You find yourself using public Wi-Fi at a local café to check email and an odd message appears on the screen; you grab your briefcase but you forget your laptop when you leave the courthouse; a pickpocket swipes your smartphone on the subway. Any of these can be troubling enough, but in today’s world they can have great impact because any one of them could lead to a cyber breach of substantial proportions. What would you do if this happened to you or an attorney in your firm? Do you have a response plan? Have you taken inventory of your critical data assets?
August 31, 2016
Cyber Breach = Ethics Breach?
In June 2015, the United States Office of Personnel Management (OPM) was the target of a data breach. The records of an estimated 18 to 21 million people were compromised in the attack, and while the perpetrators are not yet known with certainty, it is believed that the hackers were located in China. But the government isn’t the only target; cybersecurity firms say that Chinese hackers are still attacking American companies with regularity.1 Law firms (and legal departments of businesses and governments) are attractive targets, because of the information they often harbor: personal identifying information, financial information, health records, trade secrets, and intellectual property.
The common response to these concerns is often along the lines of “Isn’t this an IT problem?” or “This is why my firm hired a CIO.” Unfortunately, the answer is not that simple; lawyers practicing in Arizona, Arkansas, Connecticut, Delaware, Idaho, Illinois, Iowa, Kansas, Massachusetts, Minnesota, New Hampshire, New Mexico, New York, North Carolina, Ohio, Pennsylvania, Utah, Virginia, West Virginia, and Wyoming have an explicit duty to be aware of the risks of technology as well as a duty to protect client data. In August 2012, the ABA House of Delegates adopted a resolution of the ABA Commission on Ethics 20/20 to “provide guidance regarding lawyers’ use of technology and confidentiality.”2
Rule 1.1 of the Model Rules of Professional Conduct, “the competency rule,” has added language in Comment 8 urging attorneys that “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology . . . .” To date, 20 states have adopted this language (and the list will likely grow).3
Model Rule 1.6(c) states:
A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Comments 18 and 19 add:
[18] Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. . . . The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use) . . . .
[19] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement . . . .
With the addition of these comments, it is no longer enough to pass this duty on to an IT manager; indeed, ABA Resolution 109 and Report stated:
Cybersecurity has moved beyond the realm of technical personnel; the maintenance of a security program . . . is a responsibility that all senior executives, business owners, attorneys, general counsels, compliance officers, and government officials should embrace.4
One of the reasons a rule like 1.1, Comment 8 is so important is that many people adopt technology quickly, before fully understanding the ramifications of using it. For example, consider the current popularity of cloud-based computing and storage; while this type of technology is convenient and often cheap, it is not always secure. Do you know the level of data security your current cloud software provides? Most common cloud storage products for commercial and personal use do not offer encryption, but some do.
The Section of State and Local Government Law is ready to help its members take on these newfound responsibilities. At the Spring Meeting in San Juan, Puerto Rico, the Section presented the first of three programs on cybersecurity basics for attorneys. (See related article, “The Cybersecurity Frontier,” which follows this article.)
These programs are designed to help public and private sector attorneys identify and understand major ethics and professionalism concerns surrounding the impact of technology on attorney records and data, offer simple technology solutions for ensuring practicing attorneys are ethically using technology and maintaining data security for their clients, and provide a practical exercise to instruct attorneys on how they can identify and minimize cybersecurity risks.
In the event of a breach, attorneys (and their firms) should be ready with an incident response plan—a guide that gives you a step-by-step process to determine what data was compromised, if any. And if data was compromised, who do you contact first and how do you move forward? What are your notification obligations? Are clients affected? Should you contact your third-party providers, such as Internet and cloud storage providers? At what point do you contact law enforcement?
A comprehensive data security plan starts with being proactive. Attorneys should begin by identifying critical assets. The most efficient way of identifying critical assets is to understand and organize your data; have you recently updated your record retention schedule and are you complying with it? Now with the prevalence of technology, a cyber-incident response plan is just as vital as the other traditional plans, such as a business continuity plan or disaster recovery plan.
Because technology will only play a larger part in both the practice of law and life in general, now is the time to move toward greater awareness and education of technological issues and concerns in the practice of law. Although it goes without saying that the demands will vary from one practice setting to the next, what is clear is that all attorneys have a duty to take reasonable precautions to safeguard client information in the cyber age.
Endnotes
1. Paul Mozur, Cybersecurity Firm Says Chinese Hackers Keep Attacking U.S. Companies, N.Y. Times (Oct. 19, 2015), http://www.nytimes.com/2015/10/20/technology/cybersecurity-firm-says-chinese-hackers-keep-attacking-us-companies.html?_r=0.
2. ABA Resolution 105A Revised, Commission on Ethics 20/20, Report to the House of Delegates. Annual Meeting 2012.
3. Robert Ambrogi, States Have Adopted Ethical Duty of Technology Competence, LawSites (Mar. 16, 2015), www.lawsitesblog.com/2015/03/11-states-have-adopted-ethical-duty-of-technology-competence.html.
4. ABA Resolution 109, Cybersecurity Legal Task Force and Section of Science and Technology Law, Report to the House of Delegates. Annual Meeting 2014.