Who is Lurking in Your Computer?
Lawyers may not worry about cyberattacks because, after all, what could hackers possibly want from them? As described below, hacking of law firm data is alive and well. However, according to the ABA 2020 Legal Technology Survey Report conducted by the ABA Legal Technology Resource Center, less than 50% of the lawyers who responded to the survey implement and use certain security measures. (Only 43% of respondents use file encryption, 39% use email encryption, and 26% use whole/full disk encryption. Other security tools were used by less than 50% of respondents are two-factor authentication (39%), intrusion prevention (29%), intrusion detection (29%), remote device management and wiping (28%), device recovery (27%), web filtering (26%), employee monitoring (23%), and biometric login (12%).
Lawyers have a treasure trove of information that has value to hackers: personal information such as social security numbers, credit card numbers, and medical information; and intellectual, trade secret, or other propriety business information. And now that lawyers are working remotely, the risks of a data breach can be even greater if security measures have not been taken. What happens if you leave your iPad at Starbucks or leave the computer on and the screen shows the deal you’re working on while workers are in your house and you’ve left to run an errand? Do your firm’s security measures apply when working remotely? If you maintain confidential information in the cloud, what security measures do your vendors have in place?
CRS § 6-1-716(1)(h) defines a security breach as “the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality or integrity of personal information maintained by a covered entity.” Certainly not the only data breach to have occurred involving a law firm, but probably one of the most famous, involved the Panamanian law firm Mossack Fonseca in which the “Panama papers” were published, revealing confidential information including the identity of clients attempting to move money to avoid certain laws in their home jurisdictions.
A fairly recent data breach that affected over 190 law firms involved a third-party vendor hosting legal documents for those law firms. Lawyers must be familiar with their obligations to notify clients when such breaches occur, either directly or by other third parties. See, e.g., CRS § 6-1-716, discussing notification obligations for security breaches.
Understanding technology is subsumed in lawyers’ ethical obligations of competency, appropriately communicating, and preserving confidential information. Colo. RPC 1.1 and cmt. 8 thereto (competency includes keeping abreast of technology changes), and Colo RPC Rules 1.4, and 1.6. See also ABA Formal Op. 483 (Oct. 2018), Lawyers’ Obligations after an Electronic Data Breach or Cyberattack.
A lawyer must make reasonable efforts to prevent the inadvertent or unauthorized disclosure of confidential information, and failure to do so could result in disciplinary proceedings. See cmts. 18 and 19 to Colo. RPC 1.6, which discuss whether the lawyer implemented appropriate safeguards to protect confidential information and factors considered to determine whether the lawyer made reasonable efforts to protect the information.
In addition to ethical concerns, a breach of a lawyer’s device or network may implicate federal and state laws. CRS § 6-1-716, discussing notification obligations for security breaches.
Consider taking the following actions to supplement your data security protocols:
- Retain an IT company that can help with security measures and wipe devices if lost or left somewhere.
- Create strong passwords.
- Train lawyers and staff about security protocols, including checking email addresses and not opening links that are unfamiliar.
- Don’t allow work computers to be used for personal use. This is not an issue for solo practitioners.
- Don’t send passwords in the same email as the email sending a link for documents.
- Conduct cybersecurity testing and auditing.
- Verify that wiring instructions are sent to the correct recipient. This may mean picking up the phone.
- Ask vendors about their security protocols.
- Purchase cybersecurity insurance for when a security breach occurs.
Although lawyers may love publicity, being the headline because your firm was hacked is not the type of publicity any lawyer wants.
Lawyers have a treasure trove of information that has value to hackers: personal information such as social security numbers, credit card numbers, and medical information; and intellectual, trade secret, or other propriety business information.