In the past I have talked extensively about attorney-client privilege (ACP) and how cooperating with attorneys can help your organization be prepared in the event of a cyber-attack. This time, I’m going to talk about how attorneys themselves need to be practicing good cyber hygiene and upholding good standards of cybersecurity at their law firms.
Law firms, at first glance, don’t seem to be big targets of cyber-attacks. The work and documents are boring, and law firms aren’t giant corporations that have lots of money flowing in and out daily. So why are they often targets of cyber-attacks?
Simply put, even though the documents are boring, they can hold information that cybercriminals can use to make big bucks. A very well-known scandal pertaining to a cyber breach of law documents is the Panama Papers. The Panama Papers are 11.5 million leaked documents detailing financial and attorney-client information for more than 214,448 offshore entities.
Finally, lawyers are in the trust business, and if clients do not trust their attorneys to maintain the confidentiality of their sensitive information, they’ll go elsewhere. Having good cybersecurity will help you keep your customers.
Like other industries, law firms are subject to cybersecurity regulations, and these are specified by the American Bar Association. Cybersecurity regulations are in place for law firms in most of the U.S. According to the ABA, in Rule 1.6(c) of the Model Rules for Professional Conduct, law firms must guard against the “unauthorized access to or the inadvertent or unauthorized disclosure of information relating to the representation of a client”.
The ABA also publishes formal opinions, and Formal Opinion 477R says that cybersecurity in law firms needs to be an ongoing process of evaluation and reevaluation when it comes to assessing cyber risks and mitigating them. While firewalls, password managers, and encryption are all important, your cyber risks need to be looked at again and again.
To simplify, you need to assess, mitigate, and update. In the next post, I’ll answer other questions about cybersecurity in law firms and what to do in order to assess your risks. I’ll see you next time.