Part 1 of a special three-part series on cybersecurity
Our world is evolving because of technology. Lawyers and law firms need to keep pace. In fact, it is our ethical duty to do so — a duty that we need to take much more seriously.
We are stewards of our clients’ most sensitive information. Yet, as an industry, lawyers and law firms lag far behind accepted standards for safeguarding information, rendering us attractive and lucrative targets for cyber-attack. We have put ourselves in this vulnerable position, even though our business success depends on our professional reputation, which would be tarnished or ruined by a breach. We do so even though we are also bound by some of the most rigorous ethical and fiduciary duties applicable to any service provider.
As a result, the American Bar Association amended the Model Rules of Professional Conduct in 2012 to address the impacts of technology on the practice of law. New Hampshire largely adopted those modifications effective January 1, 2016.
One of the most basic changes is to require lawyers and law firms to keep pace with technology as a part of our duty of competence. In New Hampshire, that requires us to “keep reasonably abreast of readily determinable benefits and risks associated with applications of technology used by [us], and benefits and risks of technology lawyers similarly situated are using.” N.H. Rule of Professional Conduct 1.1, Ethics Committee Comment.
The ABA and New Hampshire also amended the ethics rules to more expressly address our duty with respect to information security. Rule 1.6 had always required lawyers and law firms to maintain the confidentiality of client information. Now, comment 18 explains that, to satisfy that duty, we must affirmatively implement reasonable safeguards to protect information from theft or unauthorized disclosure:
[Rule1.6(c)] requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure.
N.H. Rule of Professional Conduct 1.6, comment 18. In addition to this rule change, the ABA also published a handbook in 2013 on information security, called “The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals.”
Despite these rather public attempts to grab our industry’s attention about information security, most lawyers and law firms did not respond accordingly. The next forays into this topic by the ABA and New Hampshire Ethics Committee were opinions addressing particular information security issues. See ABA Formal Opinion 483 (October 17, 2018) (duty to notify clients of breach); ABA Formal Opinion 477R (May 22, 2017) (duty to encrypt email); N.H. Ethics Committee Advisory Opinion 2012-13/4 (February 21, 2013) (duties when using cloud storage).
These opinions conspicuously outline the broad duties of lawyers and law firms to affirmatively implement reasonable measures to protect client information. Quoting the Cybersecurity Handbook, the ABA repeatedly warned that our ethical duties require us to engage in the following information security risk management process:
[A] fact-specific approach to business security obligations … requires a “process” to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and assure that they are continually updated in response to new developments.
Id., at 9; ABA Formal Opinion 477R, at 4. “[T]he potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.” Id., at 6. By contrast, “Rule 1.6 is not violated even if data is lost or accessed if the lawyer has made reasonable efforts to monitor [and prevent] breaches of confidential information.” Id., at 9.
Because information security is a fact-driven process tailored to the business of each lawyer and law firm, “[w]hat constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent on a set of factors.” ABA Formal Opinion 477R, at 4. Some such factors and specific security techniques are mentioned in the opinions and comments to the rules.
- Evaluate the “sensitivity of the information,” Rule 1.6, comment 18, and the “nature of the threat” involved, ABA Formal Opinion 477R, at 4 (“‘Reasonable efforts’ in higher risk scenarios generally means that greater effort is warranted.”)
- Assess “the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients ….” Rule 1.6, comment 18.
- “[U]nderstand how the firm’s electronic communications are created, where client data resides, and what avenues exist to access that information. … Each access point, and each device, should be evaluated for security compliance.” Id., at 6.
- “[U]se electronic security measures to safeguard client communications and information. A lawyer has a variety of options …, [like] … the use of a Virtual Private Network or other secure internet portals …, using unique complex passwords changed periodically, implementing firewalls and anti-malware/anti-spyware/antivirus …, and applying all necessary security patches and updates …. It also may be reasonable to use commonly available methods to remotely disable lost or stolen devices, and destroy the data contained on those devices …. Other available tools include encryption of data that is physically stored on a device and multi-factor authentication to access firm systems.” Id., at 6-7.
- “[E]stablish policies and procedures, and periodically train employees … in the use of reasonable security methods …. [F]ollow up to ensure that these policies are being implemented ….” Id., at 9.
While ethics rules require lawyers and law firms to implement reasonable information security measures, most of us lack the expertise to do so without help. Accordingly, the next article in this series will address the team to assemble for the information security process (i.e., an experienced information security attorney, an outside technology security company, and your firm’s own business and information technology leaders), and the final article in the series will discuss the steps for performing an information security risk management process.