Competent and Reasonable Measures of Data Security

By Kevin Roth

The probability of a malware attack on the legal community is higher than ever.  In 2015, Cisco ranked law firms as the seventh most-vulnerable industry to “malware encounters”.[1] Bloomberg Law reported in 2015 that at least 80 of the 100 biggest [law] firms in the country, by revenue, have been hacked.[2]  The cybersecurity firm LogicForce recently released a report revealing that over 200 U.S. law firms faced hacking attempts for confidential client data between 2016 and 2017, and 40% of the firms didn’t even know the attack had occurred.  Additionally, the LogicForce report found:

  • Consistent evidence that cyber-attacks on law firms are non-discriminatory.  Size and revenue don’t seem to matter.
  • Only 23% of firms have cybersecurity insurance policies.
  • 95% of assessments conducted by LogicForce show firms are not compliant with their data governance and cyber security policies.
  • 100% of those firms are not compliant with their clients’ policy standards.[3]

The recent WannaCry ransomware attack infected more than 200,000 computers in a single day.  Users were stunned with a message that read: “Oops, your files have been encrypted!”  Attackers demanded $300.00 in Bitcoin digital currency to restore access.  Experts report that the attackers could ultimately cash in on $1 billion to unlock infected machines.[4]

Other modes of attack are less obvious and can insidiously collect sensitive client data, which becomes extremely lucrative when sold on the dark web (and, likewise, a financially devastating and brand-damaging liability to the firm).

Lawyers and law firms are keenly aware of their responsibility of confidentiality, but what are the parameters in the evolving world of cyber data protection?  Most lawyers agree that confidentiality obligations apply to electronic client data, but it isn’t clear what measures lawyers are required to take to protect it.

ABA Model Rule 1.6 defines the duty of confidentiality broadly, generally interpreted as applying to client information in computer and information systems.  An amendment to ABA Model Rule 1.6, as part of the Ethics 2000 revisions, added Comment 16, which requires reasonable precautions to protect and preserve confidential information: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client”.[5]

New Jersey outlines general security laws requiring reasonable measures of protection for personal information.  The State Bar of Arizona Ethics Opinion 09-04, in reference to Opinion 05-04, suggests that “in satisfying the duty to take reasonable security precautions, lawyers should consider firewalls, password protection schemes, encryption, anti-virus measures, etc.”[6]

A 2010 Massachusetts law, M.G.L. c. 93H, includes regulations to protect personal information of commonwealth residents.  The regulations contain specific computer system security requirements, including encryption of all transmitted records and files containing personal information that will travel across public networks, of all data containing personal information to be transmitted wirelessly, and of all personal information stored on laptops or other portable devices.  Secure user authentication, secure access control, reasonable monitoring to detect unauthorized access, reasonably up-to-date firewall protection, reasonably up-to-date security software (including patches and virus definitions), and education and training of employees are also explicitly outlined.[7]

As encryption becomes a security standard, it is likely to become the benchmark for what is reasonable for lawyers.  It has been suggested that legal standards currently applied to financial services can provide a basic framework for lawyers to follow until state and federal laws become more unequivocal.

So how can “competent and reasonable measures” for data security be instituted?  The following list comprises the minimum actions that should be taken to meet the obligation of protection:

  • Regularly back up data and check backup integrity, as backups may be the best way to recover critical data from infected systems.  Follow the 3-2-1 backup plan: three copies of the data on two different devices, one of which should be stored off-site.
  • Educate employees on secure data handling and ensure anyone who handles data is trained to recognize—and avoid—common modes of cyber-attacks.  It is the responsibility of the firm to make sure all employees are aware of their critical role in protecting the organization’s—and its clients’—data.
  • Identify and classify sensitive business and client data on computer systems, and conduct regular risk assessments.
  • Implement preventive measures to control unauthorized access or transmission of sensitive data.
  • Keep operating systems, software and firmware up to date with regular patch management.
  • Manage account privileges; limit administrative access to mitigate risk if an attack is successful.
  • Install antivirus and antimalware solutions that automatically update and conduct regular scans; also employ firewalls to prevent malware from infecting systems.
  • Create software restriction policies to prevent programs from executing from common ransomware locations.
  • Have a business continuity plan in place, test regularly and be ready to remediate immediately if a security breach is detected.
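The backup item on the list above is the one measure that can be checked mechanically rather than by policy review. The script below is an added example, not code from the article or from Document Solutions LLC: it builds a SHA-256 manifest of a source directory, verifies each backup copy against that manifest (so silently corrupted or encrypted backup files are caught before they are needed), and evaluates whether the intact copies satisfy the 3-2-1 rule. The client files, directory layout and device labels it creates are constructed for the demonstration.

```python
"""Backup integrity check against the 3-2-1 rule (added example, not the article's code).

A backup that has never been verified is a guess, not a recovery plan. This
script hashes every file under a source tree, re-hashes each backup copy and
reports files that are missing or whose contents differ, then counts only the
intact copies toward "three copies, two devices, one off-site".
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def verify_copy(manifest, copy_root):
    """Return (missing, corrupted) relative paths for one backup copy."""
    actual = build_manifest(copy_root)
    missing = sorted(p for p in manifest if p not in actual)
    corrupted = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return missing, corrupted


@dataclass
class BackupCopy:
    path: str      # where this copy lives
    device: str    # constructed label for the physical device holding it
    offsite: bool  # True if the device is stored away from the office


def check_3_2_1(source_root, source_device, copies):
    """Verify every copy, then evaluate the 3-2-1 rule over the intact ones only."""
    manifest = build_manifest(source_root)
    results, intact = {}, []
    for copy in copies:
        missing, corrupted = verify_copy(manifest, copy.path)
        ok = not missing and not corrupted
        results[copy.device] = {"ok": ok, "missing": missing, "corrupted": corrupted}
        if ok:
            intact.append(copy)
    devices = {source_device} | {c.device for c in intact}
    return {
        "copies": results,
        "three_copies": 1 + len(intact) >= 3,   # the live data counts as one copy
        "two_devices": len(devices) >= 2,
        "one_offsite": any(c.offsite for c in intact),
    }


def run_demo(tamper_offsite=True):
    """Create a constructed client tree plus two backup copies in a temp dir,
    optionally corrupt one file in the off-site copy, and run the check."""
    base = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        src = os.path.join(base, "source")
        sample_files = {  # constructed sample data, not real client material
            "clients/acme/contract.txt": b"draft v3\n",
            "clients/acme/notes.txt": b"privileged notes\n",
        }
        for rel, data in sample_files.items():
            path = os.path.join(src, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        copies = [
            BackupCopy(os.path.join(base, "nas"), "nas-1", offsite=False),
            BackupCopy(os.path.join(base, "cloud"), "cloud-1", offsite=True),
        ]
        for copy in copies:
            shutil.copytree(src, copy.path)
        if tamper_offsite:
            # Simulate a backup file that was corrupted or encrypted after it was taken.
            with open(os.path.join(copies[1].path, "clients/acme/notes.txt"), "wb") as fh:
                fh.write(b"\x00garbage")
        return check_3_2_1(src, "primary", copies)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo(tamper_offsite=True))
```

With the tampered off-site copy the check reports the corrupted file by name and rates the firm as having only two trustworthy copies and no off-site copy, which is exactly the situation a ransomware recovery would expose too late; with both copies intact all three 3-2-1 conditions pass. In practice the manifest would be written at backup time and stored with the copy, and the verification run on a schedule rather than ad hoc.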

These steps are not only necessary to meet “competent and reasonable measures”; clients are demanding them as well.  In the 2016 ABA Legal Technology Survey Report, 30.7% of law firms, and 62.8% of law firms with 500+ attorneys, reported that current or potential clients had provided them with security requirements.[8]

Cybersecurity might be the most substantial risk facing law firms in 2017 and beyond.  Cybercrime is evolving, and defensive cybersecurity needs to keep up.  The responsibility for keeping data and systems safe can no longer be pinned on the IT department or third-party security vendors.  Ethics Opinion 701 from the New Jersey Committee on Professional Ethics stated that “[the obligation to preserve client confidences] requires that the attorney take reasonable affirmative steps to guard against the risk of inadvertent disclosure”.[9]

If you and your firm have not taken “competent and reasonable measures” to keep your clients’ information safe, now is a very good time to start.

Kevin Roth is Vice President of Business Development at Document Solutions LLC.  For over twenty years, Document Solutions LLC’s award-winning team of sales and service professionals has helped thousands of organizations make better decisions about the lease or purchase of their copiers, printers, mail machines and multiple-function office devices.  Kevin may be reached at [email protected]. 

[1] https://www.cisco.com/c/dam/assets/global/DE/unified_channels/partner_with_cisco/newsletter/2015/edition2/download/cisco-annual-security-report-2015-e.pdf

[2] Rosen, E., March 2015. Most Big Firms Have Had Some Hacking: Business of Law. https://www.bna.com/hackers-seek-corporate-n17179924553/

[3] http://www.logicforce.com/reports/detail/cyber-security-q1

[4] Goldman, R., May 2017. What We Know and Don’t Know About the International Cyberattack. https://www.nytimes.com/2017/05/12/world/europe/international-cyberattack-ransomware.html

[5] https://www.americanbar.org/content/dam/aba/administrative/ethics_2020/2012_hod_annual_meeting_105a_filed_may_2012.authcheckdam.pdf

[6] http://www.azbar.org/Ethics/EthicsOpinions/ViewEthicsOpinion?id=704

[7] http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf

[8] http://www.abajournal.com/magazine/article/managing_cybersecurity_risk

[9] https://www.judiciary.state.nj.us/notices/ethics/ACPE_Opinion701_ElectronicStorage_12022005.pdf