Effective Cybersecurity is a Law Firm’s Ethical Obligation

In this current digital age, taking “reasonable efforts” ensure the safety of client information has become an essential aspect of law firm management.

The American Bar Associations Standing committee on Ethics and Professional Responsibility’s 2017 Formal Opinion 477R provides that it is a “lawyer’s ethical responsibility to use reasonable efforts when communicating client confidential information using the Internet.”

Similarly, Formal Opinion 483 expounds on the issue by offering guidelines “on an attorney’s ethical obligations after a data breach.”

These two Formal Opinions make clear that attorneys are not only under obligation to protect client data, but to also inform clients of any data breaches that may affect their confidential information.

A prominent legal malpractice insurer recently estimated that 22 percent of law firms are the victims of cyberattacks or data breaches each year, and that this number is increasing from year to year.  Similarly, a recent American Bar Association survey revealed that, in law firms with 10-49 attorneys, this figure was 35% — meaning over a third of small law firms had been hacked.

Although there are many high-profile examples, one need only look to some of the many recent large firm breaches for evidence that law firms “remain high-priority targets of hackers, ransomware and, more recently, nefarious miners of cryptocurrency.”

The prioritization of cybersecurity has become essential. As the saying goes, an ounce of prevention is worth a pound of cure. In the case of law firms and data-breaches, where liabilities are at stake, a pound of cure might not be enough of a remedy. Prevention is paramount.

Nature of the Cyberthreat

Hearing about high profile data-breaches has become commonplace. These breaches are especially devastating in the legal profession because of all of the sensitive information attorneys require and store in order to adequately represent their clients. The quantities of sensitive and confidential information stored by law firm is one of the core reasons that law firms are so often chosen as targets by hackers.

The recent ABA ethics opinions mentioned above offer specific guidance in terms of a law firm’s responsibilities in the event of a data breach. Formal Opinion 483 correlates the response to cyber threats with various different rules in the Model Rules of Professional Conduct.

  • Model Rule 1.1 requires a duty of competence. Attorneys must have the necessary skills to best represent their client. This extends beyond legal knowledge to any reasonable measure that could help them provide their clients with better service – including but not limited to modern technology.
  •  Model Rule 1.4 outlines a lawyer’s obligation to make sure clients are “reasonably informed” on the status of their matter.
  • Model Rule 1.6 addresses the client and lawyer relationship. It makes it clear that a lawyer should not reveal information about the representation of a client unless the client gives informed permission.
  • Model Rule 5.1 details the responsibilities of a partner or supervisory lawyer to make reasonable efforts to make sure that the firm has effective measures in place to maintain compliance with the Rules of Professional Conduct.
  • Model Rule 5.3 highlights the responsibilities of a law firm to have effective measures giving reasonable assurance that nonlawyers will comply equally with the Rules of Professional Conduct.

These obligations existed before cybersecurity was even much of a concern, but the principles they are designed to protect are still salient.

As the ABA Standing Committee notes, “[c]ompliance with the obligations imposed by the Model Rules of Professional Conduct, as set forth in this opinion, depends on the nature of the cyber incident, the ability of the attorney to know about the facts and circumstances surrounding the cyber incident, and the attorney’s roles, level of authority, and responsibility in the law firm’s operations.”

Although Formal Opinion 483 refers to additional post-breach obligations, it doesn’t go into detail about other existing laws – instead, only stating, “[e]ach statutory scheme may have different post-breach obligations, including different notice triggers and different response obligations.”

To cover all your bases, additional applicable laws or rules relating to post-breach obligations should also be analyzed and addressed.

Recommended Reasonable Efforts

The first step in maintaining preventative cybersecurity measures will always be to make sure all of your software is updated to its latest versions. Software is always being updated to patch out vulnerabilities that may be exploited. That’s what makes using older versions of programs so innocuously dangerous.

A recent article in the ABA Journal notes another interesting point – the required “reasonable efforts” may include “implementing technology systems where it is practical, but also declining a technology solution if a task does not require it. The idea here being that internet-enabled services increase a firm’s vulnerabilities.”

Maintaining safe and up to date technology falls under the purview of Model Rules 5.1 and 5.3 and the obligation to establish ethically compliant internal policies.

Unfortunately, this means if a program that has served a law firm well for years is no longer supported by updates and patches, the safest thing to do would be to discontinue its use and find a program still receives support.

With new stories of data breaches popping up all the time, it’s no wonder clients have become more concerned with the status of the cybersecurity initiatives employed by the law firms that seek to represent them. According to a recent survey from Microsoft, 91 percent of people don’t want to do business with companies using outdated technology.

Email encryption and secure client portals are great ways to implement secure communication and collaboration tools to help safeguard client data.

Client representation cannot happen without communication.  As such – and as provided in Formal Opinion 477R – the lines of communication must be protected and secured as effectively as possible. Accordingly, digital communications should be encrypted wherever possible.

As stated in a report from Above the Law, “email is the weakest link for many law firms, with phishing emails being one of the most common types of hacking encountered by lawyers.” 

Phishing scams or attacks consist of emails that purport to be from trusted sources, but actually, contain malicious links or programs designed to steal information or otherwise gain access to secure systems.

Phishing attacks can be especially dangerous because of their varying levels of sophistication. Some of these scams are fairly easy to recognize, while others will steal or replicate every aspect of the sender they are fraudulently impersonating down to the email address.

The preservation of confidentiality is the crux of Rule 1.6.  As such, attorneys are obligated to take steps to avoid phishing scams at all costs.

The best practice is to teach the entire firm how to recognize and avoid these tactics. Due to the nature of the work, opening emails from unknown senders is part of the job. However, clicking strange links or imputing login information – even to emails that appear to be from trusted senders – must be discouraged at all costs.

In addition, firms should implement a formal password security policy.  Such a policy should include maintaining secure passwords by:

  • Requiring passwords of 12 characters or more
  • Not using personal information that is easy to guess, such as names, dates, pets, etc.
  • Using symbols, numbers, in addition to letters
  • Including both uppercase and lowercase letters
  • Not reusing passwords
  • Changing passwords on a regular schedule

In addition, law firms should consider enabling “Two Factor Authentication” (“2FA”) on all devices and services that provide such a feature.  Most applications require a username and password to be able to login and use the app.  However, 2FA requires the user to also enter a code sent to the user’s cell phone or email address, which makes it harder for a hacked to gain access.

Moreover, law firms should also consider using secure password managers or “Single Sign On” services.

Such features or services make remembering passwords much easier, thereby assisting with keeping different and unique passwords that are not re-use across a law firm.

Despite a practice's best efforts and intentions, data breaches can still take place.  Cybersecurity is ever-evolving and therefore never perfect.  If a firm is too small to have a partner or other resource devoted to information security, law firms can consider hiring consultants for this purpose.

If a breach or other information security incident should occur, Formal Opinion 483 reminds attorneys of their Rule 1.4 obligation to not only make every effort to mitigate the breach but to also inform clients if any of their confidential information was compromised.

Conclusion

A recent ABA Journal article pointed out that “[m]any of the first ethics opinions on this topic wisely recognized that technology would change over time… with ethics committees acknowledging that accepted security standards would likely change as technology advanced and more secure options became available.”

The threat of a data-breach is ever-present in modern society.  Although it’s impossible to completely and “100 percent” insulate your law firm from the possibility of attack, it is still strongly advised that you continue to take every reasonable step to attempt to do so. Moreover, maintaining an action plan in the event of a breach will help you respond more efficiently in a situation where every second counts.