Solo and Small Firm Cybersecurity Guide: Ethics and Data Security: What Are the Attorney’s Obligations
By: Kevin Lin, Christopher Hawkins and James Allmendinger
Note: The authors of this article are members of the New Hampshire Bar Association Ethics Committee, but this article is not an official Ethics Committee opinion and should be considered as general guidance.
Roughly three-quarters of all practicing, in-state New Hampshire Bar Association members work in law firms with 10 or fewer attorneys, and the majority of those firms employ no IT staff. It should not be surprising, then, that the American Bar Association 2016 Legal Technology Survey Report found that only about one in 10 solo law firms, and one in six law firms with 10-49 lawyers, have assessed their firm’s data security.
But as technology and client expectations have evolved, assessing and implementing cybersecurity measures has become an essential part of running a law firm, large or small. It is not only sound business practice, but also an ethical requirement for all attorneys. Namely, Rules 1.1 and 1.6 of the New Hampshire Rules of Professional Conduct require attorneys to take competent and reasonable measures to safeguard client information. These days, that means a lot more than locking the door on the way out.
SANS 20 Critical Security Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browsing Protection
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capability
11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises
Over the last decade, lawyers increasingly have become prime targets for hackers. Law firms hold a treasure trove of sensitive client information, often including Social Security numbers, medical information, trade secrets, wire transfer instructions, litigation strategy, and internal corporate data.
Even the most prestigious law firms are vulnerable. In March 2016, the Wall Street Journal reported that law firms such as Cravath Swaine and Weil Gotshal, which represent Wall Street banks and Fortune 500 companies, had been breached. Worse still, some hackers gained access to a firm’s network months or years before the firm learned of the breach. Even when an intrusion is detected immediately, a hacker needs only a few minutes of unauthorized access to a mail server to harvest thousands of confidential emails and attachments containing sensitive information. Calling that worrisome greatly understates the extent of the risk.
Clients increasingly insist that law firms ensure the security of their confidential information. In December 2016, an unsealed complaint revealed that clients had filed a class action against Johnson & Bell, a large Chicago-based law firm. The action sought damages for breach of contract (i.e., legal malpractice), negligence, unjust enrichment, and breach of fiduciary duty. The clients alleged that the firm failed to take reasonable steps to maintain data security and had left its clients’ confidential information unsecured and unprotected.
Such examples demonstrate the crippling effects that cybersecurity attacks can have on all law firms, regardless of size. While large law firms are targeted more frequently, the ABA reports that about one in 10 small law firms (2-9 attorneys) have reported a similar security breach. These statistics only capture those breaches that firms have detected. Smaller firms may not have the technology to detect the true number of breaches actually incurred. Even some firms that have reported a breach may not know the full extent of the breach. Sweeping advances in technology, shifts in client expectations, and developments in attorneys’ ethical obligations demand that lawyers make cybersecurity safeguards a priority.
The New Hampshire Rules of Professional Conduct impose a duty on lawyers to maintain technological competency and require lawyers to take reasonable steps to protect confidential client information. Under Rule 1.1, a lawyer must provide competent legal representation. As the NHBA Ethics Committee and the ABA have stated, minimal competence includes protecting a client’s information and the lawyer’s work product. Moreover, the 2012 amendment to the Comment to ABA Model Rule 1.1 provides that a lawyer should “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” In other words, competent lawyers must have a basic understanding of the technologies they use, and as technology advances, lawyers need to stay current on changes in the way information is maintained, stored, and organized.
In addition, Rule 1.6 requires a lawyer to protect client confidences. Rule 1.6(a) requires lawyers to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of clients. This confidentiality applies not only to matters communicated in confidence by the client, but also to all information related to the representation, whatever its source. One cannot overstate the importance of client confidentiality.
In practice, the rules translate to requiring that attorneys exercise reasonable security efforts when using technology in communicating about client matters. For example, ABA Formal Opinion 99-413 states that attorneys and clients have an expectation of privacy in all communications made by email. What constitutes “reasonable efforts” to protect such communications, as required under the ethical rules, will vary depending on the facts of each case. For example, lawyers representing employees are cautioned against communicating with clients over the client’s employer-maintained email and communication systems (ABA Opinion 11-459, 2011).
Rather than defining “reasonable efforts” for securing law firm data, the ethical rules promote a fact-specific, multi-factor approach to data security that is flexible and practical for firms of varying sizes and budgets. For example, large law firms often handle client data from industries such as healthcare, banking or defense. The risk of data theft is higher in these industries, so those firms need more robust security measures to protect their clients’ data.
The ABA advises law firms to adopt a process to systematically assess and address cybersecurity risks. As guidance, the ABA suggests five factors to use to determine whether the security measures implemented are appropriate in a particular situation:
the sensitivity of the information;
the likelihood of disclosure if additional safeguards are not employed;
the cost of employing additional safeguards;
the difficulty of implementing the safeguards; and
the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.
As the ABA Cybersecurity Handbook emphasizes, no one security measure, such as firewalls, passwords, and the like, is a “bright-line” measure that guarantees ethical compliance. A law firm cannot simply point to its firewall to escape liability if no additional data security measures have been implemented. In short, the process requires law firms to routinely identify security risks, implement security measures responsive to those risks, verify that they are implemented, and ensure that they are continually updated in response to new developments.
That said, the Rules of Professional Conduct do not impose a strict liability standard. A lawyer’s duty under the Model Rules is to take reasonable steps toward data security, not guarantee against all unauthorized access to electronic information. “Such a guarantee is impossible, and a lawyer can no more guarantee against unauthorized access to electronic information than he can guarantee that a burglar will not break into his file room, or that someone will not illegally intercept his mail or steal a fax.” (NH Bar Ethics Opinion 2012-13/4, 2013 (citation omitted)).
At least one state has already tried to further clarify what constitutes “reasonable efforts.” The California Attorney General’s 2016 Data Breach Report adopted the 20 controls set forth in the Center for Internet Security’s Critical Security Controls as what the state views as reasonable security practices. These controls are commonly known as the SANS 20 Critical Security Controls, and the report describes them as the minimum level of information security that all organizations handling personal information in California should meet.
According to the California Attorney General, meeting the controls does not provide a safe harbor, but failure to implement all of the controls that apply to an organization’s environment constitutes a lack of reasonable security practices. The controls are listed in priority order, from the greatest reduction of risk to the least, so an organization should address the higher-priority controls before moving on to the lower-priority ones. See sidebar.
Even if small law firms do not have the resources to develop robust security programs, there are easy steps that all law firms can take to get started. The accompanying data security article outlines manageable steps that small law firms can take to secure their data systems.
The key for small-firm lawyers is to schedule routine evaluations of data security concerns and safeguards to protect clients and avoid scams and attacks. About 40 percent of lawyers have reported downtime or loss of billable hours as a result of a data breach. Large law firms can make up for such business disruptions, but smaller law firms may not have the margins to easily weather such breaches. Therefore, it is essential that all law firms, regardless of size, devote attention and resources to data security.
To contact the NHBA Ethics Committee with questions about this or other legal ethics topics, members are encouraged to put inquiries in the form of a written hypothetical and send via email to Ethics Committee staff liaison Robin E. Knippers.