By Nicholas Brunette and Trenton Gill, Guest Contributors, Reminger Legal Professional Liability Practice Group
According to the American Bar Association, roughly one in four law firms has experienced a data breach. Data breaches not only damage a law firm’s reputation but also may result in significant costs. Accordingly, it is essential for law firms to take preventive measures to safeguard against cyber events.
A cyber event is an occurrence leading to a compromise, misuse, loss or theft of data, information systems, money, professional services or a combination of these. Typically, a data breach is a cyber event that results in the actual compromise of material client confidential information. Accordingly, a cyber event is not necessarily a data breach.
Sign up today for our December 12 webinar on Cybersecurity, Social Engineering and Email Phishing. It’s a free benefit of membership in Alta Pro Lawyers RPG. Find out how to join here.
Rule 1.1 of the Model Rules of Professional Conduct imposes a legal and ethical duty on attorneys to remain competent with changes in the law and technology. Under comment 8 of Rule 1.1 of the Model Rules, “to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with the technology relevant to the lawyer’s practice.”
Additionally, lawyers have an ethical and legal duty to keep client information confidential. Under Rule 1.6 of the Model Rules of Professional Conduct, “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.” Paragraph (c), added to Model Rule 1.6 in the 2012 amendments, provides that “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 18 to Model Rule 1.6 elaborates that the factors to be considered in determining the reasonableness of the lawyer’s efforts include “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.”
Reasonable Efforts Required
Further, the obligation for attorneys to use reasonable efforts to prevent loss of, or unauthorized access to, client information includes monitoring for a data breach. According to the ABA Cybersecurity Handbook, “a lawyer cannot take the ‘ostrich’ approach of hiding his head in the sand and hoping that his office or firm will not suffer a data breach that compromises client information.” The handbook continues, “lawyers must implement administrative, technical, and physical safeguards to meet their obligation to make reasonable efforts to protect client information.” Attorneys who do not use reasonable efforts to protect client information expose themselves to a potential legal malpractice claim.
The foundation of breach preparedness is a well-prepared incident response team. The team should include representatives from IT, security, legal, compliance, communications and client service, plus a member of executive management. Firms should regularly conduct security assessments to reevaluate existing privacy and security systems and procedures. These assessments help firms identify vulnerabilities that the incident response plan should address.
Install Security Updates
Another key to preventing cyber events is keeping operating systems and applications patched; most successful intrusions exploit vulnerabilities for which a fix was already available. Investing in sound hardware and software is essential. Law firms should use firewalls and anti-virus and anti-spyware software, with signatures updated at least daily. Encryption of stored data and strong, unique passwords are also necessary; note that current NIST guidance (SP 800-63B) no longer recommends forcing users to change passwords on a fixed schedule, only when there is evidence of compromise. Portable media, such as DVDs, CDs and USB “flash drives,” are especially susceptible to loss or theft, as are smartphones, MP3 players and other personal electronic devices with storage that “syncs” with a computer. Only encrypted data should be allowed onto portable storage devices. Each law firm should also maintain an offline (out-of-band) backup of its files, kept disconnected from the network so that ransomware cannot reach it, and should periodically test that the backup can actually be restored.
Even if your firm invests in hardware, software and firewalls, phishing scams aimed at law firms are becoming more prevalent, and they bypass those controls by targeting people. Phishing relies on social-engineering tactics to deceive individuals into disclosing sensitive information, or taking a harmful action such as approving a wire transfer, through email or other computer-based means.
Essentially, a perpetrator first investigates the intended victim to gather the background information needed for the attack. The attacker then works to gain the victim’s trust and supplies a pretext for actions that breach security practices, such as revealing sensitive information or granting access to resources. Accordingly, firms are only as strong as their weakest link, which is typically their people. Staff training and awareness are among the most important steps in avoiding cyber fraud. The earliest detection allows the quickest response, so all personnel must be trained to recognize that a breach may have occurred and to report it at the earliest possible moment. Employees should know the characteristics of risky emails (a sender address that merely resembles the firm’s domain, a Reply-To that redirects replies elsewhere, pressure to act immediately, and links whose visible text does not match their destination) so they are more likely to recognize them and avoid becoming a victim. Additionally, it is good practice to train all personnel and third-party contractors on basic breach response protocol.
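The characteristics of risky emails described above can be checked mechanically before a message reaches a paralegal’s inbox. The following is an added example written for this article, not code from the authors or from any product; the firm domain, the sample messages and the wire-fraud keyword list are constructed for illustration, and the lookalike-domain threshold is a judgment call that will need tuning for short domain names.

```python
"""Heuristic triage of an inbound e-mail for common phishing tells.

Added example, not part of the original article. Flags: a sender domain that
merely resembles the firm's, a Reply-To that redirects replies elsewhere, a
display name that cites the firm domain while the real address is external,
pressure language typical of wire-fraud pretexts, and links whose visible
text names one host while the href points at another.
"""
import re
from email import message_from_string
from email.utils import parseaddr

FIRM_DOMAIN = "example-law.com"  # assumed firm domain (constructed)

# words that appear together in wire-fraud pretexts (constructed list)
URGENCY_WORDS = ("urgent", "immediately", "wire", "today", "confidential")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_DOMAIN_RE = re.compile(r'https?://([^/\s"<>]+)', re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    # classic Levenshtein distance, used to catch lookalikes such as examp1e-law.com
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit=FIRM_DOMAIN):
    # one or two character edits away from the real domain, but not the real domain
    if not domain or domain == legit:
        return False
    return edit_distance(domain, legit) <= 2


def body_text(msg):
    # walk() yields the message itself for single-part mail, every part otherwise
    chunks = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def link_mismatches(body):
    """Return (shown_host, real_host) pairs where anchor text and href disagree."""
    out = []
    for href, text in LINK_RE.findall(body):
        real, shown = URL_DOMAIN_RE.search(href), URL_DOMAIN_RE.search(text)
        if real and shown and real.group(1).lower() != shown.group(1).lower():
            out.append((shown.group(1).lower(), real.group(1).lower()))
    return out


def triage(raw):
    """Return a list of human-readable findings; an empty list means no tells fired."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")
    if is_lookalike(from_dom):
        findings.append(f"sender domain {from_dom} looks like {FIRM_DOMAIN}")
    if FIRM_DOMAIN in from_name.lower() and from_dom != FIRM_DOMAIN:
        findings.append("display name cites the firm domain but the real sender is external")
    body = body_text(msg)
    hits = [w for w in URGENCY_WORDS if w in (msg.get("Subject", "") + "\n" + body).lower()]
    if len(hits) >= 2:
        findings.append("pressure language: " + ", ".join(hits))
    for shown, real in link_mismatches(body):
        findings.append(f"link shows {shown} but goes to {real}")
    return findings


# constructed sample messages
PHISH = """From: "Jane Partner - example-law.com" <partner@examp1e-law.com>
Reply-To: partner@mail-relay.example.net
Subject: URGENT wire today
Content-Type: text/html

<p>Please process the wire immediately. Details:
<a href="http://secure-docs.example.net/x">https://portal.example-law.com/wire</a></p>
"""

LEGIT = """From: Jane Partner <jane@example-law.com>
Subject: Draft engagement letter
Content-Type: text/plain

Attached is the draft for review. Let me know by Friday.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(raw) or ["no findings"])
```

Heuristics like these produce false positives (a genuine vendor domain two edits away from the firm’s, or a legitimate newsletter with tracking links), so the output belongs in a mail gateway’s quarantine or warning banner for a person to review, not in an automatic delete. The firm-domain and keyword constants above are placeholders to replace with the firm’s own.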
Lastly, if your firm has suffered a data breach, every state has a breach notification law requiring notice to affected clients or parties. What the notice must contain, how quickly it must be sent, and who else must be notified (in some states, the state attorney general) vary by state. Be sure to research the data breach notification laws of each state whose residents are affected to remain compliant.
When you’re a member of Alta Pro Lawyers RPG, you get instant access to malpractice prevention experts like Nicholas Brunette and Trenton Gill. They’re part of our claim avoidance and repair program. Learn how to join here.
This article originally appeared in the Legal Professional Liability Newsletter (Fall 2019 issue).
This has been prepared for informational purposes only. It does not contain legal advice or legal opinion and should not be relied upon for individual situations. Nothing herein creates an attorney-client relationship between the Reader and Reminger. The information in this document is subject to change and the Reader should not rely on the statements in this document without first consulting legal counsel.
About the Authors
Nicholas Brunette practices in Reminger Co., LPA’s Indianapolis office. He represents defendants in complex civil litigation. His practice also includes professional liability and licensing, including legal, dental, and medical malpractice defense, employment, product liability, municipal defense, trucking liability defense, and appellate practice.
Trenton Gill also practices in Reminger Co., LPA’s Indianapolis office, where his focus is civil defense litigation. He also represents physicians, dentists, chiropractors, and attorneys in professional liability claims matters.