The "Dark Overlord" Strikes The Practice Of Law: What Law Firms Can Do To Protect Themselves
April 17, 2019 —
Ivo G. Danielle – Newmeyer & DillionCybersecurity breaches involving law firms are on the rise with each passing year. Law firms are prime targets for cyber criminals seeking confidential and sensitive information because of the various types of legal work that law firms normally handle for their clients. Whether it be mergers and acquisitions, the use of intellectual property, purchase agreements, bankruptcy or even litigation involving divorce, law firms are a rich depository for highly confidential and sensitive information. As a result, law firms must employ comprehensive security measures to protect themselves from security breaches or risk being on the losing end of a costly malpractice claim, and suffer severe reputational harm.
Law Firms Continue To Be Targeted By Cybercriminals
According to the American Bar Association ("ABA") 2018 Legal Technology Survey Report, 23% of the law firms who participated in the survey reported that their law firm experienced a data breach. Although this may be just a 1% increase from the 22% who reported a breach in 2017, it is important to understand that this is an increase of 8% from the stable percentages reported from 2013 through 2016.1 The 2018 survey report also revealed that security breaches fluctuated with firm size – 14% for solo law firms, 24% for firms employing 2-9 attorneys, approximately 24% for firms with 10-49 attorneys, 42% for firms with 50-99 attorneys, and approximately 31% for those firms employing 100 or more attorneys.
Latest Law Firm Security Breaches
The notorious criminal group called "The Dark Overlord" has a history of committing data breaches of high profile companies such as Gorilla Glue, Netflix, Larson Studios, multiple healthcare companies, and Little Red Door Cancer Agency. Their goal is simple – steal sensitive information and then extort payment from the victims by threatening to release the sensitive information to the public.
On December 31, 2018, this cybercriminal group announced to the world that they had acquired 18,000 documents containing highly sensitive legal information related to insurance based litigation connected to the 9/11 tragedy. The stolen information was the attorney/client property of Lloyd's of London, Silverstein Properties, and Hiscox Syndicates, Ltd. In its announcement, The Dark Overlord boasted that they were in possession of client sensitive information, such as: "emails; retainer agreements; non-disclosure agreements; settlements, litigation strategies; liability analysis; defense formation; collection of expert witness testimonies; communication with government officials in countries all over the world; voice mails; dealings with the FBI, USDOJ, DOD, confidential communications, and so much more."
Subsequent to the data breach, The Dark Overlord announced to the public that they designed a compensation plan that would allow for public crowd-funding for its organization to permit the public to view the stolen information in exchange for bitcoin payment. The more public funding it receives, the more stolen sensitive information will be unlocked and released to the public. It is estimated that this cybercriminal group already distributed information to the public on two separate occasions during the month of January 2019.
High profile cybersecurity breaches of law firms is nothing new – for example, the infamous Panama Papers breach, where cybercriminals leaked 11.5 million documents exposing the shadowy business of setting up offshore corporations as tax shelters for businesses, celebrities, and politicians - and the infamous Petya Malware attack which resulted in a digital lockdown of one of the world's largest law firms, DLA Piper. However, despite the infrequency of publicized cyber-attacks of law firms by the media, the FBI has recently announced that law firms should expect an increase in security attacks by cybercriminals because law firms are now viewed as "one-stop shops" for cybercriminals. Therefore, in order to combat the inevitable increase in cyber-attacks, law firms must get prepared.
How Law Firms Can Protect Themselves
All law firms will agree that the most serious consequence of a security breach for their firm would be the unauthorized access to sensitive client data. The American Bar Association's Model Rules of Professional Conduct, specifically Rules 1.1 and 1.62 and related Comments, require an attorney to take competent and reasonable measures to safeguard information relating to their clients. This duty to "safeguard' information imposes a significant challenge to firms when using technology in connection with protecting client information because most law firms are not savvy with technology and lack proper cyber security training.
In order for a law firm to protect itself from security breaches and inadvertently violate its duty of safeguarding a client's sensitive information, it is important to take the following actions:
- Start by taking an inventory and risk assessment of the firm to determine what needs to be protected – the inventory should include both technology and data;
- Develop, implement and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations;
- Ensure the cybersecurity program addresses people, policies and procedures, and technology. The cybersecurity program must designate an individual or a group to be in charge and coordinate security;
- Develop an incident response plan scaled to the size of the firm;
- Continually train staff and attorneys to identify and understand potential cybersecurity threats;
- Consider implementing a third-party assessment of firm's cybersecurity program and policies;
- Purchase cyber liability for insurance which not only covers first party losses to law firms (like lost productivity, data restoration, and legal expenses) but also liability protection to third parties;
- Implement authentication and access controls for network, computers and mobile devices used by the firm's staff and attorneys;
- Consider the use of full-drive encryption for computers and mobile devices;
- Have staff and attorneys avoid and/or limit the use of public WiFi when working remotely; and
- Create a disaster recovery plan to backup all data in the event of a cyber-attack or natural catastrophe.
Continually reviewing, implementing, training and updating a firm's cybersecurity program and protocols will help safeguard sensitive and confidential client information and/or data. No law firm wants to be the next data breach headline – so take the necessary steps to avoid a potential disaster.
1 Past ABA Legal Technology Surveys reported 14% in 2016, 15% in 2015, 14% in 2014 and 15% in 2013.
2 On November 1, 2018, California adopted ethics rules patterned after the ABA Model Rules of Professional Conduct.
Ivo Daniele is a seasoned associate in Newmeyer & Dillion's Walnut Creek office. His practice includes representing private and public companies with both their transactional and litigation needs. You can reach Ivo at ivo.daniele@ndlf.com.
About Newmeyer & Dillion
For almost 35 years, Newmeyer & Dillion has delivered creative and outstanding legal solutions and trial results for a wide array of clients. With over 70 attorneys practicing in all aspects of business law, privacy & data security, employment, real estate, construction, insurance law and trial work, Newmeyer & Dillion delivers legal services tailored to meet each client's needs. Headquartered in Newport Beach, California, with offices in Walnut Creek, California and Las Vegas, Nevada, Newmeyer & Dillion attorneys are recognized by The Best Lawyers in America©, and Super Lawyers as top tier and some of the best lawyers in California, and have been given Martindale-Hubbell Peer Review's AV Preeminent® highest rating. For additional information, call 949.854.7000 or visit www.ndlf.com.
Read the court decisionRead the full story...Reprinted courtesy of
Even Toilets Aren’t Safe as Hackers Target Home Devices
June 11, 2014 —
Amy Thomson – BloombergCome home to a hot iron and smoldering clothes this afternoon? Soon, it may not be a sign of forgetfulness, but rather evidence that you’ve been hacked.
In coming years, your smartphone will be able to lock your house, turn on the air conditioning, check whether the milk is out of date, or even heat up your iron. Great news, except that all that convenience could also let criminals open your doors, spy on your family or drive your connected car to their lair.
“As these technologies become more sophisticated, it opens up a broader spectrum of threats,” said Gunter Ollmann, chief technology officer of IOActive, a tech security firm in Seattle. A world of connected devices makes it possible “for the bad guys to have permanent entry into your household.”
Read the court decisionRead the full story...Reprinted courtesy of
Amy Thomson, BloombergMs. Thomson may be contacted at
athomson6@bloomberg.net
Baby Boomer Housing Deficit Coming?
October 29, 2014 —
Beverley BevenFlorez-CDJ STAFFAccording to Builder magazine, a new study by Epcon Franchising and Metrostudy found that “10 metro areas are expected to have a significant housing gap for baby boomers.” Furthermore, “52 percent of new-home buyers will be over 55 in the next five years.”
Builder listed the top 10 markets that are expected to have a baby boomer housing deficit. The top three are Dallas-Fort Worth, Houston, and the District of Columbia.
Read the court decisionRead the full story...Reprinted courtesy of
U.K. Construction Growth Unexpectedly Accelerated in January
February 05, 2015 —
Tom Beardsworth – Bloomberg(Bloomberg) -- U.K. construction growth unexpectedly accelerated last month as housing strengthened and civil engineering bounced back from a contraction.
Markit Economics said its Purchasing Managers’ Index rose to 59.1 from 57.6 in December. A reading above 50 indicates expansion. Economists forecast the gauge would fall to 57, according to the median estimate in a Bloomberg News survey.
Read the court decisionRead the full story...Reprinted courtesy of
Tom Beardsworth, BloombergMr. Beardsworth may be contacted at
tbeardsworth@bloomberg.net
Insurer's Motion to Dismiss Complaint for Collapse Coverage Fails
March 22, 2018 —
Tred R. Eyerly.- Insurance Law HawaiiThe insurer's motion for summary judgment seeking dismissal of the insured's claim for collapse coverage was rejected by the Supreme Court of New York. Parauda v. Encompass Ins. Co. of Am., 2018 N.Y. Misc. LEXIS 269 (N.Y. Sup. Ct. Jan. 25, 2018).
The insureds submitted a claim to Encompass for damage to the brick siding, or façade, of their home, which was bulging near the front door. Encompass hired H2M Architects and Engineers to inspect the home and issue a report. H2M determined that the brick façade near the front door was separated from the house. Photos showed that the bricks had separated, the mortar joints were cracked, and there were cracks and deterioration in the mortar. H2M concluded that the brick façade was in poor condition and need repairs and/or replacement. H2M concluded that the separation of the brick façade was caused by water infiltration behind the wood trim and brick façade, occurring over a several year period. Encompass denied the claim based upon exclusions for "freezing, thawing," "wear and tear," and "inadequate maintenance."
Read the court decisionRead the full story...Reprinted courtesy of
Tred R. Eyerly, Insurance Law HawaiiMr. Eyerly may be contacted at
te@hawaiilawyer.com
Insureds' Not Entitled to Recovery for Partial Collapse
February 04, 2025 —
Tred R. Eyerly - Insurance Law HawaiiThe Sixth Circuit affirmed the District Court's decision that the insureds could not recover for a partial collapse of a wall. Builders Mut. Ins. Co. v. GCC Construction, LLC, 2024 U.S. App. LEXIS 31518 (6th Cir. Dec. 11, 2024).
Tahini Main Street bought a century-old building in Chattanooga, Tennessee. The building was constructed using what masons call three-wythe construction. This meant that the building's walls consisted of three brick layers - each layer was a "wythe" - that sit next to each other. When Tahini renovated the building, it hired GCC Construction, LLC (GCC). GCC planned to add windows which meant cutting a new opening into the building's western wall, boring straight through all three brick layers. When they finished slicing through the wall, some bricks fell from the opening's top. The middle rows fell into the new gap, leaving the two outside row with nothing in between. Accordingly, the wall lost its middle.
Read the court decisionRead the full story...Reprinted courtesy of
Tred R. Eyerly, Damon Key Leong Kupchak HastertMr. Eyerly may be contacted at
te@hawaiilawyer.com
Assignment of Construction Defect Claims Not Covered
April 20, 2017 —
Tred R. Eyerly - Insurance Law HawaiiAssignment of insurance proceeds as part of a settlement against the subcontractor for faulty workmanship was not covered under the CGL policy in accordance with Illinois law. Allied Prop. & Cas. Ins Co v. Metro North Condominium Assoc., 2017 U.S. App. LEXIS 4107 (7th Cir. March 8, 2017).
Metro North Condominium Association hired a developer to build a condominium. The developer used CSC Glass to install the building's windows. CSC installed the windows defectively, causing the building to sustain significant water damage following a rain storm.
Metro North sued the developer, who turned out to be insolvent. Metro North amended its complaint to add a claim against CSC for breach of the implied warranty of habitability. Metro North eventually dismissed its lawsuit in exchange for an assignment of CSC's policy with Allied and payment of any right to $700,000 worth of insurance coverage. The settlement specified that it was not intended to compensate Metro North for the cost of repairing or replacing CSC's defectively installed windows, but rather for the damage to the remaining parts of Metro North's condominium.
Read the court decisionRead the full story...Reprinted courtesy of
Tred R. Eyerly - Insurance Law HawaiiMr. Eyerly may be contacted at
te@hawaiilawyer.com
The (Jurisdictional) Rebranding of The CDA’s Sum Certain Requirement
April 15, 2024 —
Jordan A. Hutcheson and Stephanie Rolfsness - Watt TiederThe Contract Disputes Act (the “CDA”), 41 U.S.C.A. §§ 7101 et seq., which has provided the statutory framework for resolution of most contract disputes between the federal government and its contractors since 1978, has recently been the subject of changes in judicial interpretation, despite no corresponding statutory changes. The CDA’s implementing provisions in the Federal Acquisition Regulations (FAR), require that contractors submit a claim to the government in the form of written demand to a contracting officer requesting a final decision and seeking the payment of money in a sum certain prior to pursuing resolution via board or court. However, with respect to the sum certain requirement, the United States Court of Appeals for the Federal Circuit issued an opinion in late 2023 determining that this requirement “should not be given the jurisdictional brand” as it has categorically received in the past. Rather, the court concluded that the sum certain requirement is merely an element of a claim for relief under the CDA that a contractor must satisfy to recover. This rebranding does not debase the sum certain requirement, but it does indicate a renewed focus on what constitutes “jurisdictional” in government contracts litigation.
Reprinted courtesy of
Jordan A. Hutcheson, Watt Tieder and
Stephanie Rolfsness, Watt Tieder
Ms. Hutcheson may be contacted at jhutcheson@watttieder.com
Ms. Rolfsness may be contacted at srolfsness@watttieder.com
Read the court decisionRead the full story...Reprinted courtesy of
