Each year, the American Bar Association’s Legal Technology Resource Center conducts the Legal Technology Survey Report, an extensive survey of attorneys in private practice on the use of technology in the profession. The second volume of the survey, “Technology Basics & Security” received responses from attorneys practicing in firms of all sizes: solos (31%); firms of 2-9 attorneys (27%); firms of 10-49 attorneys (15%); firms of 50-99 attorneys (5%); firms of 100-499 attorneys (10%), and firms of 500+ attorneys (12%).
This article discusses 2019 Survey results related directly to cybersecurity—an issue that is (or should be) of concern to attorneys in firms of all sizes due to fundamental ethical responsibilities and common business sense. As the results show, the profession continues to make progress in adopting risk management practices necessary for improving security and resilience. Yet, as with the 2018 Survey results, there continues to be room for improvement.
The 2019 Survey asked cybersecurity questions related to technology policies, security tools, security breaches, viruses/spyware/malware, physical security measures, and backup. The responses provide a detailed snapshot of the state of the profession in all those areas—information which is especially useful when analyzed against results in prior years. This article focuses on results in the following four critical areas: incident awareness, incident response plans, encryption, and cyber insurance.
When considering the results in these areas, it is helpful to keep in mind the professional imperative for strong cybersecurity programs. Of course, the news is replete with stories of significant data breaches causing economic and reputational harm. Many smaller breaches occur, of course, which do not make national headlines but nevertheless pose significant damage to those affected. In addition to the burdens faced by any business in confronting a breach, lawyers’ duties of competency, communication, and confidentiality according to the ABA Model Rules of Professional Conduct require consideration of cybersecurity issues:
- Model Rule of Professional Conduct 1.1 provides, “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” Comment 8 to Model Rule 1.1 makes clear, “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Clearly, the duty of competency requires cybersecurity considerations.
- Model Rule of Professional Conduct 1.4 requires an attorney to keep clients “reasonably informed” about the status of a matter and to explain matters “to the extent reasonably necessary to permit a client to make an informed decision regarding the representation.” Because communication today is so often conducted by electronic means, attorneys have an obligation to ensure that the tools used to communicate are secure.
- Model Rule of Professional Conduct 1.6(c) provides, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 18 sets forth the relevant considerations: “Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).”
In addition to the three Model Rules discussed above, attorneys should be aware of ABA Formal Opinion 477, which provides that “[A] lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.”
The opinion lists seven factors to consider when determining the appropriate level of cybersecurity: the nature of the threat; how client confidential information is stored and sent; the use of reasonable electronic security measures; how electronic communications should be protected; the need to label client information as privileged and confidential; the need to train lawyers and nonlawyer assistants; and the need to conduct due diligence on vendors who provide technology services.
Further, “when a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under these Model Rules.” ABA Standing Committee on Ethics and Professional Responsibility Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (October 17, 2018). Formal Opinion 483 makes clear that “the potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.” The opinion further states that “As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.”
With these standards in mind, set forth below is a summary of the 2019 cybersecurity survey results in the areas of incident awareness, incident response plans, encryption, and cyber insurance.
Incident Awareness
The 2019 Survey results show that a good number of lawyers, unfortunately, have experienced a security breach. In fact, 26% of respondents report that their firms have experienced some sort of security breach, ranging from hacker activity and website exploits to more mundane incidents such as lost or stolen laptops.
Although the 26% figure is notable, also eye-catching is the 19% of respondents who reported that they do not know whether their firm has ever experienced a security breach. As might be expected, the larger the firm, the greater the percentage of respondents unaware of whether their firms have ever experienced a breach (solo respondents, 2%; firms of 2-9 attorneys, 6%; firms of 10-49 attorneys, 24%; firms of 100+ attorneys, 53%). Of course, there is no way to know the number of firms that have been breached but do not yet know it.
Consequences of security incidents included consulting fees for repair (37%), downtime/loss of billable hours (35%), expense for replacing hardware or software (20%), destruction or loss of files (15%), notifying law enforcement of breach and notifying clients of the breach (9% each), unauthorized access to other (non-client) sensitive data (4%), and unauthorized access to sensitive client data (3%).
On the topic of viruses, spyware, and malware, results indicate that more than a third of respondents (36%) have had systems infected, with more than a quarter (26%) unaware whether any such infection has ever occurred. As with the security incidents discussed above, firm size affects the share of respondents reporting that they do not know: solo respondents (7%), firms of 2-9 attorneys (15%), firms of 10-49 attorneys (30%), and firms of 100+ attorneys (58%).
Consequences of infection have included the destruction or loss of files (14%), unauthorized access to (non-client) sensitive data (3%), and taking steps to report to law enforcement and clients (1% each). Other consequences resulting from a virus, spyware, or malware infection include consulting fees for repair (40%), downtime/loss of billable hours (32%), temporary loss of network access (23%), temporary loss of website access (17%), and replacement of hardware/software (15%).
Incident Response Plans
The 2019 Survey responses indicate progress among attorneys in developing incident response plans. In 2018, just 25% of overall respondents reported having an incident response plan, with responses varying by firm size—from solos (9%) and firms with 2-9 attorneys (16%), to firms of 10-49 attorneys (27%), and firms with 100+ attorneys (70%).
This year, the overall number reporting an incident response plan improved to 31%—with favorable responses improving across much of the board— from solos (11%), firms with 2-9 attorneys (23%), and firms of 10-49 (35%). Only those responding from firms with 100+ attorneys dipped to 65% from 71% in 2018.
As noted in last year’s “Cybersecurity” report on the 2018 Survey results, all attorneys should have security programs tailored to the size of the firm and the data and systems to be protected. Incident response is a critical element of any information security program. Thus, it is encouraging to see some year-over-year progress in adopting incident response plans—particularly among small and midsized firms. Yet more adoption is clearly needed on this topic. Even for attorneys who responded affirmatively, work remains to be done in regularly evaluating and improving existing plans.
Essential elements of a typical incident response plan include procedures for initial reporting of an incident, confirmation of the incident, escalation as appropriate, and investigation. Best practices include a designated incident response project manager working with a cross-disciplinary team familiar with breach reporting obligations, mitigation requirements, and steps needed for recovery. Finally, plans typically provide for a post-incident review period to allow any lessons learned to be built into a revised plan.
Incident response plans should be drafted to comply with all applicable laws and professional obligations and be informed by standards such as those set out by the National Institute of Standards and Technology (NIST), an agency under the umbrella of the U.S. Department of Commerce. The well-known NIST “framework” provides excellent context for many points that should be included in an incident response plan.
A law firm developing an incident response plan should review Opinion 483 carefully for consideration of ethical issues that could be implicated in a cyber incident. The opinion does not set forth a mandated form of incident response plan. Rather, the opinion is clear that the responsibility of how best to conform to Model Rules is left to individual professionals considering the unique facts and circumstances of their practices.
Encryption
ABA Formal Opinion 477, noted above, does not require the use of encryption in all instances, noting in part that “the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication.” Yet the opinion goes on to state that the use of stronger protective measures, like encryption, is appropriate in some circumstances. Attorneys must implement such measures when “required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.”
The 2019 Survey results indicate that less than half of respondents use file encryption (44%), slightly more than a third use email encryption (38%), and even fewer use whole/full disk encryption (22%). The email encryption result is a material positive change from the prior year (29% in 2018), while the numbers for file encryption and whole/full disk encryption (46% and 24%, respectively, in 2018) moved only slightly.
Although the change is positive, room exists for much more improvement in the use of basic encryption tools in keeping client confidential information safe.
Cyber Insurance
This year’s results indicate a leveling off of firms with cyber liability insurance policies after significant advancement on the topic in prior years. Overall, 33% of respondents in 2019 report that their firms have cyber liability insurance (compared with 34% in 2018).
The two prior years had seen much more dramatic progress—as 26% of responses reported such coverage in 2017 and 17% in 2016. One notable statistic from the 2019 results: a full 39% of respondents report that they do not know whether their firms have cyber liability insurance. Like encryption, consideration of cyber-insurance coverage should be a basic data point for every practicing attorney—and if such coverage exists there should be an understanding of its limits, exceptions, and exclusions as coverage constitutes just a piece of a larger cybersecurity strategy.
Last year’s report on the 2018 Survey concluded by noting that, “All attorneys and law firms should have appropriate comprehensive, risk-based security programs that include appropriate safeguards, training, periodic review and updating, and constant security awareness.” Those words remain true today. The 2019 Survey results show that, while some progress has been made in some areas, law firms have further to go in designing and implementing appropriate solutions. Recognition of the issues, consideration of the available options, and implementation of a tailored program are (and will remain) necessary steps for all firms.