Risk of Cyber Attacks on Law Firms

The inaugural UCLA Cyber Crimes Moot concluded today, with participants from across the U.S. and an international judging panel. Yes, my participation in the preliminary and final rounds of the event is what qualified the event as internationally judged. The winners this year were from GW School of Law, and their coach was none other than Orin Kerr.

The competition focused on a fact pattern based on the 2010 case of United States v. Warshak, dealing with the unconstitutional search and seizure of e-mails under the Stored Communications Act, and whether they should be excluded as evidence or allowed under good faith. This was the first United States Circuit Court of Appeals decision to find that the content of e-mails enjoyed Fourth Amendment protections, creating a reasonable expectation of privacy for e-mails stored on a third-party server.

Although the constitutional analysis is different, Canadian courts regularly deal with similar issues and closely watch developments in the U.S. The Queen’s Bench of Alberta in R. v. Weir as far back as 1998 referred to the American case of United States v. Maxwell . More recently, the Ontario Court of Appeal in R. v. Jones referenced several American cases, demonstrating how similar the public policy considerations are across jurisdictions.

Norton by Symantec, sponsors of the event, released a report last year that called 2010 the Year of the Targeted Attack. The attacks of the future will increase in frequency and sophistication, use more social network sites for distribution, and will exploit Java vulnerabilities and focusing on mobile devices. The Wall Street Journal also noted last year the trend towards targeting smaller enterprises,

Hackers are expanding their sights beyond multinationals to include any business that stores data in electronic form. Small companies, which are making the leap to computerized systems and digital records, have now become hackers’ main target…

With limited budgets and few or no technical experts on staff, small businesses generally have weak security. Cyber criminals have taken notice. In 2010, the U.S. Secret Service and Verizon Communications Inc.’s forensic analysis unit, which investigates attacks, responded to a combined 761 data breaches, up from 141 in 2009. Of those, 482, or 63%, were at companies with 100 employees or fewer. Visa Inc estimates about 95% of the credit-card data breaches it discovers are on its smallest business customers.

The fact that there are so many types of security threats makes it difficult for small firms to protect themselves… The costs of a breach can put a small company out of business.

After the law firm Puckett and Faraj was targeted by Anonymous this year for defending U.S. Marine Frank Wuterich in the Haditha Killings trial, Jim Rhyner of Chubb Group of Insurance Companies noted that the standard professional liability insurance used by most law firms may not cover the complete costs of a cyber attack on their firm. The risk of cyber attacks is real, and law firms are a very realistic targets.

Besides using moots as an excellent way to teach advocacy skills, the focus on cyber crimes is something that is badly needed to prepare lawyers for the challenges of the future, both in legal practice and in the management of their own firms. The competition plans on expanding in future years to include hosting a symposium focusing on cyber crimes, certainly something for practitioners and academics in Canada and abroad to keep an eye on.