Cyber Security Best Practices
Law firms face the same task as any other company in countering cyber attacks and protecting their confidential and proprietary data. One difference is that law firms are bound by ethical rules requiring the confidentiality of attorney-client and work-product information. Even that does not make them unique, however: accounting firms, engineering firms, and medical providers also hold privileged data.
Some essential activities must be undertaken to establish a security program, no matter which best-practice framework a firm decides to follow. Technical staff will carry out most of these activities, but firm partners and staff must provide critical input. Firm management must define security roles and responsibilities, develop top-level policies, and exercise oversight. Oversight means reviewing the findings from the activities below, receiving regular reports on intrusions, system usage, and compliance with policies and procedures, and reviewing the security plan and budget.
- Set the “tone from the top” and issue high-level policies on the privacy and security of firm data. These policies should cover encryption, remote access, mobile devices, thumb drives, laptops, Wi-Fi hotspots, cloud services, webmail accounts, and social networking sites.
- Inventory the firm’s software systems and data, assigning an owner and a risk category to each. Client data may need to be tiered; not all client matters carry the same risk. Extremely sensitive matters have the highest risk and could cause the greatest harm if breached, so a firm may want to keep that data on a separate server with stronger security protections and tighter access controls.
- Conduct third-party vulnerability scans, penetration tests, and malware scans. Antivirus software is essential, but it detects only a small percentage of new malware; specialized services with visibility into sophisticated attacks may be required.
- Deploy the security technologies the plan calls for: encryption, intrusion detection and prevention, monitoring, security event management, and so on.
- Identify and document security controls.
- Develop security policies and procedures to support the security plan and technologies.
- Develop contractual security requirements for outsourcing vendors, cloud providers, and any other entity that connects to the firm’s network, including an obligation to notify the firm in the event of a breach.
- Conduct regular reviews of the security program and update as necessary.
Like any other business, law firms are subject to breach notification laws, and many of those laws also impose security program requirements that apply before any breach occurs. A firm will be in a far stronger position with its clients, its state bar, and any regulators that become involved if it can show that (1) its security program is aligned with best practices, (2) its management is engaged, (3) it is complying with its own policies and procedures, and (4) tools are deployed to detect malware and criminal activity.
RESPONDING TO AN INCIDENT
Having a well-rehearsed incident response plan is critical. It must specify who will be notified and within what time frame, what documentation must be kept, who is designated to speak about the incident, and who has the authority to make decisions about the investigation. Serious incidents require specialized assistance from cyber forensic experts and careful documentation to preserve evidence. Even if the event did not trigger a legal notification obligation, a law firm’s decision to cover up an incident is a dangerous strategy.
New commentary to Rule 1.1 of the Model Rules of Professional Conduct requires attorneys to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Model Rule 1.6(c), on the confidentiality of information relating to a client’s representation, acknowledges that disclosures can happen by providing: “(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Commentary on the Rule notes that “Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and inadvertent or unauthorized disclosure.”
Thus, Rules 1.1 and 1.6 may allow a law firm to avoid an ethics violation stemming from a breach if it has acted competently (e.g., having a strong security program) to protect its client data from disclosure.
Accordingly, a strong security program may help shield a firm from an ethics violation for failing to protect client data appropriately, and it may help the firm defend against a negligence claim. It does not, however, alter the requirement to inform clients of security incidents. A good security program does reduce the likelihood that such a painful conversation will have to take place. Altogether, an up-to-date security program is the best defense a law firm can have. Whether large or small, taking measures to establish a strong security posture is not only the right thing to do, it is the ethical thing to do. It may save the firm cases, clients, and reputation.