Cybersecurity Ethics For Attorneys And Law Firms
As law firms increasingly digitize their systems and practically all facets of the practice of law move into the cloud, there is significant danger lurking in the shadows in the form of breaches. Although organizations of all types and sizes see marked upticks in cybersecurity incidents, lawyers, with their ethical obligations to keep clients’ information confidential, need to be especially vigilant. Whether a solo lawyer or a large multinational firm, there are best practices and mandatory security measures that need to be undertaken to avoid both breaches of professional responsibility proceedings and malpractice actions.
The Ethical Duty Of Technical Competence
With the practice of law increasingly becoming a digital and cloud-based operation, state regulatory agencies governing lawyer ethics frequently mandate a minimum standard of technical competence. For instance, California, with approximately 13% of licensed lawyers in the country, became the 39th state to institute an ethical duty of technology competence for lawyers. The state’s Rules of Professional Conduct dictate that a lawyer’s duty of competence encompasses “the duty to keep abreast of the changes in the law and law practice, including the benefits and risks associated with relevant technology.” An interactive map outlining which states have adopted technology competence under the rules can be viewed here. The rules that states have adopted are based on the American Bar Association’s (ABA) Model Rules of Professional Conduct which, in 2012, was amended to include Comment 8 to Model Rule 1.1, which pertains to competence and reads as follows:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
Comment 8 to Model Rule 1.1
Different Risk Postures Depending On Firm Profile
The risks and necessary associated measures to protect confidential information and a firm’s general integrity will differ depending on the scenario. While the standard from an ethics perspective is “the reasonableness standard,” each firm will have its threshold that it needs to meet.
Generally, the two core details that drive the direction of security measures are the size of the firm and the kind of matters it handles. For example, the solo firm would need to take a different risk mitigation approach than the multinational law firm with complex IT systems that span the globe. Further, even a small firm with a relatively simple technical infrastructure setup will need to take significantly more robust action than a solo handling a neighborhood real estate closing if they are handling high-risk or valuable data. To illustrate, the ABA’s 2021 cybersecurity summary from its 2021 Legal Technology Survey Report notes that 25% of law firms have suffered a data breach at some point. Further, as of only five months into 2024, 2024 is on pace to be the biggest year in the history of law firm data breach reports. Specifically, according to Law.com at least 21 law firms filed data breach reports to state attorneys general offices this year. By contrast, “2023 saw 28 law firm breach reports, while 2022 had 33 breach reports and 2021 had 38.” Regardless, these stats illustrate the growing threat that law firms face.
With all that said, even the most mundane matters can be of value to bad actors. While the large hacking syndicates or state actors might be interested in firms with high-value information that they can leverage and perform intentional and strategic hits, there are dangers that small firms need to be wary of too. For example, automated hacking, such as websites of a small firm or solo, also poses a risk, whether from a systems integrity perspective or even client matter disclosure. A report by Coveware on ransomware and related data breaches stated concerning law firms:
Small and medium-sized law firms continue to succumb to encryption ransomware and data exfiltration extortion attacks. Unfortunately, the economics of many small professional service firms do not encourage or enable adequate cybersecurity.
Coveware Ransomware Report
It is important to remember that even what might not seem interesting at first glance may be useful to various bad actors. For example, in 2020, at the height of the presidential campaign cycle between Donald Trump and Joe Biden, Grubman Shire Meiselas & Sachs, an entertainment and media law firm, was hit by ransomware. The firm had previously represented President Trump, and the hacking group claimed it stole close to one terabyte of sensitive client data, including confidential information about President Trump. In addition, the group demanded a large sum of money, or it would make the information public.
Beyond niche and smaller targets, many of the largest law firms with IT and security budgets in the millions of dollars have been attacked too. Often these firms are hit due to their vast and complex IT systems, numerous attack vectors, and highly sensitive information. For example, Jones Day experienced a data breach due to a zero-day vulnerability in vendor Accellion, which provided the firm with data transfer services. Bob Dooling, a cybersecurity specialist at Redox, stated that “Accellion has a track record of severe, readily exploitable vulnerabilities in the FTA product.”
Perhaps the most infamous breach of a law firm was Mossack Fonseca, a now-shuttered Panamian headquartered practice. The fourth-largest financial offshoring provider at the time, the firm had vast troves of client information leaked to the press, which led to the “Panama Papers” published in 2016. The leak implicated many politicians and other known figures in alleged tax avoidance and criminal schemes. While journalists lauded the incident as shining a light on matters of public interest, it was disastrous for the firm and its clients. In line with this, both existing and potential clients will direct their matters away from law firms with a poor track record when it comes to safeguarding information.
Simple Steps Go A Long Way
As anyone in the field of cybersecurity and data breach incident response work is likely aware, the question is not if but when an attack will occur. While the maxim is true, simple steps go a long way to mitigating any attempted attacks and subsequent damage. General awareness of the main risks to IT system security and integrity is critical to formulating proper measures and avoiding the most common threats. For example, any lawyer needs to know what phishing attempts look like and good digital hygiene, such as not using insecure WiFi connections.
Beyond awareness, securing adequate cyber insurance in addition to general malpractice coverage that includes any incidents and subsequent remedial actions should be a priority. Insurance is not only essential in instances where there is an incident, though. Clients are increasingly seeking firms acting as outside counsel to have cyber insurance policies for indemnification, among other purposes.
Effective technical measures and administrative safeguards are also of utmost importance and should include:
- backing up systems routinely
- requiring two-factor authentication
- limiting remote and non-tiered access
- incorporating threat detection and mitigation systems
- updating systems and applications regularly
- regular employee training, testing, and reporting regimen
- consistent review of system integrity by technical experts
- creation of an incident and breach response plan
The moral of the story is that regardless of size, firms of all stripes are potential targets, and an analysis of the risk profile of each firm is necessary. The implementation of corresponding reasonable security measures is critical. A comprehensive approach that aligns with the latest realities of a highly emergent and dynamic threat landscape is integral to protecting the firm, whether from ethics and professional responsibility obligations, malpractice or other private actions, or potentially firm-ending reputational harm.