
When is a law firm liable for a data breach? An exploration into the legal liability of ransomware and cybersecurity

The article deals with the question of the liability of law firms in the event of a hacking attack, in particular with regard to their due diligence obligations under the attorney-client privilege. The article was written by Dr. iur. Dr. rer. pol. Fabian Teichmann in collaboration with Chiara Wittmann and published in the Journal of Financial Crime in April 2022.

The Internet poses dangers to every user of a connected electronic device. According to one study, 54% of all organizations have been victims of hacker attacks. Although this threat is ubiquitous and the majority of attacks can be repelled, law firms need to be particularly cautious because they hold extremely confidential information that requires protection. Particularly in the Anglo-American world, hacking attacks on law firms can have criminal consequences.

Many firms attempt to limit their liability through force majeure clauses. The term "force majeure" refers to an event causing damage that is unavoidable and could not have been prevented even with reasonable care. However, courts interpret force majeure clauses restrictively. It is important to note that if a damage-causing event was foreseeable, the clause usually cannot be applied. A law firm is therefore obliged to take all appropriate measures to avert a hacking attack and, in the event of a successful attack, to minimize the damage. Failure to take such measures constitutes gross negligence, which is why a law firm may be held liable in the event of a hacking attack.

Most hacking attacks are enabled because an employee within the target organization opens an email that contains a virus, which allows the hacker to penetrate the system. Therefore, for the purposes of disclaiming liability, it is a top priority that organizations train their employees to increase their sensitivity to suspicious emails.

About the author: Fabian Teichmann is a lawyer, notary, management consultant and lecturer at various universities.

For more on this topic, see Teichmann, F. & Wittmann, C. (2022). When is a law firm liable for a data breach? An exploration into the legal liability of ransomware and cybersecurity. Journal of Financial Regulation and Compliance. https://doi.org/10.1108/JFC-04-2022-0093.