2020 Cybersecurity

The results are in for this year’s Legal Technology Survey Report conducted by the American Bar Association’s Legal Technology Resource Center (LTRC). As in past years, the 2020 Survey collected information from attorneys in private practice on a host of topics concerning the use of technology in the practice of law. Responses came from attorneys practicing in a wide range of settings: solos (26%); firms of 2-9 attorneys (30%); firms of 10-49 attorneys (17%); firms of 50-99 attorneys (5%); firms of 100-499 attorneys (10%), and firms of 500+ attorneys (12%).

Using the information collected, the LTRC prepared its 2020 Survey, consisting of five volumes:

1. Technology Basics & Security
2. Law Office Technology
3. Marketing & Communication Technology
4. Online Research
5. Litigation Technology & E-Discovery

The 2020 Survey includes a detailed analysis of the responses to the 262 questions, along with trend reports comparing results to prior years. The “Technology Basics & Security” responses were for 21 questions focused on security, covering technology policies, security tools, security breaches, viruses/spyware/malware, physical security measures, and backup.

This TechReport discusses how the 2020 Survey results compare to prior years in the specific areas of incident awareness and incident response planning. First, however, it is appropriate to consider generally the ethical and legal issues at stake as well as the state of cybersecurity threats at the current time.

Ethical and Legal Considerations; Cybersecurity Threats

Last year’s cybersecurity TechReport discussed fundamental ethical rules of competency, communication, and confidentiality which underscore the importance of cybersecurity to the profession. Those rules remain very much applicable and should be ingrained into daily practice. In addition, last year’s TechReport noted ABA Standing Committee on Ethics and Professional Responsibility Formal Opinion 483 “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (October 17, 2018), which provides that “the potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.” The Opinion also states that “As a matter of preparation and best practices... lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.”

In addition to ethical obligations of the profession, lawyers and firms are bound as well, of course, to any applicable state and federal laws governing information security and data breach obligations—a point specifically recognized by Opinion 483. Legislative attention in this area is rampant as evidenced by the Stop Hacks and Improve Electronic Data Security (“SHEILD”) Act enacted by New York in 2019 and the California Consumer Privacy Act (CCPA) which became effective in January 2020.

Interestingly, the answers to the 2020 Survey were collected between March and May 2020—a time when the impacts of COVID-19 were first suffered by many personally and professionally. During that time, numerous law firms shut down offices and moved all personnel to virtual, remote working environments. The ABA highlighted the heightened cybersecurity risks in March 2020 through a variety of means including a webinar on Remote Working in a Time of COVID-19: Cybersecurity Issues You Need to Know and discussion in articles such as “Experts Warn Lawyers of Cyber Risks to Remote Work.”

Not surprisingly, the heightened concerns proved well justified. Reports of malicious activity intensified significantly affecting all corners of life including the legal profession. A prominent example includes the widely publicized ransomware attack on the law firm Grubman Shire Meiselas & Sacks, whose clients include numerous high-profile celebrities. As of this writing, reports indicate the firm has rebuffed demands for payment and faces the threat that confidential client data will be auctioned off in the summer of 2020.

Despite the ethical issues and pending challenges, the 2020 Survey results reveal that the use of certain security tools remains at less than half of respondents. For example, 43% of respondents use file encryption, 39% use email encryption, 26% use whole/full disk encryption. Other security tools used by less than 50% of respondents are two-factor authentication (39%), intrusion prevention (29%), intrusion detection (29%), remote device management and wiping (28%), device recovery (27%), web filtering (26%), employee monitoring (23%), and biometric login (12%).

In contrast to the continuing slow adoption of security tools, this year’s results do indicate an increasing number of firms committing to cyber liability insurance policies—36% percent of respondents, compared to 33% in 2019, 34% percent in 2018, and 26% in 2017. Firms ranging in size from 10-49 attorneys are most likely to have cyber liability insurance (40%), followed closely by firms of 100+ attorneys (38%). One notable trend is the increase in the number of smaller firms with such coverage, with firms of 2-9 attorneys (36%) and solo attorneys (33%) up respectively from 27% and 19% since 2017.

With the ethical imperative for security very clear, the threat environment pronounced, and the use of security tools not widely adopted, one apparent trend revealed by the 2020 Survey is an effort by the profession to cover risk through insurance. Certainly, firms are wise to have policies in place, but a policy is only one component of an appropriate comprehensive, risk-based security program and itself offers no protection from attack nor any guarantee of actual coverage. The responsibilities and challenges could not be any clearer—and the profession needs more attention on the issues beyond merely increased insurance purchases.

Incident Awareness

The 2020 Survey results show that the number of firms experiencing a security breach (such as a lost/stolen computer or smartphone, hacker, break-in, website exploit) increased over the prior year; 29% of respondents compared to 26% in 2019.

The number of respondents continuing to report that they do not know whether their firm has ever experienced a security breach remains high at21%, compared to 19% for the prior year. As in the past, the larger the firm, the greater percentage of those unaware of whether their firms have ever experienced a breach (1% of solo respondents; 9% of firms of 2-9 attorneys; 28% of firms of 10-49 attorneys; 62% of firms of 100+ attorneys).

Reported consequences of security incidents revealed some interesting trends. For example, just 32% of respondents indicated the need to incur consulting fees for repair (down from 37% in 2019 and 40% in 2018). Similarly, a downward trend appears in the number of respondents reporting downtime/loss of billable hours at 34% (down from 35% in 2019 and 41% in 2018), as well as the destruction or loss of files (11% down from 15% in 2019).

In contrast, upward trends were reported in connection with the expense for replacing hardware or software (28% compared with 20% in 2019), notifying law enforcement of breach (14% compared with 9% in 2019), notifying clients of the breach (11% compared with 9% in 2019), unauthorized access to non-client sensitive data (7% up from 4% in 2019), and unauthorized access to sensitive client data (8% compared to 3% in 2019).

On the topic of viruses, spyware, and malware, results in two areas match 2019: 36% of respondents have had systems infected and 26% again were not aware whether any such infection has ever occurred. The size of a firm continues to impact the awareness level of respondents: only 4% of solo respondents report they “don’t know” (down from 7% in 2019), while the percentage is 15% of respondents in firms of 2-9 attorneys (same as 2019), 39% of attorneys in firms of 10-49 attorneys (up from 30% in 2019), and 57% of attorneys in firms of 100+ attorneys (down slightly from 58% in 2019).

When asked what business losses/breaches resulted from a virus, spyware, or malware attack, 70% of respondents reported that they believed no significant business disruption or loss resulted. This response continues the upward trajectory over the past few years (60% in 2019, 62% in 2018, and 61% in 2017). The trend mimics the response given by respondents who have experienced a security breach—67% reported their belief that no significant business disruption or loss occurred (up from 65% in both 2019 and 2018, and 62% in 2017). In reviewing these results, it is only natural to wonder whether the seemingly positive trends reflect a troubling false sense of comfort in the short term amid the prospect of potentially longer-term harm.

Consequences identified by respondents resulting from a virus, spyware, or malware infection include costs incurred for consulting fees for repair (39%), downtime/loss of billable hours (35%), temporary loss of network access (23%), temporary loss of web site access (10%), and replacement of hardware/software (17%). All these types of consequences are readily apparent while other adverse consequences may go unnoticed.

Incident Response Plans

The 2020 Survey response reveals continued improvement on the topic of developing incident response plans, with 34% of respondents indicating their firms maintained such a plan, up from 31% in 2019 and 25% in 2018. The likelihood of a firm having one remains a function of firm size. Thus, 77% of respondents from firms of 100+ attorneys reported that their firms have an incident response plan (up from 65% in 2019), 38% of respondents from firms of 10-49 (up from 35% in 2019), 23% of respondents from firms of 2-9 (up from 19% in 2019), and 14% of solo respondents (up from 11%).

Incident response plans remain a critical element of any information security program. The above results clearly show an expanded adoption of incident response plans. Yet, there remains room for improvement. The LTRC has been conducting some form of the Legal Technology Survey Report for nearly three decades. How long will it take before every firm has in place a basic incident response plan? The progress has been trending in the right direction, but the pace is glacial given the ethical and legal issues discussed earlier along with the heightened threat environment. Opinion 483 should be a starting point for any firm tackling this issue.

Conclusion

The 2020 Survey largely reflects incremental progress in areas fundamental to adequate security, in an age which cries out for a much more robust response by the profession to the challenges at hand. The balance of the year is an excellent opportunity for firms to anticipate the questions that will be asked in the 2021 Survey next March and take appropriate action now.

Meanwhile, some impetus for improving the pace of change in this area has emerged: the approval in June 2020 by the New York State Bar Association of a report by its Committee on Technology and the Legal Profession recommending that one credit of mandatory continuing legal education in ethics be devoted to cybersecurity. If approved, New York would join two other states (Florida and North Carolina) requiring a technology component as part of continuing legal education programs, as tracked by Bob Ambrogi. Although this development is notable, professionals need not wait for the profession to mandate education—all the information needed to act is available now. And just as an insurance policy will not prevent a hack, neither will a course; ultimately, professionals in firms of all sizes need to synthesize good cybersecurity practices into the everyday practice of law.