The interconnectivity that makes technology so convenient is the very factor that makes networks so vulnerable. It can be easy to slip up even if you’re trying to be careful. Opening the wrong link on the wrong network can give a bad actor all the access they need.
From email phishing scams to high-level exploits and targeted attack campaigns against specific networks, law firms are especially common targets of hackers. Although a data breach is a major inconvenience for anyone, it is especially damaging for legal professionals. Because of the nature of the work, attorneys often serve as repositories for their client’s sensitive information. As such, lawyers are bound to a high ethical standard to protect the confidentiality of this information.
ABA Formal Opinion 477R illuminates the reality of the situation by saying, “Cybersecurity recognizes a … world where law enforcement discusses hacking and data loss in terms of ‘when,’ and not ‘if.’”
In decades past, the only way to access this information would have been to physically come into contact with paper files held under lock and key. It required a level of espionage that made the endeavor impractical and unusual. Today, a hacker could potentially gain access to every file a law firm has from half a world away without the firm even realizing it.
All the same, this does not change an attorney’s duty to keep their clients' information safe. Law firms must rise to the challenge presented by cyber-threats.
The protection of client information is not just a suggestion; it has been enumerated by several ethical rules by the American Bar Association. It falls under the umbrellas of competence (Model Rule 1.1), communication (Model Rule 1.4), the confidentiality of information (Model Rule 1.6), and supervision (Model Rules 5.1, 5.2 and 5.3).
Rule 1.1 was amended in 2012 to explicitly address an attorney’s obligation to maintain a competent understanding of relevant technology. Put another way, if you’re going to use the technology (which you’re more or less already obligated to do in order to serve clients these days), you have to use it in a way that enhances the service you can provide your client. That means vigilantly safeguarding their information.
As of this year, most states in the United States adopted this provision or provisions like it to Model Rule 1.1. The importance of the competent use of technology is easy to see.
When it comes to Model Rule 1.4, the focus of which is communication, the association with cybersecurity may not be as immediately obvious. Attorneys have an ethical obligation to keep their clients informed of any pertinent information involving them or their matter. That means that should your firm become the victim of a cyberattack that involves any of their information, you have an ethical obligation to notify them about such a breach. This is contrary to the natural inclination to try to quietly fix the situation and avoid embarrassment. The client has a right to know.
Confidentiality is covered by Model Rule 1.6. This duty to confidentiality does not only cover sensitive information but any “information relating to the representation of a client.” Typically, the only condition in which it is appropriate to share information on a client’s matter is with their informed consent. Not only do they have to agree to the disclosure, but they must also do so fully understanding the potential ramifications of such an action.
Of course, this doesn’t simply apply to the intentional sharing of information, but inadvertent leaks as well. This is why the 2012 revision to the Model Rule makes it clear that attorneys must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
It is important to note that the revisions from 2012 are not additions to an attorney’s ethical obligation. Instead, they are simply making crystal clear what was already intended by the rules for a more technologically advanced context.
In addition, Model Rule 5.1 effectively makes it clear that these ethical obligations are extended to everyone who works in a firm. From partners and managers to nonlawyer assistants, everyone is expected to maintain ethical vigilance in terms of client information. No one is exempt, everyone is culpable.
Many state ethics opinions have remarked on the ethical duty law firms have to maintain cybersecurity standards to the best of their abilities. These standards are both reasonable and elucidate a level of competence with modern technology.
For example, ABA Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” states that even if a firm took every reasonable step to protect client information, following every relevant model rule to the letter, should a breach still occur, it is the firms duty to inform the client immediately and explain the situation to the extent that it allows them to make an informed decision on what to do next.
It should also be noted that when it comes to ethical obligations, “simply doing your personal best” may not satisfy compliance. If a lawyer is not abreast of cybersecurity best practices their ignorance would not be a safeguard against potential retaliation. On the contrary, it is incumbent upon them to find someone familiar with cybersecurity. This is especially important as cybersecurity is not a one-and-done affair. It requires near-constant attention and regular maintenance.
The speed and convenience of electronic communication have made it far and away the preferred form of contact for most business professionals, attorneys included. Unfortunately, with the ease of use also comes the ease of exploitation. These exploits can make it relatively easy for hackers to obtain information from unencrypted communications. Attorneys must not only know the risks inherent in the form of communication but also how to guard against them.
Specific revisions to Model Rule 1.6 were added in 2000 to address the growing ubiquity of electronic communications. The language is plain, requiring “reasonable precautions to prevent the information from coming into the hands of unintended recipients.”
What is of particular note is that the Model Rule doesn’t explicitly require additional security is the means by which the communication is taking place provides a reasonable expectation of security. Conversely, the ethical obligation is to protect client data more than it is to follow the rules about protecting client data. As such, if additional security measures could have been implemented and a breach happens, the attorney may still have some explaining to do.
This conundrum most often takes the form of the debate between encrypted and unencrypted emails. Following the letter of the Model Rule, only special circumstances require additional security measures like encryption. However, it has been argued that unencrypted emails do not rise to the level of the “expectation of privacy.” The idea of unencrypted emails being analogous to postcards (that anyone can read in transit) and encryptions serving as envelopes (protecting the correspondence from unintended eyes) has been used by several outlets – most notably by Google and many others.
Furthermore, there is the argument that because Rule 1.6 states “the extent to which the privacy of the communication is protected by law,” the fact that unauthorized interception of electronic communications is against the law, encryption should not be necessary. However, this is another example of a situation where the intended purpose of the rule should outweigh the exact letter of the rule itself, especially in practical terms. Alternatively put: Better safe than sorry.
Letter of the Law vs. Spirit of the Law
It’s worth noting that an ABA ethics opinion from 1999 concluded that special security measures are not generally necessary for confidential email correspondence. That said, a lot has happened since 1999. Technology and our understanding of it have advanced by leaps and bounds.
According to the 2017 ABA Standing Committee on Ethics and Professional Responsibility Formal Opinion 477R, unencrypted email correspondence is still generally considered acceptable. However, there are circumstances where the additional security measure is not only suggested but required. It comes to the somewhat unhelpful conclusion that ‘it’s necessary when it’s necessary.’ The direct quote reading, “a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.”
This conclusion makes it clear that the best way to maintain ethical and legal obligations is to be on the same page with your client about cybersecurity expectations, especially in terms of electronic communications. Having it in writing is a surefire way to solidify that everyone is aware of everyone else’s expectations. It creates an agreed-upon list of do’s and don’ts so that matters like the use of encryption are no longer nebulous.
Local and Contractual Duties
Attorneys are not only bound to ethical responsibilities; they must also comply with common law expectations as defined by relevant case law wherever they happen to practice. This means that according to The Restatement, Third, of Law Governing Lawyers from 2000, even if they adhere to the ABA’s Model Rules, if they are not complying with local obligations they may still be open to claims of malpractice.
Clients especially concerned with confidentiality (most specifically those in regulated industries) have started making additional cybersecurity measures part of their representations contractual obligations. This adds yet another layer to the duty of protection expected from modern law firms.
Law firms take on an additional duty from federal and state laws that protect the information of employees, clients, the employees of clients, the customers of clients, and anyone else whose information may have been compromised in the event of a breach. This extends well beyond the ethical requirements of communication with your clients. That’s a lot more uncomfortable phone calls than is covered by mere compliance to ABA ethical obligations.
Cybersecurity in Practice
The old cliché that knowing is half the battle may be trite, but not untrue. It’s difficult to maintain all of these responsibilities if you are unaware of them. Once you know all of your cybersecurity obligations you can start coming up with a plan to maintain compliance with them. This will almost certainly take the form of creating a risk-dependent cybersecurity system.
Numerous technological tools can help with this process, but it won’t be as simple as downloading a program and calling it a day. It will require training all of your employees in at least the basics of cybersecurity best practices. It may even require hiring a dedicated cybersecurity specialist to help keep up with the ever-evolving threats to your data.
When it comes to cybersecurity, the importance of accountability can’t be stressed enough. Only allowing access to those who absolutely need it can help insulate sensitive data from leaking. The fewer people who have access to something, ostensibly, the chances it has to leak. Moreover, restricting access to as few people as possible will help you pinpoint the source of a leak, should a breach ever occur. If you know who has access to what information, there is less wasted effort in determining how to plug the leak in the future.
The next step is implementing reasonable security measures against both physically and electronically, prioritizing high-risk areas. This entails making sure everyone who needs to interact with protected information is equally aware of potential threats and how to avoid and/or rebuff them. The basic order of operations is as follows:
- Identify potential threats
- Institute measures to protect against them
- Detect any breaches
- Respond appropriately to any breaches, taking into account all ethical, legal, contractual, and regulatory responsibilities
- Recover as best you can and make sure you are not susceptible to the same kind of attack in the future.
You don’t have to start from scratch. Cybersecurity is on everyone’s mind as everyone is vulnerable in one way or another. That is why there are widely held standards that (in some cases) provide step by step instructions on how to best protect your online network.
The National Institute for Standards and Technology (NIST) and the International Organization for Standardization’s (ISO) are two of the most commonly used and regularly updated resources when looking to implement a cybersecurity framework. There’s even information specifically for smaller firms that can be found on the website for the Federal Trade Commission in its Cybersecurity for Small Business publication, as well as the NIST’s Small Business Cybersecurity Corner.
Cybersecurity is going to be an investment in both time and money, but it is more than worth it. The alternative is far more costly. A single breach can dash the reputation of a law firm, torpedoing its viability (potentially permanently). If all of this seems (understandably) daunting, it would be a good idea to either hire or consult an IT professional to either maintain your cybersecurity needs. In addition, law firms make sure all of the apps they use have robust data security and protection policies. Protecting client information is too important to try to wing it.
The cybersecurity landscape affecting lawyers and law firms is complex, and the suggestions offered above only entail the bare minimum in terms of cybersecurity best practices. This level of compliance will satisfy your ethical obligations but it is by no means the high-water mark in terms of protecting client data.