This post applies to two groups of people –
- Members of a law firm
- Clients who share their sensitive information with their law firms
That pretty much means everyone!
The American Bar Association Model Rule of Professional Conduct 1.6 says that “a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized access to information relating to the representation of a client.”
An attorney’s duty of competence starts with legal knowledge, skill, thoroughness and preparation, but Comment 8 to Model Rule 1.1 extends that to “the benefits and risks associated with relevant technology.”
In addition, Model Rules 5.2 and 5.3 require that the attorney supervising a matter, and those working under that supervision, including consultants and vendors, act with technical competence.
If an attorney suffers a breach, such as the ones that the FBI says occurred at Weil, Gotshal & Manges and Cravath, Swaine & Moore or, even worse, such as the breach at Mossack Fonseca, which compromised almost 3 terabytes of data, not only will the firm have a very unhappy client or clients, but the attorneys may be in violation of the ABA rules of professional conduct and the firm will likely face lawsuits or loss of clients or both.
Whether a law firm stores its data locally on servers or computers in the office or stores it in the cloud, the basic issues are the same. The following types of controls must be in place:
- Physical – access to servers and network equipment must be physically secured
- Technical – Best practices require multiple layers of technical security controls and monitoring.
- Administrative – Policies and procedures, both inside the firm and with service providers
- Application – All applications have vulnerabilities, sometimes known, sometimes unknown. Frequent vulnerability scans and third-party penetration tests used to be considered state of the art. Now they are considered basic industry practice.
Carnegie Mellon University created a scale to describe the level of organizational system maturity, and it can be applied to the level of cyber security maturity as well. Those levels are:
- Level 1, Ad Hoc – Lack of any formal cyber security process
- Level 2, Developing – Some processes are repeatable, but it requires continuous effort to keep the processes on track
- Level 3, Practicing – Some documentation and enforceable standards exist, and the firm’s processes have some consistency
- Level 4, Optimizing – Processes are in place and mostly repeatable, and they are actively being optimized
- Level 5, Leading – Processes are optimized and repeatable, and they are innovative and leading edge
The vast majority of firms are at level 1 or 2. Most smaller firms are at level 1. Almost no firms are at level 4 or 5.
If you are a client of a law firm, you should be asking what the firm is doing to protect your information, and don’t accept an answer of “don’t worry”.
If you are in a management position at a law firm, you should be asking what your firm is doing to protect your clients’ information. Law firms rely on their reputation to attract and keep clients.
Both law firm clients and law firm employees lose if a firm is breached, but unless clients demand improved cyber security, firms are less likely to commit substantial resources towards the problem. There are no winners when it comes to a breach. Except the bad guys.
Information for this post came from Corporate Counsel.