chevron-down Created with Sketch Beta.
September 2019

Veteran advocates continue to sound alarm on cyberattack vulnerability of law firms

Jill Rhodes and Ruth Hill Bro could be considered warriors in the battle to raise awareness among lawyers and law firms about the threats of cybersecurity breaches and the need to take necessary steps before an attack.

For more than five years, they have appeared together at American Bar Association meetings, preaching the gospel and noting how businesses and firms – large and small – have suffered hundreds of millions of dollars in losses because of phishing, ransomware and other cyber intrusions. At the ABA Midyear Meeting in 2014, for example, then recent breaches targeted at Target and Neiman Marcus provided fodder for their compelling warnings.

On Friday, Aug. 9, at the ABA Annual Meeting in San Francisco, the pair had new breaches to cite – Amazon and Capital One. The fact that these two mega merchants are still vulnerable to attack reinforces their mantra that there is no place for complacency in guarding against a cyber breach.

“Cybersecurity readiness is not just one point in time,” said Bro, co-chair of the ABA Cybersecurity Legal Task Force. “You have to keep educating yourself.”

Rhodes and Bro were joined by Lucian Pera, a Memphis lawyer and immediate past chair of the governing board of the ABA Center for Professional Responsibility (CPR), and Stephen Wu, a San Francisco Bay Area lawyer, in “Law Firm Cybersecurity Requirements You Never Dreamed of: Emerging Threats, Ethical Obligations to Clients, and Survival Tactics.” The program was part of the ABA CLE Showcase series and was presented by the ABA Cybersecurity Legal Task Force

While it is not new that law firms have become prime targets for cyber thieves because they store treasure troves of client information and money, this program explored the legal profession’s recent requirements to secure communications and proactive steps to minimize the impact of cyberattacks.

In the past two years, for example, CPR has issued Formal Opinions 477R482 and 483 that deal with securing communication of protected client information, ethical obligations related to disasters and lawyers’ obligations after an electronic data breach. In addition, ABA Model Rule of Professional Conduct 1.1 states a lawyer “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

Rhodes, the vice president and chief information security officer for Option Care Enterprises, Inc., in the Chicago area, urged lawyers of all size firms to invest personally in the security of their and their client’s information. “We all assume that somebody else is doing it,” she said of cybersecurity, “when it is our responsibility.”

While there is a long list of items to consider in developing a security plan, the panel urged lawyers to prioritize and start with the low-hanging fruit. Rhodes, for example, said begin with incident-response planning. “Figure out if you have incident, whom I am going to call and what are the basic steps that I am going to do,” she said.

Pera, a partner at Adams and Reese LLP., said ethics rules provide “minimum standards” and should not be construed as the final target for good security. If you meet those standards and a breach occurs, he added, the “data is still gone in the hands of the Ukrainians but guess what, you won’t lose your law license.” But you still will have problems, he added.

Wu, a shareholder at the Silicon Valley Law Group, repeated Bro’s theme that cybersecurity is a never-ending battle. He observed that “accessibility of information has expanded exponentially” as the storage of information has moved from paper base to computers and now to the cloud.

“This,” he added, “is always a work in progress.”

The cybersecurity task force recently released the second edition of the “The ABA Cybersecurity Handbook" for lawyers, law firms and other professionals. Rhodes was one of the editors of both editions.

The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.