By:
Stephen S. Wu, Shareholder, Silicon Valley Law
Drew Simshaw, Assistant Professor, Gonzaga University School of Law
July 2, 2019
Abstract
Sweeping advances in technology are not only changing the law that attorneys practice, they are also causing profound changes to the way attorneys practice law. For instance, the combination of consumer-friendly mobile devices and cloud computing means that attorneys now have the technology to access all their work data with any device, at any time, and anywhere in the world, as long as they have an Internet connection. Nonetheless, new technologies create new threats to the confidentiality of client data.
Ethics rules impose duties on attorneys to protect client confidences. They also require attorneys to practice competently and to supervise office staff and third parties with access to client data. The operation of these rules will require attorneys and law firms to implement reasonable information security practices to protect the confidentiality, integrity, and availability of client data. The failure to protect client data may lead to attorney discipline or malpractice liability. Solo lawyers and small firms are subject to the same rules as large firms. Consequently, they cannot ignore information security requirements.
Moreover, information security is not just a “technology issue” that can be delegated without supervision to information technology support staff. Attorneys themselves have an obligation to manage and oversee the security function in their firms. Lessons learned from other industries and industry standard security frameworks can help law firms implement effective security programs. We present a set of sample security safeguards that solos and small firms can use to implement administrative, physical, and technical safeguards to protect client data.
I. Introduction [1]
With advancing computing technology, we live in an era of unprecedented computing power and connectivity. Modern computing devices have as much power as mainframe computers running entire government agencies in the 1960s. Desktop and laptop computers are standard equipment for modern knowledge workers. Workers frequently telecommute by using their laptops or home computers.
Moreover, mobile device usage is now a way of life. Walking around our cities and towns, it seems that everyone has a smart phone in hand. In the office, at home, and in planes, trains, and automobiles, people are communicating, writing, and doing their work using smart phones, tablets, and laptops. Besides offering us voice, email, and text communications on the go, our mobile devices are giving us access to the world’s information via the Mobile Internet more or less anytime and anywhere. If a law firm’s systems are connected to the Internet, technology enables today’s lawyer to obtain access to client data at any time from any device from any place in the world with Internet or cellular connectivity.
With these advances in technology, information security threats have increased. Data breaches continue to be an everyday occurrence. We see them in the news all the time. Competitors, former employees, and state-sponsored groups seek companies’ trade secrets in order to bolster competing businesses. Hacktivist groups seek to damage the reputation of companies by publicizing sensitive information. Organized crime rings seek sensitive information for profit.
Law firms are not immune from attacks. [2] For instance, in 2011, a Chinese hacker group gained unauthorized access to the systems and data of Wiley Rein LLP in Washington D.C. Wiley had pursued unfair trade claims against exporters in China and, in just one case, obtained tariffs on more than $3 billion in exports of solar cells. The Chinese hacking group not only penetrated the firm’s networks, it stole large amounts of data from various entities, including the president of the European Union Council, Halliburton Co., and a Canadian magistrate. [3]
One FBI agent put it succinctly: “Computer attacks on law firms happen every day . . . .” [4] Many of these attacks fail, but some succeed. The bottom line is, “Many large law firms have been hacked; the FBI has warned that law firms are being targeted.” [5] We, as attorneys, are on notice of the threat.
More recently, “Petya” malicious software, a kind of “ransomware,” attacked international firm DLA Piper in June 2017 and brought the firm’s information technology infrastructure to its knees. [6] Ransomware is a kind of malicious software that attacks systems by encrypting a user’s or network’s files and displaying a screen demanding a payment of ransom to obtain a key to decrypt and recover the user’s or firm’s data. For DLA Piper, old emails and files were unavailable more than two weeks after the attack, and the lost business and recovery costs were probably in the millions of dollars. [7]
Moreover, ransomware and other malicious software attacks are not limited to large law firms. Although the most publicized breaches involve large law firms, and we do not have large, comprehensive surveys about exact numbers, our discussions with security professionals lead us to believe countless numbers of small firms have been victims of attacks as well. The loss of an entire practice’s worth of data may be more devastating to that small firm than a similar attack against a large firm. A large firm may have in-house and retained expert technical support, the resources to fund data recovery operations, and the ability to recover data after perhaps weeks in the case of DLA Piper. For some solos and small firms, the attorneys may never be able to recover their client data and may have to start their electronic recordkeeping from scratch.
In addition to anecdotal evidence, one survey of 200 small and medium-sized firms found a general lack of risk management mechanisms and procedures. [8] Among the key findings were:
The ABA, recognizing increasing cyber threats, adopted a House of Delegates resolution calling for “all private and public sector organizations to develop, implement, and maintain an appropriate security program.” [10] The report accompanying the resolution made it clear that the resolution covers law firms and legal services organizations. [11] This resolution followed an earlier 2012 House of Delegates resolution proposed by the Commission on Ethics 20/20 approving changes to the ABA Model Rules of Professional Conduct. The resolution amended the Model Rules to impose a duty on lawyers to use reasonable efforts to prevent unauthorized access to client data and made related changes to address the advances of technology. [12] The ABA has also created a number of publications to help lawyers and law firms improve their information security programs.
In 2012, the ABA created a Cybersecurity Legal Task Force. The Task Force’s mission is to “identify and compile resources within the ABA that pertain to cybersecurity, and will focus and coordinate the ABA’s legal and policy analyses and assessments of proposals relating to cybersecurity.” [13] The most important output of the Task Force was its comprehensive cybersecurity guidance book for lawyers and law firms in 2013; the ABA issued a second edition of the book in 2018. [14]
II. Information Security Risks to Law Firms
Law firms are recognized targets for attack for a number of reasons. First, law firms have large amounts of information that would be valuable to state or non-state actor attackers. “They collect and store large amounts of critical, highly valuable corporate records, including intellectual property, strategic business data, and litigation-related theories and records collected through e-discovery.” [15] For instance, attackers might want to steal trade secrets about a firm client in order to gain an advantage in the marketplace. Moreover, attackers may be interested in the identity of potential acquisition targets in order to profit by the information via stock trades. [16] Also, some firms hold personal information about individuals, whether clients or opponents, that could be used for identity theft purposes, such as names, birthdates, and social security numbers.
Second, law firms are perceived as easy targets for attacks. Attackers seeking information about a particular company may find it easier to find out the identity of the law firms representing it, and to try to attack the law firms’ systems, than to attack the company’s systems directly. Law firms are “perceived to have fewer security resources than their clients, with less understanding of and appreciation for cyber risk.” [17] Finally, a hack against a law firm may be more efficient and save time, compared to an attack against a firm client. “[L]awyers are usually involved in only their client’s most important business matters, meaning hackers may not need to sift through extraneous data to find the more valuable information.” [18]
Threats to law firms may arise from a number of sources. For instance, some law firms may fall victim to malicious insiders. Malicious insiders may be motivated by job dissatisfaction or may seek to compromise client data for financial gain. For instance, in 2001, a paralegal at a large firm in New York downloaded a copy of a trial plan from his firm’s computer system and tried to sell the plan to opposing counsel for $2 million. Fortunately for the firm, the scheme was exposed and the paralegal made the sale to an undercover FBI agent. He eventually pleaded guilty to Computer Fraud and Abuse Act violations, wire fraud, and related charges. [19] Some insiders may also have political or social activism motives.
State-sponsored attacks are another source of information security threats. State actors may be motivated by economic espionage, terrorism, or politics. [20] Foreign or domestic criminal enterprises may seek information to sell or use in order to make money. Non-state “hacktivists” may hope to achieve a political objective through attacks. Terrorists may make hacking attacks both for profit and to terrorize their victims. Finally, business competitors sometimes seek information about other companies in their markets using extra-legal techniques.
Given these increasing threats, our clients are now asking law firms about their security programs and are seeking written assurances of security as a condition of giving business to their outside counsel. For instance, “Wall Street banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets either for their own use or sale to others . . . .” [21]
A law firm’s failure to protect client data may cause considerable damage. “Clients and third parties may find themselves victims of fraud, identity theft, and bankruptcy, not to mention negative publicity and tarnished business reputation.” [22] Following a breach, a law firm’s clients or third parties could incur liability in civil actions, administrative proceedings, or even criminal charges. [23] Attorneys or law firms that fail to protect data may face discipline from their state bars, government investigations, fines, private law suits, and malpractice claims by clients. In fact, in 2016, a putative class of clients filed a malpractice suit against a law firm alleging that the firm’s time tracking web-based application used out of date supporting server software, the application was thus insecure, and the firm thereby put client data at risk. [24] Although the case ended in an order compelling arbitration, [25] we expect that the firm filing this action, Edelson PC, is continuing to look for other opportunities to assert claims against law firms with vulnerable or hacked systems. Most importantly, a data breach may cause considerable harm to the reputation of a hacked law firm and its lawyers. Clients, judges, the legal community, and members of the public may lose trust in the firm. [26] If sufficiently serious, a data breach could be a threat to the very survival of a law firm.
III. Attorneys’ Ethical Obligations to Protect Client Data
Lawyers and law firms have ethical obligations under the rules of professional conduct in their jurisdictions. The ABA published and regularly updates the ABA Model Rules of Professional Conduct. [27] States have their individual ethical rules, although most are based on the ABA’s Model Rules. As mentioned above, the ABA Commission on Ethics 20/20 proposed changes to the Model Rules based on their evolving views about the impact of technology on the practice of law. The House of Delegates passed a resolution approving these changes. [28] Various ABA opinions provide additional guidance on security issues.
State ethics opinions provide an additional source of guidance for understanding attorneys’ ethical obligations under their rules. In addition, secondary sources of information are available for guidance. In 2006, the ABA Section of Science & Technology Law published a book on law office security. [29] In 2013, moreover, the ABA published The ABA Cybersecurity Handbook, which the ABA updated with a second edition in 2018. [30]
The following sections discuss the core duties under the ethics rules bearing on information security: the duty of confidentiality, the duty of competence, and the duty to supervise.
A. The Duty of Confidentiality
The most important ethical rule relating to lawyer and law firm information security is the duty to protect the confidentiality of client confidences. In general, under ethical rules, “[a] lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.” [31] The ABA Cybersecurity Handbook explains that “[t]his obligation to maintain confidentiality of all information concerning a client’s representation, no matter the source, is paramount,” and “is no less applicable to electronically stored information than to information contained in paper documents or not reduced to any written or stored form.” [32] Confidentiality is a “core” obligation of a lawyer in the conduct of the lawyer’s practice. [33]
Following the ABA resolution in the wake of the work of the ABA Commission on Ethics 20/20, ABA Model Rule 1.6 Part (c) now says that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” [34] In addition, and perhaps most significantly, Comment 18 now elaborates that “[f]actors to be considered in determining the reasonableness of the lawyer’s efforts include” “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).” [35]
The Ethics 20/20 Commission’s work was intended to address a lawyer’s obligations in the face of changing technologies. Although not specifically calling out the concept of information security, the Commission’s language is similar to the language in information security legislation. The requirement to protect client data is, in essence, an information security obligation. Commentators have noted the significance of this change, and the new affirmative duty of care for securing client data. [36]
The rules do not specify requirements for the exact security measures necessary in any given situation, such as an attorney-client communication. Indeed, the rules contemplate that the lawyer and client will discuss and then decide what security is necessary. “A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.” [37]
Model Rule 1.4 also requires attorney-client communications, specifically “about the means by which the client’s objectives are to be accomplished.” [38] In other words, attorneys should keep their clients reasonably informed about their work together. By implication, this rule requires communication about the law firm’s technology for communicating with clients. [39] Likewise, these rules require a notification in the event of a data breach that compromises client data. [40] ABA Formal Opinion 483 cited Rule 1.4 to state that when a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have an ethical duty to notify current clients of the breach. [41] Lawyers may also have statutory duties to inform clients of data breaches, depending on the type of information compromised and applicable laws.
B. The Duty of Competence
In order to maintain client confidences, lawyers must be competent and must keep abreast of changes in information technology they are using in their practices. They cannot protect client confidences unless they know of the nature of the technology they are using, the threats to that technology, and the use of safeguards to mitigate risks. “A lawyer shall provide competent representation to a client.” [42]
“Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” [43] “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology. . . .” [44] Competence includes the knowledge of substantive law and specific skills, such as knowledge of applicable law, advocacy, writing, and negotiation, but it also includes competence in using the technologies commonly used for law practice.
A lawyer does not need to personally have all the needed technology competencies. The lawyer can, and indeed must, turn to the expertise of staff or outside experts when needed. [45] According to The ABA Cybersecurity Handbook, “If an attorney is not competent to decide whether use of a particular technology (e.g., e-discovery, cloud storage, public Wi-Fi) allows reasonable measures to protect client confidentiality, the ethics rules require that the lawyer must get help, even if that means hiring an expert information technology consultant to advise the lawyer.” [46]
Nonetheless, a duty of competence means that the lawyer cannot simply turn over all aspects of the security function to others. All workers at the firm have control over certain aspects of their client work and must maintain secure work practices. For instance, attorneys have control over what they talk about in public. They have a duty not to discuss confidential client matters in public places. This is a concern of the attorney, and not just the staff.
Similarly, attorneys must protect paper records. They should not read sensitive paper documents in places where others can view them, such as on the plane or in coffee shops. Again, this is an attorney responsibility.
In addition, lawyers can control their use of technology. For instance, the careless use of social media can lead to compromises of client data. Preventing careless social media usage by lawyers is not a “tech issue” to be handled only by staff.
C. The Duty to Supervise Staff and Third Parties
Lawyers in a law firm must supervise junior attorneys, support staff, and third parties with access to client data. Under the ABA Model Rules, lawyers “shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that,” first, “all lawyers in the firm conform to the Rules of Professional Conduct,” [47] and second, that the conduct of a non-lawyer employed by, retained by, or associated with the lawyer, “is compatible with the professional obligations of the lawyer.” [48] Moreover, in the future, as lawyers and law firms delegate some lawyering tasks to autonomous automated data processing, machine learning, and artificial intelligence systems, these rules will, in our opinion, need guidance from state bar authorities, or even amendments, to clarify that lawyers’ responsibility for the firm includes a duty to supervise these non-human systems as well.
Again, the ethical obligation of the lawyer is to maintain ultimate responsibility for the security function in his or her practice. This is not a duty that can be delegated to others. To the contrary, the lawyer must oversee subordinate attorneys, support staff, third parties, and automated systems.
One specific issue that has come up in the context of supervision is whether a law firm may ethically use cloud computing services to store, share, use, and communicate client data. While a thorough discussion of choosing and supervising cloud service providers is beyond the scope of this paper, ethics opinions have stated generally that cloud computing is permissible, as long as lawyers take proper steps when selecting and using services. [49] For example, in 2013, an Ohio opinion acknowledged that lawyers may use cloud services as long as they competently select an appropriate vendor, preserve confidentiality and safeguard client property, provide reasonable supervision of cloud vendors, and communicate with the client as appropriate. [50]
Ethics opinions recognize the limitations of lawyers’ competencies. As the New Hampshire Bar has stated, “a lawyer’s duty is to take reasonable steps to protect client data, not to become an expert in information technology,” and “[w]hen it comes to the use of cloud computing, the Rules of Professional Conduct do not impose a strict liability standard.” [51] The ABA Cybersecurity Handbook notes that “rapidly evolving technology means that these factors cannot provide a ‘safe harbor.’” [52] Instead, “[l]awyers should monitor and reassess the protections of the cloud provider as the technology evolves.” [53]
IV. Implementing an Effective Information Security Program: the Solo and Small Firm Perspective
The upshot of the ethics rules is that a lawyer must make “reasonable efforts” to prevent inadvertent or unauthorized disclosure of client data, and to prevent unauthorized access to client data. [54] Nonetheless, the rules don’t say what “reasonable efforts” are or what specific safeguards are necessary. How much security is enough under this standard? What is “reasonable”? The factors listed in Section III.A above (such as the level of sensitivity of the client data, risks to data, cost of safeguards, etc.) provide guidance, but they don’t provide ideas to develop specific security safeguards for a security program.
The issue of what is reasonable is especially acute for solos and small law firms. On one hand, the ethical rules apply equally to small and large practices. On the other hand, compared to larger firms, solo and small firm practices have fewer resources to manage a security program. They don’t have large budgets to spend on information technology and security. Further, small practices won’t usually have a knowledgeable security professional on staff. Larger firms can afford to hire an information security director and may have an in-house team to oversee security. Lawyers and staff in smaller practices may not have the expertise to manage a security program effectively.
For small practices, the good news is that the rules are flexible enough to accommodate the differing circumstances of small practices. As mentioned above, in considering measures to protect the confidentiality of client data, the practice can consider “the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).” [55] Thus, the rules allow small practices to account for the cost and difficulty of implementation in deciding what safeguards are reasonable. They do not require small practices to spend all their income on security safeguards; that would not be “reasonable.” The expectations for security safeguards in a solo practice are much different from those for the largest megafirms. Some expensive, difficult-to-implement security measures appropriate for a megafirm are not reasonable for small practices and therefore not required.
In essence, there is a sliding scale of “reasonableness” for small versus large practices. Small law firms can and should implement security safeguards that are reasonable and appropriate to the context of their small size. A full listing of all the security safeguards a law firm could implement is beyond the scope of this paper. The other Cybersecurity panel speakers will be presenting ideas for specific safeguards that a law firm could implement. The secondary sources, such as The ABA Cybersecurity Handbook, also present safeguards a law firm can implement. Nonetheless, this section provides what we believe are practical, concrete, and reasonable examples of security safeguards a small practice can realistically implement. The list is not meant to be exhaustive.
The list breaks down security safeguards into three categories: administrative, physical, and technical safeguards.
Small practices should conduct their own security assessment and review the safeguards in this section. If they don’t have the knowledge to conduct an assessment themselves, they should obtain qualified help. They should consider which safeguards are reasonable and appropriate in light of their individual practices. Following this assessment, they should implement the safeguards they consider reasonable and appropriate.
Different small practices will come to different conclusions about what is reasonable and the details of how to implement different safeguards. For instance, solo practitioners with no support staff will be different from a ten-lawyer firm with support staff. The solo in this example needs no separate responsible person for managing the security function. The solo does everything. Moreover, the solo will be focusing on software for a single individual’s set of devices and can use consumer versions of security software suites and “endpoint” security packages. The term “endpoints” in data security jargon refers to the computers and mobile devices an individual user would use. By contrast, the ten-lawyer firm with support staff is large enough to have centralized management of some computer and network functions and may make use of “enterprise” (company-wide) versions of endpoint security software.
Small firms with a handful of lawyers with enough sophistication to manage their own devices may be able to operate like the solo in our example. But small firms with more lawyers and staff, or those without professionals having the expertise to manage their own devices, will likely find it useful to have a lawyer or staff member to centrally manage some of the technology functions of the firm.
With these caveats in mind, here are examples of administrative, physical, and technical safeguards of typical small practices to protect client data.