Safeguarding Client Data: An Attorney's Duty to Provide 'Reasonable' Security
Effective cybersecurity requires an ongoing, risk-based, comprehensive process that addresses people, policies and procedures, and technology, including training. Effective security also requires an understanding that security is everyone's responsibility and constant security awareness by all users of technology.
April 18, 2019 at 10:20 AM
Confidential data in computers and information systems, including those used by attorneys and law firms, faces greater security threats today than ever before. They take a variety of forms, ranging from email phishing scams and social engineering attacks to sophisticated technical exploits resulting in long-term intrusions into law firm networks. They also include lost or stolen laptops, tablets, smartphones and USB drives, as well as inside threats—malicious, untrained, inattentive, and even bored personnel. These threats are a particular concern to attorneys because of their ethical duties of competence and confidentiality.
Duty to Safeguard
Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients and also often have contractual and regulatory duties to protect confidential information.
- Ethics rules. Several ethics rules in the ABA Model Rules of Professional Conduct and the Pennsylvania Rules of Professional Conduct have particular application to protection of client information, including competence (Rule 1.1), communication (Rule 1.4), confidentiality of information (Rule 1.6) and supervision (Rules 5.1, 5.2 and 5.3).
Model Rule 1.1: Competence covers the general duty of competence. It provides that “a lawyer shall provide competent representation to a client.” In 2012, accepting the recommendations of the ABA Commission on Ethics 20/20, the ABA amended the Comment to Rule 1.1 to make explicit that competence includes keeping abreast of “the benefits and risks associated with relevant technology.” Pennsylvania has adopted this addition.
Rule 1.4: Communications requires appropriate communications with clients. It requires keeping the client informed and, depending on the circumstances, may require obtaining “informed consent.” It requires notice to a client of a compromise of confidential information relating to the client.
Model Rule 1.6: Confidentiality of Information generally defines the duty of confidentiality.
The 2012 ABA amendments added the following new subsection to Rule 1.6: (c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
The 2012 amendments also include additions to Comment [18] to Rule 1.6, providing that “reasonable efforts” require a risk-based analysis, considering the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed and consideration of available safeguards. The analysis includes the cost of employing additional safeguards, the difficulty of implementing them, and the extent to which they would adversely affect the lawyer's ability to use the technology. The amendment also provides that a client may require the lawyer to implement special security measures not required by the rule or may give informed consent to forego security measures that would otherwise be required by the rule. Pennsylvania has also adopted these amendments.
Model Rule 5.1: Responsibilities of Partners, Managers and Supervisory Lawyers and Model Rule 5.2: Responsibilities of a Subordinate Lawyer include the duties of competence and confidentiality. Model Rule 5.3: Responsibilities Regarding Nonlawyer Assistants was amended in 2012 to expand its scope. “Assistants” was expanded to “Assistance,” extending its coverage to all levels of staff and outsourced services ranging from copying services to outsourced legal services. This requires attorneys to employ reasonable safeguards, like due diligence, contractual requirements, supervision, and monitoring, to ensure that nonlawyers, both inside and outside a law firm, provide services in compliance with an attorney's ethical duties, including confidentiality.
- Ethics Opinions. Pennsylvania Formal Opinion 2011-200, “Ethical Obligations for Attorneys Using Cloud Computing/Software as a Service While Fulfilling Ethical Duties of Confidentiality and Preservation of Client Property,” while predating these ABA and Pennsylvania rules amendments, takes a consistent approach.
The ABA has issued two formal ethics opinions on security topics since the 2012 rules amendments. ABA Formal Opinion 477, “Securing Communication of Protected Client Information” (May 2017), while focusing on electronic communications, also explores the general duties to safeguard information relating to clients in light of current threats. It suggests a fact-based analysis and concludes “the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication,” but “particularly strong protective measures, like encryption, are warranted in some circumstances.”
In October, the ABA published Formal Opinion 483, “Lawyers' Obligations After an Electronic Data Breach or Cyberattack.” It reviews lawyers' duties to safeguard data and concludes “[w]hen a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under these model rules.”
Complying With the Duties
Understanding the applicable duties is the first step. The next, and harder, step is compliance: designing, implementing and maintaining an appropriate risk-based information security program, scaled to the size of the practice and the sensitivity of the information.
Information security is a process to protect the confidentiality, integrity, and availability of information. Comprehensive security must address people, policies and procedures, and technology. While technology is a critical component of effective security, the other aspects must also be addressed.
An equally important concept is that security requires training and ongoing attention. It must go beyond a one-time “set it and forget it” approach. A critical part of a law firm security program is constant vigilance and security awareness by all users of technology.
At the ABA Annual Meeting in August 2014, the ABA adopted a resolution that encourages all private and public sector organizations (which includes law firms) “to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.”
The first step for a security program is assigning responsibility for security. This includes defining who is in charge of security and defining everyone's role, including management, attorneys and support personnel.
The security program starts with an inventory of information assets to determine what needs to be protected, followed by a risk assessment to identify anticipated threats to those assets. The next step is development, implementation, and maintenance of a comprehensive information security program that employs reasonable physical, administrative, and technical safeguards against the identified risks. This is generally the most difficult part of the process. It must address people, policies and procedures, and technology, and include assignment of responsibility for security, policies and procedures, controls, training, ongoing security awareness, monitoring for compliance, and periodic review and updating.
An information security program should cover the core security functions: identify, protect, detect, respond, and recover. While detection, response, and recovery have always been important parts of security, they have too often taken a back seat to protection. Since security incidents and data breaches are increasingly viewed as sometimes being inevitable, these other functions have taken on increased importance.
The requirement for lawyers is reasonable security, not absolute security. Recognizing this concept, the Ethics 20/20 amendments to the Comment to Model Rule 1.6 include “the unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”
Security involves thorough analysis and often requires balancing and trade-offs to determine what risks and safeguards are reasonable under the circumstances. There is frequently a trade-off between security and usability. Strong security often makes technology very difficult to use, while easy-to-use technology is frequently insecure. The challenge is striking the correct balance among all of these often-competing factors.
As noted above, the Ethics 20/20 amendments to Comment [18] to Rule 1.6 provide some high-level guidance for a risk-based analysis for determining the reasonableness of the lawyer's efforts to safeguard client data.
A comprehensive security program should be based on a standard or framework. One that is commonly used is the National Institute of Standards and Technology (NIST) “Framework for Improving Critical Infrastructure Cybersecurity,” Version 1.1 (April 2018).
There are more comprehensive standards. NIST Special Publication 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations” (April 2013), and the standards it references provide a comprehensive catalog of controls and a process for selecting and implementing them through a risk management process; it is designed for government agencies and large organizations. The International Organization for Standardization's ISO/IEC 27000 family of standards provides consensus international standards for comprehensive Information Security Management Systems (ISMS) and their elements.
NIST's “Small Business Information Security: The Fundamentals,” NISTIR 7621, Revision 1 (November 2016), provides NIST's recommendations for small businesses based on the Framework.
In March 2019, NIST announced a new online Small Business Cybersecurity Corner. In October 2018, the Federal Trade Commission published a new website with cybersecurity resources for small businesses.
Attorneys and law firms will often need assistance in developing, implementing and maintaining information security programs because they do not have the requisite knowledge and experience. For those who need assistance, it is important to find an IT consultant with knowledge and experience in security or a qualified security consultant. Qualified consultants can provide valuable assistance in this process. A growing trend is to outsource part of the security function by using a managed security service provider for functions such as remote administration of security devices like firewalls, remote updating of security software, and 24/7/365 remote monitoring of network security.
Law firms are increasingly obtaining cyberinsurance to transfer some of the risks of confidentiality, integrity and availability of data in their computers and information systems. This emerging form of insurance can cover gaps in more traditional forms of insurance, covering areas like restoration of data, incident response costs, and liability for data breaches.
Conclusion
Attorneys have ethical and common law obligations to take competent and reasonable measures to safeguard information relating to clients and often have contractual and regulatory requirements. Attorneys and law firms that have not implemented comprehensive cybersecurity programs to address them should make a program a high priority. Those who have programs should periodically review and update them.
David G. Ries, of counsel at Clark Hill, practices in the areas of environmental, technology and data protection law and litigation. He has increasingly focused on cybersecurity, privacy and information governance in his practice. Contact him at [email protected].