August 2021 Ethically Speaking - Vetting Vendors: A Lawyer’s Ethical Duty

by Kristin L. Yokomoto

These days, cybersecurity incidents and ransomware stories are constantly in the headlines, from hackers breaking into government systems to stealing celebrity information. On April 29, 2021, BakerHostetler released its 2021 Data Security Incident Response Report, detailing risk mitigation and compromise response intelligence from more than 1,250 data security incidents that the firm helped manage in 2020, including ransomware and vendor incidents. Of these incidents, 24% were caused by a vendor; in 80% of those vendor-caused incidents the company had to notify the individuals or other companies whose information was affected, and 25% of those notification matters drew regulatory inquiries. Ransomware matters involved high demands and payments. The largest ransom demand was $65+ million (compared to $18 million in 2019) and the largest ransom paid was $15+ million (compared to $5 million in 2019), with an average paid ransom of $742,620 (compared to $303,539 in 2019). BakerHostetler, 2021 Data Security Incident Response Report (April 29, 2021), https://www.bakerlaw.com/press/bakerhostetler-2021-data-security-incident-response-report-security-disruption-and-transformation.

Law firms are attractive to hackers because they collect and maintain a large body of confidential, sensitive, and valuable information about many clients. In May 2020, a law firm disclosed its involvement in an incident affecting information about its celebrity clients, including Lady Gaga, Madonna, Bruce Springsteen, and others. In an October 2020 report published by the American Bar Association (ABA), 29% of law firms reported having experienced a security breach, one in five law firms were not sure whether they had experienced a breach, and 36% of law firms reported past malware infections in their systems. John G. Loughnane, 2020 Cybersecurity (Oct. 19, 2020), https://www.americanbar.org/groups/law_practice/publications/techreport/2020/cybersecurity/.

As organizations rely more heavily on third-party vendors, the number of incidents involving vendors will likely continue to rise. In February 2021, Law360 reported that an international law firm based in the United States may have been impacted by a cyberattack on Accellion Inc., a third-party vendor that the firm, along with other law firms, used to transfer large data files. According to that report, the hacking group claimed to have obtained confidential information belonging to those firms’ clients. Ben Kockman, Law360 (February 16, 2021), https://www.law360.com/articles/1355793/jones-day-hit-by-third-party-data-breach. Other law firms and companies also disclosed that some of their clients may have had confidential data exposed when Accellion was hacked. Not surprisingly, a number of lawsuits have since been filed against Accellion.

These statistics and events serve as a continuing reminder to law firms, whether one lawyer in a single office or thousands of lawyers in offices around the world, to invest time and resources in conducting risk assessments that identify and address likely significant risks, including risks related to third-party vendors. The ABA has stated that “we are in a world where law enforcement discusses hacking and data loss in terms of ‘when,’ and not ‘if’.” ABA Formal Op. 477R, at 2 (2017). The response to an incident may involve legal and forensic fees to investigate it, costs to notify individuals, and then, if regulatory investigations or lawsuits follow, additional related costs.

In addition, due to a recent change in the California Rules of Professional Conduct, law firm owners and supervising lawyers now must adhere to explicit ethical obligations related to technology and security. In October 2019, the Orange County Lawyer published an article by this author entitled “Ethical Duty of Technology Competence.” At that time, thirty-six states had followed the ABA’s amendment to the comments to Model Rule 1.1 adding a technology competence component, and California was following with a proposed amendment. On February 18, 2021, California became the thirty-ninth state to formally adopt an ethical duty of technology competence. The duty of competence in California Rule of Professional Conduct 1.1 now includes the following Comment [1]: “The duties set forth in this rule include the duty to keep abreast of the changes in the law and its practice, including the benefits and risks associated with relevant technology.” Cal. Rules of Professional Conduct, rule 1.1, comment [1]. This new comment imposes significant duties on law firms to, among other things, ensure that client information on their own systems, and on the systems of every third-party vendor they use, is protected against data breaches.

Vetting Vendors
Law firms need to vet third-party vendors before engaging them and then effectively oversee them once they are chosen. Below are some due diligence tips for ensuring that a firm’s confidential client data and reputation will be protected.

Law firms often outsource functions such as IT, e-discovery, legal research, billing, and copying, and have a host of vendors such as accountants, payroll companies, marketers, travel agencies, and more. Firms should determine what client data, employee data, and firm data the firm shares with each vendor.

Law firms exchange data with opposing counsel, co-counsel, experts, courts, law enforcement agencies, cloud service providers, and software providers; they should address responsibilities for privacy, security, and oversight related to each of those exchanges.

Inquire about the infrastructure the third-party vendor is using and where the data is or will be physically located. Find out whether data will be transmitted to or stored with a fourth-party vendor (the vendor’s own vendor); if so, conduct due diligence on the fourth-party vendor as well.

Ask vendors about their security measures, incident response plans, and business continuity and disaster recovery plans. Once a breach occurs, the timing of the response to, and handling of, the incident will be of utmost importance for damage control, so confirm in advance how quickly, and by what means, the vendor will notify the firm of an incident affecting its data. Consult with outside counsel if any part of a vendor’s incident response plan is unclear.

If sensitive data is involved, specific measures about which to inquire include access controls (e.g., multi-factor authentication and restricting access to the vendor personnel who need it) and encryption of the data both in transit and at rest, including who holds the encryption keys.

Review the contracts that are in place with current vendors. Confirm that the agreements require the vendor to comply with relevant state, federal, and international law at all times.

Determine whether the contracts clearly provide what happens if there is a breach of the vendor’s system that impacts the firm, including the vendor’s obligation to notify the firm and to cooperate in the investigation. Scrutinize the cybersecurity language in all contracts for limitations of liability.

Law firms can monitor vendors with a security ratings platform, which provides an outside-in view of a vendor’s externally visible security posture and potential vulnerabilities. Such ratings only reflect what is observable from the outside, so they supplement, rather than replace, direct inquiry.

Ask prospective vendors to complete a cybersecurity questionnaire, and where possible ask for independent evidence supporting their answers, such as a recent third-party audit or assessment report, rather than relying on self-attestation alone. Request a copy of the third-party vendor’s insurance policy.

Engagement Letters
Law firms that use third-party vendors may consider adding a provision to their engagement letters notifying the client that vendors are used for certain services, along with a provision in which the client acknowledges the use of vendors for services that involve access to confidential information. Some firms add a provision stating that the firm will not be liable for any data breach; however, such a provision may not be enforceable in all circumstances.

Purchase Cyber Insurance
Firms are encouraged to obtain cyber insurance or to review their existing policy. The firm should have a solid understanding of which acts are covered and which are excluded, and whether incidents originating on a vendor’s system are covered.

Notice Requirements
If a data breach occurs, whether on a third-party vendor’s system or the firm’s own system, the firm will need to decide whether to give notice of the breach and to whom. The State Bar of California’s Standing Committee on Professional Responsibility and Conduct (COPRAC), in Formal Opinion No. 2020-203, provides that a lawyer’s ethical obligation to disclose the occurrence of a data breach extends to current clients, but not to former clients. However, in footnote 6, COPRAC acknowledges that data privacy law, common law, and contractual arrangements may require notice to former clients, and the Maine Professional Ethics Commission, in Opinion No. 220 (April 11, 2019), provides that, with respect to a data breach, a former client is entitled to the same protection and candor as a current client. Note that, under California law, a business must notify any California resident whose unencrypted personal information was acquired, or is reasonably believed to have been acquired, by an unauthorized person (the statute also reaches encrypted information where the encryption key was compromised). The notice must contain specific information, be in type no smaller than ten-point, and carry the clear heading “Notice of Data Breach” at the top. Cal. Civ. Code § 1798.82(a).

Be Proactive
It is all too easy to put cybersecurity issues off, but it will take much less time, money, and stress to be proactive and ensure the right systems and protections are in place now than it will after a breach occurs. As the ABA says, it’s not “if,” it’s “when.”

Kristin L. Yokomoto is a partner at BakerHostetler in Costa Mesa where she focuses her practice on private wealth planning. Kristin is a Certified Specialist in Estate Planning, Trust, and Probate Law by the State Bar of California Board of Legal Specialization. Kristin thanks Craig A. Hoffman, Esq., Co-Leader of BakerHostetler’s Digital Risk Advisory and Cybersecurity Team, and Marcus McCutcheon, Esq., who is part of BakerHostetler’s team of 50 attorneys that help companies respond to data security incidents, for their contributions to this article. The views expressed herein are her own. She can be reached at kyokomoto@bakerlaw.com.