It’s now commonly understood that cyber threat actors — both criminals and nation-states — target and infiltrate law firms because of the high concentration of sensitive client data they hold. But what happens when a prominent political asylum client warns you to batten down the cyber hatches, you agree to take special precautions to prevent disclosure of confidential information, and then, after being engaged, you don’t? Hint: a panoply of finger-pointing and a growing comprehension within the legal community that cyber vigilance is the new normal.
Chinese tycoon and self-exiled political dissident Guo Wengui sued law firm Clark Hill for malpractice, breach of contract, and breach of fiduciary duty based on a fact pattern which implicates a targeted hack of the firm by the Chinese government.
In a February 20, 2020, ruling, the DC District Court dismissed Wengui’s demand for punitive damages and his claim that the firm’s subsequent withdrawal from the case constituted a legally remediable wrong (as is required to proceed with a tort claim). The claims around the firm’s misrepresentations about securing his confidential information, and its mishandling of that information, are proceeding to trial.
From a security practitioner’s point of view, it’s an interesting case. Unpeeling the layers around Wengui and his climb to being the 73rd-richest person in China, built on his success in developing real estate and investments in mainland China, provides an interesting backdrop, and it is exceedingly fair to state that Wengui is no stranger to litigation, as either defendant or plaintiff.
Wengui is a colorful figure within social media outlets, outspoken on his views of the Chinese Communist Party (CCP), and has been the subject of extensive misinformation campaigns by the Chinese government. According to Wikipedia, a South China Morning Post report found that more than 38,000 tweets from 618 of the now-suspended Twitter accounts controlled by the Chinese government and disseminating information around protesters in the 2019 Hong Kong Anti-Extradition Riots targeted Wengui.
Prior to engagement, Wengui’s warnings to the firm about the requisite level of security were explicit. As a political dissident residing in New York since 2015 when he fled China, he claimed he had already experienced the reach of the CCP when protesters demonstrated outside his US home and the government subjected him to targeted cyber attacks. He told Clark Hill they should similarly “expect to be subjected to sophisticated cyber attacks” upon engagement. Clark Hill agreed to take “special precautions” to prevent his information from leaking, including not placing any of his information on the firm’s server.
Post-engagement, the firm was hacked, and Wengui’s and his wife’s personal information (including passport numbers) was exposed along with the asylum application itself, which was published on social media. There seems to be no dispute as to the source of the hacking – both parties implicitly understand it was the CCP – and the hack is described as having been executed “with no great difficulty.”
Say What You Do And Do What You Say
In denying Clark Hill’s motion to dismiss the breach of fiduciary duty claim, the district court noted that Wengui had sufficiently demonstrated a breach of the duty of loyalty and good faith, in that the firm misrepresented how it would protect his confidential information. Similarly, the court declined to dismiss the legal malpractice claim, citing the duty of reasonable care owed by attorneys to their clients.
Although this is speculation, there is little doubt that all parties were well-intentioned in the engagement. It’s also clear that this litigation is ongoing and could still go in many directions before it is resolved. But there are a few questions and some lessons to pick through for those of us who are tracking the evolution of cybersecurity standards across the legal industry.
First, how will the court’s ultimate findings affect an insurance carrier’s willingness to pay out on a claim originating from a law firm under these circumstances? Second, what is the reasonable standard of cyber care required when firms represent political targets of the CCP, and hold their most personal information from nation states?
On the flip side, from the security side of the house, many law firms pride themselves on staying on the cutting edge of cyber – whether running their network environment through rigorous external or collaborative testing or paying outside experts to come in and test their physical perimeters on a regular schedule. For them, security is viewed as a differentiator and the tip of the spear. Indeed, for most law firms that offer a cyber practice, it would be hypocritical to claim to be well positioned to provide counsel on cybersecurity, privacy law, and trade secret protection, but not also walk the walk.
At the end of the day, it’s not just political asylum seekers who need best-in-class protection. In a world where literally anyone can be extorted, doxed or profited from, everyone from the individual client to the companies on the precipice of SEC filings deserves a hardened environment and best practices within which cybersecurity is an active defense: not an endpoint, but a journey that runs in parallel with their adversaries.
And, if there is a lesson in this for us that harkens back to law school even, perhaps it’s just this for now: listen to your clients. And when your clients are concerned about digital security because they are legitimately a public target of a nation-state known for its offensive cyberattack capabilities, that’s all the more reason to lean in.
Jennifer DeTrani is General Counsel and EVP of Nisos, a technology-enabled cybersecurity firm. She co-founded a secure messaging platform, Wickr, where she served as General Counsel for five years. You can connect with Jennifer on Wickr (dtrain), LinkedIn or by email at dtrain@nisos.com.