Risk Update

Technology Risk — More Law Firm Hacking News, AI Ethics Rules Evolving

“Allen & Overy data hit by hackers in ransomware attack” —

  • “Allen & Overy, the ‘magic circle’ law firm, has suffered a cyber attack on its systems, making it the latest big corporate to fall victim to a ransomware hack.”
  • “A&O confirmed it had ‘experienced a cyber security incident impacting a small number of storage servers’, after posts on social media platform X on Wednesday claimed the hacking group LockBit had attacked the legal giant and threatened to publish data from the firm’s files on November 28.”
  • “‘Investigations to date have confirmed that data in our core systems, including our email and document management system, has not been affected,’ A&O said on Thursday. ‘As a matter of priority, we are assessing exactly what data has been impacted, and we are informing affected clients.’”
  • “The UK’s National Cyber Security Centre has warned that law firms present an attractive target for hackers due to the wealth of information they hold on companies across most sectors and regions. Hackers such as LockBit target companies and governments with ransomware that disables access to computer systems. Groups then often demand payments or threaten to release private data and communications.”
  • “‘Our technical response team, working alongside an independent cyber security adviser, took immediate action to isolate and contain the incident,’ A&O said. ‘We appreciate that this is an important matter for our clients, and we take this very seriously. Keeping our clients’ data safe, secure, and confidential is an absolute priority.’”

“Allen & Overy risks losing trust if it stays silent on cyberattack” —

  • “The Australian arm of Allen & Overy risks losing trust with clients and the public if it stays silent on the cyberattack the international legal firm suffered last week, the former boss of the government’s cybersecurity agency said.”
  • “Alastair MacGibbon, the former head of the Australian CyberSecurity Centre and an adviser to two prime ministers, told The Australian Financial Review that ‘the fact [Allen & Overy] is not making any comment is unhelpful’. The firm, which has approximately 25 partners and 130 fee-earning lawyers in Australia, counts critical infrastructure assets NBN Co and Port of Melbourne among its Australian clients. Russian-linked hacking group LockBit is threatening to release files stolen from the London-based firm on the dark web from November 28.”
  • “Mr MacGibbon, who is now chief strategy officer at CyberCX, said ‘I suspect, since they are a law firm, they are spending most of their time worrying about the legal implications of speaking’.”
  • “Earlier this year, Australia’s largest law partnership, HWL Ebsworth, had 2.5 million files stolen in a cyberattack, affecting major banks, insurers and 65 government agencies.”
  • “Overseas, major law firms including DLA Piper, K&L Gates and Kirkland & Ellis have all fallen victim to cyberattacks in recent years.”

“Hackers are exploiting ‘CitrixBleed’ bug in the latest wave of mass cyberattacks” —

  • “Security researchers say hackers are mass-exploiting a critical-rated vulnerability in Citrix NetScaler systems to launch crippling cyberattacks against big-name organizations worldwide.”
  • “These cyberattacks have so far included aerospace giant Boeing; the world’s biggest bank, ICBC; one of the world’s largest port operators, DP World; and international law firm Allen & Overy, according to reports.”
  • “Thousands of other organizations remain unpatched against the vulnerability, tracked officially as CVE-2023-4966 and dubbed “CitrixBleed.” The majority of affected systems are located in North America, according to nonprofit threat tracker Shadowserver Foundation. The U.S. government’s cybersecurity agency CISA has also sounded the alarm in an advisory urging federal agencies to patch against the actively exploited flaw.”

“Proposed Advisory Opinion 24-1 Regarding Lawyers’ use of Generative Artificial Intelligence – Official Notice” —

  • “The Florida Bar Board of Governors’ Review Committee on Professional Ethics has issued Proposed Advisory Opinion 24-1, reprinted below.”
  • “The board will consider any comments received at a meeting scheduled to be held on Friday, January 19, 2024, at the AC Hotel in Tallahassee, Florida. Comments must contain the proposed advisory opinion number and clearly state the issues for the committee to consider.”
    • “Due to these concerns, lawyers using generative AI must take reasonable precautions to protect the confidentiality of client information, develop policies for the reasonable oversight of generative AI use, ensure fees and costs are reasonable, and comply with applicable ethics and advertising regulations.”
    • “A lawyer’s first responsibility when using generative AI should be the protection of the confidentiality of the client’s information as required by Rule 4-1.6 of the Rules Regulating The Florida Bar.”
    • “When using a third-party generative AI program, lawyers must sufficiently understand the technology to satisfy their ethical obligations. For generative AI, this specifically includes knowledge of whether the program is ‘self-learning’. A generative AI that is ‘self-learning’ continues to develop its responses as it receives additional inputs and adds those inputs to its existing parameters. Neeley, supra n. 2. Use of a ‘self-learning’ generative AI raises the possibility that a client’s information may be stored within the program and revealed in response to future inquiries by third parties.”
    • “Existing ethics opinions relating to cloud computing, electronic storage disposal, remote paralegal services, and metadata have addressed the duties of confidentiality and competence to prior technological innovations and are particularly instructive… While the opinions were developed to address cloud computing, these recommendations are equally applicable to a lawyer’s use of third-party generative AI when dealing with confidential information.”
    • “It should be noted that confidentiality concerns may be mitigated by use of an in-house generative AI rather than an outside generative AI where the data is hosted and stored by a third-party. If the use of a generative AI program does not involve the disclosure of confidential information to a third-party, a lawyer is not required to obtain a client’s informed consent pursuant to Rule 4-1.6.”
    • “While Rule 4-5.3(a) defines a nonlawyer assistant as ‘a person’, many of the standards applicable to nonlawyer assistants provide useful guidance for a lawyer’s use of generative AI.”
    • “First, just as a lawyer must make reasonable efforts to ensure that a law firm has policies to reasonably assure that the conduct of a nonlawyer assistant is compatible with the lawyer’s own professional obligations, a lawyer must do the same for generative AI. Lawyers who rely on generative AI for research, drafting, communication, and client intake risk many of the same perils as those who have relied on inexperienced or overconfident nonlawyer assistants.”
    • “Second, a lawyer must always review the work product of a generative AI just as the lawyer must do so for the work of nonlawyer assistants such as paralegals. Lawyers are ultimately responsible for the work product that they create regardless of whether that work product was originally drafted or researched by a nonlawyer or generative AI.”

“California Bar to Vote on AI Guidelines Over Disclosure, Billing” —

  • “A California State Bar committee is calling for state lawmakers to consider regulations on non-lawyer use of AI legal products and recommending guidance for attorneys who use the technology.”
  • “Generative AI’s increasingly sophisticated legal tools hold the promise of improving access to justice by offering free or low-cost legal advice to people who can’t pay for an attorney. But ‘while generative AI may be of great benefit in minimizing the justice gap, it could also create harm if self-represented individuals are relying on generative AI outputs that provide false information,’ the conduct committee said.”
  • “The committee is calling for the board of trustees to work with California’s legislature and supreme court to determine if the unauthorized practice of law needs to be more clearly defined, and whether legal generative AI products require licensing or regulating.”
  • “The California committee’s recommendations also include non-binding best practices for lawyers using generative AI but stop short of setting ethics rules. It described the proposed guidelines as an ‘interim step to provide guidance on this evolving technology while further rules and regulations are considered.’”
  • “The ‘practical guidelines’ ask attorneys to consider disclosing to clients when they use AI in their representation, and to not charge hourly fees for the time saved by using generative AI. Costs associated with generative AI may be billed ‘in compliance with applicable law,’ according to the guidelines.”