquisition of personal information. Although different states and other countries might define a data breach differently, a breach can occur when a person steals, gains access to, or uses information without permission or, in some cases, exceeds their authority to access information. The two most common types of cybersecurity incidents that law firms experience are ransomware attacks and business email compromises. Such incidents must be taken seriously and investigated properly to determine whether a data breach occurred and what reporting obligations the incident may have triggered under state statutes and ethical rules.

An Overview of the Data Breach Response Process

When a cybersecurity incident occurs, a law firm should first identify whether there is an insurance policy in place that will cover the incident and, if there is one, contact the insurance company. The insurance company might provide the firm with a list of approved service providers, such as law firms that specialize in data breaches and forensic providers with which the firm can work.

Regardless of insurance coverage, the firm's next call should be to a lawyer (hereinafter data breach counsel) who can help the firm navigate the incident and, to the extent possible, provide attorney-client privilege protections during the investigation. Data breach counsel can work with the firm's internal IT team or help the firm find and engage a forensic IT company that can assist in removing the threat actor from the network, restoring computer systems, and determining which information was accessed or acquired. In the case of ransomware incidents, the forensic company might also engage in negotiations with threat actors responsible for deploying the ransomware and demanding payments.

After determining the extent of the incident, data breach counsel can work with the firm to determine the firm's legal notification obligations. Such a determination involves reviewing laws for the state or states where the persons affected by the data breach reside. Data breach counsel will also work with the firm to determine notification obligations to clients invoked by applicable ethical rules. A third party can also assist with notification letters and offer credit monitoring services as may be required by law or otherwise recommended by data breach counsel.

Ransomware and Business Email Compromises Explained

Ransomware. Ransomware attacks occur when a threat actor delivers malicious software, typically referred to as malware, that locks and encrypts a user's files and systems. To regain access to those files and systems, the user needs a decryption key, which the threat actor promises to provide once a ransom is paid. The user will typically receive a ransom demand and detailed instructions about how to pay. These ransoms sometimes can be negotiated, and a forensic company with expertise in negotiations is the best party to assist.

Negotiating with a threat actor may seem counterintuitive. How can the threat actor be trusted to deliver the decryption key once the firm pays the ransom? How can the target of the attack know that the threat actor won't leak information obtained during the attack? Ransomware gangs have a reputational incentive to do what they say they will do; otherwise, there would be no reason for any victim to pay. That incentive is not a guarantee, however: decryption tools supplied by attackers can be slow or defective, and a promise to delete stolen data cannot be verified. Firms should weigh these risks together with data breach counsel and the forensic provider.

Forensic providers have a lot of insight into ransomware gangs and are experienced negotiators. Data breach counsel, the forensic provider, and the law firm can work together to determine whether the ransom should be paid. Even if a law firm has backed up all its data, there might be reason to pay the ransom. Threat actors use double and triple extortion methods to get victims to pay. To encourage payment of the ransom, the threat actors might tell the law firm they are going to release firm data online or put it up for sale on the dark web or might even contact clients whose data was stolen to inform the clients of the breach.

Some factors to keep in mind when considering whether to pay the ransom include 1) whether the threat actors are individuals or entities that appear on government sanctions lists, thus making it a federal crime to conduct business with them;1 and 2) that purchasing the stolen data on the dark web may also violate federal criminal laws, even if law firms are buying back their own stolen data.2 Data breach counsel can help guide firms through the stress of an investigation and decision-making during and after a ransomware incident.

Business Email Compromises. Business email compromises occur when a threat actor gains access to a user's email account, whether by exploiting a vulnerability in the email system, by phishing or otherwise stealing the user's credentials, or by guessing the user's password. Once in the account, the threat actor can read all of the user's email and can set up forwarding so that copies of incoming messages go to an account the threat actor controls. A threat actor can also send malicious email attachments or links to the user's contacts, in the hope that the contacts will trust email coming from the user and open the attachments or click the links, causing the contacts' computers to become infected.

Business email compromises often are used to commit wire fraud. Lawyers and law firms handling real estate transactions need to be especially aware of this risk. A threat actor can sit in a lawyer's mailbox undetected and wait for the right time to strike. Once it is clear a wire transaction is scheduled to occur, the threat actor can send an email from the lawyer's account with a change in wiring instructions, and the wire is then directed into the threat actor's account. The threat actor can also create mailbox rules so that any replies or inquiries about the changed instructions are automatically deleted or moved out of sight, and the lawyer is none the wiser. The prevalence of wire-fraud incidents emphasizes the need for all parties in a real estate transaction to have steps in place to counter such attempts – for example, requiring oral confirmation (by telephone or in person) before wiring money or whenever a change is proposed, using a telephone number obtained from earlier records rather than one supplied in the email requesting the change.
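The mailbox rules described above are one of the few artifacts a business email compromise reliably leaves behind, so reviewing every user's rules is a standard early step in the investigation. The script below is an added example written for this article, not code from the original or from any mail vendor. It audits a list of rule records for the three tell-tale patterns: forwarding or redirecting mail to an address outside the firm's domains, deleting or parking payment-related messages in folders the owner never looks at, and rule names consisting only of punctuation. The rule records and their field names are constructed here and are assumptions loosely modeled on what Exchange Online's Get-InboxRule cmdlet returns; adapt the keys to whatever your mail platform exports.

```python
"""Audit exported mailbox rules for the patterns a BEC actor leaves behind.

Added example for this article, not code from the original. Rule records are
constructed below; their field names are assumptions loosely modeled on
Exchange Online's Get-InboxRule output.
"""
import re
from dataclasses import dataclass

# Domains the firm controls (assumption); anything else is an external destination.
INTERNAL_DOMAINS = {"example-law.test"}

# Keywords an attacker waiting for a closing would match on.
MONEY_WORDS = re.compile(
    r"\b(wire|wiring|payment|invoice|closing|escrow|bank|transfer|ach)\b", re.I)

# Folders a mailbox owner rarely opens, commonly used to park intercepted mail.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive", "notes"}

# Constructed sample export: one benign rule, two typical of a compromise.
SAMPLE_RULES = [
    {"Mailbox": "jsmith@example-law.test", "Name": "Newsletters", "Enabled": True,
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Reading",
     "DeleteMessage": False, "MarkAsRead": False},
    {"Mailbox": "jsmith@example-law.test", "Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": ["wire", "wiring instructions", "closing"],
     "MoveToFolder": "RSS Subscriptions", "DeleteMessage": False, "MarkAsRead": True},
    {"Mailbox": "jsmith@example-law.test", "Name": "Backup", "Enabled": True,
     "ForwardAsAttachmentTo": ["closing.desk@mail-relay.example"],
     "DeleteMessage": True, "MarkAsRead": False},
]


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    severity: str
    reasons: list


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one the firm controls."""
    domain = address.rsplit("@", 1)[-1].strip("> ").lower()
    return domain not in {d.lower() for d in internal_domains}


def _condition_text(rule):
    # Flatten every matching condition into one string for keyword search.
    words = []
    for key in ("SubjectContainsWords", "SubjectOrBodyContainsWords",
                "BodyContainsWords", "From"):
        words.extend(rule.get(key) or [])
    return " ".join(str(w) for w in words)


def analyze_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons this rule looks like BEC tradecraft ([] if clean)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons

    # 1. Anything that copies mail out of the tenant.
    targets = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        targets.extend(rule.get(key) or [])
    external = [t for t in targets if is_external(t, internal_domains)]
    if external:
        reasons.append("forwards or redirects to external address(es): "
                       + ", ".join(external))

    # 2. Anything that hides messages from the mailbox owner.
    folder = rule.get("MoveToFolder") or ""
    hides = bool(rule.get("DeleteMessage")) or folder.lower() in HIDDEN_FOLDERS
    money = MONEY_WORDS.search(_condition_text(rule))
    if hides:
        how = "deletes" if rule.get("DeleteMessage") else f"moves to hidden folder '{folder}'"
        if money:
            reasons.append(f"{how} messages matching payment keyword '{money.group(0).lower()}'")
        elif external:
            reasons.append(f"{how} the messages it forwards, hiding them from the owner")
        elif rule.get("MarkAsRead"):
            reasons.append(f"{how} messages and marks them read")

    # 3. Names with no letters or digits (".", "..", ",") are a common attacker habit.
    name = (rule.get("Name") or "").strip()
    if not re.search(r"[A-Za-z0-9]", name):
        reasons.append(f"rule name {name!r} contains no letters or digits")

    return reasons


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Score every rule: 'high' when mail leaves the tenant or payment mail is hidden."""
    findings = []
    for rule in rules:
        reasons = analyze_rule(rule, internal_domains)
        if not reasons:
            continue
        high = any(r.startswith("forwards") or "payment keyword" in r for r in reasons)
        findings.append(Finding(rule.get("Mailbox", "?"), rule.get("Name", ""),
                                "high" if high else "medium", reasons))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f.severity.upper()}] {f.mailbox} rule {f.rule_name!r}")
        for r in f.reasons:
            print("   -", r)
```

On the constructed sample the "Newsletters" rule passes, while the "." rule (payment keywords parked in RSS Subscriptions) and the "Backup" rule (forwarding to an outside relay, then deleting the original) are both rated high. In a real investigation, run the audit over every mailbox in the tenant, not only the one known to be compromised, and pair it with a review of sign-in logs and any tenant-level forwarding settings that do not appear as per-user rules.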

Notification Requirements under Wis. Stat. Section 134.98

There are legal obligations to consider if a data breach has occurred. Law firms in Wisconsin will likely hold personal information of Wisconsin residents who were affected by such a breach. Accordingly, the law firm should understand the obligations outlined in Wis. Stat. section 134.98 concerning the notice of unauthorized acquisition of personal information.

Personal information is defined in Wis. Stat. section 134.98 as an individual's last name and the individual's first name or first initial, in combination with and linked to any of the following elements (if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable):

  1. The individual's Social Security number;
  2. The individual's driver's license number or state identification number;
  3. The individual's financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual's financial account;
  4. The individual's deoxyribonucleic acid profile, as defined in Wis. Stat. section 939.74(2d)(a); or
  5. The individual's unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.3

Wis. Stat. section 134.98 requires notification of a data breach when "an entity whose principal place of business is located in this state ... knows that personal information in the entity's possession has been acquired by a person whom the entity has not authorized to acquire the personal information"4 and there has been a material risk of identity theft or fraud to the subject of the personal information.5 The statute contains requirements for a single data breach involving more than 1,000 people,6 timing of and manner of notice requirements,7 entity exceptions,8 and exceptions in situations in which law enforcement agency request9 or federal legislation is involved.10


Ethical Notification Requirements under Wisconsin Supreme Court Rules

In addition to complying with statutory obligations, law firms and lawyers also must address whether the cybersecurity incident triggers any ethical obligations.

Wisconsin Supreme Court Rule (SCR) 20:1.4(a)(3) and (a)(4) states that a lawyer must keep the client reasonably informed about the status of the matter and promptly comply with reasonable requests by the client for information. According to an American Bar Association (ABA) ethics opinion, which cites a rule on which SCR 20:1.4 is based, "When a data breach occurs involving, or having a substantial likelihood of involving, material client confidential information a lawyer has a duty to notify the client of the breach."11 Although this statement applies only to current clients, the opinion also provides guidance regarding former clients:

"Lawyers should recognize that in the event of a data breach involving former client information, data privacy laws, common law duties of care, or contractual arrangements with the former client relating to records retention, may mandate notice to former clients of a data breach."12 This means that a firm should look to engagement letters or any other arrangements made with former clients to evaluate whether there is an obligation to notify these individuals about the incident.

The differing language in state statutes and in ethical rules and guidelines means that legal and ethical obligations likely are not identical. State law might not require a law firm to notify clients about potential or actual data breaches, but ethics rules might impose a notification obligation. Additionally, if a past client contacts a law firm to discuss a data breach, SCR 20:8.4(c) requires the law firm to truthfully respond to the past client's questions. Among other factors to consider in determining what type of notice is appropriate for former clients is the reputation of the firm. Data breach counsel can help a law firm navigate these complicated waters.

An additional, independent obligation might exist when there has been a breach of a law firm's third-party provider's services (for example, cloud storage, case management, or email), which typically occurs when threat actors attack a provider directly and compromise the provider's systems. "If there has been a breach of the provider's security that affects the confidentiality or security of the client's information, SCR 20:1.4(a)(3) and SCR 20:1.4(b) require the lawyer to inform the client of the breach."13 Therefore, lawyers must also stay up to date on the security of the providers they use and notify clients when client information has been compromised as a result of a provider incident.

Conclusion

Data breaches must be taken seriously by attorneys. It is not enough for firms or individual lawyers to declare to clients that they have been hacked or to tell email recipients not to open messages from them. Lawyers have statutory and ethical obligations to investigate data breaches and notify clients accordingly. Outside counsel, forensic information technology companies, and credit monitoring services can assist with responding to incidents. Prevention and recovery strategies should be implemented, reviewed on an annual basis, and regularly updated to help thwart cyberattacks.

Footnotes

1 See U.S. Dep't of Treasury, Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Sept. 21, 2021), https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf.

2 See U.S. Dep't of Just., Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources (Feb. 2020), www.justice.gov/criminal-ccips/page/file/1252341/download.

3 See Wis. Stat. 134.98(1)(b).

4 See Wis. Stat. 134.98(2)(a).

5 See Wis. Stat. 134.98(2)(cm)1.

6 See Wis. Stat. 134.98(2)(br).

7 See Wis. Stat. 134.98(3).

8 See Wis. Stat. 134.98(3m).

9 See Wis. Stat. 134.98(5).

10 See Wis. Stat. 134.98(7m).

11 ABA, Formal Op. 483, Lawyers' Obligations After an Electronic Data Breach or Cyberattack (Oct. 17, 2018), www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_op_483.pdf.

12 Id.

13 See Wis. Formal Ethics Op. EF-15-01: Ethical Obligations of Attorneys Using Cloud Computing, www.wisbar.org/ethop.

Originally Published by State Bar of Wisconsin.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.