Ransomware: The macabre battle with new rules – Lawyers’ Lawyer Newsletter | Hinshaw & Culbertson
The Ransomware Business – A New Normal
In the first half of 2021, Accenture recorded triple-digit growth in cyber intrusion activity, including ransomware attacks against the legal, accounting and insurance industries globally. Over the same period, the average extortion demand increased by 518%, from just over $1 million in 2020 to $5.3 million, while actual ransomware payments increased by 82%.
Ransomware payments themselves are just one category of losses caused by cyberattacks. Others include business interruption, the costs of returning a victim’s network to its original state, the legal and regulatory costs of notifying and responding to the breach, and possible litigation arising from a breach. Together, these damages cost around $20 billion worldwide in 2021.
With so much money to be made, ransomware has become big business, and the resources available to ransomware gangs now rival those of nation-state actors. For example, between April 2017 and February 2022, the Conti ransomware gang received approximately $2,707,466,220.29 in Bitcoin.
Factors that Fueled the Ransomware Outbreak
Various factors have contributed to this ransomware boom, including the rise of remote working. Attackers are also delivering ransomware through compromised software updates and increasing the use and sophistication of phishing and social engineering. Because victims have learned to rebuild their networks from backups, attackers have also begun to locate and destroy those backups before launching the encryption stage of an attack.
This epidemic has also been fueled by the growth of “ransomware as a service” (RaaS), under which, for a monthly fee and a percentage of any extortion payments received, ransomware gangs rent or sell sophisticated ransomware tooling to anyone looking for a “side hustle.”
The impact of ransomware on the cyber market
Cyber insurers are now actively assessing the cyber risk of lawyers and law firms, sometimes refusing to provide cover to those who do not have sufficient safeguards in place. Carriers have also started reducing their available coverage by up to 50% and adding exclusions to policies for known vulnerabilities.
Lawyers’ ethical obligation to protect against ransomware
Model Rule 1.6 states that a lawyer “shall not reveal” any information “relating to the representation of a client unless the client gives informed consent, [or] the disclosure is impliedly authorized in order to carry out the representation.” This extends to disclosures “which do not in themselves reveal protected information but could reasonably lead to the discovery of such information by a third party”.
Model Rule 1.6 therefore requires lawyers to make “reasonable efforts” to protect their electronic files: lawyers must take “reasonable steps” to ensure that “only authorized persons have access to electronic files” and that those files “are protected against outside intrusion”. “What constitutes reasonable efforts is not susceptible to an absolute rule, but depends on a series of factors”, including:
- the sensitivity of the information;
- the likelihood of disclosure if additional safeguards are not employed;
- the cost and difficulty of employing safeguards;
- the extent to which safeguards adversely affect a lawyer’s ability to represent a client; and
- the client’s request or informed consent to forgo certain security measures.
Other factors include the nature of a law firm’s practice area(s), size, locations, clientele, and technological sophistication. Although the ethics notices explain that extra precautions should be considered in various contexts when “highly” or “particularly” sensitive information is involved, they do not generally define or discuss the types of information that would be covered. Thus, law firms should consider the sensitivity of client information when retaining it.
Of course, the duty of care does not require measures that “guarantee” against unauthorized access. Indeed, state ethics opinions generally allow attorneys to use their “good professional judgment” to determine what will work best. In addition, the HIPAA Security Rule also applies to attorneys who handle such data and requires various safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.
A lawyer’s duties do not require that an attorney-client relationship exist before those duties are triggered, and the duty of confidentiality in Rule 1.6 does not end when the attorney-client relationship ends. “A lawyer who has formerly represented a client in a matter or whose present or former firm has formerly represented a client . . . shall not thereafter . . . (2) reveal information relating to the representation except as these Rules would permit or require with respect to a client.”
Given the current level of data breach risk, records and data should not be retained for longer than necessary. Firms should consider developing record retention schedules and procedures to retain and dispose of information securely. At the end of any engagement, all records that can be returned to the client should be returned.
The federal government’s Cybersecurity and Infrastructure Security Agency (CISA) has a wealth of information on ransomware defenses, including a free vulnerability scanning service. You can request this service by contacting [email protected]. Once the scanning has been set up, CISA provides weekly reports.
See: https://newsroom.accenture.com/news/global-cyber-intrusion-activity-more-than-doubled-in-first-half-of-2021-according-to-accentures-cyber-incident-response-update.htm [Accenture Newsroom].
Available at: https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/#:~:text=The%20latest%20forecast%20is%20for,every%2040%20seconds%20in%202016.
Krebs on Security, at: https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/
 Model Rules of Professional Conduct R. 1.6(a) (2013).
Model Rules of Prof’l Conduct R. 1.6 cmt. (2013).
Ala. State Bar, Ethics Op. 2010-02 (2010).
Id. (the explanation of these steps includes the use of firewalls, intrusion detection software, and backups of all electronically stored files).
 ABA Comm on Ethics & Prof’l Responsibility Formal Op. 477R (2017).
Model Rules of Prof’l Conduct R. 1.6 cmt. (2013).
See, e.g., Ariz. State Bar, Ethics Op. 09-04 (2009); N.J. Sup. Ct. Op. 701 (2006) (acknowledging that a “guarantee” against unauthorized access “is impossible”); Va. State Bar, Legal Ethics Op. 1872 (2013) (noting that a lawyer is not obliged to “guarantee that a breach of confidentiality cannot occur when using an outside service provider”).
Ariz. State Bar, Ethics Op. 05-04 (2005) (“Precisely which of these software and hardware systems should be chosen – and to what extent they should be used – is beyond the scope and jurisdiction of the Committee. That is the kind of thing every lawyer needs to assess.”); N.J. Sup. Ct. Op. 701 (2006) (explaining that a lawyer “is required to exercise professional judgment about the steps necessary to protect client confidences from foreseeable attempts at unauthorized access”); Mass. Bar Ass’n, Ethics Op. 12-03 (2012) (“Ultimately, the question of whether the use of Google Docs, or any other provider of data storage services on the Internet, is compatible with [a] lawyer’s ethical obligation to protect his client’s confidential information is one that the lawyer must answer for himself on the basis of the criteria set out in this opinion….”).
 See 45 CFR §§160.101-160.552, 164.102-164.106, 164.302-164.318 (2014).
See Model Rules of Prof’l Conduct R. 1.18(b) (2013) (addressing information received from “prospective” clients and explaining that “[e]ven when no client-lawyer relationship ensues, a lawyer … shall not use or reveal that information, except as Rule 1.9 would permit”).
See Model Rules of Prof’l Conduct R. 1.6 cmt. (2013); N.Y. City Bar Ass’n Formal Op. 2017-5 (2017) (noting that the reasonable efforts requirement of Rule 1.6(c) applies to “information obtained from prospective, current and former clients”). Rule 1.9(c) extends the duty of confidentiality to “former clients” and provides:
 Model Rules of Professional Conduct R. 1.9(c) (2013).