The results are in for this year’s Legal Technology Survey Report conducted by the American Bar Association’s Legal Technology Resource Center (LTRC). As in past years, the 2020 Survey collected information from attorneys in private practice on a host of topics concerning the use of technology in the practice of law. Responses came from attorneys practicing in a wide range of settings: solos (26%); firms of 2-9 attorneys (30%); firms of 10-49 attorneys (17%); firms of 50-99 attorneys (5%); firms of 100-499 attorneys (10%); and firms of 500+ attorneys (12%).
Using the information collected, the LTRC prepared its 2020 Survey, consisting of five volumes:
- Technology Basics & Security
- Law Office Technology
- Marketing & Communication Technology
- Online Research
- Litigation Technology & E-Discovery
The 2020 Survey includes a detailed analysis of the responses to the 262 questions, along with trend reports comparing results to prior years. The “Technology Basics & Security” responses were for 21 questions focused on security, covering technology policies, security tools, security breaches, viruses/spyware/malware, physical security measures, and backup.
This TechReport discusses how the 2020 Survey results compare to prior years in the specific areas of incident awareness and incident response planning. First, however, it is appropriate to consider generally the ethical and legal issues at stake as well as the state of cybersecurity threats at the current time.
Ethical and Legal Considerations; Cybersecurity Threats
Last year’s cybersecurity TechReport discussed fundamental ethical rules of competency, communication, and confidentiality which underscore the importance of cybersecurity to the profession. Those rules remain very much applicable and should be ingrained into daily practice. In addition, last year’s TechReport noted ABA Standing Committee on Ethics and Professional Responsibility Formal Opinion 483 “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (October 17, 2018), which provides that “the potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.” The Opinion also states that “As a matter of preparation and best practices... lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.”
In addition to the ethical obligations of the profession, lawyers and firms are, of course, also bound by any applicable state and federal laws governing information security and data breach obligations—a point specifically recognized by Opinion 483. Legislative attention in this area is rampant, as evidenced by the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act enacted by New York in 2019 and the California Consumer Privacy Act (CCPA), which became effective in January 2020.
Interestingly, the answers to the 2020 Survey were collected between March and May 2020—a time when the impacts of COVID-19 were first suffered by many personally and professionally. During that time, numerous law firms shut down offices and moved all personnel to virtual, remote working environments. The ABA highlighted the heightened cybersecurity risks in March 2020 through a variety of means, including a webinar on “Remote Working in a Time of COVID-19: Cybersecurity Issues You Need to Know” and discussion in articles such as “Experts Warn Lawyers of Cyber Risks to Remote Work.”
Not surprisingly, the heightened concerns proved well justified. Reports of malicious activity intensified significantly, affecting all corners of life including the legal profession. A prominent example is the widely publicized ransomware attack on the law firm Grubman Shire Meiselas & Sacks, whose clients include numerous high-profile celebrities. As of this writing, reports indicate the firm has rebuffed demands for payment and faces the threat that confidential client data will be auctioned off in the summer of 2020.
Despite the ethical issues and pending challenges, the 2020 Survey results reveal that the use of certain security tools remains at less than half of respondents. For example, 43% of respondents use file encryption, 39% use email encryption, and 26% use whole/full disk encryption. Other security tools used by less than 50% of respondents are two-factor authentication (39%), intrusion prevention (29%), intrusion detection (29%), remote device management and wiping (28%), device recovery (27%), web filtering (26%), employee monitoring (23%), and biometric login (12%).
In contrast to the continuing slow adoption of security tools, this year’s results do indicate an increasing number of firms committing to cyber liability insurance policies—36% of respondents, compared to 33% in 2019, 34% in 2018, and 26% in 2017. Firms ranging in size from 10-49 attorneys are most likely to have cyber liability insurance (40%), followed closely by firms of 100+ attorneys (38%). One notable trend is the increase in the number of smaller firms with such coverage, with firms of 2-9 attorneys (36%) and solo attorneys (33%) up respectively from 27% and 19% since 2017.
With the ethical imperative for security very clear, the threat environment pronounced, and the use of security tools not widely adopted, one apparent trend revealed by the 2020 Survey is an effort by the profession to cover risk through insurance. Certainly, firms are wise to have policies in place, but a policy is only one component of an appropriate comprehensive, risk-based security program and itself offers no protection from attack nor any guarantee of actual coverage. The responsibilities and challenges could not be any clearer—and the profession needs more attention on the issues beyond merely increased insurance purchases.