One of the most pressing issues facing the legal profession, whether one is a solo practitioner or a member of a large firm, is the need to protect confidential and proprietary client and law firm electronic information. To that end, on June 13, 2020, the House of Delegates of the New York State Bar Association (NYSBA) overwhelmingly approved the Report of the Committee on Technology and the Legal Profession, presciently proposed prior to the pandemic, recommending to the New York State Continuing Legal Education Board that the biennial CLE requirement be modified to require one credit of cybersecurity in each of the next two two-year CLE cycles.
The Report was supported by the NYSBA Committee on Continuing Legal Education. In addition, it was supported by the Young Lawyers Section, the Elder Law and Special Needs Section, and the Women in the Law Section, as well as substantive sections consisting of the Trial Lawyers Section, the Commercial and Federal Litigation Section, the Corporate Counsel Section, and the Trusts and Estates Law Section. Only the State and Local Government Section opposed the Report. If approved by the CLE Board, New York State would be the first state in the nation to have a cybersecurity CLE requirement.
Social engineering is the psychological manipulation of people to induce them to divulge confidential information or to take an action, such as wiring funds or opening an attachment, that benefits the attacker. Educating lawyers on how to recognize and avoid social engineering attacks is imperative: studies have shown that upwards of 97% of malware attacks reached users through social engineering, and only 3% targeted a company's technical infrastructure directly.
Through social engineering, a bad actor posing as a lawyer, the law firm, a vendor or a friend may seek to convince a lawyer or her staff to hand over access to confidential or secured information, or a password. Everyone knows or has heard of a lawyer who has been digitally scammed into wiring law firm funds that were diverted to criminals, or who has clicked on a malicious link or attachment at the office or on a mobile device and caused havoc on the firm's computer network. If lawyers, whether solo practitioners or members of a large firm, are educated on how to recognize and then prevent phishing and hacking attempts, they can minimize damage to their own practice and to their clients, whose systems may be infected by malware spread from the law firm's network. Lawyers also need to be educated on whether, and how, insurance may cover them in the event of such an attack.
Education of lawyers is key where ransomware attacks caused by insidious emails have shut down law firms, school districts and municipalities. Significantly, government employees, including lawyers, who utilize mobile devices, are increasingly being targeted, and one recent scam involved COVID-19 messaging that directed government employees to a website disguised as a page for arranging meal deliveries. The ploy was designed to steal government workers’ Google account login credentials.
The Statistics Demonstrate Lawyer Education Is Required
The New York Law Journal (NYLJ) reported in an October 2019 article, entitled “Eight NY Law Firms Reported Data Breaches as Problems Multiply Nationwide,” that the number of law firm data breaches in New York State doubled in 2018 and that “[d]espite a number of high-profile breaches putting firms on notice of cyber risks in recent years, there are indications that law firm breaches are occurring more frequently, not less.” The article reported that some cybersecurity lawyers and consultants said the numbers “likely represent a tiny fraction of the breaches affecting the legal industry. Law firms, like other privately held businesses, don’t often publicize when their data is breached, and many may not report it to state officials, depending on the law.” The NYLJ also reported in another October 2019 article, entitled “How Vendor Breaches Are Putting Law Firms at Risk,” that “[e]xternal breaches, including phishing and hacking as well as vendor incidents, were the most commonly identified source of data exposure events report[ed] by law firms.”
Also, in an October 2019 article, entitled “As Hackers Get Smarter, Can Law Firms Keep Up?,” the NYLJ reported that “large and small law firms can do much better in preventing and reacting to data breaches” and “cautioned that the legal sector may risk falling behind other industries.” The NYLJ noted that “[w]hile hackers are getting smarter, it’s also the case that some law firms aren’t keeping up with security guidelines developed inside the industry and in other professional fields, according to legal industry surveys and interviews with security consultants and law firm leaders.” Critically, the NYLJ article made clear that “[e]thics laws require lawyers to keep pace with technology to protect client information. Still, some observers point to a slow pace of budding ethics rules on cybersecurity questions.”
New York’s Ethical Framework
NYSBA Committee on Professional Ethics Op. 950 provides:
A fundamental principle in the client-lawyer relationship “is that, in the absence of the client’s informed consent or except as permitted or required by the Rules of Professional Conduct (the “Rules”), the lawyer must not knowingly reveal information gained during and related to the representation, whatever its source.” Rule 1.6, Cmt. . The attorney not only has an obligation to refrain from revealing such information, but also must exercise reasonable care to prevent its disclosure or use by “the lawyer’s employees, associates, and others whose services are utilized by the lawyer.” (emphasis added).
NYSBA Committee on Professional Ethics Op. 1019 further provides that the duty of “reasonable care”:
does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.
In fact, NYSBA Committee on Professional Ethics Op. 842 provides that a lawyer must take reasonable care to affirmatively protect a client’s confidential information. It further notes that:
Cyber-security issues have continued to be a major concern for lawyers, as cyber-criminals have begun to target lawyers to access client information, including trade secrets, business plans and personal data. Lawyers can no longer assume that their document systems are of no interest to cyber-crooks. That is particularly true where there is outside access to the internal system by third parties, including law firm employees working at other firm offices, at home or when traveling, or clients who have been given access to the firm’s document system.
* * *
In light of these developments, it is even more important for a law firm to determine that the technology it will use to provide remote access (as well as the devices that firm lawyers will use to effect remote access), provides reasonable assurance that confidential client information will be protected. Because of the fact-specific and evolving nature of both technology and cyber risks, we cannot recommend particular steps that would constitute reasonable precautions to prevent confidential information from coming into the hands of unintended recipients, including the degree of password protection to ensure that persons who access the system are authorized, the degree of security of the devices that firm lawyers use to gain access, whether encryption is required, and the security measures the firm must use to determine whether there has been any unauthorized access to client confidential information.
New York ethics opinions thus make clear that lawyers have an affirmative duty to protect confidential and proprietary client and law firm information and to stay current on cybersecurity threats, including the risk of being electronically compromised and the anticipatory or counter-measures that should reasonably be implemented to safeguard that information.
The SHIELD Act Needs to Be Taught
Required education of lawyers on cybersecurity has become even more imperative now that New York has enacted the Stop Hacks and Improve Electronic Data Security or “SHIELD” Act, which applies to all law firms. Lawyers need to understand what the SHIELD Act requires of them and of their clients. The SHIELD Act creates, for the first time, substantive security requirements for persons or businesses that hold the “private information” of New York residents, and it: (1) expands the types of data that may trigger data breach notification to include user names or e-mail addresses, and account, credit or debit card numbers; (2) broadens the definition of a breach to include unauthorized “access” (in addition to unauthorized “acquisition”); and (3) creates a new reasonable security requirement for companies to “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of” private information of New York residents. Safeguards may include designating employees to coordinate a security program, conducting risk assessments and employee training on security practices and procedures, selecting vendors capable of maintaining appropriate safeguards and imposing contractual obligations on those vendors, and securely disposing of private information within a reasonable time.
The SHIELD Act, as it applies to solo practitioners and small law firms, requires those persons and entities to ensure that there “are reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”
Mark A. Berman is a partner at Ganfer Shore Leeds & Zauderer and an ex officio co-chair of the New York State Bar Association’s Committee on Technology and the Legal Profession, which authored the subject Report. He was also the founding co-chair of the Social Media Committee of NYSBA’s Commercial and Federal Litigation Section as well as a former Chair of the Section.