Many small and mid-sized law firms are at an increased threat
for cyberattacks resulting from failure to take adequate
cybersecurity precautions. Smaller law firms often lack the
expertise and willingness to expend operating costs on proper
cybersecurity. Law firms operating without properly developed
cybersecurity plans and safeguards are at risk for violating Rules
of Professional Conduct and exposure to the very real threat of
cyberhacking.
ABA Model Rules of Professional Conduct (MRPC) require
consideration of cybersecurity issues.
MRPC 1.1 provides, "A lawyer shall provide competent
representation to a client. Competent representation requires the
legal knowledge, skill, thoroughness and preparation reasonably
necessary for the representation." ABA's comment 8 to the
rule states, "To maintain the requisite knowledge and skill, a
lawyer should keep abreast of changes in the law and its practice,
including the benefits and risks associated with relevant
technology."
MRPC 1.6(c) provides, "A lawyer shall make reasonable
efforts to prevent the inadvertent or unauthorized disclosure of,
or unauthorized access to, information relating to the
representation of a client." The rule applies to email
communication.
Additionally, ABA's Formal Opinion 477 states that,
"[A] lawyer may be required to take special security
precautions to protect against the inadvertent or unauthorized
disclosure of client information when required by an agreement with
the client or by law, or when the nature of the information
requires a higher degree of security." While, Formal Opinion
483 provides that, "when a data breach occurs involving, or
having a substantial likelihood of involving, material client
information, lawyers have a duty to notify clients of the breach
and to take other reasonable steps consistent with their
obligations under these Model Rules."
The Opinions make it clear that "the potential for an
ethical violation occurs when a lawyer does not undertake
reasonable efforts to avoid data loss or to detect cyber-intrusion,
and that lack of reasonable effort is the cause of the
breach." The opinion further states that "As a matter of
preparation and best practices, however, lawyers should consider
proactively developing an incident response plan with specific
plans and procedures for responding to a data breach."
Too many law firms are taking cybersecurity for granted;
however, recent email spoofing and hacking incidents are bringing
more light and attention to the issue of cybersecurity.
Smaller law firms often have the mentality that only large firms
are at risk for being targeted. However, in addition to the
traditional approach of throwing out a wider net for potential
hacking targets, computer hackers are now also specifically
targeting smaller law firms because they are seen as easy targets
when compared to larger law firms and financial companies that have
invested in cybersecurity over the years.
Additionally, law firms take for granted the vast amounts of
their clients' confidential information in their possession.
Found with law firms' files is a wide range of information
ranging from personally identifiable information, to private
medical records, and finally personal and corporate financial
information. This information makes law firms very attractive
targets for computer hackers.
Experts recommend that law firms develop and employ adequate
cybersecurity measures. A leading recommendation is implementing
two-factor authentication for access to firms' computer systems
and email, which requires users to authenticate with a second,
constantly changing code available on the user's smartphone.
This assists in preventing cyber-attacks utilizing email spoofing,
leading to recent cases where individuals were fraudulently
convinced to transfer large sums of money to hackers.
Ultimately, as today's hacking and spoofing attacks become
more sophisticated, law firms must recognize and acknowledge the
reality of existing threats, develop and implement reasonable
security measures, and finally consider retaining the services of
outside technical experts and/or outsourcing the firm's
cybersecurity to third-party companies that specialize in this
field.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Gloss