“Three may keep a secret, if two of them are dead.”
– Benjamin Franklin, Poor Richard’s Almanac
From law firms with fewer than 10 attorneys to those with more than 500 and from bar associations to state courthouses, dozens of organizations involved in the legal profession have reported experiencing cyberattacks compromising their confidential information in the past few years. The American Bar Association (ABA) reported that more than 100 such organizations disclosed similar attacks from 2014 to 2019; and more than one in four law firms disclosed experiencing data breaches from 2021 to 2022. In the first quarter of 2023, the global rate of cyberattacks rose by seven percent, with one in 40 focused on law firms or insurance providers, proving it to be an accelerating (albeit not new) phenomenon.
Not surprisingly, attorneys regardless of firm size have voiced significant and increasing concerns over protecting the privacy and security of the confidential information entrusted to them. When it comes to security defenses, however, many law firms lag well behind most other organizations, including their own clients. According to the ABA report, only 49 percent of firms regularly use file encryption and only 40 percent regularly use email encryption—both common cybersecurity defense techniques used by businesses across the country.
The result is that hackers have come to view the legal profession as a preferred point of attack. Data breaches at five prominent law firms made the news in 2023. These incidents are not just a mess that firms must clean up in house. Clients-turned-plaintiffs have filed at least five class actions claiming that the named firms failed in their duties to sufficiently guard confidential information against disclosure.
In response to these pressures, many firms have wisely added cyber insurance policies to their insurance portfolios. Unfortunately, while helpful, even the best cyber insurance policies do not come close to adequately mitigating the damages caused by data breaches. Attorneys and their firms cannot insure against the time lost in opening locked-down systems and retrieving lost data. Nor can they insure against the licensure implications of failing to comply with professional ethical rules that require better safeguards or the potentially serious penalties associated with violations of federal and state laws. There are also important questions involving the waiver of attorney-client privilege where attorneys fail to take reasonable measures to safeguard the confidentiality of their clients’ information. Consider also the significant costs of losing clients and the negative public relations implications of losing control of sensitive and confidential client information—information that is often sold to the highest bidder on the dark web or made public. The limitations of cyber insurance could not be any clearer, making it especially important that attorneys proactively manage and mitigate cyber risks both before and in response to attacks when they occur.
ABA MODEL RULES OF PROFESSIONAL CONDUCT
A variety of attorney ethical rules clearly require attorneys to take objectively reasonable measures to identify and manage these risks. Our analysis focuses on the ABA Model Rules of Professional Conduct.
The ABA Model Rules of Professional Conduct make it clear that attorneys shoulder the obligation to maintain the confidentiality of their clients’ information in whatever technological environment they work within. ABA Model Rule Section 1.1 provides that “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”1 Focusing on the technological environment, Comment 8 to Model Rule 1 makes clear that “[t]o maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Clearly, in today’s day and age, under the ABA Model Rules, the duty of competency requires a reasonable level of cybersecurity understanding.
The ABA Model Rules also make it clear that attorneys have an obligation to ensure that the tools used to maintain and communicate client information are secure. ABA Model Rule Section 1.6(c) provides that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 18 sets forth the factors to be considered in determining the reasonableness of the lawyer’s efforts, including, but not limited to:
the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).2
ABA Formal Opinion 477 adds additional clarity, providing that:
[a] lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.3
Following upon Formal Opinion 477, Formal Opinion 483 strikes directly at the matter of cybersecurity, stating “[t]he potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.”4 Opinion 483 further states that “[a]s a matter of preparation and best practices… lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.”5
In a world where most information is received, stored, used, and transmitted electronically, the ABA Model Rules require attorneys to undertake proactive reasonable efforts to protect that information, and to prepare to respond to potential breaches.
FEDERAL AND STATE LAWS
In addition to attorney ethical rules, multiple federal laws governing the protection of certain information require attorneys and their firms to take proactive, effective actions to safeguard that information. While a full accounting and explanation of the federal laws is beyond the scope of this article, many law firms face one central and well-known law—the Health Insurance Portability and Accountability Act of 1996 and its progeny law, the Health Information Technology for Economic and Clinical Health Act (together, HIPAA).6 As HIPAA business associates, law firms that receive, store, use, or transmit HIPAA-defined Protected Health Information are required to maintain adherence to HIPAA’s privacy and security requirements.
For information security, HIPAA provides the HIPAA Security Rule, containing more than 60 required or addressable actions. Serious civil and/or criminal penalties can be assessed for violations of HIPAA’s requirements. For the years 2023 and 2024, civil penalties range from $137 per violation to a whopping $68,928 per violation, depending upon the level of culpability, with an annual penalty limit of $2,067,813. Criminal penalties can include fines of up to $250,000, imprisonment of up to 10 years, or both.7
In addition to the federal laws, numerous states have enacted laws that require businesses that own, license, or maintain personal information to implement and maintain “reasonable security procedures and practices” to protect personal information from unauthorized access.8 At this time, all 50 states and the District of Columbia have enacted legislation requiring businesses and other entities to notify affected individuals when data breaches involving their personal information occur.9 In addition, 32 states plus the District of Columbia require that notice of the breaches be made to certain state agencies and law enforcement authorities, typically to the state attorney general’s office and/or office of consumer protection.10
This excerpt is from the full article, which was originally published in ALI CLE’s The Practical Lawyer.