August 22, 2019

The State of Cybersecurity in Congress

What Attorneys and Law Firms Should Know

The ABA has long recognized that enhancing the protection of computer systems utilized by lawyers must be a priority, and this vigilance must extend to other critical sectors, as well. With that in mind, we closely monitor legislative and executive branch actions involving ABA-approved principles for cybersecurity improvements, and advocate for policies designed to prevent unauthorized intrusions into the computer systems and networks used by lawyers.

A major focus in Congress continues to be its response to the Cybersecurity Information Sharing Act of 2015 (CISA), which became law almost four years ago. This comprehensive cyber information sharing legislation created a system that allows private sector entities to share information about cyber threat indicators with the Department of Homeland Security. With that in place, Congress is focusing its attention on what to do with all this new information.

ABA member David Turetsky is currently coordinating a survey to determine how law firms around the country are implementing this system. “Recognizing that cybersecurity has become one of the top issues for law firms, the ABA Cybersecurity Legal Task Force is asking a select number of law firms to share their perspectives on cybersecurity information-sharing (i.e., communications with other law firms about threats, defenses, exercises, and so on),” Turetsky writes. ABA statistics from last year showed that 23% of law firms reported a breach at some point, a 9% increase from the prior year. Eleven percent of solo practitioners also reported experiencing a breach of sensitive client data last year.

At the ABA’s annual meeting earlier this month, Mr. Turetsky presented some of the survey’s initial results. So far, the survey indicates limited usage of cyber information-sharing opportunities by small firms and higher participation by medium and large firms. Many reported that the new system helps secure their cyber networks by fostering the prompt sharing of cyber threat indicators with key government officials. Small firms still struggle to effectively incorporate adequate cybersecurity measures because of limited available resources.

Almost 30 cyber-related bills have already been introduced during the 116th Congress, but few have generated much interest. Congress is debating the use of encryption technology and whether law enforcement should be granted access to encrypted data. Bills addressing key issues like election security and data breaches have so far failed to gain momentum at the federal level, but states are acting to shore up their election systems and to hold companies accountable for failing to adequately secure private consumer information.

In the last Congress, the ABA supported H.R. 584, the Cyber Preparedness Act, which would have fostered more cyber threat information sharing between the Federal government and state and local governments. The bill passed the House in an overwhelmingly bipartisan manner, but was, unfortunately, not considered by the Senate.

The President’s budget request for fiscal year 2020 included more than $17.4 billion for cybersecurity efforts across federal agencies – a $790 million increase from fiscal year 2019. Congress is expected to renew its consideration of specific funding requests as part of the appropriations process when it returns from recess next month.

Cyberattacks continue to occur at an alarming rate with no sign of abating, and several recent data breaches represent cybersecurity failures across all levels. The ABA will continue to monitor, analyze and aid policymakers as they debate ways to better protect our cyber systems. We will also advocate for policy measures that foster information sharing and balance security measures with privacy concerns.

While legislative solutions remain subject to debate, the ABA continues to assist lawyers by sharing cyber-related best practices. For example, the ABA Cybersecurity Legal Task Force developed a Cybersecurity Checklist as part of a vendor contracting project to help procuring organizations, vendors, and their respective counsel address information security requirements in their transactions. This checklist frames the issues parties should consider consistent with common principles for managing cybersecurity risk. The Task Force also published a Cybersecurity Handbook to help attorneys and law firms better protect themselves from potential cyber threats and dedicated a portion of its website to resources and best practices for solo and small firms.

For more information about ABA advocacy surrounding these and other issues, please visit the Grassroots Action Center.