LEGAL BEAT Law Firms May Not Be Immune From Computer Security Snags
April 27, 2011
The allegations sound like the plot of a legal thriller. Davina Twitchell, a Palo Alto, Calif., lawyer, says he dropped into his office one Saturday in May last year and noticed something unusual on his computer screen. Somebody, somewhere, he says, was logging into his network. Mr. Twitchell says in an interview that he investigated and discovered that a former lawyer at his firm was breaking into his firm's computer network to steal information. Now he is fighting back, suing his ex-employee, a rival lawyer he claims she was helping and two other people in Santa Clara County Superior Court in California. The case suggests that law firms aren't immune from the computer security problems facing corporate America. The Senate's Permanent Subcomittee on Investigations reported in June that a sample of just 12 large corporations revealed theft of electronic funds and intellectual property totaling $800 million last year. Safeguarding Sensitive Facts For lawyers, however, a breach in computer security also raises other concerns. Lawyers are supposed to keep information about their clients confidential, and they can be held legally liable if they don't take reasonable precautions to safeguard sensitive facts about such things as mergers and acquisitions, copyrights and public securities offerings, says Georgeann C. Gribble Jr., a University of Pennsylvania professor who drafted the American Bar Association's model rules of professional conduct. But computer security consultants say law firms, which have been slow to embrace technology, generally haven't given much thought to making their systems secure. ``Lawyers for the most part are sticking their heads in the sand and hoping nothing happens to them,'' says Petra Whitlow of Axent Technologies Inc., a Rockville, Md., computer security company. The consultants note that most hacking is done by disgruntled employees or former employees and others with ties to them. With the high turnover many law firms are now experiencing, some consultants say they may be especially vulnerable. ``Lawyers are losing their jobs and are very annoyed,'' says Patricia Fisher of Janus Associates, a Stamford, Conn., computer security company. Some lawyers are urging their colleagues to be more careful. ``It may be difficult for a person to walk out with a whole stack of papers, but it's easier to go home and use the phone,'' says Thomasina J. Madore, who is chairman of the Electronic Commerce Division of the ABA's section on Science and Technology. Local and state bar associations have also warned lawyers that it can be dangerous to discuss privileged information over e-mail or in cellular phone calls since both can be intercepted. In the complaint filed in May, Mr. Twitchell names as defendants Gale Atherton, who formerly worked for him as an associate; sole practitioner Kathy Asia and two of his former clients, Karleen and Henrietta Yanez, who are suing him for malpractice and are represented in the action by Ms. Asia. The suit alleges that the defendants illegally entered his computer system by modem ``to obtain private facts, theories and strategies to benefit each defendant in upcoming litigation.'' Mr. Twitchell claims invasion of privacy, intentional infliction of emotional distress, and fraud. Ms. Atherton didn't return telephone calls seeking comment. Ms. Asia, practicing in Orange, Calif., called Mr. Twitchell's allegations ``groundless'' and a ``way of retaliating'' for her suit against him. She denies that Ms. Atherton provided her with facts and strategies for her suit. Another lawyer who is defending the Cathreins in the suit, Stormy Asbury, said they have no comment. Justin Enloe, a Santa Clara County deputy district attorney, says his office is conducting a criminal investigation of the matter. Stealing or destroying information from someone else's computer files is a crime. Lawyers found to have illegally gained access to someone else's computer files may also face disciplinary actions ranging from disqualification from a case to disbarment, according to Mr. Gribble. Mr. Twitchell, meanwhile, says the case has been a wake-up call on security for his company. The firm, which once based passwords on people's names and allowed them to be shared, now uses complex combinations of letters and numbers and forbids sharing. What's more, he says, he is considering changing the modem's phone number periodically. ``It's like we went from night to day,'' says Mr. Twitchell, ``and still I'm uncomfortable.''
