As lawyers we hold some of our clients’ most sensitive information. A vibrant black market targets it. So law firms face greater security risks than ever before.
Hackers target lawyers because they see us as the “back door” around our clients’ often more stringent security. The FBI has issued alerts to law firms, warning of spear-phishing emails containing malware and schemes in which criminals pretend to be overseas “clients.” An ABA survey reports that nearly 14 percent of responding attorneys had suffered a security breach. The figure rises to 19 percent for firms with 10 to 49 attorneys, which means that every firm, large and small, is vulnerable to cyber risks.
Statistics don’t tell the whole story, of course, because many of us don’t realize we’ve been hacked and even when we do, we’re reluctant to “go public.” Or we’re limited in what we can say because we have an ongoing duty to safeguard our clients’ data.
This ethical duty of cybersecurity is reflected in New York’s Rules of Professional Conduct. Rule 1.1, for example, requires a lawyer to provide competent representation to a client, using the legal knowledge and skill reasonably necessary for the representation. To maintain the requisite knowledge and skill, Comment 8 to this rule requires a lawyer to “keep abreast of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information.”
But it’s not enough to know the risks. As Rule 1.4 requires, a lawyer must communicate with the client about the means – including, of course, the technological means – by which the lawyer will accomplish the client’s objectives.
One of these objectives is to safeguard the client’s confidential information. This includes not only information protected by the attorney-client privilege and the work-product doctrine, but also any information gained during the representation, whatever its source. This broad category includes personally identifiable information, or PII; personal health information, or PHI; financial information; intellectual property; trade secrets; and other proprietary data.
Rule 1.6, then, requires a lawyer to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to,” any confidential information. Unauthorized access or disclosure could happen anyway. But it does not violate this rule as long as a lawyer has made “reasonable efforts” to prevent it.
In determining what’s reasonable, certain factors are considered, including (1) the sensitivity of the client’s information; (2) the likelihood of access or disclosure without added safeguards; (3) the costs of those safeguards; (4) the difficulty of implementing them; and (5) the extent to which those measures affect the lawyer’s ability to represent clients by, for example, making a device or software too hard to use.
Taken together, the rules of professional conduct require a lawyer to be competent in the use of technology, to communicate with the client about known risks and to take reasonable steps to safeguard the client’s information.
Because the touchstone is what a “reasonable” lawyer would do, there is no “one size fits all” standard for law-firm cybersecurity. Bar associations have offered some guidance in the form of ethics opinions relating to the use of email, outsourcing, metadata and storage in the cloud.
In an opinion issued this spring, the ABA’s Standing Committee on Ethics and Professional Responsibility described the 2012 “technology amendments” to the Model Rules of Professional Conduct. These amendments confirm that a lawyer’s core duties of competence, communication and confidentiality extend to the technology the lawyer uses in representing a client. In the committee’s words, compliance with these core duties “in an ever-changing world requires some reflection.”
Here is a proposed checklist for compliance:
Develop a cyber-risk plan. Following a reliable set of industry standards is critical. The U.S. National Institute of Standards and Technology published a non-binding “Framework for Improving Critical Infrastructure Cybersecurity.” Written in non-technical terms, it sets best practices to help organizations manage cyber risks. The International Organization for Standardization’s ISO 27001 is a highly regarded standard, as well.
Adopt reasonable safeguards. As important as a complete cyber-risk plan is, certain minimum safeguards lend substantial protection up-front. These safeguards include multi-factor authentication; encryption of sensitive data; installation of anti-malware software and prompt application of all patches as they are issued; complex, or “smart,” passwords that are changed regularly; and restrictions on physical and electronic access to client data and firm infrastructure. Only those who need access should have it.
Train your employees. The best plans and safeguards won’t help unless everyone is trained to comply. Hold lunch-and-learns or other regular training sessions designed to teach particular aspects of your plan.
Assess yourself regularly. Conduct regular penetration tests. Drills or “table-top” exercises will help you practice handling cybersecurity events and foster discussion on how to improve your safeguards. “Social-engineering” tests – inviting employees to click on email attachments, respond to unusual IT requests or plug in flash drives planted in the workplace – will help you gauge how well you’re training your team.
Set the tone from the top. Cybersecurity is more than an IT issue; it’s a leadership issue. Management should enforce the notion that the protection of client data and the firm’s critical infrastructure is a high priority. The managing committee and practice leaders should meet regularly to discuss implementation and compliance issues.
Develop an incident-response plan. Form a team comprised of the managing partner and other key partners, managers and personnel. Devise a plan so that the team knows precisely what to do and whom to contact if a cybersecurity event occurs. Practice implementing the plan so that when something does happen, you’re ready to respond.
Purchase cyber insurance. Many general- and professional-liability policies do not cover the full scope of a firm’s cyber risks. A cyber policy should cover the firm not only for its potential liability to third parties but for costs the firm itself incurs to investigate and respond to a cyber event. Review your existing coverage and supplement it if need be.
Cybersecurity is the ethical duty of every lawyer. Fortunately, law firms large and small have access to the resources they need to protect clients’ data. That’s good news, because the cyber risks lawyers face are not going away.