Cyber Risk and the Law Firm
The March 2017 ABA Journal’s lead article is on managing cyber risk. This informative piece contains startling numbers: one cybersecurity firm estimated that at least 80 of the largest 100 firms by revenue have been hacked since 2011. Crain’s Chicago Business reported that last year one foreign hacker alone targeted 46 law firms in the United States, and others elsewhere. The threat is clear and present, so what are lawyers to do about it?
Attorneys have ethical obligations to safeguard client property. There are several interrelated Rules of Professional Conduct that guide New Jersey counsel. First is competence. RPC 1.1. Lawyers are expected to understand the benefits and risks associated with the use of technology. Second is the obligation to preserve a client’s confidential information. RPC 1.6. Specifically, RPC 1.6(f) states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” RPC 1.15 addresses safeguarding a client’s property.
Besides being well-versed in these and other RPCs, a lawyer should consult the Supreme Court of New Jersey Advisory Committee on Professional Ethics’ Advisory Opinion 701 (April 10, 2016) for guidance regarding the risk of unauthorized access. There, the Advisory Committee stated that the obligation to preserve a client’s information requires the attorney “to take reasonable affirmative steps to guard against the risk of inadvertent disclosure.” This requirement of reasonable care does not mean that a lawyer guarantees that the electronically stored information will not be hacked, just as a lawyer cannot guarantee that a robber will not break and enter the law firm premises and steal paper documents. The Committee noted the obvious: reasonable care cannot be defined with precision. “What the term ‘reasonable care’ means in a particular context is not capable of sweeping characterizations… [b]ut it certainly may be informed by the technology reasonably available at the time…”
Notably, as the Official Comment to RPC 1.6 states, a lawyer does not violate this rule even if client property is accessed, provided the lawyer made reasonable efforts to prevent access. The comment lists non-exclusive factors to be considered in determining whether the lawyer made reasonable efforts. Know them. And know, too, that even though a lawyer may not violate the RPCs if there is a cyber attack, exposure to legal liability for disclosure of sensitive information, such as social security numbers and medical data, is a different analysis altogether.
Insurance companies underwriting the risks of cyber attacks have developed comprehensive questionnaires for law firms seeking coverage. These questions provide a good starting point of reference and include, by way of general example:
- Who is in charge of network security?
- Is there a backup system and disaster recovery plan in place?
- Are there firewalls and anti-virus software?
- Is data encrypted?
- Is there employee training regarding security issues?
- Are there policies regarding the creation and automatic updating of passwords?
There is much more to delve into, well beyond the scope of this blog. Suffice it to say that lawyers can expect the ABA to publish a valuable resource later this year. The aforementioned ABA Journal notes that a new edition of its cybersecurity handbook will be published before the annual meeting in August. The manual will have a full chapter on technology, and will address the legal and ethical obligations lawyers have, obligations this post merely touched upon.