Law firms have recently become prime targets for cybercriminals seeking to steal, expose, sell, or otherwise extort confidential information. Both the digitalization of law firms’ sensitive documents and the increase in means available to perpetrate an online crime exacerbate these risks. Law firms encounter various cybersecurity risks from “insiders”—personnel within the company—and external persons.
As a response, many law firms have adopted cybersecurity obligations to protect its clients’ data and the firm’s integrity and reputation.
Main Cybersecurity Risks Facing Law Firms
Law firms naturally handle sensitive client data and confidential company information. The lack of strong internal controls and compliance programs leaves law firms open to cyber-attacks. These attacks can be committed by insiders within the firm as well as external actors. Some examples of cybersecurity risks for law firms include the following:
Data breaches: This risk involves the theft of personal or sensitive data from law firms and can be perpetrated for a variety of reasons including financial gain or retaliatory purposes. Cyber criminals will typically execute these attacks by accessing the law firm’s computer from a remote location, collecting the personal or sensitive data, and distributing it to third parties.
Ransomware: Ransomware involves encrypting the law firm’s important files and demanding a fee—or ransom—in order for the cyber criminal to restore the file for the law firm’s use.
Phishing: This scam involves sending a scam message to an individual(s) in the hopes of getting them to send back confidential information. This risk is especially prevalent in law firms due to the high volume of emails sent from external persons. If severe, the attorney’s entire email account could be hacked, thus revealing mounds of sensitive client details.
Website attacks: Attorneys visit multiple legitimate websites in a day as a part of their daily responsibilities. Criminals and hackers exploit this by infecting the computers of individuals who visit less secured websites.
Miscellaneous cyber threats: Additional threats to law firms’ security include (1) malpractice lawsuits that follow a breach and (2) cyber-crimes committed by insiders. A client can file a malpractice lawsuit where they believe their attorney has failed to maintain adequate safeguards over their sensitive information. Further, insider threats can originate from former disgruntled employees or current personnel members and are often very challenging to detect because these individuals often have access to the computers storing the data.
“By the time law firms notice the breach, it may have already suffered financial loss, and, consequently, media attention and reputational harm. A robust cybersecurity compliance program would help the firm secure the data against improper access and use. In other words, maintaining strong cybersecurity policies within your firm is key to mitigating liability exposure.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
2020 Statistics on Cybersecurity and Law Firms
The American Bar Association’s Legal Technology Resource Center compiles an annual report on cybersecurity for law firms that discusses the adoption of compliance programs, types of cyber risks, and injuries caused from cybersecurity breaches. The number of law firms reporting a security breach increased from 26% in 2019 to 29% in 2020. Some of these results may have been impacted by COVID-19 since many law firms moved operations online—thus necessitating virtual work environments and online communications.
Security breaches analyzed in the ABA’s report were broad and included stolen computers, exploiting vulnerabilities in websites, and hacking. Law firms experiencing viruses, spyware, or other infection within their company must expend significant amounts of time, energy, and money in correcting the issue.
A recent example, in 2019, a senior director of corporate law and lawyer at Apple was charged and indicted on insider trading charges. The indictment alleged that the lawyer traded confidential information during a blackout period where no stock can be bought or sold.
Legal Obligations for Law Firms: Statutes on Cybersecurity
There is no federal law regulating a law firm’s cybersecurity practices and policies. However, federal law does regulate specific industry practices. For instance, if a law firm has a client within the healthcare, accounting, or financial industry sectors, additional federal obligations may apply.
Clients in the financial industry sector may require that their law firms maintain extra security protection due to the sensitive nature of financial data. The same applies for healthcare companies who store confidential health records of the public. Clients that specialize in accounting practices must comply with the Sarbanes–Oxley Act of 2002, which could impose additional obligations on the law firms representing those clients.
The failure of the law firms to properly safeguard client data in these circumstances could lead to federal investigations, lawsuits, loss of future clients, fines and penalties, and significant reputational harm.
In addition to industry standards encompassed by federal law, each state has its own laws regulating data protection. Law firms in California must be mindful of the California Consumer Privacy Act, while law firms in New York must take account of the regulations of the New York State Department of Financial Services as well as the Stop Hacks and Improve Electronic Data Security (“SHEILD”) Act.
Law firms may also find it beneficial to adhere to cybersecurity guidelines. The National Institute of Standards and Technology (“NIST”) is a non-regulatory agency within the Department of Commerce that provides guidelines for cybersecurity regulations for the federal government. NIST standards are voluntary but compliance with NIST’s Cybersecurity Framework is good practice for law firms and provides good evidence that the law firm took sufficient measures to comply with cybersecurity-related laws and industry practices.
Ethical Obligations for Law Firms: Protecting Client Data and Maintaining Confidentiality
State boards are responsible for regulating the conduct of lawyers and law firms. To do this, state boards often issue ethical opinions to guide them on appropriate cybersecurity practices within their law firms. Specifically, U.S. law firms have to adhere to the ABA’s Model Rules of Professional Conduct.
Model Rule of Professional Conduct 1.4 requires attorneys to make sure that clients are “reasonably informed about the status of the matter” and to “explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.”
Further, Model Rule of Professional Conduct 1.6 states that lawyers must make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 8 to Model Rule 1 explains that, in order to maintain the required knowledge and skill, lawyers should stay abreast of all changes "including the benefits and risks associated with relevant technology."
ABA Formal Opinion 483 on “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” provides that lawyers have a duty to make “reasonable efforts to avoid data loss or to detect cyber-intrusion” and that an ethical violation may occur if the lawyer does not undertake these steps.
Thus, because law firms often do business with colleagues, opposing counsel, federal agencies, and clients via electronic communications, they have an obligation to ensure that all data is properly stored, secured, and safeguarded
Internal Obligations for Law Firms: Strengthening Cybersecurity from the Inside
Law firms are finding it beneficial to adopt or strengthen their internal practices to strengthen overall cybersecurity. Examples of supplements to a law firm’s cybersecurity include the following:
Reboot and backup policies
Risk assessment and internal controls
Robust cybersecurity compliance program
Crisis response plan for cyberattacks
Reliable antivirus software
Strong password combination
Strict controls over personnel access to sensitive information
Using only secured Wi-Fi
Cybersecurity breaches of a law firm’s sensitive or confidential data can lead to lawsuits, investigations, fines and penalties, and unwanted media attention. It can not only hurt the law firm’s ability to attract clients in the future but also the reputation of the individual attorneys.
Attorneys implicated in data breaches and other cybersecurity risks undermine the attorney’s duties of competency and confidentiality.
To prevent such disastrous consequences that will follow from these breaches, many law firms follow strict legal, ethical, and internal obligations regarding strong cybersecurity practices. Obligations such as compliance with industry standards and state laws; ABA ethical rules, and internal best practices within the law firm enable the law firm to mitigate cybersecurity risk.