In late October, the American Bar Association’s Legal Technology Resource Center released its ABA TechReport 2019. Unfortunately, the report was not good news for lawyers. The report, based upon responses from lawyers across the country as provided in the Legal Technology Survey Report, reveals that lawyers have made little progress in the past year, if not, the past few years, in protecting themselves and their practices from cybersecurity risk.
The ABA’s annual survey and report explores how lawyers are using technology in their practice and addresses various areas such as online research, tech basics and security, law office technology, marketing and communication technology and life and practice. The survey collected responses from law firms of all sizes and practice areas and asked questions related to technology policies, security tools, security breaches, viruses/spyware/malware, physical security measures and data backup. The results of the survey, as to cybersecurity in particular, demonstrated little improvement by law firms over past years.
The danger to law firms is great. Over the course of providing legal services to clients, we collect and maintain vast amounts of personal, business, sensitive and/or confidential information related to our clients and others in handling legal matters. Not to mention the information we collect and maintain with respect to our own firm operations and employees. As recently reported by Law.com, more than 100 law firms have reported data breaches to authorities in 14 states since 2014. This number does not include cyber events that do not result in actual data breaches nor does it include data breaches that occur which are not required to be reported pursuant to the applicable law of the jurisdiction. Perhaps even more disturbing, the ABA’s 2019 survey results indicate that 26% of respondents reported that their firms experienced a security breach (which may or may not have resulted in the exposure of client information), and 19% of respondents reported that they did not know whether their firm had ever experienced a security breach.
The risk to our practice is both real and significant. Not only should we take precautions to protect our own business interest, we have an ethical obligation to our clients to protect their interests when it comes to cybersecurity. Comment 8 to ABA Model Rule of Professional Conduct 1.1 requires that we “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology”. Such requirement no doubt includes a lawyer’s obligation make reasonable efforts to protect his or her clients personal, sensitive and confidential electronic information through cybersecurity.
So why do lawyers continue to fall short on cybersecurity and how can we do better? It may be impossible to protect against every cybersecurity threat, but even for the most technologically wary or unsavvy among us, there are steps we can and should take to protect ourselves and our clients against cybersecurity risks. Many of the steps are relatively simple and don’t necessarily require professional IT assistance. Begin by adopting a strong cybersecurity culture in your practice to minimize risk to you and your clients. In developing a strong cybersecurity culture, you should consider:
- Preparing a cybersecurity plan for your firm. A cybersecurity plan may include identification and implementation of expectations of your firm relating to use of technology by employees or anyone who may have access to the firm’s network and electronic information.
- Protecting and securing your electronic systems, including use of an appropriate firewall, anti-virus software and data loss prevention software, use two-factor authentication when possible, enabling anti-spam filters on email servers and Outlook clients. Security patches and updates should be done in timely manner.
- Protecting and securing all hardware and mobile devices which have access to your system, including use of anti-theft software. Make sure to require that all computers, laptops and other devices that will be used outside of your office have the same or similar level of protection in place. If there is access to your system on the device, it must be adequately protected.
- Do not use public Wi-Fi. Using an unsecured network allows anyone on that network to access any data that you pass through the network.
- Using strong passwords and changing passwords frequently. Recent guidance indicates that a password should consist of 12 or more characters including a mix of upper- and lower-case letters, numbers and symbols. Passwords should be changed at least every 90 days.
- Implementing safe email policies and procedures, including encryption. While the ABA Model Rules of Professional Conduct and Formal Opinion 477R do not require that all emails be encrypted, electronic communications which contain personal identifying information or other protected information should be encrypted.
- Backing up your data frequently. Backing up your firm’s electronic data makes you less susceptible to suffering the consequences of an attack against the system such as in the case of ransomware.
- Ensuring all vendors with access to your system, firm or client information have appropriate cybersecurity procedures in place.
- Prepare and maintain an Incident Response Plan. An IRP does not have to a complicated or lengthy document. It should be appropriate to fit your firm’s unique practice and risks and should act as an evacuation plan for your firm in the event of a cybersecurity incident.
- Obtain appropriate cybersecurity insurance.
- Educate your firm employees. Your firm’s individual employees are the last line of defense in protecting your devices, the firm’s electronic system and data. You are only as strong as your weakest link.
While it may be impossible to protect against every cybersecurity threat that may face our firms and legal practice, as lawyers, we are obligated to take reasonable steps to protect data and information we collect and maintain. Moreover, it is simply good business.
This article was prepared by Holly M. Whalen, Esq. We trust that the above article was useful and thought provoking; however, please note that it is intended a general guide only, not a complete analysis of the issues addressed, and readers should always seek specific legal guidance on particular matters.
For more information on LPL coverage generally and Cyber Liability insurance, contact Greg Cooke at USI Affinity today.
 See ABA releases 2019 TECHREPORT and Legal Technology Survey Report on legal tech trends, www.americanbar.org/news, October 23, 2019. A copy of the Report is available for purchases through the ABA’s website at www.shopaba.org.
 More than 100 Law Firms Have Reported Data Breaches. And the Problem is Getting Worse, Christine Simmons, Xiumei Dong and Ben Hancock, Law.com, October 15, 2019.
 See TechReport 2019 – 2019 Cybersecurity, John G. Loughnane, October 16, 2019.
 See e.g. ABA Model Rules of Professional Conduct Rules 1.1, 1.4, 1.6, 5.1 and 5.3. See also, ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 477R (2017), Securing Communication of Protected Client Information and ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, (2018).