Cybersecurity: An Ethical Responsibility
A discussion on how to protect legal information stored in cloud solutions. Inquiries address the most pressing concerns related to cloud storage and provide guidance for both current and future solutions used by law firms and businesses in general.
March 20, 2020 at 11:30 AM
2019 was a banner year for terrifying data breach headlines, which wound their way into our news feeds as over 5,000 data breaches were reported, exposing almost 8 billion records (Rae Hodge, "2019 Data Breach Hall of Shame," cnet.com, Dec. 27, 2019). To put things in perspective, there were more exposed records than the total number of humans currently populating our planet. Because cyber-attacks are such a booming business for evildoers, rest assured that this scourge is not going away any time soon. The staggering number of breaches seen in 2019 is surely just a warm-up for what lies ahead, as cyber criminals continue to refine and intensify their nefarious techniques.
The information stored by law firms is among the most sensitive, and thus most desirable, data imaginable. Law firm breaches can have catastrophic effects on people's lives, including those of wealthy and powerful world leaders. For example, after the hack of the Panamanian law firm Mossack Fonseca, the offshore dealings of hundreds of politicians were exposed, including those of Russian leader Vladimir Putin (Richard Chirgwin, "'Panama papers' came from email server hack at Mossack Fonseca," The Register, April 5, 2016). Even on a lesser scale, if the details of an acrimonious divorce or business deal were exposed after a data breach, it could result in ruination for personal lives and fortunes alike. As the risks associated with storing information continue to grow, attorneys' ethical responsibility to protect the confidentiality and integrity of the confidential and privileged data they maintain takes on yet greater significance; an attorney's failure to properly understand the technical implications of cybersecurity can have a devastating impact on their clients.
RPC 1.1 establishes the duty to "provide competent representation to a client" and "requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation," which includes the duty to understand the implications and risks associated with technology being used by the attorney to provide representation. RPC 1.6 further establishes the duty to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." Within this context, "inadvertent or unauthorized disclosure" speaks to the duty to understand how to protect data that is being stored electronically, while "unauthorized" adds considerations related to who data is stored with (e.g., cloud services and other third-party providers).
Since the number of lawyers storing data in the cloud continues to grow, reaching almost 60% in 2019 (Dennis Kennedy, "2019 Cloud Computing," www.americanbar.org, Oct. 2, 2019), the primary focus of this article will be on protecting the legal information stored in cloud solutions. The following inquiries address the most pressing concerns related to cloud storage and provide guidance for both current and future solutions used by law firms and businesses in general.
• What security qualifications should a law firm look for when selecting a cloud storage solution? Attorneys have an obligation to understand the security measures and controls that a cloud provider uses to protect data, and to evaluate the adequacy of those measures and controls to safeguard client confidential or privileged information that may be stored within the provider's systems. Attorneys may consider independent third-party auditor certifications (e.g., SOC2) in their evaluation; attorneys may also consider the following four steps as part of their efforts to take "reasonable care" to protect clients' confidential data (NYSBA Opinion 842):
- "Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information";
- "Investigating the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances";
- "Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored"; and/or
- "Investigating the storage provider's ability to purge and wipe any copies of the data, and to move the data to a different host, if the lawyer becomes dissatisfied with the storage provider or for other reasons changes storage providers."
• Who legally owns the client data stored in a cloud storage solution? Rather than taking the risk of waiting until there's a dispute, it is imperative to ensure that all contracts and service level agreements between the attorney and cloud service provider explicitly acknowledge that all data uploaded to or otherwise stored to the cloud storage solution, directly by the attorney or indirectly by the attorney's clients, remains the direct or beneficial property of the attorney.
• What are the requirements/obligations/protections in the event of a subpoena? While performing due diligence before engaging the services of a cloud provider, carefully read the provider's contract and policies regarding timely notice of subpoena (and the provider's definition of "timely"). Understand also that many cloud service providers store data on distributed systems that physically reside in varying locations (which may include states and countries that differ from the provider's primary place of business), and that local jurisdictional laws may apply based on the location where the data is actually stored.
• What happens if the third-party cloud provider experiences a data breach? RPC 1.4 establishes the duty to "keep the client reasonably informed," which would include the duty to notify a client promptly in the event of a data breach that may have exposed or compromised that client's confidential or protected data. To meet this duty to the client, the attorney requires prompt notification from the service provider if a data breach of the service provider's systems has occurred or is suspected to have possibly occurred. Ensure that the provider's contracts, policies and service level agreements provide for timely breach notice to the attorney so that appropriate actions can be taken to notify the client and work to address potential impacts of the breach.
• What happens to client data if the third-party cloud solution goes out of business? Attorneys have a duty to maintain and protect client records, and to return them upon termination of representation. RPC 1.15, RPC 1.16. If a cloud provider experiences a system failure without having adequate backups, or if a cloud provider goes out of business without first returning all stored data to the attorney, then the attorney is at risk of failing to be able to meet these ethical obligations. Attorneys need to understand the data protection and backup practices of cloud service providers before entrusting storage of client data, and need their own business continuity and disaster plans in place to ensure access to data (e.g., local replicas) in the event that data becomes unavailable from a cloud provider.
While the aforementioned answers should strengthen a law firm's ability to protect their clients' data, there are further measures that can be taken to provide additional cyber defenses. The list below outlines some of the most effective deterrents against attackers.
• Awareness and Education. First and foremost, security awareness training should be provided on a regular basis to each and every employee. Cyber attackers are perpetually probing employees with spear phishing attacks—looking for their next victim. Educated end-users will be better able to identify and avoid social engineering attempts, creating a virtual human firewall that greatly reduces the risk of falling prey to spear phishing—the most predominant attack vector used by cyber criminals. An especially effective approach is to combine education with a spear phishing simulation tool, which helps identify those users who may require additional training.
• Penetration Testing. What better way to determine if computer systems are vulnerable to compromise than by simulating an actual attack? Ethical hackers can be enlisted to use the same tools as actual attackers, identifying any weaknesses in an IT environment—such as unpatched operating systems or out-of-date firmware—allowing a firm to correct these issues before an actual attack takes place.
• Two-Factor Authentication. While strong passwords are imperative, they should not be the sole barrier between the outside world and client data. By introducing two-factor authentication, a user will have to enter their credentials as well as, for example, acknowledge a request on their mobile phone before remote connectivity commences. Augmenting a password (the first factor—something the user knows) with the phone acknowledgement (the second factor—something the user has) is minimally intrusive while significantly reducing the risk that a compromised password leads to a data breach.
Electronic storage of client data has provided law firms with the astonishing advantage of being able to access client data from virtually anywhere and at any time. The ability of instantaneous access to client data comes with expectations, chief among them being the ethical responsibility relating to securing this information. While effective data security is no easy task, legal professionals have an ethical obligation to keep their clients' information confidential, safe, and secure.
David J. Rosenbaum and Kevin Ricci are principals at Citrin Cooperman & Company.