The Oklahoma Bar Journal December 2022

Avenue executives’ emails. Ocean Avenue ultimately learned of the attacks and filed a federal lawsuit alleging extortion, intimidation and hacking against Blair’s com pany, which resulted in an undis closed settlement. The bodyguard and the investigator who hired Mr. Gupta were charged by the FBI with hacking and pleaded guilty to their role in the attacks. Mr. Gupta was also charged by the FBI but to date has not been apprehended. 14 According to the Reuters story, the FBI has been investigating others who may have hired Mr. Gupta or his company to hack American targets since 2018 but has not brought any further charges. 15 Although the data obtained by Reuters uncovered the targets and methods of these hacks, the data doesn’t answer key questions, such as who hired the hackers, whether the hacks were successful or even if any stolen information was used. WHAT RISKS DO LAWYERS FACE FROM THESE HACK FOR-HIRE ATTACKS? There are obvious risks for criminal and civil liability for lawyers if they were to hire a hack-for-hire firm or use informa tion obtained from these firms or if sensitive, private information regarding clients or parties is compromised. 16 However, these hacking schemes particularly put attorneys at risk for disciplinary action and malpractice claims for violating duties imposed by the rules of professional conduct. Of course, attorneys who hire these firms or who obtain or rely on information they knew or should have known was obtained by such hacks would clearly violate the rules of professional con duct. 17 But the chief concern for most lawyers should be the risk for discipline or malpractice if

sensitive or privileged information is compromised. Attorneys have ethical duties to take reasonable measures to safe guard client information. 18 These duties are sometimes a challenge to attorneys because “most are not technologists and often lack training and experience in secu rity.” 19 Several ethics rules specif ically address the lawyer’s duties to safeguard client information, including competence (Rule 1.1), communication (Rule 1.4), con fidentiality of information (Rule 1.6) and supervision (Rules 5.1, 5.2 and 5.3). The rules of professional conduct specifically impose a duty for lawyers to be aware of and safeguard against risks associated with technology. 20 As noted in the ABA’s 2021 Legal Technology Survey Report, the rules of professional conduct require attorneys regarding the use of technology to:

inboxes of about 1,000 attorneys at 108 different law firms. Among the law firms targeted were global practices, including U.S.-based Baker McKenzie, Cooley, and Cleary Gottlieb Steen & Hamilton. Major European firms, includ ing London’s Clyde & Co. and Geneva-based arbitration special ist LALIVE, were also hit. 11 These firms declined to comment or did not return messages, which is not surprising. Their failure to respond to the Reuters investigation is not to say that no action was taken, as we suspect that defenses against such attacks were expeditiously fortified. WHAT WERE THE SPIES AFTER? The Reuters investigation found the legal cases targeted varied in profile and importance, from per sonal disputes to those involving multinational companies with a lot of money at stake. From London to Lagos, at least 11 separate groups had their emails leaked publicly or introduced as evidence mid-trial. In several cases, court records showed stolen documents affected the verdict. 12 Not surprising, but quite alarming. “It is an open secret that there are some private investigators who use Indian hacker groups to target opposition in litigation battles,” said Anthony Upward, managing director of Cognition Intelligence, a UK-based countersurveillance firm. 13 WHO HIRED THESE HACK FOR-HIRE FIRMS? In 2013, Ryan Blair, a Silicon Valley direct sales entrepreneur, asked his bodyguard to find “com promising material” on Ocean Avenue, a rival company against whom his diet shake company had filed a series of lawsuits. The bodyguard retained a pri vate investigator who then hired Mr. Gupta’s firm to hack Ocean

1) Employ competent and reasonable measures to

safeguard the confidential ity of information relating to clients, ents about attorneys’ use of technology and obtain informed consent from cli ents when appropriate and

2) Communicate with cli

3) Supervise subordinate attorneys, law firm staff and service providers to make sure they comply with these duties. 21 Therefore, it is important for lawyers and law firms to become educated about potential hacking activity and what steps can be taken to prevent it.

26 | DECEMBER 2022

THE OKLAHOMA BAR JOURNAL