Law firms have never been very good with technology, and now they are struggling, as breaches in firms have made headlines and clients increasingly are asking questions about their security programs. The FBI has issued warnings to firms and held a meeting in early 2012 with about 200 firms in New York to discuss the risk of breaches and theft of client data. Around the same time, Alan Paller, director of research for the SANS Institute, a cyber training organization, revealed an amazing conversation that he had with partners from a New York firm who had been told—and shown—by the FBI that all their client files had been stolen. These warnings and many other instances of law firm data breaches have come squarely in the crosshairs of the ABA. Laurel Bellows, president of the ABA, has raised awareness within the legal community about cyber risks by launching a special Cybersecurity Legal Task Force to analyze a wide range of issues, including risks to law firms.
THE NEED FOR AN ENTERPRISE SECURITY PROGRAM
Many firms are now asking, “What do we do to keep our systems and data safe? How can we keep this from happening to us?” There is a simple answer to this question: Hire a chief information security officer, give him or her a budget to hire the staff needed to build and maintain an enterprise security program (ESP), and exercise appropriate governance over the firm’s digital assets.
Law firms are basically the same as any other company when it comes to countering cyber attacks and protecting their confidential and proprietary data. The only difference is that law firms have ethical rules that require confidentiality of attorney-client and work product data. That does not make them special, however, because accounting firms, engineers and medical providers also have privileged data. All companies—irrespective of whether they are engaged in expensive research and development, processing financial transactions, providing electricity or practicing law—must have a security program that comports with internationally accepted best practices and standards. (See “Cybersecurity Best Practices and Standards” box.)
This is usually where attorneys’ eyes glaze over and they want to call in their “IT guy” and go back to work. Not so fast. Security is an enterprise issue, and that means that attorneys, firm management and support personnel need to be involved.
Some basic activities must be undertaken to establish a security program, no matter which best practice a firm decides to follow. (Note that they are all harmonized and can be adjusted for small firms.) Technical staff will manage most of these activities, but firm partners and staff need to provide critical input. Firm management must define security roles and responsibilities, develop top-level policies and exercise oversight. This means reviewing findings from critical activities; receiving regular reports on intrusions, system usage and compliance with policies and procedures; and reviewing the security plans and budget.
The basics of an ESP, including the roles and responsibilities of all personnel, are provided in a security program guide developed by Carnegie Mellon University’s Software Engineering Institute. A simplified listing of the activities required to establish and maintain an ESP that has been tailored toward law firms is provided below:
- Establish a cross-organizational team comprised of practice chairs, procurement (they buy copiers, faxes and printers, which have servers inside), finance, human relations, communications, office management, IT and security personnel. Meet quarterly.
- Set the “tone from the top” and issue high-level policies regarding the privacy and security of firm data. This includes the use of encryption, remote access, mobile devices, thumb drives, laptops, Wi-Fi “hotspots,” clouds, Web email accounts and social networking sites.
- Inventory the firm’s software systems and data, and assign ownership and categorizations of risk. Client data may need to be compartmentalized; not all clients are equal. Extremely sensitive matters have the highest risk and could cause the greatest magnitude of harm if breached. Firms may want to keep this data on a separate server with stronger security protections and stronger access controls.
- Identify points of contact with law enforcement, Internet service providers and the communications companies that service the firm, and cyber forensic experts. If the firm has multiple offices, this should be done for each, with particular attention to foreign offices.
- Conduct third-party vulnerability scans, penetration tests and malware scans. Antivirus software is essential, but it detects only a small percentage of new malware. Specialized services that detect sophisticated attacks may be required.
- Perform software code reviews on Web applications and custom code to detect vulnerabilities.
- Enough data is now gathered to develop a security strategic plan (a two- to five-year plan) and security program plan (the firm’s 12-month plan for security activities, which will include remediation activities identified in scans and penetration testing).
- Deploy needed security technologies for encryption, intrusion prevention and detection, monitoring, security event management, etc.
- Identify and document security controls.
- Establish security configuration settings, access controls and logging.
- Develop security policies and procedures to support the security plan and technologies.
- Conduct training (general awareness, governance, operational and technical).
- Develop incident response, business continuity or disaster recovery plans and communications plans. Test them.
- Develop contractual security requirements for outsourcing vendors, cloud providers or other entities that connect to the firm’s network, including notification in the event of a breach.
- Conduct regular reviews of the security program and update as necessary.
Some attorneys may fall into the trap of believing that the less they know about security threats to their system, the better. Security will never be bulletproof, but security fools are not treated kindly. Law firms, like any other business, are subject to breach notification laws, and many of them have pre-breach security program requirements. A firm will be in a far superior position with its clients, its state bar and any regulators that may become involved if it can show that (1) its security program is aligned with best practices, (2) its management is engaged, (3) it is complying with its policies and procedures, and (4) tools are deployed to detect malware and criminal behavior.
RESPONDING TO AN INCIDENT
Having a well-rehearsed incident response plan is critical. It must specify who will be notified, within what time frame, what documentation must be kept, who is designated to speak about the incident and who has authority to make certain decisions about the investigation. Serious incidents require specialized assistance from cyber forensic experts and careful documentation to preserve evidence. This is no time to learn on the fly.
While law firms need ESPs just like all businesses, special considerations arise at the time of an incident. With any breach, an almost instinctive reaction is to cover up the event and keep it secret. Paller’s previously mentioned conversation with the New York attorneys revealed, in stark terms, their intention to tell no one about the breach: “Are you crazy? Can you think of a better way to destroy their trust in us than letting them know we had lost every document they gave us under [attorney-client] privilege?”
Even if the event did not trigger a breach law, a law firm’s decision to cover up an incident can be a dangerous strategy. Some of the attacks against firms are suspected of having been sponsored by nation-states, and pushing these incidents under the rug may result in even further infestation of malware or exfiltration of data. Even large communication providers do not have the capabilities to ward off a nation-state without government assistance; to think that a law firm could is laughable. If investigated, some might consider this negligent behavior.
Firms must also consider that ethics rules already have provisions addressing metadata and email, so if either of these were disclosed, an ethics issue is already in play. Whether a firm is ethically obligated to report a security breach of attorney-client documents to its clients is a question that many security professionals have bandied about.
New commentary to Rule 1.1 of the Model Rules of Professional Conduct requires attorneys to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” So the days of attorneys being technology troglodytes are over. Model Rule 1.6(c), on the confidentiality of client communications, acknowledges that disclosures can happen by providing: (c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Commentary on the Rule notes that  Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure.
Thus, Rules 1.1 and 1.6 may allow a law firm to avoid an ethics violation stemming from a breach if it has acted in a competent manner (e.g., having a strong security program) to protect its client data from disclosure.
Rule 1.6(c), however, does not address whether attorneys have to tell their clients about such an event. Law professor Benjamin Cooper’s Baylor Law Review piece, “The Lawyer’s Duty to Inform His Client of His Own Malpractice,” raises some very interesting points about self-reporting of negligence. In addition to discussing Rule 1.4 (communications with the client) and the fiduciary law governing the lawyer-client relationship, he explains that the Restatement (Third) of the Law Governing Lawyers states: “If the lawyer’s conduct of the matter gives the client a substantial malpractice claim against the lawyer, the lawyer must disclose that to the client.”
When I recently spoke with Professor Cooper, he observed that “firms have a duty under Rules 1.1 and 1.6 to effectively protect their clients’ information. If a firm is negligent in carrying out that duty because it has been lax with its security, and that resulted in client files being disclosed, it is potentially a problem.” Even if a firm has a very good security system, he observes that “the attorney absolutely has a duty to inform clients under 1.4 that their confidential information has been compromised.”
Accordingly, a strong security program may help shield a firm from an ethics violation caused by not appropriately protecting client data, and it may help them beat a negligence charge, but it has no impact on the Rule’s requirement to inform clients of security incidents. A good security program does, however, reduce the likelihood that such a painful conversation will have to take place. All together, it is clear that an up-to-date security program is the best defense that a law firm can have. Whether large or small, taking measures to establish a strong security posture is not only the right thing to do, it’s the ethical thing to do. It may help save the firm cases, clients and its reputation.
“We live in a world where our national security is threatened by cyberterrorists, and where private enterprise is forced to respond to cybertheft of intellectual property on a daily basis. The ABA Cybersecurity Legal Task Force is examining risks posed by criminals, terrorists and nations that seek to steal personal and financial information, disrupt critical infrastructure and wage cyberwar. When our national security and economy are threatened, lawyers will not stand on the sidelines.”
2012-2013 President of the American Bar Association