Cyber Security Best Practices
Law firms face the same task as any other company when it comes to countering cyber attacks and protecting confidential and proprietary data. The one difference is that law firms are bound by ethical rules requiring confidentiality of attorney-client and work-product information. Even that does not make them unique: accounting firms, engineering firms and medical providers also hold privileged data.
Certain basic activities must be undertaken to establish a security program, no matter which best-practice framework a firm decides to follow. Technical staff will manage most of these activities, but firm partners and staff must provide critical input. Firm management must define security roles and responsibilities, develop top-level policies and exercise oversight. In practice this means reviewing findings from critical activities; receiving regular reports on intrusions, system usage and compliance with policies and procedures; and reviewing the security plans and budget.
- Set the “tone from the top” and issue high-level policies regarding the privacy and security of firm data. This includes the use of encryption, remote access, mobile devices, thumb drives, laptops, Wi-Fi “hotspots,” clouds, Web email accounts and social networking sites.
- Inventory the firm’s software systems and data, and assign an owner and a risk category to each. Client data may need to be compartmentalized; not all clients are equal. Extremely sensitive matters carry the highest risk and could cause the greatest harm if breached. Firms may want to keep this data on a separate server with stronger security protections and tighter access controls, so that a compromise of general-purpose systems does not expose the most sensitive matters.
- Conduct third-party vulnerability scans, penetration tests and malware scans. Antivirus software is essential, but signature-based products detect only a small percentage of new malware. Specialized services that detect sophisticated or targeted attacks may be required.
- Deploy needed security technologies for encryption, intrusion prevention and detection, monitoring, security event management, etc.
- Identify and document security controls.
- Develop security policies and procedures to support the security plan and technologies.
- Develop contractual security requirements for outsourcing vendors, cloud providers or other entities that connect to the firm’s network, including notification in the event of a breach.
- Conduct regular reviews of the security program and update as necessary.
Law firms, like any other business, are subject to breach notification laws, and many of them have pre-breach security program requirements. A firm will be in a far superior position with its clients, its state bar and any regulators that may become involved if it can show that (1) its security program is aligned with best practices, (2) its management is engaged, (3) it is complying with its policies and procedures, and (4) tools are deployed to detect malware and criminal behavior.
RESPONDING TO AN INCIDENT
Having a well-rehearsed incident response plan is critical. It must specify who will be notified and within what time frame, what documentation must be kept, who is designated to speak about the incident and who has authority to make decisions about the investigation. Serious incidents require specialized assistance from cyber forensic experts and careful documentation to preserve evidence. Even if the event did not trigger a breach notification law, a law firm’s decision to cover up an incident is a dangerous strategy.
New commentary to Rule 1.1 of the Model Rules of Professional Conduct requires attorneys to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Model Rule 1.6(c), on the confidentiality of client information, acknowledges that disclosures can happen by providing: “(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Commentary on the Rule notes that “Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure.”
Thus, Rules 1.1 and 1.6 may allow a law firm to avoid an ethics violation stemming from a breach if it has acted in a competent manner (e.g., having a strong security program) to protect its client data from disclosure.
Accordingly, a strong security program may help shield a firm from an ethics violation for failing to appropriately protect client data, and it may help the firm defeat a negligence claim, but it has no bearing on the Rules’ requirement to inform clients of security incidents affecting their matters. A good security program does, however, reduce the likelihood that such a painful conversation will have to take place. Altogether, it is clear that an up-to-date security program is the best defense a law firm can have. Whether large or small, taking measures to establish a strong security posture is not only the right thing to do, it is the ethical thing to do. It may save the firm cases, clients and its reputation.