COVID-19 Resource Center

January 17, 2017

Protecting Firm and Client Information Against Cyber Risks

Technological advances continue to expand the scope of risks that the legal profession experiences in maintaining the privacy and security of privileged client information in a secure, yet increasingly mobile, environment.  Often, cyber security breaches against law firms are initiated by those seeking our clients' corporate secrets, such as plans for mergers and acquisitions, intellectual property, public securities information, and at times even records of criminal defense actions that may be used in extortion efforts.

However, solo practitioners and smaller firms should not be lulled into the false thinking that they and their clients are immune from cyber risks.  Our entire profession in all areas must be on guard, including mega-firms. smaller boutique firms and yes, solo practitioners.  We all have valuable and sensitive information that, if revealed, could harm our clients.

Cyber security incidents and breaches initiated by criminals are not the only cause of concern.  Whether our electronic data is maliciously accessed by criminals, disclosed by disgruntled former employees, or inadvertently leaked through untrained staff or flaws in cyber security measures, any of these scenarios could be devastating to our clients, either financially, to their reputation, or both.

Lawyers have an affirmative duty to manage the risks of technology as it pertains to client information.  ABA Model Rule 1.6(c) imposes an ethical duty on a lawyer to "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."  A lawyer's duty to keep abreast of changes in the law and its practice includes the benefits and risks associated with relevant technology.

So what can lawyers and law firms do to address these risks?

1.  Develop a Culture of Security Among All Employees

Cultivate a security culture in your practice and throughout your office.  Educate yourself about technology so that you can better understand the risks and can become reasonably conversant in this area.  Many breaches occur through staff members who are heavy technology users.  So, do not forget to include your staff in the education and training process.

2.  Perform an Audit to Identify Security Risks

Make sure your firm maintains good computer habits, such as using firewalls and keeping anti-virus software up-to-date.  It is important to have policies and procedures in place to protect your mobile devices that contain privileged information.  Remember to use strong passwords and change them frequently.  Encrypting electronic communications containing privileged or sensitive information is always a good practice.

3.  Distinguish Between Liability and Security

As part of their planning and due diligence in advance of an event, lawyers often assess risk in large part according to liability, rather than with respect to prevention and recovery.  In addition to understanding the nature and scope of legal and financial liability for any breach, lawyers should be more deliberate in taking all available steps to identify security risks and to take corrective measures to improve security, address the breach response actions to mitigate damages and have a plan for all necessary corrective action.

4.  Prepare an Incident Response Plan

Prepare a written incident Response Plan ("IRP") appropriate to your firm's unique practice and risks.  An IRP is like an evacuation plan for a cyber security incident.  An IRP outlines a step-by-step response strategy to a data security incident.  An IRP can provide some peach of mind that if a cyber breach occurs, you have a plan in place to minimize the firm's risk and to protect your clients from exposure.

5.  Discuss Cybersecurity with your Clients

Speak with your clients about your firm's cybersecurity protocols as well as their use of safeguarding measures.  Discussing potentially sensitive data and agreeing upon a means to protect it will likely be welcomed by the client as it gives them a sense of security when communicating with you.