On October 17, 2018, the ABA released Formal Opinion 483, titled “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack”. In addressing lawyers’ ethical obligations, the Opinion underpinned its central message with an emphasis on a lawyer’s duty to be technologically competent. The practice of law and technological competence seem paradoxical: technology, progressive and fast-paced, reluctantly exists within the confines of the law, an archaic and reactive field. As such, it should come as no surprise that the ABA published this Opinion following a multitude of high-profile law firm data breaches that captured international headlines. Cyber attacks involving law firms have only increased in the years since the Opinion was published, further supporting the notion that adequately investing in cybersecurity is not only a matter of professional responsibility but also a necessary survival strategy. Cyber criminals are constantly utilizing cutting-edge technology to attack their targets, and law firms are squarely in their bullseye.
To the threat actor opportunists, a law firm presents one of the most lucrative targets on the internet. For starters, law firms deal with highly sensitive data. Trade secrets, financial information, and detailed personal information are all examples of sensitive data that can be obtained from a single client. After multiplying this by the number of clients a large firm typically handles (ranging from dozens to hundreds), one can see why the sheer amount of sensitive data presents a virtual goldmine to malicious actors. The FBI has even gone so far as to say that law firms are often viewed as “one-stop shops” for attackers. Compounding this problem is the legal profession’s reluctance to invest adequate time and resources in cybersecurity: in a 2018 Survey on Cybersecurity Preparedness, 45% of law firms reportedly did not have any cybersecurity policies in place. Firms rarely staff a dedicated cybersecurity professional. Usually this task is relegated to traditional “IT staff”, who are often understaffed themselves. In a self-regulated industry, this lack of proactive prevention raises major liability issues for clients and lawyers alike.
Thankfully, clients have led the push for cybersecurity in law firms. In recent years, corporate clients have scrutinized the security of their vendors. Whether in SEC filings or acquisitions, a cybersecurity or data protection clause is now standard in due diligence reviews. Increasingly, corporate clients on the verge of historic deals will not engage a vendor, law firm or not, that lacks at least commercially reasonable cybersecurity measures. What qualifies as “commercially reasonable”? Although the exact requirements may differ depending on the jurisdiction, minimum safeguards include the use of strong passwords, encryption of highly sensitive data, and up-to-date software. Additionally, firm-wide training on security policies and procedures is crucial. After all, the best defensive measures are easily circumvented by the actions of a careless employee.
For small to midsize practitioners, these concerns also scale downwards - and rightfully so. While a data breach may be damaging to a large retailer, it may prove fatal to a mom-and-pop operation. Similarly situated law firms should take note. Smaller and mid-size firms, lacking the manpower and resources that their larger counterparts dedicate to cybersecurity, must be especially proactive about their security. Without dedicated security staff, smaller law firms must rely either on outsourced support or on their own lawyers to handle cybersecurity concerns. This places smaller firms in a dangerous predicament: they are exposed to the same type, and sometimes the same level, of risk that larger firms face, without the defenses required to address such risks.