Law firm cybersecurity is becoming more critical with each passing year. Law firms are frequently targeted by cybercriminals due to the sensitive client information they possess and the international reach that some of them have.
The American Bar Association is taking notice.
Data from the 2017 ABA Legal Technology Survey found 22% of law firms got hacked or experienced data breaches in 2017. Law firms are also vulnerable to state-sponsored attacks from Russia, Iran and China, as evidenced by a 2019 Chinese hack into a U.S. firm known for its expertise in intellectual property. Cybersecurity for law firms is rapidly becoming a hot topic.
To help firms understand these threats, in October 2018, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack. This opinion follows 2017’s Formal Opinion 477R, that outlined ethical obligations of attorneys to secure client confidential client data when communicating over the Internet.
It is remarkable that the ABA has highlighted ethical obligations regarding data security and it underscores the importance of responding to a data breach with legal and ethical guidelines.
Opinion 483 states that “lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.”
The opinion rightfully identifies that law firms are custodians of “highly sensitive information” and are at heighted risk for hackers as a result. It is important to note that compliance with any applicable federal and state breach notification laws is required but those requirements may not be sufficient to meet the with the ABA’s ethical obligations.
Opinion 483 provides exhaustive, explicit guidance detailing lawyers’ data security obligations, including responsibilities to clients after breaches or cyberattacks have occurred, including:
- Lawyers must take “reasonable steps” to monitor for data breaches.
- When a breach is detected, lawyers must act “reasonably and promptly” to fix the breach and mitigate resulting damages.
- A lawyer must make reasonable efforts to assess and identify electronic files that were accessed.
- Lawyers have a duty to notify clients of breaches that have significant likelihood of involving client information.
- Lawyers must provide notice to their affected clients of the breach “to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.”
- Breaches must be fully and accurately described and disclosed records to affected clients by the impacted firm.
- Lawyers do not have an obligation to inform former clients of a breach; however, many contracts for legal services may include an affirmative duty to notify a former client of a data breach.
Protection for Law Firms
Law Firm cybersecurity is complex. While there are various kinds of intrusion points that criminals can leverage, they can have drastic impact on a firm’s operation and their client’s privacy. Here are some of the best ways a law firm can protect itself and its clients:
- Secure internal systems with in-house IT staff or a well-known managed service provider.
- Educate staff regularly on spam, phishing, malware, ransomware and social engineering attack methods.
- Ensure authentication security and screening for compromised passwords on all internal systems, including Active Directory. Expected password policies have recently changed based on NIST 800-63B guidelines.
- Consider providing extra security measures like encryption, for client files that include legally protected information such as personally identifiable information (PII) or personal health information (PHI).
- Employ proactive security measures to protect systems from external access points, including credential screening for online client accounts. Network security is critical.
- Develop incident response plans to allow for quick and appropriate responses to a data security incident.
- Outline post-breach investigation processes to determine whether the intrusion has been stopped and to evaluate the data lost or accessed.
- Have a method to track data breach contractual requirements with current and former clients.
- Password protect all devices. According to a recent study, 90% of lawyers password protect their laptop. 92% of lawyers password protect their smart phone. Both those numbers should be 100%.
- Understand regulatory or statutory breach notification requirements in all jurisdictions where the firm has activities.
- Adopt a document retention schedule to reduce the amount of information relating to former clients stored in IT systems.
- Adopt methodology to help determine if legally protected information such as PII or PHI was accessed. These are triggers for statutory or regulatory obligations.
- Determine whether the breach accessed client data that may interfere with representation. The ethical guidelines would then be applicable.
- Ensure that everyone in the firm, even the highest-level partners, follow security guidelines and procedures. This is a rampant issue within law firms.
- Offer identity theft protection through a service, like IDShield, as an employee benefit. Since many people use the same password across personal and work accounts, this protects the firm as well.
“Law firms are frequently targeted by criminals due to the sensitive nature of their work. Only 24% of lawyers report that they use a password manager at work. The IT department of law firms are can help to mitigate password related vulnerabilities applying password policies that prevent the use of easy-to-guess passwords.”Josh Horwitz, COO, Enzoic.