The Ethical Obligation of Maintaining Reasonable Cybersecurity Measures

Although data breaches have become frequent, the consequences can be severe, and businesses of all kinds must seek to avoid breaches outright. However, in the event of a successful attack, how a business responds can be just as important.

As to law firms in particular, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483 provides guidance “on an attorney’s ethical obligations after a data breach.”

This Formal Opinion maintains the expectation that law firms will have data protection systems already in place.  However, it also mandates that lawyers must make clients aware of confidentiality-compromising data breaches.

According to a 2019 Law.com investigation, over 100 law firms have recently reported data breaches, and the issue seems to be getting worse, not better. For example, the investigation found that the number of reports spiked significantly in 2018 and continued at high levels in 2019.

Instead of waiting for a cyberattack to hit their firms, lawyers should learn from this ever-growing list of cautionary tales, and make cybersecurity and data breach prevention a priority.

Law Firms Are Prime Targets of Cyberattacks

It is a necessity of the legal profession to deal with sensitive information for clients. For this reason alone, law firms tend to be prime hacker targets.  Sensitive client information could be anything from confidential stock or tax information to private trade secret information, personally compromising information to medical records, and the list goes on and on.

Less than 30 years ago, espionage of this type would’ve meant physically breaking into a law office and copying or stealing confidential documents. Today, if a lawyer or administrative employee carelessly clicks on the wrong link, they can open up their entire firm to a devastating cyberattack launched from half a world away.

Should a law firm become the victim of such an attack, Formal Opinion 483 lays out the proper course.

It references five of the Model Rules of Professional Conduct as the foundation of the opinion. These rules pertain to the duty of competence, the expectation of keeping clients reasonably informedattorney-client confidentiality, and the responsibility of a managing or supervisory attorney to ensure a firm’s compliance with the Rules of Professional Conduct for both attorney and non-attorneys alike.

The ABA Standing Committee notes that “[c]ompliance with the obligations imposed by the Model Rules of Professional Conduct, as set forth in this opinion, depends on the nature of the cyber incident, the ability of the attorney to know about the facts and circumstances surrounding the cyber incident, and the attorney’s roles, level of authority, and responsibility in the law firm’s operations.”

It should be mentioned that Formal Opinion 483 does not explicitly discuss other laws with post-breach requirements of their own. Quite the contrary, the Opinion states that “[e]ach statutory scheme may have different post-breach obligations, including different notice triggers and different response obligations.”  Thus, the opinion puts the onus on the attorney to further look into any additional obligations not laid out directly by the opinion itself.

Reasonable Recommendations

Data breach prevention is not a ‘one and done’ affair, it takes ongoing vigilance. That said, there are numerous ways of greatly reducing your susceptibility.

It is more important than you may realize to make sure all of the technology in use at your firm is up to date. Software updates commonly come with “patches” that fix points of vulnerability. The notifications can be innocuous and easy to ignore, and it may seem like an inconvenience to restart the computer, mobile phone, or other system. However, if you don’t have the most up to date version of the software you’re using, in all likelihood, you are leaving an unnecessary opening for hackers to exploit.

Unfortunately, this means if the technology you employ is no longer supported by its manufacturer, it’s time to replace it. This applies even to programs and devices that otherwise still work fine. It can be a hard pill to swallow, particularly if the firm has gotten used to the particular software or hardware. But, it is far better than the alternative of getting hacked.

Adhering to these cybersecurity best practices is not just about avoiding trouble with an attorney regulator. More and more clients are requiring a steadfast commitment to data protection.  For example, Microsoft recently reported survey results showing 91 percent of people wouldn’t do business with a company using outdated technology.

Although data protection is certainly a constant endeavor, it often doesn’t need to be a difficult one.  Just make sure you stay on top of the updates.

In addition, Google and Microsoft have security controls already woven into their respective email platforms –you just need to turn them on, and keep them on.  Moreover, email encryption software and secure client portals are as easy to find as they are to implement.

The Human Component

Having the most secure technology is unfortunately not enough. It is the proper application of this technology that truly safeguards against attack.

According to a report from Above the Law, “email is the weakest link for many law firms, with phishing emails being one of the most common types of hacking encountered by lawyers.”

When most people think of hacking, they imagine someone with high-tech equipment, running programs to try thousands upon thousands of potential passwords to break into someone’s account. These are not the most prevalent forms of attack. It is far easier to attack the person using the program, than the program itself. These attacks are called phishing.

In a phishing attack, a hacker will create an email designed to appear to be from a trusted or reputable source. Inside the email, it will either ask you flat out to input sensitive login information or it will provide a link that, when clicked, will download malicious programs to your computer (usually unbeknownst to you). These programs may steal information outright or track your traffic and keystrokes to extrapolate your passwords.

A good spam filter should catch the majority of these phishing emails. Still, some of them are crafted such shocking sophistication that they may slip through the cracks. A general rule of thumb is to avoid clicking links in emails full stop.

It’s bad enough to be breached, but you don’t want to unintentionally give hackers the keys yourself. Teaching employees about these types of attacks, how to recognize and avoid them, and making sure they handle sensitive information securely is a great way to satisfy Rule 1.6 confidentiality obligations.

Additional Measures

Cybersecurity doesn’t have to be guesswork. There are experts you can consult that find and plug potential points of vulnerability in your firm. The effectiveness of having a detailed cybersecurity game plan cannot be overstated. Moreover, having a plan in place in case of a breach is likely equally important.

As Formal Opinion 483 notes, in reference to Rule 1.4, lawyers must act reasonably and promptly to minimize the damage of a breach as much as they possibly can.

No cybersecurity system is 100% safe. If the worst should happen, trying to hide it from clients is an understandable impulse. However, this is the ethically incorrect approach, and could land you in serious trouble. If the breach affects their confidential information, your clients have a right to know immediately.

Sophisticated frameworks, such as those promulgated by the National Institute of Standards and Technology (NIST), are available to provide more detailed information.  However, this cursory incident response plan created by the American Bar Association can serve as a starting point:

  • Confirm the extent of the damage.
  • Appoint someone to spearhead an investigation?
  • Fix problem (most often removing hackers from your network) without deleting evidence of the incursion.
  • Decide whether the situation requires the help of outside experts or if internal resources will suffice.
  • In the case of a data breach, determine and execute all legal requirements.
  • Redouble your security efforts to make sure this specific type of incident never happens again.

Conclusion

Although data breaches are not a risk singular to law firms, law firms the nature of their work does make them more attractive targets. That is why bodies like the ABA Standing Committee and various State governing bodies have rules and laws in place to deal with their eventuality.

As technology continues to advance, expect more and more guidance from these organizations.  There is no end zone when it comes to data protection. The more sophisticated the defense system, the more imaginative the attacks become.

This should not discourage proper data management, however. Not only is it your ethical and legal requirement, but clients demand it as well.

The article was first published in Law Practice Today on 12/15/2019.