Cybersecurity experts had a sobering message for the audience at a recent American Bar Association panel discussion: Preventing malicious cyberattacks is an obligation that falls on lawyers, if they want to protect their clients’ information.

The panel, held as part of the American Bar Association Annual Meeting in San Francisco on Aug. 9, discussed the threats of cybersecurity breaches at law firms. The session was moderated by ABA Cybersecurity Legal Task Force co-chair Ruth Hill Bro and included Option Care vice president and chief information security officer Jill Rhodes, Adams and Reese partner Lucian Pera and Silicon Valley Law Group shareholder Stephen Wu.

“The bottom line is, it starts with you,” Rhodes said. “Everyone in your firm should be thinking about information security; it needs to be integrated into the culture. We have to understand and prioritize the risk.”

She said law firms should constantly be asking themselves: “Where is our data, where is the risk that data is bringing in, how are we protecting that data?”

Listing a number of data breaches at major companies in recent years—including Uber, Equifax, Marriott and Facebook—Rhodes emphasized the massive impact of a cyber breach, explaining that the lessons learned from the breaches apply to all businesses, including law firms.

Rhodes said she believes 75% of data breaches are caused not by technology malfunctioning but by the mishandling of information by the company and its employees. She urged businesses to think about cybersecurity at the company governance level, advising employees to guard their client information with more care.

Because law firms often operate as a repository of sensitive client information, they have increasingly become prime targets for cybersecurity attacks. But law firms are relatively unprepared for continually emerging threats, according to the panelists.

“My view is that all of us as lawyers—we don’t care if you are solo or if you’re with some thousand-lawyer megafirm … you’ve got the personal obligation to have some clue how to deal with these issues and some level of understanding of ethical obligations,” said Pera, the past chair of the governing board of the ABA Center for Professional Responsibility.

“You’ve got to also have some understanding of every piece of technology that you use,” he added.

In the past two years, the Center for Professional Responsibility has issued Formal Opinions 477R, 482 and 483 that outline lawyers’ ethical obligations to combat cyberattacks. In addition, ABA Model Rule of Professional Conduct 1.1 states a lawyer “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

Pera said ethics rules “require” lawyers to be able to get help with security concerns. “If you don’t have on your cellphone—maybe in your wallet, if you are old school—the phone number of the person you’re gonna call if your laptop gets stolen … then you have a problem,” he added.

As the storage of information has moved from paper-based to computers, and now to the cloud, Wu, a Silicon Valley-based lawyer, said he has observed: “Accessibility of information has expanded exponentially.”

“So, when we’re trying to protect client confidentiality, now we have to think about who has access to that information, from what device and how? And through what network?” Wu said. “It literally could be anywhere in the world.”

Clients also are imposing cybersecurity requirements on their law firms, Bro added, noting her company will conduct questionnaires and technology assessments to determine if their outside counsel take proper measures to protect client data.

“We assess all of the firms,” she said. “We work with several different firms in my company, we go out to assess all of them.”