In today’s digital world, all businesses are at risk for electronic data breaches and other cyber attacks. But law firms are particularly vulnerable, in part because they are such enticing targets for cybercriminals. According to the ABA’s most recent Legal Technology Survey Report, 26 percent of respondents have experienced some sort of security breach.

This is not surprising, given the sensitive client data that may be contained on a firm’s servers, computers and mobile devices. Examples include: Privileged communications, confidential business and financial information, medical records and other protected health information, insider information about planned mergers and acquisitions, proprietary trade secrets and other intellectual property and internal memoranda and documents revealing protected attorney work product.

Theft or destruction of this information can be devastating to a firm’s reputation and client relations. Moreover, failure to take reasonable steps to protect it can violate professional conduct rules and expose a firm to potential malpractice liability. It is critical for firms to have strong cybersecurity programs. Nevertheless, many firms do not give cybersecurity the attention it demands. According to the ABA report, 19 percent of respondents said they did not know whether their firms had ever experienced a security breach and only 31 percent reported having an incident response plan.

Obligations to Protect Client Information

ABA guidance spells out the duties of lawyers to safeguard electronic information under the Model Rules of Professional Conduct. For example, ABA Formal Opinion 477, Securing Communication of Protected Client Information, describes a lawyer’s duty to understand how and where confidential information is transmitted and stored, keep abreast of technology benefits and risks, and implement reasonable electronic security measures. It also emphasizes Model Rule 1.6(c), which requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

In addition, ABA Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, concludes that lawyers are obligated to make reasonable efforts to monitor their technology for data breaches, stop detected breaches and mitigate the damages. It also interprets Model Rule 1.4 — which requires lawyers to keep clients “reasonably informed” about the status of a matter — to impose a duty to notify clients of data breaches “involving, or having a substantial likelihood of involving, material client information. . . .”

Steps You Should Take

To ensure that your firm’s data is secure, consider the following steps:

• Conduct a cybersecurity risk assessment to take inventory of your data, hardware and software, map out data flows and access points and evaluate your information security policies, procedures and controls. If necessary, update policies, procedures and controls to ensure data is secure;
• Make sure you are using up-to-date software and devices with the latest security patches and features;
• Adopt best practices, such as strong passwords, two-factor authentication, data encryption (including encrypted email) and robust mobile device management protocols and systems;
• Train employees on good cybersecurity practices, including how to spot and avoid phishing emails and other social engineering techniques;
• Move data to the cloud. Typically, data is more secure in the cloud than it is on your firm’s in-house servers, so long as you conduct proper due diligence on technology vendors; and
• Implement effective backup and recovery systems. This is critical in the event a ransomware or other attack erases, damages or prevents access to your data.

Keep in mind that your firm need only make “reasonable efforts” to keep client data secure. The ABA stresses that determining what is reasonable is a fact-based analysis that depends on your firm’s particular risk profile and resources. Factors to consider in making this determination include the sensitivity of the information, the likelihood of disclosure absent additional safeguards, the cost and difficulty of implementing such safeguards and the extent to which the safeguards adversely affect your ability to represent clients; for example, by making a critical device or program excessively difficult to use.

For more information, contact Jacqueline Janczewski at [email protected] or 312.670.7444. Visit ORBA.com to learn more about our Law Firm Group.

© 2019