Digital transformation occurs wherever you look. Even the smallest of businesses and most archaic of bureaucracies have foregone pen and paper and rubber stamps for digital files and signatures. With that evolution, however, comes an increasingly dangerous threat landscape where cybercriminals are raking in outrageous sums that approach three billion dollars annually.
Organizations across all industries are affected, but ones that house vast amounts of personal and sensitive data are the most vulnerable. This is especially applicable to organizations in government, healthcare, and the field of law. For those in the legal profession, cyberthreats targeting law firms are a major professional responsibility that all firms must continually address, just as businesses in other industries do. Additionally, however, cyberattacks also represent a potential liability.
That’s why the American Bar Association has established guidelines for firms to follow to help ensure their data—as well as their clients’—remains secure.
The Ramifications and Obligations of Formal Opinion 483
The American Bar Association’s (ABA) Formal Opinion 483 provides the legal profession with a long list of obligations to meet in the lead up to and aftermath of a data breach or cyberattack. The opinion acknowledges that cyberthreats targeting law firms now present a major professional responsibility. To underscore the seriousness of the threat, the opinion notes that law enforcement officials divide businesses into two categories: (1) those that have been hacked and (2) those that will be. Unfortunately, there is no third option.
Under Formal Opinion 483, lawyers have an ethical obligation to extend their duty of competence to prepare for a potential (and perhaps inevitable) data breach. Specifically, lawyers must understand the technologies used to deliver legal services to their clients, and the ways in which data is transferred and stored. They then must take steps to reasonably safeguard client property and information in their possession. To that end, under the duty of competence, a lawyer has an ethical obligation to understand the risks of any technology used in their practice in the three areas that follow, each of which is critical to preventing and recovering from data breaches.
Monitor for a Data Breach
The ABA notes that not every cyber event constitutes a data breach and, therefore, not all events trigger the obligations detailed in the opinion. Nonetheless, the opinion defines a data breach as involving material confidential client information that is “misappropriated, destroyed, or otherwise compromised.” Additionally, the opinion applies when “a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.” Moreover, lawyers must employ reasonable efforts to police the technology and resources connected to the internet, external data sources, and the data in possession of external vendors.
In this context, the opinion notes that “…the potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.” In essence, security monitoring by capable analysts who understand today’s threats is required to meet this obligation. Ideally, that monitoring runs around the clock, because cyberattacks can be launched from anywhere in the world at any time, night or day.
Stop the Breach and Restore Systems
As it relates to stopping the breach and returning to business as normal, the opinion notes that “When a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.”
To prepare for an event, the opinion encourages lawyers to proactively develop and document their response to a data breach in an incident response plan. The opinion also encourages lawyers to “make all reasonable efforts to restore computer operations” to resume servicing the needs of clients.
Incident response plans require significant planning and close coordination among a number of teams. A best practice for law firms, as for all organizations, is to conduct trial runs so that every responder knows their role and how to react swiftly.
Determine What Occurred
Breaches do occur, so when it comes time to determine how the event unfolded, the opinion states that “a competent attorney must make reasonable efforts to determine what occurred during the data breach.” This effort includes gathering enough evidence to ensure the intrusion is no longer taking place and, to the extent possible, determine the data lost or accessed during the event. This in turn allows for accurate disclosures to clients, consistent with a lawyer’s duty of communication and honesty.
Data breaches are costly, but ones left unremediated are the worst. When firms respond quickly and then investigate and discover exactly what happened, they stem losses not only in the present but also in the future by reducing the risk of breaches down the road.
Employ Best Practices for Formal Opinion 483
Large organizations consider security operations centers—which include the people, processes, and technology for comprehensive cybersecurity—an essential component for staying safe in today’s threat climate. Smaller organizations that lack the technology or staff for an in-house security operations center are also able to meet the ABA’s obligations and employ best practices through a security operations center “as a service.”
For more, this cybersecurity checklist for law firms provides further guidance on what your firm needs to do to meet these obligations: (1) assess risk, monitor, and detect threats to your network, (2) develop plans for incident response, and (3) create customized reporting for compliance and regulatory purposes.