As cybercriminals become increasingly sophisticated, they find new ways to infiltrate systems and disrupt operations. Corporations, legal and other firms, nonprofit organizations, academic institutions and government agencies are among the countless victims of data breaches every year.
Until recently, breaches largely involved encryption: threat actors accessed networks and locked down systems, causing business interruption and often demanding a ransom for their release. While this tactic remains a common tool in most breaches, the growing threat that emerged in 2022 incorporates data exfiltration into the toolkit. Now, with increasing frequency, multiple tactics are combined in a single incident: encrypting systems, stealing and selling the data the actors have accessed, and threatening to expose the fact that an organization’s data was stolen unless the requested ransom is paid. Among the many breaches experts handled in Q4 of 2022, very few did not include an element of exfiltration, in stark contrast to the first half of 2020, when fewer than 30% of data extortion incidents included exfiltration.
Due to the rise of exfiltration, lawyers should be on guard and ensure they are compliant with Rule 1.6(c) of the American Bar Association’s Model Rules of Professional Responsibility: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” If lawyers do not take “reasonable efforts,” they may risk sanctions, disbarment, and legal liability in the event of a data breach. The ABA issued an opinion[1] on Model Rule 1.6 clarifying that what constitutes a reasonable effort is not a “hard and fast rule,” but rather a flexible set of factors that are weighed on a case-by-case basis.
The ABA opinion’s factors to be weighed include:
- the sensitivity of information;
- the likelihood of disclosure if additional safeguards are not employed;
- the cost of employing additional safeguards;
- the difficulty of implementing the safeguards;
- the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.
The ABA Standing Committee on Ethics and Professional Responsibility stresses that attorneys should assess the risk of inadvertent disclosure of client information before connecting to unsecure networks, using computers and servers without anti-virus software, and sending unencrypted communications.[2]
In some cases of data exfiltration, the threat actors download a copy of the data; in other cases, they download a copy of the data and then also delete it from the network from which it was taken. The latter scenario reinforces the importance of regularly backing up all systems and the data they contain, so that in the event of deletion during a breach, the organization can restore a recent copy of that data and reduce the impact on regular business operations.
Once stolen, data is often sold or threatened to be sold. Data may be posted on the dark web, or the threat actor may have a buyer already identified before the theft. Regardless of what the criminals do with exfiltrated data, dealing with this type of breach is a logistical nightmare. In many cases the stolen data includes trade secrets or the personally identifiable information of employees and/or clients of the organization, posing a substantial risk to everyone involved.
Among the growing impacts of data breaches is the risk of class-action lawsuits. As more people understand the effects of having their data compromised, more are taking action by initiating or joining class actions. And this isn’t limited to breaches that occur in large organizations like Equifax, Twitter, or Uber, for example. Smaller companies dealing with breaches affecting as few as 1,000 data subjects—small by previous standards—are now facing litigation as well. While the number of impacted data subjects may be relatively small, the scope of the impact felt by the data subjects and the organization is often the same as in larger breaches.
Companies can’t do much to prevent these lawsuits once a data breach has occurred, but they can take steps to help mitigate the consequences:
- Pre-event: Establish strong security protocols upfront, which will help in passing a reasonableness test in the event a suit is filed. If an organization can prove to a court that it took reasonable care in protecting customer data and to prevent a breach, it is more likely to prevail against negligence claims in a suit. Examples of reasonable security measures an organization might point to include having a dedicated security officer, maintaining ISO 27001 and SOC 2 certifications, mandating multi-factor authentication, and providing quarterly cybersecurity training for all employees.
- Post-event: Likewise, if the company can demonstrate it has followed all regulatory compliance requirements, met deadlines, and taken reasonable and necessary steps to address the situation without delay and with as much transparency as possible, it can lower the risk of penalties and fines.
Key tips for dealing with cyberattacks:
- Lawyers should ensure that their organizations or clients take every incident seriously and put in place mandatory, periodic employee cybersecurity training to help employees understand what incidents might look like, how to prevent them, and why anything suspicious must be reported to IT immediately. From a compliance perspective, lawyers should instruct their organizations or clients not to dismiss something strange as nothing simply because they do not encounter any immediate impacts, as the company may be vulnerable to a further attack or breach at a later time. Recently a Reddit employee contacted Reddit’s IT department shortly after falling victim to a spear-phishing attack—which led to a website that cloned Reddit’s internal systems and allowed threat actors to steal credentials and second-factor tokens. Had the employee not made that notification, the results could have been disastrous.[3]
- The legal department should be informed immediately of a potential incident and should encourage the organization or their client to take immediate action. This is important from both a compliance and mitigation standpoint, as well as the potential for privilege to apply to certain communications in the case of post-event lawsuits. Do not delay, and do not assume that a threat has been resolved once it has been identified, as it may be ongoing. In the Reddit scenario discussed above, because the employee reported the incident right away and Reddit’s IT department took immediate action on the threat, the attacker’s window of opportunity was reduced, and the damage was limited.
- Lawyers should instruct their organizations or clients to consider retaining a third-party digital forensics expert to verify the risk is contained and that it is safe to conduct business. Digital forensics experts can check all systems and networks to ensure the threat is resolved and that there is no additional risk of ongoing or subsequent threats. This will provide the company and its customers with peace of mind and will limit the business repercussions, to a degree. The third-party digital forensics report and corresponding forensics expert can provide compelling facts in eventual litigation as well.
Importantly, an ounce of prevention is worth a pound of cure. Cybersecurity awareness training remains a critical function for every organization, but it typically does not get the attention it deserves. Threats are constantly evolving, so your training should, too. Keep all employees up to date on the latest protocols and best practices to prevent breaches, as they are your first line of defense against cyberattacks.
[1] See American Bar Association Standing Committee on Ethics and Professional Responsibility, Formal Opinion 477R. Issued May 11, 2017, revised May 22, 2017. Pages 4–5. Available at: https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_opinion_477.pdf.
[2] See id. at pages 6–7.
[3] See Reddit Press Release, “We had a security incident. Here’s what we know.” February 5, 2023. Available at: https://www.reddit.com/r/reddit/comments/10y427y/we_had_a_security_incident_heres_what_we_know/.