Despite living in the Information Age, where almost every business is online, many companies still regard cybersecurity as an afterthought. If not an afterthought, something that is low priority. Or something that only needs to be “good enough.” This is especially true of small-to-medium-sized businesses (i.e., your clients, if you’re in a small firm). Trying to keep a business running is hard enough, let alone worrying about being singled out by hackers.
This is also true with many law firms. Cybersecurity is something that is seen as an afterthought, if it is given any consideration at all. Yet, as I’ve mentioned before, law firms are often seen as “soft targets” by hackers. Hackers know that law firms tend to be lackadaisical with their security and are often an easy “backdoor” into their clients’ data. Law firms might as well have a target painted on their backs.
While getting hacked and losing the trust of customers and clients would be bad enough, a couple of days ago the U.S. Court of Appeals for the Third Circuit affirmed a district court’s ruling that allowed a lawsuit filed by the FTC to continue for “unfair or deceptive acts or practices in or affecting commerce” when a company has lax cybersecurity standards (PDF of opinion).
In FTC v. Wyndham, No. 14-3514 (3d Cir. 2015), the FTC had received numerous complaints from consumers about identity theft that was originating from the Wyndham Hotel Group. C’mon, they’re a huge hotel group, they’ve got to have at least pretty decent security, right? Here are some of the more egregious allegations from the FTC’s complaint:
- The company allowed Wyndham-branded hotels to store payment card information in clear readable text.
- …to gain “remote access to at least one hotel’s system,” which was developed by Micros Systems, Inc., the user ID and password were both “micros.”
- Wyndham failed to use “readily available security measures”—such as firewalls…
- …it knowingly allowed at least one hotel to connect to the Wyndham network with an out-of-date operating system that had not received a security update in over three years.
- It allowed hotel servers to connect to Wyndham’s network even though “default user IDs and passwords were enabled . . . , which were easily available to hackers through simple Internet searches.”
Yikes. And there’s plenty more if you read the opinion. Without a doubt, this is pretty egregious behavior. Storing credit card data in clear text?!? It sounds unthinkable, but it’s something that continues to happen on a fairly regular basis. Same with many of the other allegations in the complaint. In the end, the FTC estimated that there was over $10.6 million in fraud losses suffered by consumers.
I guarantee you that many solos and small firms around the country are likely exhibiting some of this same behavior.
Cybersecurity cannot be ignored or relegated to low-priority status. It has to be an integral part of a small business (most law firms are small businesses). Given the numerous threats to IT infrastructures, and how much sensitive client data law firms retain, cybersecurity should be a high priority for small firms.
Unless, in addition to getting a bar complaint from an upset client, you want an FTC complaint too.
Keith Lee practices law at Hamer Law Group, LLC in Birmingham, Alabama. He writes about professional development, the law, the universe, and everything at Associate’s Mind. He is also the author of The Marble and The Sculptor: From Law School To Law Practice (affiliate link), published by the ABA. You can reach him at [email protected] or on Twitter at @associatesmind.