Open up any newspaper and you will not have to read far to find a headline on the latest security breach. Privacy Rights Clearinghouse reports that between 2005 and March 2016 there have been 4,766 reported data breaches exposing 898,458,364 records. In the first quarter of 2016 there have been 60 data breaches exposing 2,482,360 records.
Attorneys can not afford to sit idle and assume that their information is secure. The FBI has reported that they are seeing hundreds of law firms being increasingly targeted by hackers and one report noted that 80% of the 100 largest law firms had been hacked since 2011.
Law firms are high-value targets for hackers for one simple reason: law firms hold highly confidential and sensitive data. The legal and ethical obligations that law firms have to their clients demand that this sensitive data be protected through the development and implementation of strong and comprehensive cyber security programs.
The ethical standards to ensure that attorneys and firms maintain the confidentiality of all information relating to the representation of a client are well known. ABA Model Rule 1.6(c) requires that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
The Florida Bar has several similar ethical provisions in place. In addition to the ethical rules, The Florida Bar Board of Governors voted in July of 2015 to approve the addition of the following language to the comment of Florida Bar Rules of Professional Conduct 4-1.1:
“Competent representation may also involve the association or retention of a non-lawyer advisor of established technological competence in the field in question. Competent representation also involves safeguarding confidential information relating to the representation, including, but not limited to, electronic transmissions and communications.”
The comment also added language that lawyers should have “an understanding of the benefits and risks associated with the use of technology.”
In order for a security initiative to be a success it must have the full cooperation of all of the firm’s personnel. That includes both technical and non-technical staff. This requires that all staff are aware of: (1) the information that requires protection; (2) the nature and extent of the risks to that information; (3) the firm’s risk appetite, including an understanding of the risk level to confidential information the firm is willing and legally permitted to tolerate; and (4) the amount of resources the firm is willing and able to commit to insure that level of risk. Many attorneys incorrectly think that security is just for the IT department. While IT has a critical role, everyone, including management, all attorneys, and all support personnel, must be involved for effective security.
Security involves thorough analysis and often requires balancing and trade-offs to determine what risks and safeguards are reasonable. With technology there tends to be a trade-off between security and usability. Strong security often makes technology very difficult to use, while easy to use technology is frequently insecure. The challenge is to find the correct balance among all of these competing factors.
Determining what constitutes “competent and reasonable measures” can be difficult. The ethics requirements should be seen as the bare minimum. Anything less is a violation of an attorney’s professional duties. Attorneys should always strive for stronger safeguards to protect their clients and themselves. In determining what is reasonable, attorneys can look to LegalFuel for guidance. LegalFuel regularly publishes materials and provides educational programs on information security.
Attorneys have ethical and common law duties to take competent and reasonable steps to protect information relating to their clients. Compliance with these duties requires the development, implementation, and maintenance of a comprehensive information security program. Important considerations for attorneys include understanding limitations in their knowledge and experience, obtaining appropriate, qualified assistance, continuing security training, and ongoing review and updating as technology, threats, and available security evolve over time. Particularly important is constant security awareness by all users of technology at all times.