Oklahoma Bar Journal
Challenges of Practicing Law in Today's World
Technology Tools & Exposures
By Phil Fraim
Much has been written, much has been said regarding the future of the practice of law. My crystal ball is just not good enough to become “that guy” who will add to the prognostications. There are plenty of changes, which are now realities, that we are forced to deal with today.
There are many changes facing lawyers today. You can talk about demographic changes in a graying profession, whether the practice will be multijurisdictional or even multidisciplinary, competition from self-help or DIY tools, alternative legal service providers, LLLTs (limited license legal technicians) and last, but not least, technology. It is this last item that I would specifically like to address. Technology provides incredible tools, but it also creates additional exposures, which dovetail with professional liability.
Even in the past few years, technology has drastically changed, and that change has impacted the legal profession. There have been benefits such as aiding the administration of the firm, enhancing capabilities and providing value-added information to the client. However, along with advancements have come increased overhead items, a demand to keep up with the latest and greatest options, new ethical conundrums and professional liability exposures that were never contemplated years ago. I don’t think anyone would argue that technology has meant that the business of law is more complicated. Yes, we still have insureds who are pretty much paper only, but that number will continue to drop in the near future. Some states now have requirements to participate in CLE regarding technology.
The Oklahoma Rules of Professional Conduct[1] require lawyers to be educated about the benefits and risks of relevant technology. Admittedly, that statement is so broad I am not sure how you know when you have arrived at an educational level to be competent in that regard, nor when you can attest to chinning the bar at the minimum required.
Today, most lawyers do the majority of their day-to-day endeavors on a cyber platform (e.g., electronic, digital, virtual and online). Because of that, cyber protection and cyber insurance are critical. The OAMIC LPL policy includes both first- and third-party cyber coverages. Practicing without it makes no sense.
Within your firm’s files, you possess personally identifiable information (PII). PII includes names, driver’s license numbers, Social Security numbers, financial records and account numbers, personal password information (hackers love this information) and maybe credit card numbers (hopefully not the latter). In addition, what you post and share can have implications of confidentiality violations and violations of privacy and data security laws.
Privacy laws at the state level include breach notification laws that establish requirements for notifying clients and mitigating damages in connection with breaches where PII and confidential information have been disclosed. The critical part of any breach is whether data has been exfiltrated. Even with no data exfiltration, a breach can be incredibly painful, especially when malware has been left behind.
This all implies, and some states have explicitly stated, that a lawyer is required to use reasonable care to prevent third parties from gaining access to client funds in the trust account. Included within “reasonable care” is a need to establish reasonable security measures such as strong password policies and procedures, security software and even encryption. Firms should engage a technology consultant and large firms should have someone qualified on staff. Last, but certainly not least, everyone at the firm who in some fashion assists with the trust account should receive training on the security measures.
I mentioned earlier that along with the enhancements, technology also adds overhead factors. However, be careful not to scrimp on cybersecurity measures because the costs involved are far preferable to the costs of a data breach, the loss of client funds or even dealing with cyber extortion and malware. In 25 years, we have moved from a norm where not everyone had a desktop/laptop to a point where nobody can function without access to the proprietary “system.”
With respect to cost, even for the small law office, the amount expended per computer to install and maintain security software and firewall routers has decreased over time. This is at a time when not much else has decreased in cost.
A reality of exposure for all businesses, including law firms, is cyber crime, which is often referred to as social engineering. The most common example is the wire transfer/instruction fraud. Estimates are that hundreds of thousands of dollars are scammed from law firms due to false wire transfer instructions. We have seen a few examples involving Oklahoma law firms. To help understand how these matters of fraudulent wire instructions occur, consider the following scenario: A law firm representing a client in a real estate closing receives $250,000 in proceeds from the sale. A paralegal at the firm receives a nearly perfect email impersonating the client, which provides wiring instructions with a routing number and account number. Money is wired as requested, and by the time the real client calls to inquire about the timing of the receipt of funds and the fraud is detected, the monies have been removed from the overseas account. Unfortunately, crimes such as this are usually not automatically included in cyber insurance.
How do you spot fraudulent instructions? Here are some tips:
- Sender might claim to be traveling and available only by email;
- Sender claims urgency;
- Request might appear as coming from a mobile device; or
- Sender’s email and use of logo might be very similar to a CEO/CFO’s – often off by only a character. For example, CEO@company_xyz.com versus CEO@company-xyz.com.
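The "off by only a character" tip can also be checked mechanically before a human ever reads the message. The following is an added example, not part of the original article: it compares a sender's domain against domains already recorded in the client file, and the allow-list, function names and distance threshold are assumptions chosen for illustration.

```python
# Added example: flag sender domains that nearly match a known contact domain.
import re

# Constructed allow-list: domains taken from the client file, not from an email.
KNOWN_DOMAINS = {"company-xyz.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def skeleton(domain: str) -> str:
    """Collapse separators so company_xyz and company-xyz compare equal."""
    return re.sub(r"[-_.]", "", domain)


def classify_sender(address: str, known=KNOWN_DOMAINS, max_dist: int = 2) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the sender's domain."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in known:
        return "known"
    for good in known:
        # Same letters with different separators, or only a few edits apart.
        if skeleton(domain) == skeleton(good):
            return "lookalike"
        if edit_distance(domain, good) <= max_dist:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, including the article's own pair.
    for addr in ("CEO@company-xyz.com", "CEO@company_xyz.com",
                 "CEO@cornpany-xyz.com", "client@example.org"):
        print(f"{addr:26} {classify_sender(addr)}")
```

A "known" result only means the domain matches the file; a message sent from a compromised genuine mailbox would still pass, so verification by phone remains necessary.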
How can you prevent this type of fraud?
- Always call the actual party to verify, and research the actual phone number to be sure you are speaking to the real party. The common denominator in all these occurrences is failure to verify.
- Use a secure domain. Services like AOL, Gmail and Yahoo are easier targets.
- Do not accept wiring instructions or changes solely by email.
- Always verify, in person or by phone, from a number in your contact information from the file, not from an email.
A large number of data breaches still occur from improper destruction of paper files or from lost/stolen laptops or mobile devices. Also, employee-owned mobile devices can add to risks. Make sure devices can be remotely wiped and install location-tracking apps on the devices.
You should make sure to vet your vendors since third-party vendors can be a vulnerable point of attack for hackers. It has been said that hackers don’t need to successfully hack Fortune 500 companies if they can hack law firms who represent them. In the same way, maybe it is easier for hackers to hack vendors than the law firms.
I remember a few years ago at the Solo & Small Firm Conference several new case management software companies presented their features and benefits. Knowing how normal it is to pressure software developers on speed of providing functionality, I could not help but wonder about their security. The security may be fantastic, but you must ask.
We advocate storing firm and client information in the cloud. However, confirm that a cloud provider provides reasonable assurance that the data is protected. Not all cloud providers are equal.
If you suspect your system has been breached, there are a few things you need to do:
- It is absolutely imperative to bring in forensic technology analysts to do a rapid assessment and mitigation of any damage and to determine if client data has been exfiltrated.
- Familiarize yourself with notification laws and requirements mandating notification and credit monitoring. Back up all data off-site.
- Engage legal counsel to advise and help manage, while also creating attorney/client privilege in the assessment and monitoring.
The largest number of cyber events we have seen with insured firms is cyber extortion (i.e., ransomware). According to the largest cyber claims handling group, ransomware incidents rocketed upward 105% from Q4 2018 to Q1 2019. Reportedly, the target has shifted to larger organizations, with higher ransom/extortion payments requested. These were between 89% and 93% higher than 2018. Ransomware, which locks firms out of their data/system, is primarily accomplished by “phishing emails.” Help protect the firm by:
- Alerting employees to the flood of phishing emails;
- Training firm members not to open unsolicited attachments; and
- Training firm members to be leery of links requesting login or account information.
In today’s world, even the most highly protected, sophisticated operations experience cyber events. You could take the defeatist attitude of “what’s the use in trying.” Then again, why should we make it easy for extortionists and cyber criminals? Do everything possible to mitigate risks and exposures, which for almost all of us includes the transfer of risk through insurance.
ABOUT THE AUTHOR
Phil Fraim has been at Oklahoma Attorneys Mutual Insurance Co. since 1989 and has served as president and CEO since 1993. He is past-president of the National Association of Bar Related Insurance Cos. (NABRICO) and currently serves as secretary of the organization. He also serves as secretary of the Bar Plan Surety & Fidelity Co., is a board member of the National Association of Mutual Insurance Cos. (NAMIC) and is also a member of the Professional Liability Underwriting Society (PLUS).
1. Oklahoma Rules of Professional Conduct, 5 O.S. Supp. 2016 App. 3-A, Rule 1.1.
Originally published in the Oklahoma Bar Journal -- OBJ 90 pg. 22 (December 2019)