The Threat From Within

Hackers Are Not Your Firm's Biggest Problem


Anthony Barbe | Partner

It seems we can’t go more than a few days without another story in the news regarding compromised data security at law firms leading to a breach or loss. Typically the emphasis is on the implementation of external security measures—firewalls, dual authentication, or warnings about the latest email phishing scam. Although those are all valid tools, and firms are well served to embrace them and take them seriously (as we’ve written about before), what gets less press—and less attention in most law firms—is the insider threat posed by the careless or disgruntled employee. For law firms, whose reputations ride on the ability to keep and maintain client confidences, any data breach is a serious event. Internal breaches are perhaps more serious and suggest loss of control. 

Oops, I Did it Again

No data loss is minor; when data is compromised, the impact is almost always large, no matter the cause. Preventable loss, however, may be the most frustrating, and studies show the majority of breaches fall into this category.

For example, BakerHostetler conducted a study that showed most data breaches were caused by human error rather than malicious intent. Specifically, the study found that the leading causes of data security breaches were:

  • Employee negligence – 36%
  • Theft by outsiders – 22%
  • Theft by insiders – 16%
  • Malware – 16%
  • Phishing attacks – 11%

Thus, a majority of data threats (52%) are attributable directly to employees, through either intentional theft or negligence. Even more concerning, while some forensic firms estimate that many breaches are never caught by the affected company itself, BakerHostetler estimated in its report that 64% of data breaches at client companies were detected by the companies themselves, with an average of 134 days elapsing between occurrence and detection. A four-month lapse in detection will unquestionably alarm a client whose data was compromised.

Negligent loss can happen in various ways:

  • lost devices (telephone, laptop, tablet);
  • inadvertently sending electronic communication with privileged, confidential, or sensitive information attached (see WilmerHale’s cautionary tale from September 2017, wherein a misaddressed email—likely an autofill error—informed a Wall Street Journal reporter that the SEC was investigating the exit of PepsiCo’s general counsel);
  • failure to properly encrypt sensitive documents before sending them; or
  • in a throwback to the days of old, leaving physical files or documents somewhere they shouldn’t be.

On this last point, BakerHostetler’s report also shows that more than one-fifth of all data breaches involved paper. So electronics aren’t always to blame!

The most obvious and best tool to combat negligent data breaches is also likely the simplest: better employee training. Teaching prevention helps employees avoid a breach and empowers them as stewards of loss prevention. Employees who are well trained are also on guard; they are often the first line of defense.

Additional preventive measures, which are straightforward and relatively simple, include:

  • password policies that require longer, more complex passwords and frequent password changes (typically every 60-90 days);
  • the ability to remotely reset a lost or stolen device to factory settings;
  • installing tracking software on devices like telephones, tablets, and laptops; and
  • requiring dual authentication in the event an employee attempts to log on to the system remotely.

I Want the Artwork, Too

As in any industry, the disgruntled law firm employee is a threat to be feared. For instance, a former Dentons associate recently was sentenced to five months in federal prison after pleading guilty to a misdemeanor charge of accessing the Dentons email server without authorization. In that case, after becoming disgruntled with his work and treatment at the firm, the associate—who had decided to leave the practice of law—accessed the Dentons system and downloaded confidential information dealing with firm operations. After obtaining the information the associate demanded a ransom: $210,000 and a piece of artwork from the firm in exchange for the return of the documents. He vowed to make the documents public if the firm refused to meet his demands.

It is unknown if there were any warning signs that could have alerted management to the risk this associate posed. In this case, the misappropriated documents involved the firm and its internal operations, not client data. Such a distinction, however, is cold comfort when any sensitive data is at stake.

Preventive Measures

Implementing universal preventive measures is a good idea whether firms see warning signs or not. The approach will differ by firm based on risk tolerance and culture, but many firms take proactive steps to combat the risk of internal threats by:

  • disabling the ability to save documents to USB or other external drives on individual workstations;
  • limiting the ability of employees to transmit documents, without specific permission, to email addresses using certain commonly used personal email accounts;
  • limiting access to the firm’s network when using public or other unsecured WiFi networks; and
  • limiting access to files and internal documents to a “need to know” basis.

While some firms believe these measures set a negative tone or impinge on attorney autonomy, others feel the tradeoff in increased security is worthwhile.

Regardless of the steps taken, firms must be aware of the risks and take some measures to ensure their data is protected from the threat within. After all, no law firm wants to be the next day’s cover story.

Defending Lawyers & Law Firms When it Matters Most

Wheeler Trigg O'Donnell defends lawyers and law firms against high-stakes professional liability claims. Our team has successfully represented lawyers and law firms in at least 12 states.

In the past three years alone, WTO has won for lawyers and law firms in the Colorado Supreme Court, the Tenth Circuit Court of Appeals, and numerous state district and appellate courts.

Recent victories include:

  • Won a landmark federal case in Illinois defining the obligations of lead and liaison counsel in multidistrict litigation.
  • Obtained summary judgment for a national legal malpractice carrier in an attorney-lien enforcement action in Wyoming district court. In this matter of first impression, the Court held that the plain language of the statute precluded the plaintiff law firm's attorney-lien and constructive fraud claims. As the prevailing party under the statute, WTO obtained a significant award of attorneys' fees and costs for its client.
  • Won a complete defense verdict for a lawyer and law firm accused of malpractice in the handling of a sale of interests in the plaintiff's company.
  • Obtained Rule 12 dismissal for an AmLaw 200 firm facing claims exceeding $500 million in state court in Kentucky.
  • Won a complete defense verdict in a professional liability claim against a law firm and lawyer. The plaintiff alleged that WTO's client was negligent, yet the jury found that not only was our client not negligent, but that the alleged negligence didn't cause the claimed damages.

We understand how personal these claims can be. We also appreciate that staying out of court may be a client’s ultimate goal. Whether you wish to resolve claims creatively and discreetly or defend them vigorously before judge and jury, WTO will help.

About Wheeler Trigg O'Donnell

Wheeler Trigg O’Donnell lawyers have taken more than 1,100 trials, arbitrations, and appeals to verdict, award, or opinion all across the nation, with exceptional results for our clients.

Established in 1998, WTO numbers more than 100 lawyers in three offices. The firm represents sophisticated clients in high-stakes civil trials, appeals, and related litigation ranging from complex commercial to class actions to multidistrict litigation.