Worried About Complying with ABA Opinion 483 on Cybersecurity? Fear No More
In response to the omnipresent threat of cyberattacks, the American Bar Association issued Formal Opinion 483, which addresses the obligations imposed upon lawyers to safeguard their clients' data. Here's how to achieve compliance.
November 27, 2018 at 02:15 PM
In response to the omnipresent threat of cyberattacks, on Oct. 16, the American Bar Association Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483 (the “Opinion”). The Opinion addresses the obligations imposed upon lawyers to safeguard their clients' data and to notify them of a data breach. While the ABA meticulously listed the six Model Rules which support its conclusions that lawyers have a duty to become proficient in cybersecurity, it did not identify how to achieve compliance. This article bridges that gap.
Cybersecurity Obligations Under Formal Opinion 483
The Opinion relies upon ABA Model Rules of Professional Conduct Rule 1.1 (competence), Rule 1.4 (communications), Rule 1.6 (confidentiality of information), Rule 1.15 (safekeeping property), Rule 5.1 (responsibilities of a partner or supervisory lawyer), and Rule 5.3 (responsibilities regarding nonlawyer assistance) to conclude that a lawyer must take reasonable steps to monitor for a data breach, to stop it when it happens, to restore the systems after a breach, to determine what occurred, and to provide notice of the breach if it materially affects the lawyer's ability to represent the client.
When a breach of protected client information is either suspected or detected, Model Rule 1.1 requires the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.
Under Model Rule 1.4, lawyers have a duty to notify clients of a data breach in sufficient detail to keep clients “reasonably informed” and with an explanation “to the extent necessary to permit the client to make informed decisions regarding the representation.”
Model Rules 1.6 and 1.15 emphasize the obligation to take reasonable precautions to safeguard client data. The Opinion states, “[l]awyers who maintain client records solely in electronic form should take reasonable steps (1) to ensure the continued availability of the electronic records in an accessible form during the period for which they must be retained and (2) to guard against the risk of unauthorized disclosure of client information.”
Further, the Opinion states that, in support of Model Rules 5.1 and 5.3, lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.
In light of the above, the ABA recommends a fact-specific approach to business security, which requires the lawyer to undertake a process to: (i) assess risks, (ii) identify and implement appropriate security measures responsive to those risks, (iii) verify the measures are effectively implemented, and (iv) ensure they are continually updated in response to new developments. The ABA's recommendation is consistent with cybersecurity best practices and incorporates the essential elements of a cybersecurity program.
We address each of the steps below and make suggestions to satisfy them.
Risk Assessment
The ABA recommends a lawyer assess the security risks associated with his or her own law practice. The starting point for this exercise is a cybersecurity risk assessment. This type of assessment focuses on the value of the information stored within a business's computer systems (both onsite and cloud based) and anticipates the losses that may be incurred if that information is exposed, destroyed, stolen or becomes otherwise inaccessible. The assessment identifies and categorizes the electronic data, where the data is located, who has access to it, and the ability of the business's current cybersecurity controls to protect it against harm. This catalog of information will allow the lawyer to build, upgrade and maintain systems, processes and protocols which will ultimately reduce the risk of a cybersecurity incident, limit the exposure should an incident occur, and enable the lawyer to satisfy the duties set forth in the Opinion, as well as respond to any regulatory notification requirements in an efficient manner.
Policies and Procedures/Chief Information Security Officer
Written policies and procedures for the handling of data are an essential element of a firm's cyber risk management plan. In general, the documents provide a roadmap for day-to-day operations, ensure compliance with laws and regulations, and give guidance for decision-making. In terms of cybersecurity, they ensure sensitive data is appropriately and consistently accessed and handled, systems are hardened and maintained, and detection protocols and procedures are available to guide the firm's response to a critical event.
The stages of policy development include: identifying the needs of the firm, determining who will be on the team, gathering information, drafting policy, consulting with stakeholders, finalizing and approving, and then monitoring, reviewing and revising. This task is typically led by a Chief Information Security Officer (CISO)—historically a member of the firm, but more recently, an outside virtual CISO—who is responsible for establishing and maintaining the firm's overall vision, strategy and program to ensure its digital assets are adequately protected.
Verification Process
In conjunction with the development of the firm's policies and procedures for handling data and responding to security events, the lawyer must also verify that the measures being adopted are effectively implemented. Similar to the auditor independence rules in the accounting field, cybersecurity and IT consultants should not audit their own work. Rather, a separate firm should be retained to conduct vulnerability assessments and penetration tests to verify that the protections put in place are working. These tools are designed to evaluate the strength or weakness of a particular piece of software (computer operating systems, programs, applications), or hardware (routers, firewalls), or business processes (data flow and usage), and the channels over which the business's information flows (third-party vendors, cloud storage, email). The results these tools yield help refine the firm's ongoing risk assessment and remediation.
Monitoring Software/Cybersecurity Training
To ensure the firm's systems are continually updated and protected, the firm can avail itself of a number of technological tools and techniques. These include proactive cyber-threat hunting, operating system security and event log review, advanced anti-malware software, and security awareness training programs for employees. Utilizing these tools will align the firm with the Opinion's commentary about knowing when a breach occurs, quickly containing it, and determining what data is affected. By installing endpoint detection and response sensors on the firm's computers and servers, a lawyer can (in near real time) know when the firm's data is at risk, and from which computer or server the threat was spawned. Next-generation anti-malware (i.e., based on machine learning/artificial intelligence) further advances the Opinion's goals regarding containment. Training employees to spot suspicious emails and attachments also furthers the Opinion's directives that lawyers take reasonable precautions to safeguard client data.
Incident Response Plans
The Opinion specifically recommends a lawyer develop an incident response plan to guide the firm in responding to a breach. “One of the benefits of having an incident response capability is that it supports responding to incidents systematically (i.e., following a consistent incident handling methodology) so that the appropriate actions are taken.”
An incident response plan is a multi-disciplinary approach to addressing and managing both the preparations for, and aftermath of, a security incident. It should include the in-house IT staff, a representative from management, an outside cybersecurity consultant, a public relations firm, and, potentially, outside legal counsel.
From a technical perspective, the primary goals of an incident response plan are to: (A) rapidly contain any ongoing (i) data loss, theft, corruption and/or unauthorized access, and (ii) damage to software and/or hardware; (B) preserve evidence for future analysis/investigation; and (C) reduce recovery time and costs.
Developing an incident response plan is not a task that can be accomplished in a day. It is a process that requires thought and several layers of development. The incident response team must first understand the most critical components of the firm's systems and the impact upon the business should those systems become unavailable. Thereafter, the team must define each member's role when an incident occurs, and what steps are to be taken during different scenarios (email compromise vs. ransomware vs. data exfiltration vs. loss of a cell phone or laptop, etc.). Often, incident response teams will simulate scenarios and perform tabletop exercises to spot pitfalls in the plan, and then adapt the program to address the weaknesses identified.
Conclusion
Cyberattacks are constantly changing, and even the most diligent lawyer can succumb to a data breach. Adopting the aforementioned security programs, installing threat hunting/monitoring tools, providing an employee training program, and testing your incident response plan will greatly enhance your ability to withstand an attack and satisfy the obligations set forth in the Opinion.
Larry J. Hershman is the managing partner of Black Cipher Security, a cybersecurity consultancy based in Cherry Hill. Jeffrey S. Brenner serves as the firm's digital forensics practice leader.