Prepare, practice, protect: A strategy for defeating cyberthreats to lawyers
FIRMS OFTEN LAG BEHIND
As in-house counsels heighten their focus on cybersecurity, they are increasingly trained to ensure that any outside law firm has practices at least as secure as the client. To date, the opposite is more often the case: Law firms may have weaker cyberdefenses and less robust breach-response plans than clients, many of which have long operated in regulated industries that impose specific cybersecurity requirements. Partly for cultural reasons and partly for economic reasons, law firms have been slow to invest in and adopt strong cybersecurity measures. In particular, a small law firm may find it difficult and seemingly cost-prohibitive to keep abreast of the latest threats and defenses. And large firms that rely extensively on international electronic communications may be vulnerable—especially if they operate in countries like Russia and China, where hacking is commonplace. Indeed, while in government, we saw foreign adversaries deliberately target law firms and sought to warn firms of the dangers.
Finally, law firms may be victimized by cyberattacks even if they are not specifically targeted, as happened with the Petya ransomware. Phishing and other attacks often operate indiscriminately, infecting anyone who happens to open a link containing malware. The 2016 Mirai botnet attack shows how the use of internet-enabled devices can increase risk. In that case, malware infected internet of things devices such as printers, webcams and copy machines and used them as the basis for a denial of service attack.
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
The consequences of a cyberattack for a law firm can be devastating. Most obvious are the immediate financial costs flowing from the attack. A firm may need to hire a forensic investigator to determine the scope of the breach and ensure it is remediated. Valuable time that could have been spent on client matters might be dedicated to a prolonged breach response. Attorneys and other staff may leave, requiring resources to be spent finding and training replacements. The damage to a law firm’s reputation and business can be equally serious: If clients do not have faith in a law firm’s ability to protect their confidences, they are likely to take their business elsewhere.
LAYERS OF REGULATIONS
Beyond the financial costs, law firms have both legal and ethical obligations to safeguard the confidential information of their clients, and the failure to comply with these obligations can have serious consequences. At the federal level, Congress and agencies have imposed a number of sector-specific data-security obligations. Regulations promulgated under the Gramm-Leach-Bliley Act, for example, require all banks to establish written information-security programs describing how they will protect clients’ nonpublic information. And the Health Insurance Portability and Accountability Act of 1996 requires covered entities to take steps to ensure the integrity and confidentiality of protected health information. Businesses subject to these data-protection obligations often require that they be observed by contractors such as their law firms. As a result, a law firm that obtains protected information from its client may be required to protect that information as well.
In addition to federal laws and regulations, many state laws require the protection of various kinds of information. Some states, including California, impose a general duty to implement “reasonable” security procedures and practices. Others, like Massachusetts, are more specific, requiring businesses to implement minimum safeguards, including malware and firewall protection, encryption on laptops and portable devices, and various user-authentication procedures to protect certain types of data. The ABA Cybersecurity Handbook, which was recently published, lists the relevant state and federal laws as of the date of publication, but lawyers should be sure to check for more recent legislation or regulation in this rapidly changing field.
International data-protection rules vary widely from country to country. At present, there are over 100 national data-protection regimes around the world. The European Union is preparing to implement its General Data Protection Regulation, which goes into effect in May. It provides a strong privacy framework for entities doing business in member states or processing personal information obtained from people within the EU. It is enforceable by potentially substantial fines. National laws not only vary widely in their scope and substance but also are changing rapidly, and lawyers must stay up to date.
Apart from legal rules, however, a lawyer’s ethical duty to protect information obtained from a client imposes obligations to act prudently and with discretion in the digital world as well as the physical one. Rule 1.6 of the ABA Model Rules of Professional Conduct requires a lawyer to make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client,” and a comment to Rule 1.1 makes clear that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” This rule applies across a variety of contexts; for example, in May 2017 the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Ethics Opinion 477R, which modified an earlier opinion to make clear that it is not always permissible for a lawyer to conduct confidential client communications by unencrypted email and set out steps a lawyer should take to guard against unauthorized disclosure of information.
John P. Carlin is a partner at Morrison & Foerster. Robert S. Litt, of counsel at Morrison & Foerster, is a former general counsel for the director of national intelligence. Hayley R. Curry and R. Taj Moore are associates at the firm.