Bench & Bar of Minnesota is the official publication of the Minnesota State Bar Association.

Preparing for a Hack of Your Law Firm

It can happen to you—and you will need a plan

Every lawyer has an ethical duty to keep client information confidential—even though that duty increasingly involves mastering technological security matters that many lawyers and firms find challenging. Since there is no way to assure that your law firm can never become the victim of cyber intrusions, it is vital not only to take reasonable steps to secure client information, but to develop a plan for dealing with data breaches when they occur.

Even as law practices shift to cloud-based storage systems, the sophistication of hackers continues to grow, and law firms are becoming major data breach and hacking targets.1 Law firm exposure to compromise is compounded by a perception that lawyers are lagging in their commitment to basic technical hygiene. Many attorneys still email sensitive documents to their personal addresses, use public wi-fi, and fail to employ virtual private networks (VPNs) while away from the office, even if such practices fail to comply with their own firm’s theoretically much more robust data-protection policies.2 Sensitive client data can thereby be exposed, resulting in the compromise of trade secrets, confidential contract information, confidential proposed business transactions, and critical financial information.3 Law firm data breaches continue to be kept from the public eye, but recent investigations by a plaintiff’s lawyer revealed that 15 major law firms have inadequate cybersecurity, and at least one firm has been sued over allegedly lax security.4

The obligation of lawyers to protect their client’s confidential information is not simply a matter of good business practices. The ABA Model Rules of Professional Conduct impose ethical obligations on lawyers to protect confidential client information, but the specifics of how that obligation becomes manifest in a digital age are only beginning to emerge. This article offers a brief overview of a lawyer’s ethical duty to protect client confidentiality and provides practical guidance on how to fulfill that duty.

Ethical considerations and today’s law firm technology

The Model Rules provide guidance to attorneys regarding their duty to keep client information confidential.5 Two rules in particular are worthy of note: Rule 1.1 and Rule 1.6(c). Rule 1.1 deals with an attorney’s competency in representation. The rule requires an attorney to “provide competent representation to a client” where competency consists of “legal knowledge, skill, thoroughness and preparation reasonably necessary for representation.”6 Specifically, an attorney is required to follow changes in the legal practice, “including the benefits and risks associated with relevant technology” and engage in continuing study and education in compliance with continuing legal education requirements.7

More specifically in the context of cybersecurity, Rule 1.6(c) places a “preventative duty” with regard to the disclosure of client information:8 “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”9 The corresponding comment explains that Rule 1.6(c) protects against unauthorized access to information related to the representation of a client.10 Importantly, there is no violation of the rule if “the lawyer has made reasonable efforts to prevent the access or disclosure.”11 The comment further provides qualitative criteria for determining the reasonableness of an attorney’s efforts, including, but not limited to, “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).”12

Briefly summarized, attorneys have two ethical duties related to technology: “(1) to maintain an understanding of the technologies used in the practice of law and (2) to take affirmative action to prevent unauthorized access to client information either through the selection of technology they employ or implementing safeguards or precautions to existing technology.”13

Practical guidance for protecting client information

Protecting sensitive information at your law firm—whether it is attorney-client privileged materials, employee information, or the intellectual property and trade secrets of your clients—can be summarized in five steps:

  1. Know your data and where it resides;
  2. train your employees (especially partners—who may be the least tech-savvy, but ultimately must set the example);
  3. know and manage your vendor risk;
  4. prepare and practice an incident response plan; and
  5. evaluate your cyber insurance.

Know your data. Information governance in a law firm ultimately is no different from information governance in any other organization. The first step is understanding what data is being collected, who has access to it, and how long it will be retained (and why), and mapping the flow of that data. Once you understand your data, you need to prioritize how it will be protected. You cannot protect everything. Assume that hackers ultimately can, and perhaps will, obtain access to your systems even with the best perimeter security. The internal detection capabilities in a firm’s systems are every bit as important as its firewalls.

Train your employees (and their bosses). The first step in any effective information governance process is communicating to anyone with access to sensitive information (whether they be copy room employees or M&A partners) that they need to be constantly vigilant in order to protect a law firm’s data. In the first instance, they need to understand the nature of the data that they are collecting, accessing and retaining, and protect it accordingly. The most secret and sensitive data, including privileged attorney-client information, trade secrets, and M&A planning, deserves the highest prioritization and security. For confidential but less sensitive data, which nevertheless requires thoughtful protection, the firm should assign a lower tier of classification, with commensurately scaled security systems and protocols. Finally, firms should acknowledge the reality that some of the information being collected and maintained does not need protection—for example, publicly available information.

When implementing an information governance system, it is important to document the process that led to the development of the various tiers of protection, and provide a brief explanation as to why particular kinds of data are in a particular tier. This will help employees grasp the basic concepts of information governance, and appreciate the importance of providing the most important data with the most rigorous security.

Once the data categorization process has been completed, the law firm must be thoughtful about which individuals should have access to which data. For example, highly sensitive M&A documents should not be accessible to a lawyer not involved in the deal merely because he happens to be a partner in the M&A department. Similar approaches should be taken to client intellectual property and trade secrets. Once the protocols for access have been determined, appropriate steps (commensurate with the size and sophistication of the firm) can be taken to apply basic “need to know” safeguards regarding various data sets.

Managing vendor risk. Data security is only as strong as its weakest link, and most often that weak link can be found in the form of vendors to the firm—ranging from payroll processing to night cleaning staff. Although it may appear daunting at first, every firm must rigorously analyze exactly who has physical access to spaces that may contain sensitive information as well as who could access the electronic systems that store its data. Even in the digital age, highly confidential information is often found in hard copies, especially in law firms. Outside vendors should be queried regarding vetting and security training for their employees. What specific commitments, if any, have your vendors made regarding training their employees about the importance of maintaining the confidentiality of confidential law firm information? As a practice tip, acknowledge at the outset that the perfect may be the enemy of the good. Rather than attempt a “big bang” approach to vendor management, consider an incremental approach: Start prospectively with the vendors who have access to the most sensitive information. Consider basic due diligence and contractual provisions regarding protection of information.14

The Incident Response Plan (IRP). Typically viewed as the most essential element in preparing for a law firm breach, the development of an IRP is, as a practical matter, an essential step in good information governance. The key individuals responsible for responding to a breach are the same people who can make or break the effective implementation of good information governance in the first instance. If the firm’s employees, administration, and lawyers have all been sensitized to the importance of protecting the firm’s information by the members of the Incident Response Team (IRT), the likelihood of the firm actually suffering a security incident will diminish proportionately.

Nonetheless, no institution is perfect. Every firm should plan for the day when it discovers that an intruder has penetrated its security and accessed sensitive information. Anticipating this crisis—which should be part of the firm’s overall business continuity and crisis management plan—requires selecting committed members of the firm’s various functional units to constitute the core Incident Response Team. Typically the IRT should include the individuals responsible for information technology, human resources, risk management, and client relations. Larger firms may want to establish relationships and Master Services Agreements (MSAs) with supplemental resources—forensic experts who can determine the extent and severity of any breach, public relations consultants, and specialized outside breach counsel. Once the IRT is identified, appoint one individual (and a backup) as the team leader to initiate the response to an incident. Each incident response protocol may be slightly different, and the IRT leader may delegate or assign the leadership function depending on the nature of the incident. For example, if the event is a relatively confined and technical incident that can be adequately addressed by internal IT, or an isolated instance of unauthorized access to employee information that can be handled by HR, it may be that the IRT does not have to be activated.

At a minimum, the IRT needs to understand the potential consequences of different types of breaches, and be prepared to respond accordingly. For example, it may be too much to ask the IRT to be sufficiently familiar with the various breach notification laws in 48 states (plus the District of Columbia) to manage a breach response internally, but the IRT should understand the broad parameters of what is required to respond to such a breach (for example, what is the impact if the data accessed was encrypted?) and have a plan in place for retaining the resources required to respond to those situations beyond the competence of the team.

Finally, the IRP should not be a ‘one-and-done’ process, left to languish in a file once the IRP box is checked. Even modest-sized organizations practice their plans through ‘table-top exercises’ where the IRT is convened, often by an outside expert practiced in such exercises, and given a mock scenario requiring decisions on short notice with incomplete information. In the commercial world, it is increasingly common for CEOs to participate in these exercises, often as part of a planned escalation in the exercise. Any significant incident often quickly requires the highest level of decision-making under the competing tensions of controlling the messaging early versus making sure you have it right before you say anything. Using table-top exercises to involve top firm management also gives firm leaders critical insight not only into the realities of a breach, but also into the capabilities of the IRT.

Cyber insurance. Every firm, regardless of size, needs to assess carefully what kind of cyber insurance would be best suited to its needs. The firm’s traditional broker almost certainly will have a product offering, perhaps even several—but those offerings may or may not meet the firm’s needs. A firm should seriously consider independent due diligence, either by someone in the firm well-versed in cyber insurance, or, if that expertise is not available, through an independent legal or risk management resource. An ill-fitting cyber insurance policy may create a false sense of security, and potentially even elevate the firm’s risk profile. Cyber insurance is one of the most rapidly evolving, and least understood, tools for helping protect the firm and its clients, and the importance of the proper application of this risk-shifting mechanism cannot be overemphasized.

Conclusion

Cyber-risk for law firms is on the rise. Those firms with substantial resources can meet the threat with a dedicated commitment of those resources and careful planning. But what about those firms lacking substantial resources? Is their clients’ confidential information worthy of any less protection? The Model Rules recognize the concept of proportionality to some degree, but a proportional standard of protection requires significant minimum steps each lawyer must take to protect client information. Technological improvements in security certainly help, but cannot be a substitute for a top-to-bottom culture of commitment to protecting confidential client and firm information. This requires thoughtful information governance and a well-considered—and practiced—Incident Response Plan.


ROBERT CATTANACH of Dorsey & Whitney LLP helps clients navigate the complexities of regulatory law, especially in the area of cybersecurity and compliance. His technical background enables him to understand the complex business challenges associated with today’s cyber world, and provide the strategic acumen to achieve success. Bob’s decades of experience as a trial lawyer also enable his clients to achieve their business objectives if other means of resolution cannot be achieved.

SAMIR ISLAM is an associate in Dorsey & Whitney LLP’S regulatory affairs practice group. His practice focuses on internet privacy and cybersecurity; telecommunications, including FCC licensing laws and international authorization applications and domestic transfer of control filings; and environmental law.


Notes

1 See Gabe Friedman, “Threats of Litigation after Data Breaches at Major Law Firms,” Bloomberg (3/30/2016), https://bol.bna.com/threats-of-litigation-after-data-breaches-at-major-law-firms/.

2 Id.

3 Id.

4 See Derek Borchardt and Michael F. Buchanan, “Law Firm Sued for Alleged Lax Data Security Obtains Significant Win in District Court,” Patterson Belknap: Data Security Law Blog (3/8/2017), https://datasecuritylaw.com/law-firm-sued-for-alleged-lax-data-security-obtains-significant-win-in-district-court/.

5 Alan W. Ezekiel, Note: Hackers, Spies, and Stolen Secrets: Protecting Law Firms from Data Theft, 26 Harv. J. Law & Tec. 649, 658 (2013).

6 Model Rules of Prof’l Conduct R. 1.1 (2013).

7 Id. at R. 1.1 CMT. 8.

8 Shea Boyd, Article: The Attorney’s Ethical Obligations with Regard to the Technologies Employed in the Practice of Law, 29 Geo. J. Legal Ethics 849, 850 (2016).

9 Model Rules of Prof’l Conduct R. 1.6(c).

10 Id. at R. 1.6(c) CMT. 18.

11 Id.

12 Id.

13 Boyd, supra note 8, at 851. Boyd’s article also discusses State Ethics Committee decisions regarding the use of technology, including unencrypted email, cloud storage, and remote access.

14 The ABA has published a helpful guide on this subject: “Vendor Contracting Project: Cybersecurity Checklist,” http://www.americanbar.org/content/dam/aba/images/law_national_security/Cybersecurity Task Force Vendor Contracting Checklist v 1 10-17-2016 cmb edits clean.pdf
