Post Authored by David A. Wheeler and Abigail E. Flores
Strong cybersecurity and privacy procedures and practices are important to ethical compliance and client management in law firms. The statistics reported by Logicforce in its Law Firm Cybersecurity Scorecard 2019 support that more law firms are taking cybersecurity concerns seriously and, in turn, more likely meeting their ethical duties regarding the ever-changing landscape of cybersecurity and privacy. However, law firms continue to be victims of cybersecurity attacks. Therefore, firms should continue to update and monitor their cybersecurity and privacy practices. The following statistics outline the state of cybersecurity practices in law firms at the end of 2019:
- 70% of law firms had formally documented cybersecurity policies;
- 51% of firms reported being audited by a client;
- Only 49% of firms have an information security officer in charge of cybersecurity practices;
- 68% of firms offer formal cybersecurity training;
- 83% of firms conduct vulnerability testing;
- About 40% of firms don’t have insurance for data breaches; and
- About 90% of firms conduct risk assessments on third-party providers, with 62% of them conducting the assessment through a third-party. 
Currently, COVID-19 has pushed lawyers and other employees to work from home for an unknown amount of time. This brings the unique role cybersecurity and ethical obligations play in law firms to the forefront. In normal circumstances, a majority of employees in a firm work from the same location with firm resources, which limits exposure to cybersecurity threats. In the current climate, unpredictable factors are abundant, and firms should monitor the status of their cybersecurity and privacy frameworks and practices. Firms have always been frequent targets of cybersecurity attacks, due to the large amount of valuable data they handle and store. However, with the COVID-19 outbreak, there is an increased risk of attack, because more people in firms are working remotely. As a result, law firms are in a unique position to either use or develop their contingency plans for security and privacy practices, due to the pandemic.
As stated above, it is vital for firms to stay up to date on cybersecurity and privacy practices, so attorneys meet their ethical obligations. This involves everything from monitoring document retention to informing staff about novel technology risks. The ABA Model Rules of Professional Responsibility should guide the decisions and procedures that firms take to protect clients from cybersecurity/privacy risks. As cybersecurity issues in the legal field became more prominent, the American Bar Association (“ABA”) issued Formal Opinions to help attorneys meet their ethical obligations.
In Formal Opinion 477R, Securing Communication of Protected Client Information, the ABA Standing Committee on Ethics and Professional Responsibility (“ABA Committee”) stated that while lawyers can transmit client information over the internet, they must make “reasonable efforts” to prevent the inadvertent disclosure of confidential information. It also recognized that the cybersecurity landscape is constantly changing. Therefore, in order to determine what constitutes “reasonable efforts,” a fact-based analysis is required. Comment 18 to Model Rule 1.6(c) includes a list of nonexclusive factors that a lawyer can use to guide this determination. Determining what reasonable efforts to take should be made on a case by case basis, and takes each client and the information to be transmitted into consideration. Formal Opinion 477R presents guidance on steps and a process to follow when determining what is necessary to protect against inadvertent disclosure of client information.
Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach of Cyber Attack, focuses on a lawyer’s responsibility to inform clients about cyberattacks and data breaches under Model Rule 1.4. While lawyers and firms have an ethical obligation to inform clients of data breaches in certain situations, they must also be aware of privacy laws and other statutory schemes requiring notification. In this opinion, the ABA Committee defined a data breach as the “misappropriation, destruction or compromise of client confidential information or a situation where a lawyer’s ability to perform the legal services for which the lawyer was hired is significantly impaired by the event.” When a data breach occurs, and either involves client confidential information or is substantially likely to involve such information, the lawyer has a duty to notify the client. The disclosure to clients must give enough information to allow them to make decisions about the next steps. This means lawyers “must advise clients of the known or reasonably ascertainable extent to which client information was accessed or disclosed.”  The ABA Committee does not require notice to former clients under Model Rule 1.9 but cautions that a lawyer may have obligations to inform former clients under other laws and contractual agreements about record retentions.
Both Formal Opinions discuss the Model Rules that “address the risks that accompany the benefits of the use of technology by lawyers.” Model Rule 1.1 addresses the duty of competency; Comment 8 to the Rule further states that “a lawyer should keep abreast of changes in the law and its practices, including the benefits and risks associated with relevant technology.” Under this Rule, a lawyer has the duty to mitigate damage and stop a breach. Generally, under Model Rules 5.1 and 5.3, managerial lawyers have the duty to ensure that all lawyers and staff follow the Rules of Professional Conduct by developing internal policies and procedures. This general duty is expanded to require lawyers to “monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.” These specific Model Rules, among others, obligate lawyers and firms to develop and maintain procedures and policies for cybersecurity and privacy.
Developing cybersecurity and privacy procedures and policies involves an assessment of the appropriate physical, technical and administrative measures. The result of the assessment will determine the security level appropriate to the risks associated with processing client information and meeting ethical obligations. The assessment should take into account the nature, scope, context and purposes of processing client information, the state of the art, and the costs of implementing the measures. As a matter of good hygiene, law firms should take all relevant rules and laws into consideration when developing their policies and procedures. As a starting point for compliance with ethical obligations, firms should consider the following:
- Developing and implementing cybersecurity policies;
- Performing penetration and vulnerability testing;
- Implementing full disk encryption;
- Employing multifactor authentication;
- Deploying data loss prevention services;
- Conducting cybersecurity awareness and training;
- Developing and testing incident response plans;
- Developing and following records management policies;
- Employing a cybersecurity executive; and
- Employing a third party to perform annual risk assessments.
When assessing the state of cybersecurity and privacy practices, law firms should also consider the National Institute of Standards and Technology’s Cybersecurity and Privacy Frameworks (“NIST Frameworks”). The NIST Frameworks were designed to guide organizations of any size and any level of knowledge about cybersecurity and privacy practices, specifically when assessing the current state and implementation of best practices. These are not “one-size-fits-all” approaches to managing risks. However, they are flexible frameworks that allow each organization to consider their particular needs and current understanding. The NIST Frameworks do not ensure compliance with any rule or regulation. Organizations cannot comply with the NIST Frameworks themselves, because of the Frameworks’ flexible natures. Rather, the NIST Frameworks are tools used in risk assessment and mitigation.
Regardless of the tools or procedures used to monitor and deal with cybersecurity and privacy risks, each firm should evaluate its current situation and ensure compliance with ethical obligations. Although law firms seem to be more aware of ethical obligations in these areas, the ever-changing landscape of cybersecurity and privacy requires reassessment and reconfiguration of practices in light of COVID-19.
About the Authors:
David A. Wheeler is a Partner at Neal, Gerber & Eisenberg in the Intellectual Property and Data Privacy and Information Governance practice groups.
Abigail E. Flores is an Associate at Neal, Gerber & Eisenberg in the Intellectual Property practice group.
 Law Firm Cybersecurity Scorecard 2019, LOGICFORCE, p. 1, https://www.logicforce.com/2019/10/07/cyber-security-scorecard-q4-2019/.
 See Kartikay Mehrotra et al., Cyber Risks Abound as Employees Shift From Offices to Homes(1), Bloomberg L. (Mar. 19, 2020), https://www.bloomberglaw.com/product/privacy/document/XCC8VJ3G000000?criteria_id=7a405c6607473e3d695aad42940e95d5&searchGuid=4f8fdc5f-9c65-412e-8825-4cb9582c1a9d&bna_news_filter=privacy-and-data-security.
 See Garth Landers, INSIGHT: Tax Season & Covid-19-Peak Time For Law Firm Cyber Threats, Bloomberg L. (Mar. 19, 2020), https://www.bloomberglaw.com/document/X4S9H1G8000000?bna_news_filter=privacy-and-data-security&jcsearch=BNA%252000000170d450d39cab7cd55a87380001#jcite.
 Crystal Tse, Locked-Down Lawyers Warned Alexa Is Hearing Confidential Calls, Bloomberg L. (Mar. 20, 2020), https://www.bloomberglaw.com/product/privacy/document/X26RK31C000000?criteria_id=7a405c6607473e3d695aad42940e95d5&searchGuid=4f8fdc5f-9c65-412e-8825-4cb9582c1a9d&bna_news_filter=privacy-and-data-security.
 See ABA Comm. on Prof’l Ethics and Responsibility, Formal Op. 477 (2017); ABA Comm. on Prof’l Ethics and Responsibility, Formal Op. 483 (2018).
 Model Rules of Prof’l. Conduct r 1.6 (Am. Bar. Ass’n. 2019); ABA Comm. on Prof’l Ethics and Responsibility, Formal Op. 477 (2017).
 ABA Comm. on Prof’l Ethics and Responsibility, Formal Op. 477, p. 4-5 (2017); Model Rules Prof’l. Conduct r 1.6 cmt. 18 (Am. Bar. Ass’n. 2019).
 ABA Comm. on Prof’l Ethics and Responsibility, Formal Op. 477 (2017).
 See ABA Comm. on Prof’l Ethics and Responsibility, Formal Op. 483 (2018); Model Rules of Prof’l. Conduct r. 1.4(a)(3) (Am. Bar. Ass’n. 2019) (stating that a lawyer must “keep the client reasonably informed about the status of the matter”); Model Rules of Prof’l. Conduct r. 1.4(b) (Am. Bar. Ass’n. 2019) (“A lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding representation.”).
 ABA Comm. on Prof’l Ethics and Responsibility, Formal Op. 483, p. 11 (2018).
 Id. at p. 14.
 Id. at p. 13.
 See id. at p. 1.
 Model Rules of Prof’l. Conduct r 1.1 (Am. Bar. Ass’n. 2019).
 ABA Comm. on Prof’l Ethics and Responsibility, Formal Op. 483, p. 6 (2018).
 Id. at p. 4.
 Id. at p. 5.
 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, Nat’l Inst. of Standards and Tech. (Apr 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
 NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0, Nat’l Inst. of Standards and Tech. (Jan. 16, 2020) https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pdf.