The rise in cybersecurity incidents should sound the alarm bells for law firms and legal professionals alike. State bar authorities across the country have reported that lawyers are being specifically targeted by those carrying out cybercrimes, including data breaches and ransomware attacks. These incidents are becoming more prevalent and even harder to detect given the increased use of and reliance on technology by attorneys in connection with the practice of law. This article discusses the obligations that practitioners have when it comes to cybersecurity and practicing law, steps that can be taken to defend against and respond to cybersecurity incidents and potential consequences from the failure to act.

The Duties of Technological Competence and Safeguarding Client Information, Funds and Property

A lawyer's duty to keep up with advancements in technology that impact the practice of law stems from the ethical obligation of competence rooted in ABA Model Rule 1.1. As a comment to the rule explains, "to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology." Comment [8] to ABA Model Rule 1.1. There is also an ethical duty to take reasonable measures to safeguard client information entrusted to the lawyer and to prevent its unauthorized disclosure. See ABA Model Rule 1.6(c)("A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."); see also ABA Comm. on Ethics & Prof'l Responsibility, Formal Op. 483 (Oct. 17, 2018)("When a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach.").