Cybersecurity Education for Lawyers
In his column on State E-Discovery, Mark A. Berman discusses the importance of educating lawyers about cybersecurity protection of confidential and proprietary client and law firm electronic information.
July 06, 2020 at 01:00 PM
9 minute read
One of the most pressing issues facing our legal profession, whether you are a solo practitioner or from a large firm, is the need for cybersecurity protection of confidential and proprietary client and law firm electronic information. Thus, on June 13, 2020, the House of Delegates of the New York State Bar Association (NYSBA) overwhelming approved the Report of the Committee on Technology and the Legal Profession, presciently proposed prior to the pandemic, to recommend to the New York State Continuing Legal Education Board that the biennial CLE requirement be modified to require one credit of cybersecurity for each of the next two-year CLE cycles.
The Report was supported by the NYSBA Committee on Continuing Legal Education. In addition, it was supported by the Young Lawyers Section, the Elder Law and Special Needs Section, and the Women in the Law Section, as well as substantive sections consisting of the Trial Lawyers Section, the Commercial and Federal Litigation Section, the Corporate Counsel Section, and the Trusts and Estates Law Section. Only the State and Local Government Section opposed the Report. If approved by the CLE Board, New York State would be the first state in the nation to have a cybersecurity CLE requirement.
Social engineering is the psychological manipulation of people in order to convince them to divulge confidential information. Educating lawyers on how to avoid social engineering attacks is imperative because studies have shown that upwards of 97% of malware attacks targeted users through social engineering hacking attempts, and only 3% targeted the technical infrastructure of a company.
Through social engineering, appearing to be associated in one form or another with a lawyer, the law firm, a vendor or friend, a bad actor may seek to convince a lawyer or her staff to provide to him access to confidential information, secured information or a password. Everyone knows or has heard of a lawyer who has been digitally scammed and money wired by a law firm that was diverted to criminals, or has clicked on a malicious link or attachment at the office or on a mobile device causing havoc to a computer network. If lawyers, whether from a solo practitioner or a large firm, are educated on how to recognize and then prevent phishing and hacking attempts, they can minimize damage to their own practice and to their clients who may get infected through a law firm's virus. Lawyers also need to be educated on how insurance may cover them in the event of such an attack.
Education of lawyers is key where ransomware attacks caused by insidious emails have shut down law firms, school districts and municipalities. Significantly, government employees, including lawyers, who utilize mobile devices, are increasingly being targeted, and one recent scam involved COVID-19 messaging that directed government employees to a website disguised as a page for arranging meal deliveries. The ploy was designed to steal government workers' Google account login credentials.
|The Statistics Demonstrate Lawyer Education Is Required
The New York Law Journal (NYLJ) reported in an October 2019 article, entitled "Eight NY Law Firms Reported Data Breaches as Problems Multiply Nationwide," that the number of law firm data breaches in New York State doubled in 2018 and that "[d]espite a number of high-profile breaches putting firms on notice of cyber risks in recent years, there are indications that law firm breaches are occurring more frequently, not less." The article reported that some cybersecurity lawyers and consultants said the numbers "likely represent a tiny fraction of the breaches affecting the legal industry. Law firms, like other privately held businesses, don't often publicize when their data is breached, and many may not report it to state officials, depending on the law." The NYLJ also reported in another October article entitled, "How Vendor Breaches Are Putting Law Firms at Risk," that "[e]xternal breaches, including phishing and hacking as well as vendor incidents, were the most commonly identified source of data exposure events reports by law firms."
Also, in an October 2019 article, entitled "As Hackers Get Smarter, Can Law Firms Keep Up?," the NYLJ reported that "large and small law firms can do much better in preventing and reacting to data breaches" and "cautioned that the legal sector may risk falling behind other industries." The NYLJ noted that "[w]hile hackers are getting smarter, it's also the case that some law firms aren't keeping up with security guidelines developed inside the industry and in other professional fields, according to legal industry surveys and interviews with security consultants and law firm leaders." Critically, the NYLJ article made clear that "[e]thics laws require lawyers to keep pace with technology to protect client information. Still, some observers point to a slow pace of budding ethics rules on cybersecurity questions."
|New York's Ethical Framework
NYSBA Committee on Professional Ethics Op. 950 provides:
A fundamental principle in the client-lawyer relationship "is that, in the absence of the client's informed consent or except as permitted or required by the Rules of Professional Conduct (the "Rules"), the lawyer must not knowingly reveal information gained during and related to the representation, whatever its source." Rule 1.6, Cmt. [2]. The attorney not only has an obligation to refrain from revealing such information, but also must exercise reasonable care to prevent its disclosure or use by "the lawyer's employees, associates, and others whose services are utilized by the lawyer." (emphasis added).
NYSBA Committee on Professional Ethics Op. 1019 further provides that the duty of "reasonable care":
does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered to determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.
In fact, NYSBA Committee on Professional Ethics Op. 842 provides that a lawyer must take reasonable care to affirmatively protect a client's confidential information. It further notes that:
Cyber-security issues have continued to be a major concern for lawyers, as cyber-criminals have begun to target lawyers to access client information, including trade secrets, business plans and personal data. Lawyers can no longer assume that their document systems are of no interest to cyber-crooks. That is particularly true where there is outside access to the internal system by third parties, including law firm employees working at other firm offices, at home or when traveling, or clients who have been given access to the firm's document system.
* * *
In light of these developments, it is even more important for a law firm to determine that the technology it will use to provide remote access (as well as the devices that firm lawyers will use to effect remote access), provides reasonable assurance that confidential client information will be protected. Because of the fact-specific and evolving nature of both technology and cyber risks, we cannot recommend particular steps that would constitute reasonable precautions to prevent confidential information from coming into the hands of unintended recipients, including the degree of password protection to ensure that persons who access the system are authorized, the degree of security of the devices that firm lawyers use to gain access, whether encryption is required, and the security measures the firm must use to determine whether there has been any unauthorized access to client confidential information.
New York ethics opinion thus make clear that lawyers have an affirmative duty to protect confidential and proprietary client and law firm information and to stay current on cybersecurity threats, including the risk of being electronically compromised and what anticipatory or counter-measures should be reasonably implemented in order to safeguard client and law firm confidential and proprietary information.
|The SHIELD Act Needs to Be Taught
Required education of lawyers on the issue of cybersecurity has become even more imperative now that New York has enacted the Stop Hacks and Improve Electronic Data Security or "SHIELD" Act, which applies to all law firms. Lawyers need to understand what is required under the SHIELD Act of them and their clients. The SHIELD Act creates, for the first time, substantive security requirements for persons or businesses that hold the "private information" of New York residents, and it: (1) expands the types of data that may trigger data breach notification to include user names or e-mail addresses, and account, credit or debit card numbers; (2) broadens the definition of a breach to include unauthorized "access" (in addition to unauthorized "acquisition"); and (3) creates a new reasonable security requirement for companies to "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of" private information of New York residents. Safeguards may include designating employees to coordinate a security program, conducting risk assessments and employee training on security practices and procedures, selecting vendors capable of maintaining appropriate safeguards and implementing contractual obligations for those vendors, and securely disposing of private information within a reasonable time.
The SHIELD Act, as it applies to solo practitioners and small law firms, requires those persons and entities to ensure that there "are reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information the small business collects from or about consumers."
Mark A. Berman is a partner at Ganfer Shore Leeds & Zauderer and an ex officio co-chair of the New York State Bar Association's Committee on Technology and the Legal Profession, which authored the subject Report. He was also the founding co-chair of the Social Media Committee of NYSBA's Commercial and Federal Litigation Section as well as a former Chair of the Section.
|This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllAs Second Trump Administration Approaches, Businesses Brace for Sweeping Changes to Immigration Policy
As 'Red Hot' 2024 for Legal Industry Comes to Close, Leaders Reflect and Share Expectations for Next Year
7 minute readLaw Firms Mentioned
Trending Stories
- 1The Key Moves in the Reshuffling German Legal Market as 2025 Dawns
- 2Social Media Celebrities Clash in $100M Lawsuit
- 3Federal Judge Sets 2026 Admiralty Bench Trial in Baltimore Bridge Collapse Litigation
- 4Trump Media Accuses Purchaser Rep of Extortion, Harassment After Merger
- 5Judge Slashes $2M in Punitive Damages in Sober-Living Harassment Case
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250