- ABA Groups
- Resources for Lawyers
- About Us
As the recent data breaches reported at Target and Neiman Marcus underscore the importance of cybersecurity to the retail sector, the Snowden and Manning incidents demonstrate the difficulty for the government in protecting its assets and secrets. While the loss of important operational data and trade secrets can severely disrupt corporate and government practices, cyberthreats exist against nearly every industry in the United States, and cybercrime has become one of the major problems of the 21st century.
“Concerns about cybersecurity vulnerabilities are driving the enactment of new laws and regulations and new interpretations of existing laws and regulations,” said Ruth Hill Bro, chair of the American Bar Association Standing Committee on Technology and Information Systems. “Lawyers and law firms need to take steps to protect themselves from becoming the most recent media headline or losing a client behind the scenes because confidential data was not properly protected.”
A panel of privacy and cybersecurity experts, including Bro, will discuss potential threats, review applicable laws and offer suggestions on best practices for preparing for and responding to cyberattacks during a program at the ABA Midyear Meeting in Chicago. “Critical Cyber Issues Affecting You Today,” sponsored by the ABA Cybersecurity Legal Task Force, will take place from 9 to 10:30 a.m. on Saturday, Feb. 8, at the Hyatt Regency Chicago.
“The threat is there to anyone who is attached to a computer, a system and the Internet,” said Jill D. Rhodes, vice president and chief information security officer for Trustmark Companies in Lake Forest, Ill. “The perpetrators of cybercrimes don’t necessarily care about the specific organization they are attacking. They want to find data and attack computers in a way that will allow them to take over networks, steal information and conduct additional attacks.”
According to Evan Sills, consultant to the ABA Cybersecurity Legal Task Force and legal fellow at the Cyber Security Policy and Research Institute, targeted companies have to look at all of their business relationships as potential avenues of attack.
“Some industries are more at risk to particular threats, i.e., criminals looking to steal money are more likely to target the financial services and retail industries, but cyberthreats will target the weakest link, in whatever industry is vulnerable,” Sills said. “Law firms make for particularly attractive targets because they hold sensitive information for many clients across many industries.”
Experts agree that a lawyer’s obligation to safeguard clients’ confidential information, whether it is in paper or electronic form, has become more difficult with the rapid growth and development of new technologies and as law firms increasingly become targets of cyberattacks.
In August 2013, the ABA adopted policy condemning the unauthorized infiltration of computer networks used by lawyers and law firms and encouraging the legal profession to safeguard computer networks and reasonably inform clients about intrusions.
“No one is immune from cyberthreats,” Bro said. “Clerical errors, misplaced mobile devices, disgruntled employees, careless third-party contractors, trusted colleagues selling information to the highest bidder and deliberate cyberattacks by governments and litigants all pose risks for businesses and firms that collect, disseminate or store data.”
Consistent with the policy on cyberintrusion, the ABA updated its Model Rules of Professional Conduct to require lawyers and law firms to protect their clients’ data more diligently.
“Lawyers are quickly learning that the standards for maintaining confidentiality in the 21st century must change with the increasing vulnerability of our digital data,” Sills said. “At this point, attorneys need to embrace evolving technology and not associate cybersecurity as the exclusive domain of the IT office.”
“With everything that is in the press and readily available about protecting information, there is no reason that lawyers and law firms should not be cognizant of their responsibility to protect client and proprietary data,” Rhodes said.