As the news reports confirm, data breaches are a real and growing threat for all businesses, including large law firms. Instances of breaches are not limited to the government or even to corporate giants like Sony, Target, and Anthem. Indeed, the reports of large law firm data breaches continue to emerge as the risk steadily increases.
In 2009, the FBI warned law firms about being targeted by phishing schemes. Security consultant Mandiant estimated that 80 percent of the 100 largest U.S. law firms experienced a computer breach in 2011 alone. In February 2015, the New York Times reported that large financial institutions and law firms have been engaged in discussions about sharing information regarding cybersecurity threats.
Unfortunately, some law firms may have been breached and not even know it yet. Though not as widely publicized, law firms are increasingly targeted by hackers because of the plethora of sensitive, confidential, proprietary, and trade secret information they possess. Yet, law firms remain behind the curve in terms of protecting against cyber threats. Because of the risk and its implications, clients are starting to closely monitor how their law firms manage and protect their confidential information. Law firms that cannot reassure clients that their data is protected risk losing the client altogether.
So what should law firms be doing to help protect their data? The answers, like the question, cover various facets of law firm operations, ranging from the technology behind the scenes to how lawyers and staff access and transmit data on a daily basis. There is no silver bullet for protecting against cyber threats; it takes a layered approach of people, processes and technology, and constant adaptation to an ever-changing risk. The first step, however, is to identify the ethical and legal obligations imposed on lawyers.
Lawyers’ Ethical and Legal Obligations to Protect Confidential Information
The American Bar Association recently revised Comment 8 to Model Rule of Professional Conduct 1.1 on Competence to state that, in order to “maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology. . . .” No longer can lawyers and law firms stick their heads in the sand and avoid learning about current technology. In fact, lawyers and their firms must learn enough about current technologies to diligently represent their clients, including by protecting confidential information from unauthorized disclosure. Against this backdrop, ABA Model Rule 1.6(c), provides that a lawyer “shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” (See also Rule 1.15 Safekeeping Property.) Fortunately, unauthorized access to or the inadvertent or unauthorized disclosure of information is not itself an ethics violation if reasonable efforts were taken to prevent the access or disclosure. (See Model Rule 1.6, Comment 18.)
Factors considered when assessing whether such efforts are reasonable include “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).” Id. In the abstract, these factors do not appear especially onerous. Yet, when specifically applied to the protection of information from cyber breaches, these factors take on a whole new meaning.
Notably, clients may give informed consent either to forgo additional security measures or require additional safeguards not required under Rule 1.6. Client consent to the law firm’s security protocols for uniquely sensitive information is a “best practice” that firms should consider and include in engagement letters, retainer agreements or fee contracts.
But the mere existence of adequate protocols, practices and procedures is not enough. Law firm management and supervisors also must ensure that (i) others in the firm comply with their ethical obligations and (ii) non-lawyer conduct is compatible with the lawyer’s professional obligations (ABA Model Rules 5.1, 5.3). This latter obligation applies both to in-house copy services as well as third-party cloud providers.
Along with a lawyer’s ethical duties are statutes and regulations that impose requirements with respect to protecting clients’ information. State statutes often require businesses, including law firms, to provide notice to individuals in the event of a data breach where personally identifiable information is involved. Law firms also may be required to comply with various HIPAA regulations concerning privacy, security and breach notification if they possess certain protected health information. And there is increasing pressure from financial services clients, as well as law enforcement, for law firms to start disclosing when a breach occurs.
Moreover, EU Data Protection Directive 95/46/EC regulates how personal information processed within the EU must be protected. Law firms with offices in EU countries or who store EU client information must keep abreast of these regulations.
With these obligations in mind, below is a list of five (5) areas to focus on to help ensure adequate safeguards against unauthorized disclosures.
1. Create Accountability for Information Security.
Given the ethical and legal obligations outlined above, law firms must take information security very seriously. A critical aspect of preventing unauthorized disclosure is to have a dedicated information security officer whose job it is to execute a program of action items to help protect the firm’s (and its clients’) data.
First and foremost, it should be a real position with the authority to adopt, implement, and enforce adequate security protocols. Positions in title only are ineffective. Worse yet, they create a false sense of security that can make a law firm even more vulnerable to a data lapse or breach. The chief security officer should ensure that the firm’s IT infrastructure and data creation, transmission, and storage satisfy the three hallmarks of information security:
- Confidentiality – is the data being protected from unauthorized disclosure?
- Integrity – is the authenticity of the data, its source, and its contents trusted?
- Availability – is the data accessible to the right resources in a way that can be audited and monitored?
Specifically identifying who has ultimate responsibility for overseeing information security is an important step and should be clear. Achieving these goals will require a coordinated strategy that brings together training, policies, processes, and supporting technologies to help protect the firm’s information. Absent clear accountability and a single responsible program owner, information security programs commonly lack effectiveness and create sub-par results.
2. Adopt, Implement And Enforce Data Security Policies.
Beyond the traditional information security policies that a chief security officer would implement, there are several other policies that touch upon security issues. Here are a few:
- Contracting policies with third-party vendors, including cloud vendors;
- Personal device policies;
- Data breach policies;
- Disaster recovery policies;
- Records retention policies;
- Business continuity policies; and
- Social media policies.
All of the aforementioned policies impact a firm’s efforts to protect confidential information. Each merits specific consideration in adopting, implementing, and enforcing data protection protocols. For example, over the past few years, multiple ethics opinions provide guidance surrounding the “reasonable steps” lawyers must take to preserve the confidentiality of their clients’ data stored on the cloud. Backing up data, installing a firewall, encryption, and implementing audit trails to monitor who is accessing the data are some ways to protect against unauthorized disclosure.
Firms also should develop a policy regarding how to engage and monitor third-party vendors. A review of the vendor’s operating history and solvency should be conducted as part of a firm’s due diligence before engaging a vendor. And firms should closely review a vendor’s security methods and its breach notification requirements. Requiring the vendor to be ISO 27001-certified or audited by information security experts also warrant consideration.
Personal devices containing law firm information require special attention. Given the increasingly mobile nature of practicing law, whether it is from home or on the road, protecting the client’s sensitive information that is contained on or transmitted through mobile devices is a priority. Addressing four key issues will go a long way to better securing information on mobile devices:
- Password Protect All Devices – at a bare minimum, all devices containing firm/client information must be password protected.
- Activate Location and Remote-Erase Options – in case of loss or theft, these options must be activated on all mobile devices containing firm/client information.
- Password Protect and/or Encrypt Removable Drives – thumb drives are easily lost and the information on them must be protected from unauthorized access.
- Avoid Free Wi-Fi – the free wi-fi at a hotel, the airport or Starbucks is rarely secure and data transmitted using that wi-fi is susceptible to interception and hijacking. Using your own (secure) mobile hot spot, a virtual private network (VPN), and encrypting are all good alternatives.
For more information on protecting information on mobile devices, see “Simple Fixes Prevent Stolen Data from Lost Devices,” by J. Randolph Evans and Shari L. Klevens, Daily Report, February 10, 2015. Identifying a firm’s sensitive points, such as smart phones or cloud storage, and ensuring the data is protected is critical. See “Why law firms are juicy pickings for hackers, and what to do about it,” by J. Randolph Evans and Shari L. Klevens, Daily Report, August 26, 2014. In addition, firms must have policies in place to handle how client files are transferred when a lawyer decides to leave a firm. With the prevalence of mobile devices, it is much easier for lawyers to copy a client’s files. Given that files are the property of the client, not the lawyer or law firm, that data must be protected from unauthorized duplication.
Business continuity policies are also important to determine how to proceed if data is unavailable for any reason, whether it is because of a vendor’s technical difficulties or a cyber attack. Establishing and following a business continuity policy may be extremely helpful in convincing a court not to issue sanctions for failure to meet a deadline.
Finally, it is always better to have a policy in place to be able to promptly respond to a data breach or disaster recovery. A team should be in place to handle the breach and make the required disclosures. For additional details on establishing a robust incident response plan, see “Web of trust: Five steps to protect your law firm from cyber attacks,” by Elizabeth Ferrell, Shari L. Klevens, and Alanna Clair, Managing Partner, May 22, 2014. Not only must the methodology for investigating the breach be justifiable and all evidence preserved for potential use in litigation or to provide to an insurer, but firms should take care to preserve the attorney- client privilege when addressing a breach, preferably by retaining outside counsel.
3. Conduct Continual Training.
Unlike malicious hacking, many inadvertent disclosures result from “the human condition”—i.e., failing to follow firm policies by not taking required precautions such as password protecting a smart phone or accidently leaving an iPad on the airplane. Lawyers and staff must constantly receive training to teach and remind them of the firm’s policies and protocols for protecting confidential information. Given all the information lawyers are bombarded with on a daily basis, such training must be simple and concise.
4. Employ Technological Safeguards to Help Protect Confidential Information.
While establishing firm policies and training lawyers about those policies are paramount, technology can provide another layer of protection. The International Legal Technology Association’s (ILTA) 2014 technology survey of over 400 law firms showed that the use of multi-factor authentication and encryption technologies is on the rise. Laptops, mobile phones and tablets, and USB drives can and should be encrypted, not only to protect against those actively seeking to intercept the data, but also against unauthorized access if the device is lost or stolen. Encryption should be utilized both when the data is being transmitted and when it is at rest. In addition to encrypting traditional firm and client files, firms are now starting to protect web traffic by encrypting the law firm’s website. Firms have begun using Hypertext Transfer Protocol Secure, HTTPS, to help ensure that a client or potential client’s online research is not easily hacked by competitors.
A consideration when hiring third-party vendors is that it is better if the user, rather than the provider, can access and change the encryption key. If the provider can change the encryption key, the data is much less protected than if the user has the sole ability to do so.
Other ways to protect data include utilizing multi-factor authentication and implementing mobile device management systems. ILTA’s 2014 technology survey revealed that 54 percent of responding law firms did not use any mobile device management systems. Requiring more complex passwords and that they be changed at regular intervals are additional safeguards that will help protect a firm’s data. Transferring risk of a cyber-related incident is another protective measure a law firm can employ. Although policies may claim they protect against a breach, law firms must make sure they obtain the appropriate policy that will cover the intended risks.
5. Monitoring and Auditing Drives Continual Improvement.
As technology evolves, so too must a firm’s methods of protecting against unauthorized disclosures. Striving for continual improvement may require both internal and external resources. Internally, for example, the chief security officer should oversee the continual monitoring and review of the system logs to look for anomalous activity. But firms also should consider hiring third-party auditors to evaluate their policies and practices. According to ILTA’s 2014 survey, 73 percent of responding firms employ security audits.
Yes, this is another expense, but clients will feel more comfortable giving a firm their business, and their sensitive data, if the firm’s systems have been validated by an expert in the field of information security. Experts can also simulate a breach to test the firms’ protocols and controls. The simulations and audits will help a firm continue to improve its resilience against a breach.
Rest assured, if a party is intent on breaching a firm’s security, it will attempt do so. The only questions are how long will it take and how difficult it will be. Firms that focus their resources on the five areas discussed above will be better equipped to thwart such threats.
About the Author:
Mindy L. Rattan is a counselor in the Washington DC office of McKenna Long & Aldridge LLP. She represents clients involved in complex commercial disputes and is an active member of the CLE Committee for the ABA’s Center for Professional Responsibility.
