Malware Malpractice

Q. Using ransomware, hackers recently locked our firm's data and demanded bitcoins to release it. It cost us around $10,000 to get our data back. But if our clients find out, we'll lose a lot more. Must we tell them?

A. As lawyers, it's our job to keep secrets. But keeping a data breach a secret from your clients could cost your job and career.

The first question is whether your clients' data has, in fact, been compromised. Some ransomware attacks merely lock your data, leaving it on your system and preventing its use until the ransom is paid. In other cases, hackers "exfiltrate" or remove the data from your system, giving rise to a presumption that others have viewed or misused it.

If you've prepared for such attacks by encrypting your systems beforehand, and rendered the data unusable to the outside world, you may be able to overcome this presumption, restore your data from backups, and resume business as usual. If not, or if there is any doubt about the extent of the breach, the Rules of Professional Conduct and many state and federal notification laws will require that you disclose the incident to affected clients.

Although you did not intentionally "reveal information relating to representation of a client," you had a duty to implement reasonable means to protect this information. Regardless of the precautions taken, your duty to "keep the client reasonably informed about the status of the matter" undoubtedly requires that you inform your clients of the possibility that their private information may have fallen into the wrong hands. This may be a difficult conversation to have, but you must "explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation." This is especially true if the attack has interfered with your ability to work on the client's behalf, or gives rise to a malpractice action for failing to protect the client's privacy.

Unfortunately, you are not alone. Data breaches are on the rise in the legal industry and firms of all sizes have fallen victim to unscrupulous hackers. Because law firms maintain huge repositories of sensitive data, they are particularly vulnerable to such attacks. You may not be able to prevent all attacks, but you should consult with a cybersecurity expert to improve your resistance to them. When all else fails, don't compound the problem by concealing it from affected clients. If you do, your data breach will morph into a breach of ethics.

Encryption Ethics
What's In Your Wallet?

Related Posts

 
Attorney Grievance defense attorney specializes in defending lawyers in disciplinary proceedings before the Maryland Attorney Grievance Commission and the D.C. Bar's Board on Professional Responsibility involving professional misconduct, legal ethics, disbarment, suspensions of law licenses, petitions for disciplinary action, reprimands and sanctions for unethical conduct. If you receive a letter from Bar Counsel Lydia Lawless, Disciplinary Counsel Hamilton Fox, or from any attorney disciplinary board in Maryland or the District of Columbia, retain experienced attorneys with expertise in lawyer discipline and breach of ethics cases to avoid sanctions for professional misconduct. We help lawyers avoid disbarment, suspension, reprimands, censure and informal admonitions by drafting responses to client grievances and ethical complaints; representing lawyers in peer reviews, evidentiary hearings, and oral arguments before the BPR and the Court of Appeals; filing petitions to reinstate an attorney's license to practice law; conducting law firm ethical compliance audits; and drafting legal ethics opinions to protect lawyers from ethics charges. In many cases, disciplinary proceedings may be dismissed, dismissed with a warning, or result in a conditional diversion agreement with Bar Counsel to rectify misconduct. Lawyers may need help in managing their law firm attorney escrow IOLTA trust account and complying with attorney trust accounting rules to avoid charges of ethical misconduct. Do not represent yourself in responding to an attorney grievance, law firm client complaint, or other allegation of ethical impropriety. Attorney grievance defense counsel may help you comply with legal ethics rules, avoid sanctions like suspension or disbarment, and avoid future attorney grievances.

410.581.0070

By The Lawyer's Lawyers | Kramer & Connolly and  who are responsible for the content of this informational website.   This website is designed for lawyers faced with attorney grievances. As cases do differ, past performance does not guarantee future results.
 

NOT AFFILIATED WITH THE ATTORNEY GRIEVANCE COMMISSION OF MARYLAND
OR THE BOARD ON PROFESSIONAL RESPONSIBILITY OF THE D.C. BAR