Cloud storage of client data has become standard practice at law firms with the growth of the internet. By 2022, the worldwide cybersecurity sector is projected to be worth $230 billion, according to research firm MarketsandMarkets. The big business of cybersecurity has raised lawyers' ethical obligations to keep clients' remotely stored data confidential.
The Legal Ethics of Confidentiality
The American Bar Association (ABA) Model Rules 1.1 (competence), Rule 1.4 (communications), Rule 1.6 (duty of confidentiality) and Rules 5.1-5.3 (lawyer and non-lawyer associations) are all important legal ethical considerations when developing protocols for storing confidential client information in the cloud. An updated comment to Rule 1.6(c) lists non-exclusive factors to consider when examining whether an attorney's actions leading up to a client data breach were reasonable. These include the type of information stored, the cost and difficulty of implementing safeguards, and the likelihood of a breach if no safeguards are in place.
In August 2012, the ABA updated its Model Rules of Professional Conduct. According to the ABA Center for Professional Responsibility’s Policy Implementation Committee, the updated Model Rules have been adopted by 28 U.S. jurisdictions. Two changes to the Model Rules relate to confidentiality and competency. Lawyers must not only keep up with developments in the law but also keep up with developments in technology to employ the “reasonable efforts” required under the Model Rules to avoid “inadvertent or unauthorized” disclosure and access to client information.
In May 2017, the ABA's Standing Committee on Ethics and Professional Responsibility issued guidance for attorneys regarding confidentiality with the publication of its Formal Opinion 477R. The guidance makes a number of recommendations, such as learning about the nature of threats and best practices for avoiding data breaches, ensuring confidential client documents are properly labeled, and conducting due diligence on technology vendors. A thorough read of the guidance is essential for lawyers serious about learning best practices to guard against cybersecurity threats.
In 2017, small companies accounted for 61 percent of cybersecurity attacks, according to the Verizon Data Breach Investigations Report. Because legal ethical rules apply equally to the small firm and the big firm, no lawyer can afford to ignore cybersecurity risk. The first step in mitigating risk is to become aware of a firm's specific technology vulnerabilities.
Vulnerability assessments are performed by third-party vendors. They can be costly, depending on how complex the computer system is and whether the firm also wants remediation options. John W. Simek, vice president of Sensei Enterprises, Inc., a Fairfax, Virginia-based cybersecurity firm, advises small law firms not to pay for services intended for big firms. “Stay away from the big buys,” he says. “They are too expensive for you.” A simple online search for vulnerability assessments reveals that some are offered for as little as a couple thousand dollars. Privacy Ref, a cybersecurity consulting firm in Delray Beach, Florida, however, states that a vulnerability assessment can run about $30,000.
Remediating Cybersecurity Risks
A firm will know where best to deploy resources once a vulnerability assessment has been conducted and its results reviewed. Depending on the results, a number of remedial efforts may be required, including, but not limited to, the following:
- update firmware and software, firewalls, anti-virus software or network servers;
- install patches to fix known security vulnerabilities;
- establish an IT protocol, which may include developing stronger password policies;
- train employees about cyber threats and how to avoid them;
- hire a security company to examine outside vendors; and
- buy insurance that covers technology-based risk.
These are just some of the remediation efforts that may be necessary after a vulnerability assessment. Continuously monitoring a firm's network can be costly, but responding to a hacking incident can cost far more. According to UPS Capital, cyberattacks can cost small businesses between $84,000 and $148,000. To make matters worse, the data indicates that approximately 60 percent of small companies go out of business within six months of a cyberattack.
Technology is constantly changing. The Florida Bar became the first state bar association to require its lawyers to complete at least three hours of CLE training in a technology program every three years. In light of the risk exposure, this is a good practice for lawyers to follow whether or not their state bar association mandates it.