There continues to be an overwhelming amount of daily news about the impact of Artificial Intelligence (“AI”) on our lives, and rightfully so. President Biden’s Executive Order concerning the safe and secure use of AI was issued on October 30, 2023, but by the time you are reading this in December 2023, the misuse of AI undoubtedly will have increased.
The use of generative AI has already made it easier to impersonate others, transform ordinary pictures into fake images to spread across the internet, create fraudulent emails and messages more effectively, such as AI-generated voice phishing (“vishing”) fraud, all of which will be harder to detect. See, 2023 ForgeRock Identity Breach Report. Attackers already have generated “deep fake” AI voice cloning impersonation to cause unauthorized fund transfers. Underground hacking communities are already using the voice and imaging analysis capabilities of ChatGPT 4.0 to generate new voice messages and images in their ever-expanding toolbox for fraudulent schemes.
However, let’s not forget that HI (human intelligence), or the lack thereof, (more politely, the misuse of biases and other human attributes) has been and remains the most prevalent cause of data breaches across all industries. Law firms are choice targets given the vast amount and type of confidential information they possess on their clients. Not surprisingly, some of the largest law firms have been targeted and successfully breached.
I have previously written in the Bar Journal about the need to have an incident response plan and to make sure you meet your cyber insurance coverage requirements on an ongoing basis. See, Four Tips to Avoid Denial of Cyber Insurance Coverage for a Data Breach, April 3, 2023 (Page 25). In addition to your own cybersecurity measures, you need to make sure all of your third-party vendors have similar security measures in place—the weakest link in the chain concept.
Your third-party vendors’ (court reporters, forensic and eDiscovery providers, private investigators, etc) cybersecurity practices must be compliant with your cybersecurity requirements. You should conduct a risk assessment of their data protection policies, security controls, and incident response capabilities. Inform them of your requirements and monitor and update them regularly to verify compliance with your policies. Remember, the data they have is most likely confidential and you should have a plan to secure and reclaim all of the data managed by that vendor in the event of a data breach of their systems.
Part of your evaluation must include your third-party vendor agreement and, in particular, the limitations on liability and indemnity requirements. Based on personal experience, I have refused to use certain forensic examiners for this reason. You are responsible for the breach of your clients’ data, even if the breach occurred at the third-party vendor, and you will suffer the consequences regardless.
1. While the rapid speed at which AI capabilities are advancing, human error continues to be the most prevalent cause of data breaches.
2. Law firms are a ripe target for attackers given the amount of confidential information stored on their clients.
3. Prepare and implement an Incident Response Plan that includes the possibility that your third-party vendors may have confidential information that is at risk.
4. Third-party vendors can be the weakest link in the cybersecurity chain – it is your firm’s responsibility to evaluate a vendor’s capability to protect your client’s data and ensure they are complying with your cybersecurity requirements, including cyber insurance coverage requirements.
AI is a burgeoning area of concern, but we can’t neglect the problems that already exist and continue to be the main source of data breaches.
©2023 Reprinted with permission by the Palm Beach County Bar Association. This article was first published in the Palm Beach County Bar Association's Bulletin magazine in December 2023.
Jones Foster Shareholder Robert W. Wilkins is chair of the Complex Litigation & Dispute Resolution Practice Group and is Board Certified by The Florida Bar in the areas of Business Litigation and Civil Trial. Rob represents and counsels clients in complex business litigation matters, including e-discovery and data privacy issues. He serves as Co-Chair of the Data Security Subcommittee of the ABA Section of Litigation’s Commercial and Business Litigation Committee (CBL) and an active member of Working Group 11 of The Sedona Conference on Data Security and Privacy Liability.
Jones Foster is a commercial and private client law firm headquartered in West Palm Beach, Florida. Established in 1924, the Firm has served as an integral part of South Florida’s growth and prosperity for nearly a century. Through a relentless pursuit of excellence, Jones Foster delivers original legal solutions that help clients, colleagues, and the community to move forward. Notably, the majority of the firm’s Shareholders have received the designation of Board-Certified Specialist by The Florida Bar in their specific practice area. The firm’s attorneys focus their practice in Real Estate, Complex Litigation & Dispute Resolution, Private Wealth, Wills, Trusts & Estates, Corporate & Tax, and Land Use & Governmental. For more information, please visit www.jonesfoster.com.