SONORA — Wheeler & Egger CPAs LLP discovered a data breach at their firm in August involving several of the firm's clients who filed a 2015 tax return extension.
After an investigation, the company announced the breach occurred between Aug. 3-9. The alleged perpetrators hacked into the system to fraudulently file 45 tax returns on behalf of clients.
Jody Westby, CEO of Global Cyber Risk LLC and adjunct professor at the Georgia Institute of Technology, School of Computer Science, said the clients, both entities and individuals, affected by the data breach were sent letters from the firm. A press release issued by Wheeler & Egger did not say how the threat was discovered, but that proactive measures were being taken to tighten security. After the breach was discovered, the release said the company immediately contacted its IT consultant to secure the network and hired a third-party forensic security firm to fully investigate the "breadth of the exposure."
The malware was reportedly removed and changes and upgrades to the system were performed, the release said. The firm also reported the breach to numerous federal agencies, including the U.S. Federal Bureau of Investigation, the U.S. Internal Revenue Service and the U.S. Secret Service, in addition to all three consumer reporting agencies and the applicable state attorneys general.
"I don’t have any way of knowing how the threat was discovered," Westby told the Northern California Record. "That would be known to the firm but not revealed in the press report. The firm could have gotten a tip from law enforcement, a client(s) could have notified them of activity, etc. Unlike credit card numbers that are voided and replaced after they are stolen, names, birthdates and social security numbers remain the same and are valuable fields in identity theft."
Wheeler & Egger recommends that those potentially affected by the breach review all bank account and brokerage statements and free credit reports. They also may wish to change the bank account numbers provided to the firm and notify the bank about the incident.
Westby speculated about possible motives for filing the 45 fraudulent claims.
"To steal identities, to sell the identities, to commit medical fraud, to file future fraudulent claims or all of the above," Westby said.
Westby offered suggestions for what other companies should do to prevent a similar situation.
"Law firms should conduct annual cyber risk assessments against best practices and privacy/security compliance requirements, identify weaknesses and remediate, and continually try to improve their security posture and stay abreast of current threats," Westby said. "They should have dedicated IT and security personnel who have training and certifications. Small firms can utilize cloud services and third-party security service providers to ensure their security program is robust. Law firms also must have a full set of security policies and procedures, train every single person who has access to the system on security awareness and compliance with the policies and procedures, log activity and monitor access."
Westby said there is a growing trend of cyber attacks targeting all businesses worldwide, including legal practices.
"Law firms are businesses," Westby said. "They have rich data repositories that are attractive to criminals. They are continually targeted, especially those that are involved in litigation or legal matters that involve discovery of large amounts of documents and data, including intellectual property and other 'delicious data'. For several years, the FBI has warned that law firms are targets of attacks."
Westby said law firms must address these concerns in today's digital environment.
"Law firms need to realize that they have an ethical responsibility to protect their clients’ data and if they fail to do so, they may be subject to negligence suits as well as disciplinary complaints," Westby said. "New commentary to Rule 1.1 requires attorneys to 'keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology'. Commentary to the Rule requires lawyers to act competently in safeguarding information. What all of this means is that an attorney may avoid an ethics violation if he/she has acted competently and taken measures to safeguard client information. That said, they may still have to notify the client of the breach. It is my view that Rule 1.4 on communications with clients and the Restatement (Third) of the Law Governing Lawyers require attorneys to notify clients in the event their client information was breached, irrespective of whether the data accessed would trigger a state breach notification law."