Westby speculated about possible motives for filing the 45 fraudulent claims.
"To steal identities, to sell the identities, to commit medical fraud, to file future fraudulent claims or all of the above," Westby said.
Westby offered suggestions for what other companies should do to prevent a similar situation.
"Law firms should conduct annual cyber risk assessments against best practices and privacy/security compliance requirements, identify weaknesses and remediate, and continually try to improve their security posture and stay abreast of current threats," Westby said. "They should have dedicated IT and security personnel who have training and certifications. Small firms can utilize cloud services and third-party security service providers to ensure their security program is robust. Law firms also must have a full set of security policies and procedures, train every single person who has access to the system on security awareness and compliance with the policies and procedures, log activity and monitor access."
Westby said there is a growing trend of cyber attacks targeting all businesses worldwide, including legal practices.
"Law firms are businesses," Westby said. "They have rich data repositories that are attractive to criminals. They are continually targeted, especially those that are involved in litigation or legal matters that involve discovery of large amounts of documents and data, including intellectual property and other 'delicious data'. For several years, the FBI has warned that law firms are targets of attacks."
Westby said law firms must address these concerns in today's digital environment.
"Law firms need to realize that they have an ethical responsibility to protect their clients’ data and if they fail to do so, they may be subject to negligence suits as well as disciplinary complaints," Westby said. "New commentary to Rule 1.1 requires attorneys to 'keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology'. Commentary to the Rule requires lawyers to act competently in safeguarding information. What all of this means is that an attorney may avoid an ethics violation if he/she has acted competently and taken measures to safeguard client information. That said, they may still have to notify the client of the breach. It is my view that Rule 1.4 on communications with clients and the Restatement (Third) of the Law Governing Lawyers require attorneys to notify clients in the event their client information was breached, irrespective of whether the data accessed would trigger a state breach notification law."