Cybersecurity: Solo and Small Firm Perspective on Protecting Client Data – Conclusion
V. Conclusions
All lawyers, including solos and small firms, have ethical duties to maintain the confidentiality of client data used in their practices, to act competently in their practices, and to supervise staff and third parties with access to client data. These duties appear in the ABA Model Rules of Professional Conduct and in state rules of professional conduct. They are non-delegable. Lawyers must provide leadership and manage the information security functions in their firms rather than simply turning all information security functions over to their staff.
With increasing information security threats from various state and non-state actors, coupled with rapid advances in technology and how it is used, law firms face ever-greater threats to client data. The rules call for attorneys to use reasonable care to protect client data. An effective security program of administrative, physical, and technical safeguards can help a law firm and its lawyers mitigate their information security risks and comply with ethical obligations. Solos and small firms can and must implement reasonable safeguards that are appropriate for the size of their practices. Over time, there will be breaches. Nonetheless, if small practices implement and maintain an effective information security program, they can effectively manage their risk of breaches and resulting liability.
For more information, contact:
Stephen Wu, ssw@svlg.com, 408.573.5737
Drew Simshaw, dts52@georgetown.edu, 202.662.9067
[1] Earlier versions of this article are: Drew Simshaw and Stephen Wu, Ethics and Cybersecurity: Obligations to Protect Client Data (Mar. 15-17, 2015), and Drew Simshaw, Legal Ethics and Data Security: Our Individual and Collective Obligation to Protect Client Data, 30 Am. J. Trial Advoc. 549 (2015).
[2] American Bar Association, Law firms not immune to cybersecurity risks, YourABA, Oct. 2013, http://www.americanbar.org/newsletter/publications/youraba/201310article01.html (interview with Jill Rhodes and Vincent Polley, who edited the first edition of the ABA Cybersecurity Handbook) [hereinafter “Interview with Rhodes and Polley”].
[3] Bloomberg News, Hackers Linked to China’s Army Seen From EU to D.C., Bloomberg Business, Jul. 26, 2012.
[4] Andrew Conte, Unprepared Law Firms Vulnerable to Hackers, TribLive, Sept. 13, 2014.
[5] Interview with Rhodes and Polley, supra.
[6] See Jeff John Roberts, Law Firm DLA Piper Reels Under Cyber Attack, Fate of Files Unclear, Fortune, Jun. 29, 2017.
[7] See Jonathan Crowe, How One of the World’s Largest Law Firms Was Paralyzed by Petya (Jul. 2017), https://blog.barkly.com/dla-piper-petya-ransomware-attack.
[8] Logicforce, Law Firm Cybersecurity Score Card – Q4 2018.
[9] Id. at 4-5.
[10] Resolution 109, American Bar Association, Cybersecurity Legal Task Force, Section of Science & Technology Law, Resolution and Report to the House of Delegates, August 2013, Resolution at 1, http://www.americanbar.org/content/dam/aba/administrative/house_of_delegates/resolutions/2014_hod_annual_meeting_109.authcheckdam.pdf [hereinafter “ABA Cybersecurity Resolution”].
[11] Id., Report at 1 & n.1.
[12] Resolution 105A, American Bar Association, Commission on Ethics 20/20, et al., Resolution and Report to the House of Delegates, August 2012, at 4.
[13] ABA Cybersecurity Legal Task Force, About the Task Force (last visited Sept. 4, 2018).
[14] Jill D. Rhodes & Robert S. Litt, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (2d ed. 2018) [hereinafter “ABA Cybersecurity Handbook”].
[15] ABA Cybersecurity Resolution, supra, Report at 4.
[16] See Alan Levin & Michael Riley, Hackers With Wall Street Savvy Stealing M&A Data: FireEye, Bloomberg Business, Dec. 1, 2014. “A group dubbed FIN4 by researchers at FireEye Inc. has been tricking executives, lawyers and consultants into providing access to confidential data and communications, and probably using the information for insider trading . . . .” Id.
[17] Jane LeClair & Gregory Keeley, Cybersecurity in Our Digital Lives, A Volume in the Excelsior College Press Series Protecting Our Future, Hudson Whitman Excelsior College Press 128 (2015) [hereinafter “Cybersecurity in Our Digital Lives”].
[18] Id.
[19] Office of the United States Attorney, Southern District of New York, Manhattan Paralegal Sentenced for Theft of Litigation Trial Plan (Jan. 20, 2002).
[20] Cybersecurity in Our Digital Lives, supra, at 129.
[21] Matthew Goldstein, Law Firms Are Pressed on Security for Data, New York Times, March 26, 2014.
[22] Cybersecurity in Our Digital Lives, supra, at 129.
[23] Id.
[24] Shore v. Johnson & Bell, No. 16-cv-4363 (N.D. Ill. complaint filed Apr. 15, 2016).
[25] Id., 2017 WL 714123 (N.D. Ill. Feb. 22, 2017).
[26] Cybersecurity in Our Digital Lives, supra, at 129.
[27] See generally ABA Center for Professional Responsibility, Model Rules of Professional Conduct (2018).
[28] See generally American Bar Association, ABA Commission on Ethics 20/20, http://www.americanbar.org/groups/professional_responsibility/aba_commission_on_ethics_20_20.html. “The ABA Commission on Ethics 20/20 was formed to consider changes to the Model Rules of Professional Conduct with an eye in part on the intersection of lawyers’ conduct and advances in technology.” John M. Barkett, Ethics 2015: Don’t Get Tangled in the Web, Shook, Hardy & Bacon L.L.P., Miami, Florida 2 (2014), http://www.americanbar.org/content/dam/aba/administrative/litigation/materials/2015-winter-leadership/010515_ethics_2015__don_t_get_tangled_in_the_web.authcheckdam.pdf.
[29] Sharon Nelson, et al., Information Security for Lawyers and Law Firms (2006).
[30] See generally ABA Cybersecurity Handbook, supra.
[31] Model Rules of Prof’l Conduct R. 1.6(a) (Am. Bar Ass’n 2018).
[32] ABA Cybersecurity Handbook, supra, at 118.
[33] See David G. Reis, Cyber Security for Attorneys: Understanding the Ethical Obligations, Law Practice Today, March 2012, at 1, http://www.americanbar.org/content/dam/aba/publications/law_practice_today/cyber-security-for-attorneys-understanding-the-ethical-obligations.authcheckdam.pdf.
[34] Model Rules of Prof’l Conduct R. 1.6(c) (as amended).
[35] Model Rules of Prof’l Conduct R. 1.6 comm. [18] (as amended).
[36] See, e.g., Will Harrelson, Mobile Device Security for Lawyers: How Solos and Small Firms Can Ethically Allow Bring Your Own Device, Curo Legal, June 24, 2014 (“This is a monumental change that sets a new standard suggesting that lawyers are required to implement reasonable technological safeguards to prevent even an ‘inadvertent’ disclosure of a client’s information or data.”).
[37] Model Rules of Prof’l Conduct R. 1.6 comm. [19] (as amended).
[38] Model Rules of Prof’l Conduct R. 1.4(a)(2).
[39] Reis, supra, at 2.
[40] Id.
[41] ABA Comm. on Ethics and Professional Responsibility, Formal Op. 483 (2018).
[42] Model Rules of Prof’l Conduct R. 1.1.
[43] Id.
[44] Model Rules of Prof’l Conduct R. 1.1 comm. [8] (as amended) (emphasis added).
[45] Reis, supra, at 2 (“[Model Rule 1.1] requires attorneys who lack the necessary technical competence for security (many, if not most attorneys) to consult with qualified people who have the requisite expertise.”); ABA Cybersecurity Handbook, supra, at 124 (“Getting expert help is a recurring theme (as well as good advice) in ethics opinions on this subject.”).
[46] ABA Cybersecurity Handbook, supra note 3, at 124.
[47] Model Rules of Prof’l Conduct R. 5.1(a).
[48] Id. R. 5.3(a).
[49] See ABA Cybersecurity Handbook, supra, at 137 (explaining that state ethics opinions “make clear that a lawyer must have a basic understanding of the technical aspects of cloud computing, and should conduct due diligence evaluation of the provider to ensure that it has adequate security measures”).
[50] Cloud Ethics Opinions Around the U.S., The American Bar Association (last visited Sept. 6, 2018), http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html (citing OSBA Informal Advisory Opinion 2013-03, https://www.ohiobar.org/ForPublic/LegalTools/Documents/OSBAInfAdvOp2013-03.pdf). Some states provide more specific requirements. For example, Maine lists seven requirements “the attorney should ensure that the vendor of cloud computing services or hardware” follows. Maine Board of Bar Overseers Opinion #207, The Ethics of Cloud Computing and Storage, http://www.maine.gov/tools/whatsnew/index.php?topic=mebar_overseers_ethics_opinions&id=478397&v=article.
[51] Barkett, supra, at 10 (quoting New Hampshire Bar Ethics Op. #2012-13/4).
[52] ABA Cybersecurity Handbook, supra, at 137.
[53] Id.
[54] Model Rules of Prof’l Conduct R. 1.6(c).
[55] Model Rules of Prof’l Conduct R. 1.6 comm. [18] (as amended).
[56] For a more thorough discussion of these three types of safeguards, see ABA Cybersecurity Handbook, supra, at 63.
[57] One possible division of responsibility is between a lawyer/sponsor with budgetary authority and a staff member with technical expertise and day-to-day responsibility.
[58] For a discussion of social media practices, see ABA Comm. on Ethics and Professional Responsibility, Formal Op. 480 (2018).
[59] See generally ABA Comm. on Ethics and Professional Responsibility, Formal Op. 482 (2018). “Lawyers must be prepared to deal with disasters.” Id. at 12.
[60] See generally ABA Comm. on Ethics and Professional Responsibility, Formal Op. 06-442, at 4-5 (2006).
[61] The use of text messages sent to a cell phone as a second factor of authentication has known weaknesses (one-time codes can be intercepted through SIM swapping or phished from the user in real time), but the ubiquity of cell phones makes text messages easy to implement for smaller practices, and even SMS-based authentication greatly reduces the risks of relying on passwords alone. Where the practice can support it, an authenticator app or hardware security key avoids these weaknesses.
[62] ABA Formal Opinion 477 states that lawyers may transmit information relating to a representation over the Internet if they exercise reasonable care to prevent inadvertent or unauthorized disclosure, but where the nature of the information, a client agreement, or a legal duty requires heightened security, the lawyer may be required to use special security measures for transmission. ABA Comm. on Ethics and Professional Responsibility, Formal Op. 477 (2017).