“It takes 20 years to build a reputation and 5 minutes to ruin it.”
This statement was profoundly said by American financier, philanthropist, and investor Warren Buffet, and in this present day, with the daily cyber dangers experienced by all organizations, including the legal sector, this saying is particularly relevant.
Lawyers manage a great deal of confidential data on a regular basis, and maintaining confidentiality is one of the most important principles of the legal field. Clients need to be assured that the client-attorney privilege covers their conversations and piece of information. Unfortunately, security breaches are becoming increasingly frequent, which puts at risk the safety of clients’ classified details and the image of law firms.
Data and Duty: The Professional Ethics of Confidentiality
Confidentiality is one of the core duties that attorneys owe to their clients. It is central to professional ethics as well as required by law. Often, in the course of legal representation, attorneys are entrusted with susceptible documents and information, the disclosure of which could have extremely damaging consequences for their clients. As a result, every state has adopted some form of ethical requirement to employ competent and reasonable measures to safeguard the confidentiality of information relating to clients and to communicate with clients about attorneys’ use of technology and obtain consent when appropriate.
Moreover, attorneys often maintain trust accounts holding clients’ funds. Their access to valuable information and resources makes them particularly attractive targets for data breaches and theft.
A Rapidly Growing Threat: Cyber Attacks and Digital Data Management
Although ensuring the security of client information, documents, and resources is an essential component of the profession, it is also an increasingly difficult one in the digital age. The global cybersecurity threat continues to evolve rapidly, with a rising number of data breaches each year. A report by Risk Based Security revealed that data breaches had exposed a shocking 7.9 billion records in the first nine months of 2019 alone. This figure is more than double the number of records exposed in the same period in 2018.
As cybersecurity risks rise, the American Bar Association reports that one out of every four law firms has experienced a data breach at some point. Unsurprisingly, larger firms are more at risk than smaller firms. The ABA also reports that while 17% of law firms with nine or fewer employees have been victims of data breaches, a shocking 46% of law firms with 50-99 employees have been victimized.
How Can You Protect Your Practice from Data Breaches?
In 2014, the ABA adopted a resolution that encouraged all law firms to “develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.” 40 jurisdictions, including New York state, have gone further, mandating “technological competence” as a component of an attorney’s ethical obligations.
To advance this goal, New York also recently required that every attorney take continuing legal education courses on cybersecurity. As of January 1, 2023, those courses are a requirement for practicing law in New York. These courses address various topics, ranging from ethics to the technological aspects of protecting electronic data and communications to establishing policies and programs to mitigate cybersecurity risks to vetting third-party vendors for their own policies and practices on cybersecurity. According to the ABA, just over half of law firms report having a cybersecurity program in place.
In addition to educating themselves about the ethical and technical requirements of cybersecurity and creating programs that comply with those requirements, attorneys must implement their programs effectively. This requires conducting regular audits of their cybersecurity. Attorneys may also benefit from hiring third-party monitors to implement their programs and provide assessments of their cybersecurity risk.
Attorneys may also be advised to invest in cybersecurity insurance. It is equally important for attorneys to ensure their web presence and electronic communications do not leave them exposed to hacking, malware, or other malicious efforts to extract data.
Finally, attorneys who store client information digitally may benefit from practice management platforms, like General Practice Speed, that comply with state of the art in encryption and data security. Ideally, an attorney should pursue a fully integrated legal technology service to ensure that all their software and digital needs are met with the same exacting standards for compliance and security.
Final Note
We firmly maintain that law firms should take all necessary steps to protect their client’s assets, data, and names, as well as ensure that their technology providers and software vendors are also taking proper measures to combat cyber security threats.
It is essential for organizations to take into account the broader implications that cybercrime can have on the culture of law firms and to look to the experiences of other legal establishments, particularly those which have not taken prompt action to strengthen their cyber defense and consequently endured the consequences.
