This is further exacerbated by the fact that smaller law firms are seen as easy targets. While major corporations typically have robust cybersecurity programs, many law firms do not prioritize security.
In a 2020 survey conducted by the American Bar Association (ABA)’s Legal Technology Resource Center, 29% of responding firms reported experiencing a data breach in the last year. Without the right tools to prevent, detect and respond to threats, cybercriminals can do untold damage before you even realize they’ve gained access.
Additionally, many clients will audit their respective law firms to understand exactly what security measures are in place to keep their information safe.
ABA Rules Pertaining to Cybersecurity in the Legal Field
The ABA calls for appropriate cybersecurity measures through several rules and opinions.
Model Rule 1.1 identifies keeping “abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology” as an element of maintaining competence. Model Rule 1.6 directly addresses confidentiality. Among other requirements, it states: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
ABA Standing Committee on Ethics and Professional Responsibility Formal Opinion 483 “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” further clarifies: “the potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.” It goes on to suggest: “As a matter of preparation and best practices...lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.”
State boards regulate lawyer conduct, and failing to protect client information adequately could be seen as an ethics breach, which may ultimately result in a reprimand, suspension, or disbarment.
Cybersecurity & Breach Notification Legislation
Due to the alarming frequency of cyberattacks, some states have implemented legislation pertaining to cybersecurity and breach notification that may apply to those in the legal field.
In 2019, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). This requires businesses to implement reasonable data security measures and notify affected individuals if there is a breach.
Similarly, the California Consumer Privacy Act (CCPA) mandates certain businesses that operate in the state to disclose what personal information they’ve collected and what they do with that information. Individuals can also request that businesses delete their personal information. An amendment removing the requirement to provide personal information is set to take effect in 2023, but until then, law firms must weigh requests for privileged information to determine whether disclosing it would restrict the ability to “exercise or defend legal claims.” Additionally, if the contract with the client renders the law firm a service provider based on CCPA statutes, it may be able to deny access requests.
Law firms that regularly work with clients in regulated industries may also be subject to the same information privacy regulations. For instance, those frequently representing healthcare organizations may need to comply with HIPAA, and those working in the financial sector may need to be aware of the Gramm-Leach-Bliley Act.
Motives for Cyberattacks in the Legal Field
While 53% of malicious attacks are financially motivated, according to IBM Security’s 2020 “Cost of a Data Breach Report,” the underlying goals of attacks against those in the legal field are nuanced.
Collecting information to hold for ransom is a common motive. Since lawyers maintain a lot of private information, attackers may threaten to make files public if the law firm doesn’t pay up. To protect their clients and reputations, some in the legal field will likely succumb to this pressure. However, paying ransom to cybercriminals may not be legal, depending on the origins of the attack.
Acquiring insider information or trade secrets may also attract threat actors to law firms. Private financial information about a company can give the hacker an illegal advantage in trading, and trade secrets can be sold to competitors.
Additionally, hacking a law firm can give threat actors significant leverage. Both nation-states and organized crime may seek to exploit knowledge and manipulate a law firm or its clients into doing their bidding by threatening to release private information.
Wengui v. Clark Hill, in which a former client sued a law firm for malpractice for failing to protect private information that hackers accessed during an attack, is but one example of how failing to adequately protect client data with robust cybersecurity can put your firm at substantial risk.
Cybersafe Solutions Is Here To Help
At Cybersafe Solutions, we pride ourselves on providing state-of-the-art cybersecurity technology, coupled with human expertise. Through continuous security monitoring, security awareness training, breach & attack simulation, and other services, we will help bolster your legal practice’s cybersecurity posture. Contact us today to learn about how to protect the private information of your clients.