Q. Using ransomware, hackers recently locked our firm’s data and demanded bitcoins to release it. It cost us around $10,000 to get our data back. But if our clients find out, we’ll lose a lot more. Must we tell them?
A. As lawyers, it’s our job to keep secrets. But keeping a data breach a secret from your clients could cost your job and career.
The first question is whether your clients’ data has, in fact, been compromised. Some ransomware attacks merely lock your data, leaving it on your system and preventing its use until the ransom is paid. In other cases, hackers “exfiltrate” or remove the data from your system, giving rise to a presumption that others have viewed or misused it.
If you’ve prepared for such attacks by encrypting your systems beforehand, rendering the data unusable to the outside world, you may be able to overcome this presumption, restore your data from backups, and resume business as usual. If not, or if there is any doubt about the extent of the breach, the Rules of Professional Conduct and many state and federal notification laws will require that you disclose the incident to affected clients.
Although you did not intentionally “reveal information relating to representation of a client,” you had a duty to implement reasonable means to protect this information. Regardless of the precautions taken, your duty to “keep the client reasonably informed about the status of the matter” undoubtedly requires that you inform your clients of the possibility that their private information may have fallen into the wrong hands. This may be a difficult conversation to have, but you must “explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.” This is especially true if the attack has interfered with your ability to work on the client’s behalf, or gives rise to a malpractice action for failing to protect the client’s privacy.
Unfortunately, you are not alone. Data breaches are on the rise in the legal industry, and firms of all sizes have fallen victim to unscrupulous hackers. Because law firms maintain huge repositories of sensitive data, they are particularly vulnerable to such attacks. You may not be able to prevent all attacks, but you should consult with a cybersecurity expert to improve your resistance to them. When all else fails, don’t compound the problem by concealing it from affected clients. If you do, your data breach will morph into a breach of ethics.