Many experts agree that all businesses should plan for when they experience a data breach, not if. On top of that, the amount of highly sensitive information held by attorneys and law firms makes them tempting targets for hackers. However, while the majority of attorneys are aware of the general threat of a data breach, it is also important to understand how cybersecurity fits into the obligations imposed by their jurisdiction's professional rules.
This article looks at cybersecurity through the lens of the American Bar Association's Model Rules of Professional Conduct. It would be wise to also check your local rules for any guidance on protecting client information from cyber attacks.
In Formal Opinion 477, the ABA addressed a lawyer's obligation to secure client information in electronic communications. Cybersecurity concerns arise under both Model Rule 1.1 and Rule 1.6, which describe a lawyer's duty to provide competent representation and prevent unauthorized disclosure of client information. When taken together, these rules require lawyers to employ reasonable protection efforts in their use of technology to communicate with clients.
Comment  to Rule 1.1 reads: "To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology (emphasis added)."
The best example of this is email. An attorney would have a difficult time providing competent representation in today's market without using email. At the same time, they must ensure that emails containing confidential information cannot fall into the wrong hands. This can be done by employing email encryption and securing their networks.
Meanwhile, Comment  to Model Rule 1.6(c) provides a list of nonexclusive factors to determine the level of protection needed for different communications:
- The sensitivity of the information
- The likelihood of disclosure if additional safeguards are not used
- The cost of additional safeguards
- Whether the safeguards would make a device or piece of software so difficult to use that it would adversely affect the lawyer's ability to represent their clients
On the bright side, email encryption is fairly easy to do. Most email platforms have encryption or confidentiality options built-in, including Gmail, Apple products, and Outlook.
When A Breach Occurs
ABA Formal Opinion 483 outlines a lawyer or firm's obligations after a cyber incident, based on Model Rule 1.4 - which requires that lawyers keep clients "reasonably informed" about the status of their case.
In the event of a data breach, a lawyer is obligated under Rule 1.4 to inform clients if the breach involves (or has a substantial likelihood of involving) material client information. In addition, lawyers are obligated to:
- Take action to reasonably and promptly stop the breach and mitigate the damages
- Investigate the source of the breach
- Make reasonable efforts to restore computer operations
However, not every cybersecurity incident triggers these obligations. According to the ABA, a "data breach" that rises to this level is one where material client information is "misappropriated, destroyed, or otherwise compromised," or where the lawyer's ability to do their job is significantly impaired. For example, an attack where a hacker unsuccessfully attempts to access firm data would not trigger the above requirements.
The Bottom Line On Law Firm Cybersecurity
While the professional rules by no means require law firms to be perfect in their cybersecurity efforts, it is important to take note of the monitoring and notification requirements these recent developments impose. Having policies and procedures in place, and training all members of the firm in them, can help lawyers be prepared to handle a cyber incident - when it happens.