Small and Mid-Sized Law Firms Must Urgently Reconsider Cyberattacks and Cybersecurity
Many small and mid-sized law firms are at an increased threat for cyberattacks resulting from failure to take adequate cybersecurity precautions. Smaller law firms often lack the expertise and willingness to expend operating costs on proper cybersecurity. Law firms operating without properly developed cybersecurity plans and safeguards are at risk for violating Rules of Professional Conduct and exposure to the very real threat of cyberhacking.
ABA Model Rules of Professional Conduct (MRPC) require consideration of cybersecurity issues.
MRPC 1.1 provides, “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” ABA’s comment 8 to the rule states, “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
MRPC 1.6(c) provides, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The rule applies to email communication.
Additionally, ABA’s Formal Opinion 477 states that, “[A] lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.” While, Formal Opinion 483 provides that, “when a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under these Model Rules.”
The Opinions make it clear that “the potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.” The opinion further states that “As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.”
Too many law firms are taking cybersecurity for granted; however, recent email spoofing and hacking incidents are bringing more light and attention to the issue of cybersecurity.
Smaller law firms often have the mentality that only large firms are at risk for being targeted. However, in addition to the traditional approach of throwing out a wider net for potential hacking targets, computer hackers are now also specifically targeting smaller law firms because they are seen as easy targets when compared to larger law firms and financial companies that have invested in cybersecurity over the years.
Additionally, law firms take for granted the vast amounts of their clients’ confidential information in their possession. Found with law firms’ files is a wide range of information ranging from personally identifiable information, to private medical records, and finally personal and corporate financial information. This information makes law firms very attractive targets for computer hackers.
Experts recommend that law firms develop and employ adequate cybersecurity measures. A leading recommendation is implementing two-factor authentication for access to firms’ computer systems and email, which requires users to authenticate with a second, constantly changing code available on the user’s smartphone. This assists in preventing cyber-attacks utilizing email spoofing, leading to recent cases where individuals were fraudulently convinced to transfer large sums of money to hackers.
Ultimately, as today’s hacking and spoofing attacks become more sophisticated, law firms must recognize and acknowledge the reality of existing threats, develop and implement reasonable security measures, and finally consider retaining the services of outside technical experts and/or outsourcing the firm’s cybersecurity to third-party companies that specialize in this field.