In today’s world, cyberattacks are no longer a question of “if,” but a question of “when.”
It’s nearly impossible to avoid some sort of data breach in technology-driven businesses, and as the practice of law becomes more digitized, industry leaders are urging legal professionals to take the appropriate steps to protect themselves and their clients. The American Bar Association Standing Committee on Ethics and Professional Responsibility, for example, recently released Formal Ethics Opinion 477, urging attorneys to make “reasonable efforts” to protect client data and communication from unforeseen attacks or breaches.
The opinion is an updated version of a previous one handed down in 1999, when email was the primary method of electronic communication. Now, attorneys communicate with their clients in a variety of ways and with various devices, necessitating new guidance to legal professionals on how to protect their work on all platforms, the opinion said.
The “reasonable efforts” standard is intentionally vague, as Opinion 477 is meant to encourage a fact-based analysis of cybersecurity measures, rather than a one-size-fits-all method, the committee wrote. However, the opinion does include a list of seven recommended cybersecurity practices:
- Understand the nature of the threat;
- Understand how client confidential information is transmitted and where it is stored;
- Understand and use reasonable electronic security measures;
- Determine how electronic communications about client matters should be protected;
- Label confidential client information;
- Train lawyers and nonlawyer assistants in technology and information security; and
- Conduct due diligence on vendors providing communication technology.
Since that list is not meant to be exhaustive, legal and other cybersecurity experts are offering their take on “reasonable” steps firms can take to protect data from would-be hackers.
Personalized risk assessment
The first and most basic step toward making “reasonable efforts” for client protection is to assess the unique risks each firm incurs in its cyber practices. Derek Brost, director of engineering for Indianapolis-based cybersecurity group Bluelock, said he advises his clients, including law firms, to examine how they use technology, where that technology can be accessed and how that access could open the firm up to vulnerabilities. In general, Brost said law firms tend to take a proactive approach to protecting client data by performing risk assessments before data breaches occur, rather than waiting for a cyberattack to spur action.
Further, Stephen Reynolds, an Ice Miller LLP partner who co-chairs the firm’s Data Security and Privacy Practice Group, said training attorneys on their firm’s cybersecurity practices is another effective risk management tool that can mitigate the chance of an employee accidentally causing a data breach within the firm. But training must be done regularly to ensure attorneys and other employees understand how cybersecurity practices evolve over time, he said.
Two-factor authentication can be described as a set of three possible factors, Reynolds said: one thing you know, one thing you have and one thing you are. Something attorneys “know” can be as simple as a passcode used to access a device, something they “have” could be a token or access code, while something they “are” usually involves biometrics such as an iris or fingerprint scan.
The first step in a two-factor authentication process often begins with an attorney using a passcode to log in to a system or device, Ray Biederman, chief operating officer of Proteus Discovery Group, said. Then, a unique access code could be sent to a cellphone associated with that passcode, prompting the attorney to also enter the access code before they are allowed to enter the system, Biederman said.
Reynolds likened two-factor authentication to using a debit card — a user must have both the card and the unique pin to access the account information. In the same way, he and Biederman said requiring two-factor authentication to access client data at law firms can protect data from would-be hackers who do not have passcodes that prompt subsequent access codes, or whose fingerprints are not known by the data storing system.
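The passcode-then-access-code flow Biederman describes, as an added illustration that is not code from the article or from any firm quoted in it. It assumes a constructed user record and phone number, and a stand-in for the SMS gateway that records what would have been texted; the point it shows is that neither factor alone, nor a reused or expired code, opens the session.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed demo account: the passcode is stored as a salted PBKDF2 hash, never in clear.
_ITER = 200_000
_USER = "attorney@example-firm.test"            # constructed, not a real account
_SALT = os.urandom(16)
USERS = {_USER: (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITER))}
PHONES = {_USER: "+1-555-0100"}                 # constructed, not a real number

CODE_TTL = 300            # seconds a delivered access code stays valid
_pending = {}             # user -> (code, expiry) for codes issued but not yet used
SENT_SMS = []             # stand-in for the SMS gateway: records (number, code) pairs


def _send_sms(number, code):
    SENT_SMS.append((number, code))   # a real deployment calls an SMS/push provider here


def start_login(user, password, now=None):
    """Step 1 (something you know): check the passcode, then issue a one-time code."""
    now = time.time() if now is None else now
    salt, stored = USERS.get(user, (b"\0" * 16, b"\0" * 32))
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)
    # Constant-time compare; the hash is computed even for unknown users so
    # response time does not reveal which usernames exist.
    if user not in USERS or not hmac.compare_digest(stored, attempt):
        return False
    code = f"{secrets.randbelow(10**6):06d}"    # 6-digit code from a CSPRNG
    _pending[user] = (code, now + CODE_TTL)
    _send_sms(PHONES[user], code)
    return True


def finish_login(user, code, now=None):
    """Step 2 (something you have): the code must match, be unexpired and unused."""
    now = time.time() if now is None else now
    # pop(): each issued code gets exactly one attempt, right or wrong, which
    # also stops an attacker from cycling through all one million values.
    entry = _pending.pop(user, None)
    if entry is None:
        return False
    expected, expiry = entry
    return now <= expiry and hmac.compare_digest(expected, code)
```

A wrong access code discards the pending code, so the user must re-enter the passcode to get a fresh one.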
Levels of access
In the hierarchy of a law firm, some attorneys have less need to access certain data than others, and ensuring each attorney has the appropriate level of data access is another key element of promoting cybersecurity, Biederman said. That way, an attorney who falls prey to a cyberattack would only risk compromising the data he or she has access to, not the entirety of the firm’s database, he said.
Similarly, having appropriate data access controls can help a firm guard against “malicious insiders,” or people within the firm who would use their access level to misuse company data, Reynolds said. Protecting against malicious insiders can be as simple as ensuring attorneys’ credentials are revoked when they leave a firm, a step Reynolds said could ensure the exiting attorney does not take confidential client information with them and disseminate it at their new place of work.
Contracting with outside security companies
Because of the inevitable nature of cyberattacks, data security experts recommend contracting with outside services as a backup access point. Bluelock, for example, is a cloud-based hosting and disaster recovery service that can house and replicate law firm data and access that data if the original database is compromised or inaccessible due to a breach, natural disaster or other issue that prevents attorneys from logging in.
Mid-size firms tend to be likeliest to contract with companies such as Bluelock, Brost said, because they are large enough to have an IT risk management plan in place, yet still require some assistance to put that plan into motion. Smaller firms, however, may be less likely to seek outside help due to the smaller, and possibly less digitized, nature of their operations. Opinion 477 notes law firms must provide a clear set of guidelines to contractors to ensure they understand both the firm’s and the firm clients’ expectations of privacy and appropriate cybersecurity measures.
Best practices vary
Like Opinion 477, the cybersecurity experts said their advice is not an exhaustive list of “reasonable” data security practices. Biederman also noted the importance of understanding a firm’s cybersecurity insurance policies, while Reynolds said state and federal laws may also govern cybersecurity practices, such as how long an attorney should keep client files. There is no definitive list of rules law firms must follow to keep their data safe, the attorneys said, so the best practices are the ones that meet a firm’s unique needs.