The headlines are increasingly filled with reports of cyberattacks against businesses and organizations of all kinds and sizes, including attorneys and law firms. It has reached the point where there is sometimes the breach of the week or breach of the day. The attacks range from high-profile ones like Accellion, Colonial Pipeline, Kaseya, and Microsoft Exchange, to individual attacks on small businesses and law firms.
ABA Formal Opinion 477R, discussed below, describes the current threat environment: “Cybersecurity recognizes a … world where law enforcement discusses hacking and data loss in terms of “when,” and not “if…” a company (or law firm) will be breached.
The greatest threats today are spearphishing, ransomware, business email compromise, supply chain/third-party compromises, and lost and stolen laptops, smartphones, and portable devices. These and other threats are a particular concern to attorneys because of their duties of competence in technology and confidentiality.
Security threats to lawyers and law firms continue to be substantial, real, and growing – security incidents and data breaches have occurred, are occurring, and will continue. It is critical for attorneys and law firms to recognize these threats and address them through comprehensive cybersecurity programs, including securing virtual practices.
This is the third in my series of Law Practice Today articles on Cybersecurity for Attorneys, following “Cybersecurity for Attorneys: Addressing the Legal and Ethical Duties” (November 2019) and “Cybersecurity for Attorneys: The Ethics of Incident Response” (November 2020). This article addresses securing the virtual practice of law. ABA Formal Opinion 498, also discussed below, broadly defines virtual practice “as technologically enabled law practice beyond the traditional brick-and-mortar law firm.” Because traditional law firms with physical offices have moved largely to work-at-home and hybrid practice models because of the pandemic, the obligations and analysis in the opinion apply equally, in many respects, to traditional law firms.
Duty to Safeguard
Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients, and also often have contractual and regulatory duties to protect confidential information.
Ethics Rules. Several ethics rules in the ABA Model Rules have particular application to protection of client data, including competence (Model Rule 1.1), communication (Model Rule 1.4), confidentiality of information (Model Rule 1.6), supervision (Model Rules 5.1, 5.2 and 5.3), and safeguarding property (Model Rule 1.15).
At the ABA Annual Meeting in 2012, the ABA adopted the recommendations of the ABA Commission on Ethics 20/20 on technology and confidentiality. They include:
- An amendment to Comment [8] to Model Rule 1.1 providing that competence requires knowing and keeping abreast of changes in “the benefits and risks associated with relevant technology…”,
- Addition of section (c) to Model Rule 1.6, requiring attorneys to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client,” and
- Additions to Comment [18] to Model Rule 1.6, providing that “reasonable efforts” require a risk-based analysis, with additional details.
Model Rule 1.4: Communications also applies to attorneys’ use of technology. It requires appropriate communications with clients “about how the client’s objectives are to be accomplished,” including the use of technology. It requires keeping the client informed and, depending on the circumstances, may require obtaining “informed consent” about use of technology. It requires notice to a client of a material compromise of confidential information relating to the client.
Model Rule 5.1: Responsibilities of Partners, Managers, and Supervisory Lawyers and Model Rule 5.2: Responsibilities of a Subordinate Lawyer include the duties of competence and confidentiality. Model Rule 5.3: Responsibilities Regarding Nonlawyer Assistants was amended in 2012 to expand its scope. “Assistants” was expanded to “Assistance,” extending its coverage to all levels of staff and outsourced services, ranging from copying services to outsourced legal services. This requires attorneys to employ reasonable safeguards, like due diligence, contractual requirements, supervision, and monitoring, to ensure that nonlawyers, both inside and outside a law firm, provide services in compliance with an attorney’s ethical duties, including confidentiality.
Model Rule 1.15: Safeguarding Property requires attorneys to segregate and protect money and property of clients and third parties that is held by attorneys. Some ethics opinions and articles have applied it to electronic data held by attorneys.
These obligations are now well-established in the Model Rules, comments, and ethics opinions.
Ethics Opinions. A number of ABA and state ethics opinions, for over a decade, have addressed professional responsibility issues related to security in attorneys’ use of various technologies. Consistent with the Ethics 20/20 amendments, they generally require competent and reasonable safeguards. Three current ABA formal ethics opinions address attorneys’ duty to safeguard information relating to clients when using technology.
ABA Formal Opinion 477R, “Securing Communication of Protected Client Information” (May 2017), while focusing on electronic communications, also explores the general duties to safeguard information relating to clients in light of current threats and the Ethics 20/20 technology amendments to the Model Rules. It concludes:
Rule 1.1 requires a lawyer to provide competent representation to a client. Comment [8] to Rule 1.1 advises lawyers that to maintain the requisite knowledge and skill for competent representation, a lawyer should keep abreast of the benefits and risks associated with relevant technology. Rule 1.6(c) requires a lawyer to make “reasonable efforts” to prevent the inadvertent or unauthorized disclosure of or access to information relating to the representation.
ABA Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (October 17, 2018), reviews lawyers’ duties of competence, communication, confidentiality, and supervision in safeguarding confidential data and in responding to data breaches. It finds that Model Rule 1.15: Safeguarding Property applies to electronic client files as well as paper client files and requires the care required of a professional fiduciary.
The opinion states that these duties include:
- The obligation to monitor for a breach;
- The duty to stop a breach and restore systems; and
- The duty to determine what happened.
The opinion notes that attorneys have a duty under Model Rule 1.4 to communicate with current clients concerning a data breach. Applying Model Rule 1.9(c), the opinion finds norequirement to notify a former client of a breach “as a matter of legal ethics.”
Most recently, the ABA issued Formal Opinion 498, “Virtual Practice” (February 2021). Consistent with earlier ABA and state ethics opinions, its headnote includes:
…When practicing virtually, lawyers must particularly consider ethical duties regarding competence, diligence, and communication, especially when using technology. In compliance with the duty of confidentiality, lawyers must make reasonable efforts to prevent inadvertent or unauthorized disclosures of information relating to the representation and take reasonable precautions when transmitting such information. Additionally, the duty of supervision requires that lawyers make reasonable efforts to ensure compliance by subordinate lawyers and nonlawyer assistants with the Rules of Professional Conduct, specifically regarding virtual practice policies.
The opinion includes a discussion of lawyers’ obligations relating to particular technologies and services, including: 1. Hardware/Software Systems; 2. Accessing Client Files and Data; 3. Virtual Meeting Platforms and Videoconferencing; 5. Virtual Document and Data Exchange Platforms; and 6. Smart Speakers, Virtual Assistants, and Other Listening-Enabled Devices. Attorneys who use these technologies should understand and address the listed considerations.
Common Law and Contractual Duties. Along with the ethical duties, parallel common law duties are defined by case law in the various states. They include competence, communication, and confidentiality. Breach of these duties can result in a malpractice action.
Increasingly, lawyers have contractual duties to protect client data, particularly for clients in regulated industries, such as health care and financial services, that have regulatory requirements to protect privacy and security. They frequently include requirements for incident response and notice of security incidents and data breaches.
Regulatory Duties. Attorneys and law firms that have specified personal information about their employees, clients, clients’ employees, or customers, opposing parties and their employees, or even witnesses may also be covered by federal and state laws that variously require reasonable safeguards for covered information and notice to affected individuals and sometimes to regulators in the event of a data breach.
More details about attorneys’ duties to safeguard confidential information and compliance with them are covered in the November 2020 and November 2019 articles listed above.
Complying with the Duties
Understanding all the applicable duties is the first step, before moving to the challenges of compliance by designing, implementing, and maintaining an appropriate risk-based cybersecurity program.
A cybersecurity program should cover the core security functions: identify; protect; detect; respond; and recover. There has been an increasing emphasis on detection, response, and recovery in recent years. While detection, response, and recovery have always been important parts of security, they have too often taken a back seat to protection. Since security incidents and data breaches are increasingly viewed as sometimes being inevitable, these other functions have taken on increased importance.
Security starts with an inventory of information assets and data to determine what needs to be protected, and then a risk assessment to identify anticipated threats to the information assets. The next step is development, implementation, and maintenance of a comprehensive cybersecurity program to employ reasonable physical, administrative, and technical safeguards to protect against identified risks. It should include an incident response that addresses procedures and resources to address a security incident or data breach. The program should be appropriately scaled to the size of the practice and sensitivity of the information. It should include training and promotion of constant security awareness by every user, every time that they’re using technology.
A comprehensive security program, including protection of virtual practice, is best based on a standard or framework, like those published by the National Institute for Standards and Technology (NIST) and the International Organization for Standardization (ISO). For small and mid-size firms, more basic information is available on the ABA Cybersecurity Legal Task Force’s Cybersecurity Resources for Small Law Firms, the Federal Trade Commission (FTC) website, Cybersecurity for Small Business, and NIST’s Small Business Cybersecurity Corner website. The ABA’s Cybersecurity Resources for Small Law Firms also includes links to ABA, government and private sector resources.
Secure cloud services, like Microsoft 365 (Office 365), Google Workspace (G Suite), and cloud practice management platforms, can provide a higher level of security than many attorneys and law firms can provide on their own, particularly for solos and small and mid-size firms. In selecting and using cloud services, attorneys should follow the recommendations in the cloud ethics opinions, including reasonable care to ensure that confidentiality is maintained in a manner consistent with the lawyer’s obligations under Rule 1.6. It is important to securely configure the cloud service (like using multifactor authentication and enabling and retaining logs), to provide for security of the endpoint computers and devices connecting to the cloud, and to provide a secure connection to the cloud (like a virtual private network). Business versions generally have stronger controls and security than consumer versions. Managing third-party security risks is important for all service providers and others that can connect to a law firm network. The ABA Cybersecurity Legal Task Force has recently published the Vendor Contracting Project: Cybersecurity Checklist, Second Edition (2021), available free to ABA members.
Attorneys and law firms will often need assistance with cybersecurity programs because they do not have the requisite knowledge and experience. For those who need assistance, it is important to find an IT consultant with knowledge and experience in security or a qualified security consultant.
Securing Virtual Practice
The elements of a cybersecurity program discussed in the previous section provide the macro or overview part of a program. This section addresses the next level, practical aspects. Attorneys should consider reviewing and addressing these practical steps, in combination with the considerations for particular technologies and services in Formal Opinion 498, for a comprehensive approach.
Areas to consider in addressing safeguards for a virtual or remote practice include:
- Security of the end user’s computer or device and the network to which it is connected, often a home wireless network;
- A secure channel over the internet like a virtual private network (VPN); and
- Security of the remote network or service provider to which the end user is connected.
The following safeguards are in a checklist format. While checklists are helpful for cybersecurity programs, it important to use them appropriately. Security is not a “check the box” or “set it and forget it” process. Effective security requires continuing attention and periodic review and updating.
- Manage and minimize data.
Cybersecurity should be part of information governance. It is necessary to know what technology and data needs to be protected. Data that is securely deleted when it is no longer needed is no longer exposed. - Use secure, common configurations for servers, desktops, laptops, and mobile devices.
- This includes settings like automatic logoff or shut down after x minutes of inactivity and locking or wiping after x failed logon attempts.
- Follow security configuration recommendations from Microsoft, Apple, and device manufactures.
- For more comprehensive recommendations, see the Center for Internet Security’s CIS Benchmarks.
- Most attorneys will need technical assistance with secure configuration of servers.
- Control use of administrative privileges.
- Windows and Mac computers have two kinds of user accounts: administrator and standard user accounts.
- Administrator access is needed for some functions like installing or removing software and devices.
- Some malware can run only in an administrator account.
- Use a standard user account for routine use of a computer; use administrator access only when necessary.
- Use strong passwords or passphrases and a password manager.
- The current recommendation is for a minimum of 12 or 14 characters, including capital and small letters, numbers, and symbols.
- Passphrases (like “Ilovmy2017BMW!”) are secure and easer to remember than random passwords.
- Password managers (like 1Password, LastPass and Dashlane) can be very helpful to balance security and ease of use. The user has to remember only the password or passphrase for the manager and all others are securely stored in the manager.
- Zero Trust architecture is an emerging approach for authentication and access control. Watch for developments as it becomes more common and available for virtual law practices.
- Use multifactor authentication (MFA), particularly for administrator accounts and remote access.
- MFA is particularly important for remote access to networks and cloud services. If a username and password is compromised, an attacker cannot get access unless they have access to the additional factor, like a generated code, physical device, or biometric identifier.
- MFA using SMS text messages has been compromised in some situations, so MFA with authentication apps or physical devices is recommended. MFA by SMS is still much stronger than no MFA.
- Segment and limit access to sensitive data.
Sensitive data should be stored in a separate location or locations, with separate access controls. Access should be limited to users who need access.
- Promptly patch the operating system, firmware, all applications, and all plug-ins.
- Malware often takes advantage of vulnerabilities in operating systems, applications, and plug-ins. Updates and patches are developed to protect against such vulnerabilities after they are known.
- Patches should be promptly applied to the operating system, all applications, and firmware to protect against vulnerabilities.
- Computers are often compromised by malware for which patches are available but have not been applied.
- Provide for secure electronic communications.
- Attorneys should have access to encrypted e-mail for use when appropriate.
- Multiple options for encrypted e-mail are inexpensive and easy to use.
- Examples include business versions of Microsoft 365 (Office 365), Google Workspace (G Suite), and services like ZixMail and Citrix FileShare.
- Secure file-sharing apps and services are also necessary for most attorneys today.
- Use a spam filter and website filtering.
- Use strong encryption.
- Business versions of Windows have built-in encryption called BitLocker. It is activated by turning it on and saving a recovery key. BitLocker works best on business grade desktops and laptops that have a TPM (Trusted Platform Module) security chip. For consumer versions of Windows, encryption software is available from the publishers of standard security software like Symantec, McAfee, Norton, and Sophos. Standalone encryption software is available from providers like Dell and WinMagic.
- Apple computers have built-in encryption called FileVault 2. It is activated by turning it on and saving a recovery key.
- iPhones and iPads have built-in encryption that is automatically enabled when a passcode is set.
- Current Android devices work the same way as iPhones and iPads, with encryption automatically enabled when a PIN, passcode, or swipe pattern is set.
- Some older Android devices require encryption to be enabled by checking a box or pressing an onscreen button. If you are enabling encryption on an Android device that is already in use, follow the onscreen instructions, including plugging the device into a charger.
- After encryption is enabled, the device is automatically encrypted when a user logs off or the device is shut down. It is automatically decrypted when a user enters his or her logon credentials.
- Use only secure wireless networks.
- Securely configure law office wireless networks and home wireless networks used for work and use only ones with WPA2 or WPA3 security. Consider using a separate wireless network for work at home. Apply security updates to the wireless access point. Do not use wireless clouds with outdated WEP or WPA security.
- It is best to avoid public wireless networks for work or other confidential use. A wireless hotspot is a more secure alternative. Do not use public wireless networks unless you confirm that you have a secure connection by using a VPN or other secure communication channel.
- Use strong security appliances and software and keep them up to date.
- Home and law firm networks should be protected by hardware firewalls, securely configured. Firewalls are often included in network devices provided by internet service providers, but they must be turned on, configured, and kept up to date.
- Windows and Mac computers have built-in software firewalls. They also need to be turned on, configured, and kept up to date.
- Windows and Mac computers should be protected with current versions of security software, with all updates. Some are updated multiple times a day. It’s generally best to use auto update.
- Some examples of security software are Bitdefender, McAfee, Microsoft Windows Defender, Sophos, Trend Micro, and
- Consider using more advanced security software, like application whitelisting (that allows only approved applications and processes to run), data loss prevention, and endpoint detection and response.
- Conduct vulnerability assessment and remediation.
This is usually done by a tech professional to find and address security issues like missing patches, incorrect configurations, and open ports.
- Back up important files and data.
- Files should be backed up at least daily.
- Maintain multiple backups, including an offline and offsite backup.
- Make sure that backups are secure.
- Test restoration from backups.
Conclusion
Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients and often have contractual and regulatory duties. The safeguards should be included in a risk-based, comprehensive cybersecurity program, including safeguarding of virtual practice.
Additional InformationAmerican Bar Association, Cybersecurity Legal Taskforce American Bar Association, Law Practice Division, including the Legal Technology Resource Center and ABA TECHSHOW Jill D. Rhodes and Robert S. Litt, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Second Edition (ABA 2017) (Third Edition in production) |
The views and opinions expressed in this article represent the view of the author, and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is intended to be a substitute for professional legal advice.
About the Author
David G. Ries (dries@clarkhill.com) is of counsel in the Pittsburgh, PA office of Clark Hill PLC, where he practices in the firm’s Cybersecurity, Data Protection & Privacy Group. He is a coauthor of Encryption Made Simple for Lawyers (ABA 2015) and Locked Down: Practical Information Security for Lawyers, Second Ed. (ABA 2016), an active member of the Law Practice Division, and served on the ABA Cybersecurity Legal Task Force.