The "Dark Overlord" Strikes The Practice Of Law: What Law Firms Can Do To Protect Themselves
April 17, 2019 —
Ivo G. Danielle – Newmeyer & DillionCybersecurity breaches involving law firms are on the rise with each passing year. Law firms are prime targets for cyber criminals seeking confidential and sensitive information because of the various types of legal work that law firms normally handle for their clients. Whether it be mergers and acquisitions, the use of intellectual property, purchase agreements, bankruptcy or even litigation involving divorce, law firms are a rich depository for highly confidential and sensitive information. As a result, law firms must employ comprehensive security measures to protect themselves from security breaches or risk being on the losing end of a costly malpractice claim, and suffer severe reputational harm.
Law Firms Continue To Be Targeted By Cybercriminals
According to the American Bar Association ("ABA") 2018 Legal Technology Survey Report, 23% of the law firms who participated in the survey reported that their law firm experienced a data breach. Although this may be just a 1% increase from the 22% who reported a breach in 2017, it is important to understand that this is an increase of 8% from the stable percentages reported from 2013 through 2016.1 The 2018 survey report also revealed that security breaches fluctuated with firm size – 14% for solo law firms, 24% for firms employing 2-9 attorneys, approximately 24% for firms with 10-49 attorneys, 42% for firms with 50-99 attorneys, and approximately 31% for those firms employing 100 or more attorneys.
Latest Law Firm Security Breaches
The notorious criminal group called "The Dark Overlord" has a history of committing data breaches of high profile companies such as Gorilla Glue, Netflix, Larson Studios, multiple healthcare companies, and Little Red Door Cancer Agency. Their goal is simple – steal sensitive information and then extort payment from the victims by threatening to release the sensitive information to the public.
On December 31, 2018, this cybercriminal group announced to the world that they had acquired 18,000 documents containing highly sensitive legal information related to insurance based litigation connected to the 9/11 tragedy. The stolen information was the attorney/client property of Lloyd's of London, Silverstein Properties, and Hiscox Syndicates, Ltd. In its announcement, The Dark Overlord boasted that they were in possession of client sensitive information, such as: "emails; retainer agreements; non-disclosure agreements; settlements, litigation strategies; liability analysis; defense formation; collection of expert witness testimonies; communication with government officials in countries all over the world; voice mails; dealings with the FBI, USDOJ, DOD, confidential communications, and so much more."
Subsequent to the data breach, The Dark Overlord announced to the public that they designed a compensation plan that would allow for public crowd-funding for its organization to permit the public to view the stolen information in exchange for bitcoin payment. The more public funding it receives, the more stolen sensitive information will be unlocked and released to the public. It is estimated that this cybercriminal group already distributed information to the public on two separate occasions during the month of January 2019.
High profile cybersecurity breaches of law firms is nothing new – for example, the infamous Panama Papers breach, where cybercriminals leaked 11.5 million documents exposing the shadowy business of setting up offshore corporations as tax shelters for businesses, celebrities, and politicians - and the infamous Petya Malware attack which resulted in a digital lockdown of one of the world's largest law firms, DLA Piper. However, despite the infrequency of publicized cyber-attacks of law firms by the media, the FBI has recently announced that law firms should expect an increase in security attacks by cybercriminals because law firms are now viewed as "one-stop shops" for cybercriminals. Therefore, in order to combat the inevitable increase in cyber-attacks, law firms must get prepared.
How Law Firms Can Protect Themselves
All law firms will agree that the most serious consequence of a security breach for their firm would be the unauthorized access to sensitive client data. The American Bar Association's Model Rules of Professional Conduct, specifically Rules 1.1 and 1.62 and related Comments, require an attorney to take competent and reasonable measures to safeguard information relating to their clients. This duty to "safeguard' information imposes a significant challenge to firms when using technology in connection with protecting client information because most law firms are not savvy with technology and lack proper cyber security training.
In order for a law firm to protect itself from security breaches and inadvertently violate its duty of safeguarding a client's sensitive information, it is important to take the following actions:
- Start by taking an inventory and risk assessment of the firm to determine what needs to be protected – the inventory should include both technology and data;
- Develop, implement and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations;
- Ensure the cybersecurity program addresses people, policies and procedures, and technology. The cybersecurity program must designate an individual or a group to be in charge and coordinate security;
- Develop an incident response plan scaled to the size of the firm;
- Continually train staff and attorneys to identify and understand potential cybersecurity threats;
- Consider implementing a third-party assessment of firm's cybersecurity program and policies;
- Purchase cyber liability for insurance which not only covers first party losses to law firms (like lost productivity, data restoration, and legal expenses) but also liability protection to third parties;
- Implement authentication and access controls for network, computers and mobile devices used by the firm's staff and attorneys;
- Consider the use of full-drive encryption for computers and mobile devices;
- Have staff and attorneys avoid and/or limit the use of public WiFi when working remotely; and
- Create a disaster recovery plan to backup all data in the event of a cyber-attack or natural catastrophe.
Continually reviewing, implementing, training and updating a firm's cybersecurity program and protocols will help safeguard sensitive and confidential client information and/or data. No law firm wants to be the next data breach headline – so take the necessary steps to avoid a potential disaster.
1 Past ABA Legal Technology Surveys reported 14% in 2016, 15% in 2015, 14% in 2014 and 15% in 2013.
2 On November 1, 2018, California adopted ethics rules patterned after the ABA Model Rules of Professional Conduct.
Ivo Daniele is a seasoned associate in Newmeyer & Dillion's Walnut Creek office. His practice includes representing private and public companies with both their transactional and litigation needs. You can reach Ivo at ivo.daniele@ndlf.com.
About Newmeyer & Dillion
For almost 35 years, Newmeyer & Dillion has delivered creative and outstanding legal solutions and trial results for a wide array of clients. With over 70 attorneys practicing in all aspects of business law, privacy & data security, employment, real estate, construction, insurance law and trial work, Newmeyer & Dillion delivers legal services tailored to meet each client's needs. Headquartered in Newport Beach, California, with offices in Walnut Creek, California and Las Vegas, Nevada, Newmeyer & Dillion attorneys are recognized by The Best Lawyers in America©, and Super Lawyers as top tier and some of the best lawyers in California, and have been given Martindale-Hubbell Peer Review's AV Preeminent® highest rating. For additional information, call 949.854.7000 or visit www.ndlf.com.
Read the court decisionRead the full story...Reprinted courtesy of
My Construction Law Wish List
December 31, 2014 —
Garret Murai – California Construction Law BlogI’ve been good this year.
Not great mind you, but good, and good is the standard, right?
So, here’s my construction law wish list this holiday season:
1.More Transparency. So much uncertainty and resultant litigation exists for the simple reason that contractors and subs don’t know when a higher tiered contractor or owner (on a lender financed project) has been paid for their work. So how about a requirement that owners, contractors and subcontractors of all tiers be required to disclose when payment applications are submitted, when payments are made and in what amount, and what pay applications have been paid. And because I’m pretty sure I’m at least within the 20th percentile of “good” this year how about a requirement that this information be provided through an online database accessible by all persons working on projects valued at over a certain dollar amount, say $500,000.
Read the court decisionRead the full story...Reprinted courtesy of
Garret Murai, Wendel Rosen Black & Dean LLPMr. Murai may be contacted at
gmurai@wendel.com
GA Federal Court Holds That Jury, Not Judge, Generally Must Decide Whether Notice Was Given “As Soon as Practicable” Under First-Party Property Damage Policies
November 01, 2021 —
Edward M. Koch & Lynndon K. Groff - White and WilliamsInsurance policies covering first-party property damage often require insureds to notify insurers of a loss “as soon as practicable.” Where an insured may or may not have given notice “as soon as practicable,” the issue arises as to who should determine whether the insured complied with this requirement: the judge or the jury?
On October 6, 2021, the United States District Court for the Middle District of Georgia addressed this issue in Vintage Hospitality Group LLC v. National Trust Insurance Company, Case No. 3:20-cv-90-CDL, 2021 U.S. Dist. LEXIS 192651 (M.D. Ga. Oct. 6, 2021). In Vintage Hospitality, a July 2018 hailstorm damaged the roof of a hotel owned by the policyholder. The policyholder did not discover leaks from the hotel roof until two months later, in September 2018. The policyholder, not realizing that the hailstorm had caused the leaks, unsuccessfully attempted to repair the leaks. Eventually, in February 2020—19 months after the hailstorm and 17 months after the policyholder discovered the leaks—the policyholder hired a construction company to evaluate the roof. It was not until then that the policyholder learned that the hotel had sustained hail damage from the July 2018 storm. The policyholder notified its July 2018 first-party property damage insurer a few days later.
Reprinted courtesy of
Edward M. Koch, White and Williams and
Lynndon K. Groff, White and Williams
Mr. Koch may be contacted at koche@whiteandwilliams.com
Mr. Groff may be contacted at groffl@whiteandwilliams.com
Read the court decisionRead the full story...Reprinted courtesy of
Appellate Court of Maryland Construes Notice Conditions of A312 Performance Bond in Favor of Surety
January 02, 2024 —
Joel P. Williams - White and Williams LLPThe Appellate Court of Maryland issued a reported opinion in a case construing an American Institute of Architects (“AIA”) A312 performance bond. In Wildewood Operating Company, LLC v. WRV Holdings, LLC, et al. 2023 Md. App. LEXIS 720 (Oct. 30, 2023), the Appellate Court of Maryland held that a performance bond surety was discharged from liability where the owner/obligee failed to give the surety notice of the contractor’s default termination until after a third party had completed the work.
The project concerned the construction of an assisted living facility in St. Mary’s County, Maryland. The owner, Wildewood Operating Company, LLC, entered into an A312-2010 performance bond with Clark Turner Construction, LLC, as contractor, and First Indemnity of America Insurance Company, as surety. When Clark Turner failed to complete certain stormwater management work adjacent to the site, Wildewood, Clark Turner, and other parties entered into a Work Agreement to address completion of the work. The surety was not a party to the Work Agreement.
Read the court decisionRead the full story...Reprinted courtesy of
Joel P. Williams, White and Williams LLPMr. Williams may be contacted at
williamsj@whiteandwilliams.com
Potential Problems with Cases Involving One Owner and Multiple Contractors
January 27, 2014 —
Beverley BevenFlorez-CDJ STAFFAccording to Matthew Devries’ blog, Best Practices Construction Law, problems can arise in a case with one owner and multiple contractors: “Increasingly, two or more contractors may each have a separate contract with the owner for different portions of the work on a single project.”
The problems occur when contractor responsibilities or storage sites become entangled, “for example, from one contractor’s storage of materials on a site where the other has work to perform, or from one contractor’s failure to progress with work that is preliminary to the other’s work.”
Devries adds that in “addition to claims against the other contractor, claims may also be made against the owner for failure to coordinate the work.”
Read the court decisionRead the full story...Reprinted courtesy of
The General Assembly Adds Some Clarity to Contracts and Unlicensed Contractors
March 28, 2018 —
Christopher G. Hill – Construction Law MusingsFor years, the statute regarding performing construction without a valid license (
Va. Code 54.1-1115) was a bit murky. While that statute listed several prohibited acts, among them contracting without the proper class of license or use of the license of another, the consequences of such activity, in particular the effect that such action would have on the enforcement of a construction contract (Section C of the statute), were less than clear.
Read the court decisionRead the full story...Reprinted courtesy of
Christopher G. Hill, The Law Office of Christopher G. Hill, PCMr. Hill may be contacted at
chrisghill@constructionlawva.com
Revisiting Statutory Offers to Compromise
August 28, 2023 —
Kathryne Baldwin - Wilke FleuryThe fourth appellate district published an opinion earlier this year in Smalley v. Subaru of America, Inc. (2022) 87 Cal.App.5th 450 that serves as an excellent refresher on requirements of the “998 Offer,” or a statutory offer to compromise pursuant to Code of Civil Procedure (“CCP”) §998.
In Smalley, set in the context of a Lemon Law action, Defendant Subaru made a 998 Offer for $35,001.00, together with attorneys’ fees and costs totaling either $10,000.00 or costs and reasonably incurred attorneys’ fees, in an amount to be determined by the Court. (Smalley, supra, 87 Cal.App.5th at 454.) Plaintiff objected that the offer was not reasonable and the case proceeded to trial. At trial, a jury found in favor of Plaintiff and awarded him a total judgment award of $27,555.74 – far short of the $35,001.00 offer. The trial court found Plaintiff had failed to beat the 998 at trial and that Subaru’s earlier 998 offer was reasonable. Plaintiff appealed the post-judgment order awarding Plaintiff pre-offer costs and Defendant post-offer costs on the grounds that the 998 was not reasonable in that it did not specify whether Plaintiff would be deemed the prevailing party for purposes of a motion for attorneys’ fees. The fourth district affirmed the trial court’s order and engaged in a helpful review of 998 requirements.
Read the court decisionRead the full story...Reprinted courtesy of
Kathryne Baldwin, Wilke FleuryMs. Baldwin may be contacted at
kbaldwin@wilkefleury.com
Cherokee Nation Wins Summary Judgment in COVID-19 Business Interruption Claim
February 01, 2021 —
Sergio F. Oehninger, Geoffrey B. Fehling & Matt Revis - Hunton Insurance Recovery BlogIn a resounding victory for policyholders, an Oklahoma state court granted partial summary judgment for the Cherokee Nation in its COVID-19 business interruption claim. The Cherokee Nation is seeking coverage for losses caused by the pandemic—specifically, the inability to use numerous tribal businesses and services for their intended purpose.
Based on the “all risks” nature of the policy and the fortuitous nature of its loss, the Cherokee Nation sought a partial summary judgment ruling that the policies afford business interruption coverage for COVID-19-related losses. The policy provided coverage for “all risk of direct physical loss or damage,” which the Cherokee Nation contended was triggered when the property was “rendered unusable for its intended purpose.” In support of this view, and consistent with established insurance policy interpretation principles, such as providing meaning to every term and reading the policy as a whole, the Cherokee Nation argued that a distinction must exist between “physical loss” and “physical damage.” This distinction demands an interpretation supporting the “intended purpose” reading of the policy language. Thus, the physical presence of COVID-19 depriving the Cherokee Nation of the use of covered property for its intended purpose triggered a covered loss.
Reprinted courtesy of
Sergio F. Oehninger, Hunton Andrews Kurth,
Geoffrey B. Fehling, Hunton Andrews Kurth and
Matt Revis, Hunton Andrews Kurth
Mr. Oehninger may be contacted at soehninger@HuntonAK.com
Mr. Fehling may be contacted at gfehling@HuntonAK.com
Read the court decisionRead the full story...Reprinted courtesy of
