Cybersecurity, Confidentiality, And Your Ethical Obligations To Your Clients (Part II)

Law firms are not immune from cyber attack -- it’s not a matter of if, but when.

Without question, the advent of the internet and the proliferation of technology connecting lawyers and clients have made the practice of law more efficient in many ways, yet more challenging in others.  The ability of lawyers and clients to communicate via electronic means (like email and text) has been a revelation for attorney-client communication.  In the same vein, however, the use of this technology has created additional problems when it comes to the security of client data. In my prior column (Part I), I set forth the foundation for an attorney’s ethical obligation to ensure the cybersecurity of client confidential information (“CCI”) in their care. In this column, we will go a step further and discuss the steps that every attorney (and their firm) should take, at a minimum, to be proactive in managing such CCI.

As previously outlined, a lawyer’s ethical obligations do not end when an email is sent or a document is saved on the firm’s network, but extend well beyond those actions.  Consistent with the duty of competence and the duty of confidentiality set forth in Model Rules 1.1 and 1.6 of the ABA Model Rules of Professional Conduct, as implemented by each jurisdiction, the use of technology does not abrogate those ethical obligations but rather extends them. This position was first set forth in early ABA Formal Opinions that guided state bar associations on the use of email.  The rationale was extended in ABA Formal Opinion 477R, which permits the transmission of CCI over the internet so long as “the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access.”  Now, this line of reasoning has culminated in ABA Formal Opinion 483, issued in October 2018, which addresses the ethical duty of lawyers to notify clients of an electronic data breach and outlines the reasonable steps necessary to stop any further breach and mitigate the damage it caused.

Certainly, the practice of law can be difficult enough without having the intricacies of technology foisted upon attorneys who wish to use it ethically.  Thankfully, the ethical guidance and opinions do not require attorneys to become IT specialists, but rather, a good dose of common sense.  In essence, the guidance requires both an awareness of the technology being used and how it affects CCI.  With that in mind, here are 5 practical considerations that every attorney and firm should keep in mind when dealing with CCI housed within their network:

1.     Perform a Risk Assessment. A risk assessment is a review that identifies the various information assets that could be affected by a cyber attack (e.g., hardware, software, systems, client data and intellectual property) and the various risks that could affect those assets.  The goals are to identify risks and vulnerabilities in your network, rate the severity of those risks, determine the effectiveness of your current security resources, and weigh these factors against an overall risk threshold the firm is willing to accept.  The National Institute of Standards and Technology (“NIST”) has created a voluntary Cybersecurity Framework that consists of standards, guidelines and recommended practices for managing data security risk.  For firms with an IT staff, understanding and implementing this framework is strongly recommended.  For smaller firms and solo practitioners, it is essential to engage qualified IT and cybersecurity consultants who can work with you to assess areas of risk.  This risk assessment is a MUST — without it, you have no understanding of your potential risk, and no basis for deciding which safeguards are reasonable.

2.     Implement Cybersecurity Policies & Procedures.  Every firm should have a set of policies and procedures for both lawyers and support staff to follow, and cybersecurity should be a part of it.  This is a broad proposition, so at a minimum, every firm should have an Electronic Communications and Internet Use Policy, a Social Media Policy, a Document Retention Policy, a Secure Password Policy, and a written Incident Response Plan.  These requirements can be implemented in different ways, but the point is that you need to be clear about what lawyers and staff can and can’t do on the network.  To date, the single biggest threat to data security in a company (or law firm) environment is (and remains) the people working there.  Whether it be clicking on links within phishing emails or plugging in infected USB thumb drives, people are statistically the biggest threat to CCI.  Proper policies and procedures are, therefore, not just reasonable, but necessary.

3.     Train Your Lawyers AND Staff on Proper Procedures.  This point is an extension of the previous one — if people are an inherent risk to CCI, training them on the proper procedures to protect CCI is a must.  You need to train the entire workforce to comply with the firm’s policies and to practice good “cyber-hygiene” (such as not opening attachments or clicking links reflexively).  In fact, there is a reasonable argument for “phishing” the lawyers and staff in the firm regularly with simulated phishing emails.  When problems are uncovered, those who fell for the test can be educated to deter future problematic conduct. Remember:  You cannot go wrong by being proactive.

4.     Use Technology to Your Advantage. I know, I know — I just wrote about how people are the biggest threat to data security, so why am I now focusing on technological measures to protect CCI?  Because it is reasonable to do so.  From firewalls and intrusion detection and prevention systems to more sophisticated behavioral antivirus and malware detection, technological solutions should not (and cannot) be ignored.  Of course, this doesn’t mean that every firm needs to spend huge sums of money on the most advanced features currently available.  What it does mean is that every firm needs to implement reasonable technological solutions commensurate with its level of risk (i.e., the level uncovered by the risk assessment).

5.     Have an Incident Response Plan.  This point is a big one, so I cannot stress it enough – your firm MUST have an incident response plan in place.  As indicated in ABA Formal Opinion 483, lawyers have an ethical duty to stop an electronic data breach and mitigate the damage.  That duty is best served by following the steps set forth in an incident response plan.  An incident response plan is designed to address situations where security has been compromised (i.e., a data breach), but it can also cover attempted breaches, security alerts, unauthorized access by employees, etc. Simply put, it creates a mechanism to methodically address security incidents so that when stuff really hits the fan (i.e., an electronic data breach is uncovered), the proper steps can be taken promptly rather than improvised on the spot.  Such a checklist for containing the breach and mitigating its damage is critical when all heck is breaking loose.  Make no mistake — you do not want to address an electronic data breach without one in place.

These points address only some of the steps that lawyers should take to secure CCI on their networks.  That said, it is important to understand just how critical it is for an attorney to take reasonable steps to address the security of CCI.  Indeed, the formal ABA guidance indicates that such steps are not only critical, but ethically required at this point. Remember: Law firms are not immune from cyber attack — it’s not a matter of if, but when — so be proactive and take reasonable steps to address the security of CCI before it’s too late.


Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.
