All thanks to Mr. Snowden for giving us yet another controversy.
This time it is allegations that the Australian intelligence community intercepted attorney-client privileged communications between an American law firm and a foreign government. Even worse, the Australians allegedly shared those communications with today’s boogeyman, the National Security Agency.
The reaction from the American Bar Association to this news was predictable. It immediately fired off a letter to the NSA, raising concerns about how the U.S. government handles privileged information, especially since the attorney-client privilege “is a bedrock legal principle of our free society” that enables clients to communicate with counsel “in confidence.”
Fine. The ABA’s concerns are legitimate and an explanation from the U.S. government about its procedures and policies here is warranted.
However, this line of inquiry and its likely intensity will almost assuredly distract us from the true problem: lawyers and law firms are in no way immune from cyber espionage. Indeed, the havoc cyber thieves could easily sow pales in comparison with what the NSA may have done.
We can all stipulate that cyber attacks are a terrible problem, but there is not yet a consensus answer on how to tackle the challenge. Some see new laws and regulations as an answer. Others urge the use of a voluntary framework issued by the federal government, and many of my fellow lawyers are warning companies to adopt it or die a slow death of litigation.
For me, that illustrates a major problem. Lawyers are quick to pounce on businesses and individuals for failing to protect information, yet relatively few lawyers have turned their gaze inward and considered the risks they face. That is a mistake—and a big one at that.
The sad truth of cyber attacks is that there are so many of them because they are so cheap and easy to conduct. Indeed it is actually quite easy to launch a successful cyber attack.
As cyber security giant McAfee noted in a report last year, a thriving cyber criminal underworld enables such attacks. For literally a few dollars an hour individuals can be retained to shut down websites through “distributed denial of service attacks.” A few shekels more buys you custom-crafted malware for use on specific targets. This underground cyber-arms bazaar gives basically anyone the ability to shred even the most well-protected systems.
Yet, most lawyers seem to be more concerned about the billable work that can be generated from such attacks than they are about the likelihood that they themselves will be cyber victims.
Why is this? It is not as if cyber espionage and attacks on law firms and lawyers are unheard of. There are plenty of high-profile examples of data theft from and cyber espionage campaigns against law firms, and so it is not as if we have not been warned.
Whatever the reason, we lawyers need to confront the reality that our profession is as ripe a target for cyber attacks as any other industry. I have no doubt that distinguished members of the bar will eloquently state the need to punish those who violate the “bedrock” and sacrosanct principle of attorney-client privilege.
To them I say have at it.
But I would also remind them, though, that cyber thieves couldn’t give two Bitcoins whether the data they steal, destroy or release into the wild is “privileged.” The consequences of stealing classified government information are far worse than sucking out terabytes of privileged information, yet that has not slowed down such thefts one iota.
As the ABA itself has acknowledged, law firms make attractive cyber targets thanks to their possession of sensitive intellectual property, business strategies, and all sorts of other valuable information. Clients entrust such information with their counsel because of the disclosure restrictions associated with attorney-client privilege.
Cyber criminals, however, don’t care about privilege. All they see is valuable information, so damn the firewalls and full speed ahead with the malware.
To be fair, the ABA has recognized this threat. It adopted a resolution calling for governments to review and amend laws to deter and punish illegal intrusions into law firms, as well as to develop international “legal mechanisms, norms and policies to deter, prevent, and punish” attacks on and thefts from lawyers.
All in favor? The ayes have it. Good luck actually making that happen.
So, we are back to where we started. We can litigate all we want about who should be reading what and how we should punish rascally miscreants. While we play that fiddle, voluminous amounts of privileged information will be spirited away.
My advice to my colleagues is the same advice I give to my clients: accept the fact that you will be attacked and lose data. Move on to figuring out how to block as many attacks as you reasonably can. Also, set up defenses to quickly find attacks that succeeded and have a plan to clean them up fast. If you don’t do that, don’t be surprised when other lawyers come after you for being negligent.
And in your spare time, feel free to dictate a cathartic letter to Australia expressing your outrage at the sullying of the immutable laws of privilege. I’ll be happy to hand carry it over to Sydney for you – I’ve always wanted to visit.
Brian E. Finch (@brianefinch) is a partner at Pillsbury Winthrop Shaw Pittman LLP, where he focuses on cyber security issues. He can be reached at firstname.lastname@example.org.