Many lawyers hear “cybersecurity” and immediately tune out, thinking it does not pertain to them. However, they really should perk up their ears, as a security breach can have major ramifications for their practice. Corporate clients who do not insist their firms have security standards open themselves up to leaks of privileged information, and lawyers who do not ensure their firms are secure risk losing their largest corporate clients. Furthermore, not only can data be inadvertently exposed, but if data is not properly secured, firms may find themselves in violation of their ethical responsibilities. Below is the first of three real-world scenarios that could happen to any attorney and seriously impact a corporate client. Look for the next two scenarios in the coming months.
Firmwide policies should be drafted around working outside the office, and databases with very sensitive information should be locked so they can be viewed from secure locations only. However, it is not enough for your outside counsel to simply have these policies in place: Staff need to be trained on the policies and understand the implications if they are broken. All new employees must be made aware of the firm’s security policies, and all current employees should be trained on the policies and retrained every time the policies are changed. All of your outside counsel should comply with and enforce any and all policies you have in place to protect your own data.
Adding to the firm’s predicament is that, in addition to losing you as a client, it may have violated its ethical obligations to you. The ABA Model Rules now require that all lawyers “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” (See ABA Rule 1.6: Confidentiality Of Information.) This does not mean that lawyers are subject to an ethics violation for every data breach, but this obligation does require active efforts on the part of outside counsel to evaluate and implement technological safeguards. The comment to the rule notes that, when evaluating whether an attorney’s efforts were reasonable, factors to be considered include “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.” As a practical matter, this requires attorneys to make fact-specific evaluations regarding both the information to be protected and the various technological means of protecting it. This suggests that more sensitive information might be subject to greater, more costly or more cumbersome technological controls, such as access restrictions and copying limitations.