Inside Cybersecurity


ABA urges lawyers to adopt encryption, other cybersecurity practices in latest 'handbook'

By Rick Weber / October 24, 2017

Lawyers and law firms are increasingly targeted for cyber attacks because of the sensitive client data they handle and store -- and because of these threats they should embrace the use of encryption where appropriate, develop plans for destroying and limiting storage of personal data, and adopt a cyber-risk management and incident-response plan in advance of a potential data breach.

These recommendations, among a number of other cybersecurity practices, are laid out in a new “handbook” for attorneys to be released next month by the American Bar Association. The advice is likely to have broad implications across industry sectors that rely on law firms and in-house counsel for legal advice in the face of potential lawsuits and regulatory actions in the wake of breaches, ransomware or other malicious cyber attacks.

“Moving the legal community from the wake-up call of 2013 to regular involvement in cybersecurity risk analysis and response is the purpose of this edition of our Handbook,” according to the second edition of the handbook, which addresses the changing threat landscape over the past several years and the increased role and responsibility for lawyers in helping businesses and organizations prepare for and respond to cyber attacks.

This article examines the changing cybersecurity risks faced by law firms as laid out in chapter 2 of the handbook, as part of a series that looks at such wide-ranging issues as international norms, the role of insurance, the varying considerations for private-sector and government lawyers, and the ethics and statutory requirements related to data security, among other considerations.

“When attorneys, practitioners, and law firms do not protect themselves through basic steps, such as patching software, updating files, and monitoring who has access to their networks, these risks increase and data and systems are put in harm’s way,” according to the latest edition of “The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals.”

Key developments since the last release of the ABA handbook in 2013 include the release of the National Institute of Standards and Technology's voluntary framework of cybersecurity standards and the development of information sharing and analysis organizations, or ISAOs -- both initiatives were prompted by executive orders by former President Obama -- and the release of President Trump's cybersecurity order in May that mandated use of the NIST framework for all federal agencies.

Trump's order required all federal agency heads to develop risk-management reports based on use of the NIST framework within 90 days for review by the Department of Homeland Security and the White House Office of Management and Budget, as noted by the ABA handbook.

“While this order focuses on the public sector, there have also been changes in the private sector since the first edition of this Handbook was published,” write Jill Rhodes and Robert Litt in the first chapter on explaining the “purpose” for the updated edition of the handbook.

They note that recent private-sector developments include the establishment of ISAOs and the legal implications surrounding this expanded sharing of cyber-threat indicators. Rhodes is vice president and chief information security officer for healthcare company Option Care, and Litt is of counsel in the firm Morrison & Foerster and was general counsel for the Office of the Director of National Intelligence in the Obama administration.

“A legal ISAO was started, providing a venue in which lawyers from the private sector can meet with those from the Department of Homeland Security and other public sector entities to discuss these issues while maintaining a level of confidentiality,” according to the handbook. “But the cyber threat is also growing.”

To address this growing threat, the ABA handbook lays out 10 steps that law firms should take to protect confidential information and prevent data breaches.

“Secure the law firm’s sensitive data using appropriate encryption technology,” writes Lucy Thompson in the second chapter on “understanding” cyber risks. “Develop a data retention and destruction plan so personal data is not at risk--sanitize regularly,” is another recommendation among the steps offered by the handbook.

“Develop a comprehensive information security plan specifically designed to prevent data breaches,” according to the handbook. “The plan must include appropriate security for all aspects of the computer network, including technical, operational, and management controls.”

The ABA also highlights concerns about potential cyber risks from vendors and third parties, and recommends using purchasing agreements and procurement policy to compel improved cybersecurity.

“Work with vendors and business partners who provide products and services with appropriate security,” according to the handbook. “Use procurements as an opportunity to specify requirements for appropriate security in vendor contracts and business partner agreements,” writes Thompson, who is founding principal of Livingston PLLC in Washington, DC, where she focuses her practice on legal and technology issues related to cybersecurity and global data privacy.

The handbook, which will be released in early November and can be pre-ordered at the ABA online store, was developed by the ABA Cybersecurity Legal Task Force established in 2012. The first edition handbook was developed in response to what the task force saw as general unawareness about the cyber risks faced by law firms, and the benefits of sharing information about a data-breach incident with law enforcement and other businesses.

“In the past four years, there have also been significant cybersecurity disclosures related to law practices,” according to the latest handbook.

“Much of this change may not be voluntary, as there has been increased external pressure on law practices to protect client data effectively. For example, regulations, such as those under the Health Information Portability and Accountability Act (HIPAA), require companies to ensure that their third-party associates (such as law firms) also protect sensitive data,” states the handbook.

“As a result, law practices of all sizes, including smaller firms and sole practitioners, are being asked by current and prospective clients about their security practices and required to show that they maintain an appropriate security posture through audits and governance tools. Any practitioner, law firm, or practice that is not knowledgeable about its own security posture is potentially putting itself at risk,” the ABA handbook asserts. -- Rick Weber (rweber@iwpnews.com)