Law firms maintain large quantities of their clients’ most sensitive information. Lawsuits, mergers and other high-profile situations make law firms a high-visibility target.
So what is contained in the Standing Committee on Ethics and Professional Responsibility’s Formal Opinion 483? Here are the details.
- Model Rule 1.1 (competence), which requires lawyers to develop sufficient competence in technology to meet their obligations under the rules after a breach.
- Model Rule 1.15 (safekeeping property), which requires lawyers to protect trust accounts, documents and property the lawyer is holding for clients or third parties.
- Model Rule 1.4 (communication), which requires lawyers to take reasonable steps to communicate with clients after an incident.
- Model Rule 1.6 (confidentiality), which covers issues dealing with confidentiality of the client-lawyer relationship.
- Model Rule 5.1 (lawyer oversight), which addresses the added responsibilities of a managing partner or supervisory lawyer.
- Model Rule 5.3 (nonlawyer oversight), which addresses the responsibilities of those in supervisory capacities who are nonlawyers.
The ABA says that lawyers should be prepared for a breach, including having an incident response plan in place.
So what does this mean for clients of law firms?
Assuming you care about whether your most private information and/or dirty laundry remains private, here are some recommendations.
- Ask your lawyer for a copy of their security and privacy (two different things) policies.
- Ask when their last INDEPENDENT THIRD PARTY risk assessment was conducted and for a summary of the findings.
- Ask if they have cyber risk insurance.
- Find out which partner is ACCOUNTABLE for cyber risk and talk to that partner about it.
- Find out if they have an internal cyber security team.
Ultimately, it is up to you to hold the law firm accountable for protecting your information, and if you don’t get the right answer, move on. Source: ABA.