Five Ways Law Firms Can Protect Themselves from the Consequences of Cyberattacks

The frequency of cyberattacks on law offices will likely increase because of the confidential and valuable data that attorneys store in electronic client files. In conjunction with the American Bar Association’s (“ABA”) Formal Opinion 483, this article details five proactive steps law firms should take.

ABA Formal Opinion 483 clarifies attorneys’ obligations to prepare for cyberattacks, to safeguard information provided to them, and to respond appropriately if an attack occurs. Formal Opinion 483 states: “Lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.” In other words, attorneys must secure their electronic files. While ABA rules are not technically binding on attorneys, states will likely issue similar rules, and practitioners should be prepared to follow these regulations.

1. 1. Ensure Reasonable Computer Protection Systems Are In Place

Model Rule 1.1 states: “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” Comment 8 to Rule 1.1 reads, “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”

Every law firm should have current technology protecting its computer systems, including office resources connected to the internet, and as well as external data sources. A firm’s IT department should perform periodic, regular reviews to determine whether additional protections are warranted and whether the current security system is “reasonable.” In addition, the IT department should monitor whether patching existing protections is necessary based on newly developed cyberattacks. At least one technically-competent partner should be assigned as the liaison to the IT department to ensure its responsibilities are being met. If a law firm does not have an IT department, an outside cybersecurity firm should be consulted and retained.

1. Train and Test Your Attorneys and Staff
   Most successful cyberattacks are the result of human error and not a frontal breach of a computer system. In other words, a user gets tricked into clicking a link that results in a virus or other attacking agent obtaining access to the system. As a result, all users should be regularly trained regarding what types of cyberattack vectors exist, and what attackers try to do to trick users. However, law firms should take matters a step further and conduct fake phishing campaigns to test their employees. Numerous third-party cyber companies can provide this service if a firm does not have internal resources to do so. Trial by error is often the best way to learn.
2. Ensure Third Party Vendors Have Reasonable Cyber Protection Systems in Place
   Importantly, law firms should ensure that external vendors have reasonable security protections in place to protect the data provided to them. If a vendor does not have reasonable protections, the vendor must be required to implement such protections immediately or the firm should retain another vendor that does provide such protection. Law firms can be held responsible to their clients if they do ensure vendor security exists. One proven approach for law firms is to contractually require vendors to adhere to a specific cybersecurity framework and to provide the law firm the right to audit them.
3. Limit the Amount of Time Client Files Are Retained
   The longer a law firm retains its electronic files, the longer those files are susceptible to being attacked. Every law firm should have a written document retention policy, which should be followed and monitored, that applies to both hard and electronic copies of files and documents. The amount of time client files are retained after the conclusion of a matter should be limited as agreed to as part of the initial engagement agreement.
4. Know How to Respond
   Law firms should have a plan in place to deal with cyberattacks when they happen. Having an effective, comprehensive plan will allow a firm to halt the attack and minimize any damage and disruption as soon as possible after the attack becomes known. The plan should specify each step that takes place and who is responsible for taking it. High-level partners should be assigned to the response team to provide leadership and permit executive decision making to occur quickly.

One of the key steps in the response plan should include discovering what occurred and whether client data was compromised. This step is vitally important so that law firms can notify clients in a timely fashion, if their data was taken or destroyed. The notification should be sufficiently detailed so that the client can decide what next steps, if any, should be taken as a result of the attack. Law firms should also make sure they notify clients of any efforts to recover data and what additional protections, if any, are being put into place.

Failing to take the five steps outlined above could not only result in the breach of an attorney’s ethical duties, but it could also lead to civil liability. Law firms must proactively protect themselves and their clients’ confidential data from cyberattacks.