As technology continues to expand, the risk of cyber events and of the legal malpractice claims that can follow them increases. As the DLA Piper and Foley & Lardner cyber events showed, law firms are attractive targets for attackers because of their access to highly sensitive information, including Social Security numbers, credit card numbers, health information and other personal information. According to the American Bar Association, one in four law firms has experienced a data breach. Data breaches not only damage a law firm’s reputation but may also result in significant costs. Accordingly, it is essential for law firms to take preventive measures to safeguard against cyber events.
A cyber event is an occurrence that leads to the compromise, misuse, loss or theft of data, information systems, money or professional services, or a combination of these. A data breach is typically a cyber event that results in the actual compromise of material client confidential information. Accordingly, a cyber event is not necessarily a data breach.
Rule 1.1 of the Model Rules of Professional Conduct imposes a legal and ethical duty on attorneys to remain competent, which includes keeping up with changes in the law and in technology. Under comment 8 to Rule 1.1 of the Model Rules, “to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with the technology relevant to the lawyer’s practice.”
Additionally, lawyers have an ethical and legal duty to keep client information confidential. Under Rule 1.6(a) of the Model Rules of Professional Conduct, “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.” Paragraph (c), added to Model Rule 1.6 in 2012, provides that “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 18 to Model Rule 1.6 elaborates that the factors to be considered in determining the reasonableness of the lawyer’s efforts include “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.”
Further, the obligation for attorneys to use reasonable efforts to prevent loss or unauthorized access includes monitoring for a data breach. According to the ABA Cybersecurity Handbook, “a lawyer cannot take the ‘ostrich’ approach of hiding his head in the sand and hoping that his office or firm will not suffer a data breach that compromises client information.” The handbook continues, “lawyers must implement administrative, technical, and physical safeguards to meet their obligation to make reasonable efforts to protect client information.” When attorneys do not use reasonable efforts to protect client information, they expose themselves to a potential legal malpractice claim.
The foundation of breach preparedness is having a well-prepared incident response team. The response team should include representatives from IT, security, legal, compliance, communications and customer service and a member of the executive management team. Firms should regularly conduct security assessments to reevaluate existing privacy and security systems and procedures. This will help firms identify any vulnerability that should be addressed in the incident response plan.
Another key to preventing cyber events is keeping the security patches on your computers up to date. Investing in reliable hardware and software is essential. Law firms should use firewalls and anti-virus and anti-spyware software, with signatures updated daily, preferably automatically. Encryption of stored data and strong, regularly changed passwords are also necessary. Portable media, such as DVDs, CDs and USB flash drives, are especially susceptible to loss or theft; the same applies to smartphones, MP3 players and other personal electronic devices with storage that syncs with a computer. Only encrypted data should be permitted on portable storage devices. Each law firm should also maintain an out-of-band backup of its files, kept disconnected from the network so that ransomware cannot reach it, so that work can continue if files are maliciously encrypted.
Even if your firm invests in hardware, software and firewalls, phishing scams aimed at lawyers are becoming more prevalent. Phishing relies on social-engineering tactics to deceive individuals into disclosing personal information through computer-based means. Typically, the perpetrator first researches the intended victim to gather the background information needed for the attack. The attacker then works to gain the victim’s trust and prompts actions that breach security practices, such as revealing sensitive information or granting access to resources. Accordingly, a firm is only as strong as its weakest link, which is typically its people. Staff training and awareness is one of the most important steps in avoiding cyber fraud. The earliest detection allows for the quickest response, so all personnel must be trained to recognize that a breach may have occurred and to report it immediately. Employees should be aware of the characteristics of risky emails, such as a sender address that does not match the displayed name, a look-alike domain, a reply-to address that differs from the sender, and pressure to act immediately on a wire transfer or password reset, so that they are more likely to recognize them and avoid becoming victims. It is also good practice to train all personnel and third-party contractors on basic breach response protocol.
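The same hallmarks that staff are trained to spot can be screened for automatically before a message reaches an inbox. The Python script below is an added example written for this page, not code from the original article or from any product; the firm domain examplelaw.com, the urgency word list and the two sample messages are constructed for illustration. It parses a raw email with the standard library and reports display-name spoofing, a diverted Reply-To, a look-alike sender domain, pressure language and links to look-alike or bare-IP hosts.

```python
"""Heuristic screen for the common hallmarks of a phishing email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "examplelaw.com"  # assumed firm domain, hypothetical
FIRM_LABEL = FIRM_DOMAIN.split(".")[0]

# Words that typically accompany pressure to act before thinking (constructed list).
URGENCY_TERMS = ("immediately", "urgent", "wire", "overdue", "suspended", "verify your account")

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}(:\d+)?")


def _domain(header_value):
    """Domain part of an address header such as 'Jane <jane@x.com>' ('' if absent)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target=FIRM_DOMAIN):
    """True for hosts that imitate `target` (examp1elaw.com, examplelaw.com.evil.net)
    but not for the firm's own domain or its subdomains."""
    host = (domain or "").split(":")[0].lower()
    if not host or host == target or host.endswith("." + target):
        return False
    return _edit_distance(host, target) <= 2 or target.split(".")[0] in host


def _body_text(msg):
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess(raw_message):
    """Return the list of phishing indicators found in an RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))

    # 1. Display name claims to be the firm, but the address is not the firm's.
    if FIRM_LABEL in re.sub(r"[^a-z0-9]", "", display_name.lower()) and from_dom != FIRM_DOMAIN:
        flags.append("display-name spoofing")
    # 2. Replies are silently diverted to a different domain than the sender's.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to mismatch")
    # 3. Sender domain imitates the firm's domain.
    if is_lookalike(from_dom):
        flags.append("lookalike sender domain")

    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    # 4. Pressure language in the subject or body.
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    # 5. Links to look-alike hosts or to bare IP addresses.
    for host in URL_RE.findall(text):
        if is_lookalike(host) or IPV4_RE.fullmatch(host):
            flags.append("suspicious link host: " + host)
    return flags


def is_risky(raw_message, threshold=2):
    """Flag a message for review when it shows at least `threshold` indicators."""
    return len(assess(raw_message)) >= threshold


# Constructed sample messages (not real traffic).
PHISH = """\
From: "Example Law Accounting" <accounts@examp1elaw.com>
Reply-To: payments@mail-relay.example.net
To: associate@examplelaw.com
Subject: URGENT: wire instructions updated for closing today
Content-Type: text/plain

Please send the closing funds immediately to the new account.
Confirm here: http://examplelaw.com.secure-login.example.net/confirm
"""

LEGIT = """\
From: "Jane Doe" <jane.doe@examplelaw.com>
To: associate@examplelaw.com
Subject: Draft motion for review
Content-Type: text/plain

Attached is the draft motion; comments welcome by Friday.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, is_risky(sample), assess(sample))
```

Heuristics like these produce false positives (a genuine vendor whose domain happens to contain the firm's name, a real urgent filing deadline), so the script is a screen that routes a message for a second look, not a verdict; the human training the article calls for remains the control that matters.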
Lastly, if your firm suffers a data breach, every state has a breach notification law that requires notification of affected clients or parties. The required contents and timing of the notification vary by state, so research the data breach notification laws of your state, and of any state where affected individuals reside, to remain compliant.