Practical Tips for Managing Cybersecurity Risks
As lawyers, we are inundated with troubling statistics and horror stories related to data breaches and other cybersecurity issues. We know that law firms, big and small, are targets for hackers. We are reminded of the threat daily as we receive unsolicited emails to retrieve documents or to represent a client overseas. The threat is heightened by lawyers accessing client data on the go from virtually anywhere. Technology, and the cyber threats that accompany it, moves at a pace faster than most of us can keep up with.
Given our ethical obligations to our clients, we cannot just assume that data privacy is a technology issue best left to the IT experts. But where do we begin? There are no bright-line rules or one-size-fits-all practices when it comes to appropriate security measures. But there are certain practical tips we can implement with limited angst to avoid being the next cyber victim.
Before diving into the cybersecurity world, it is important to understand the lawyer’s ethical obligations related to safeguarding client information.
To highlight a few of the relevant authorities: first, lawyers owe clients a duty to protect their confidential information. Texas Disciplinary Rule 1.05 regarding Confidentiality provides that a lawyer shall not knowingly reveal confidential information of a client or former client. The duty is not limited to privileged information but includes “all information relating to a client or furnished by a client . . . acquired by the lawyer during the course of or by reason of the representation of the client.” Model Rule 1.6 regarding Confidentiality includes additional language that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
In May 2017, the American Bar Association Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477 stating that a lawyer may transmit information relating to the representation of a client over the internet without violating the ethics rules where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access to the information; however, a lawyer may be required to take special security precautions pursuant to an agreement with the client or when the nature of the information requires a higher degree of security.
Model Rule 1.1 regarding the duty of competence includes a comment stating that “[t]o maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology . . .”. While Texas has not yet adopted a similar comment, one could argue keeping up with relevant technology is now inherent in the duty of competence.
In essence, the rules require that attorneys make reasonable efforts to prevent the inadvertent or unauthorized disclosure of client information. The “reasonable efforts” standard is fact-intensive and subject to interpretation.
Complying with the “reasonable efforts” standard is often more about the process than about a specific practice or piece of software. First, the process starts with a written risk management program that reflects planning and diligence in protecting client data. This program should include an information security policy and an incident response plan. Specific policies related to email, mobile devices, and social media should also be considered. In developing this written program, it is important to assess the scope of data held by the firm and prioritize safeguards based on the different classes of data the firm holds.
Second, it is important to provide routine training for employees on security and data issues. Employees are often the weakest link when it comes to data incidents. Ensure employees are aware of popular phishing schemes and common pitfalls when it comes to suspicious emails and links. Consider utilizing mock phishing emails to test employees’ responses and develop additional training as necessary.
Third, implement strong authentication mechanisms. This starts with unique, complex passphrases (over a simple password) to log onto the firm’s network. Consider using a password manager to strengthen your passwords. As a next step, consider multi-factor authentication. These mechanisms should apply to firm computers and “bring your own devices” such as phones and tablets. Even the most sophisticated systems are vulnerable if the criminals are given the keys to enter.
Fourth, encrypt all sensitive data, and consider multiple layers of encryption for highly sensitive data. Not only is encryption one of the easiest and most effective security measures, but the majority of data breach statutes have exceptions to the notification requirements for encrypted data, including the Texas Identity Theft Enforcement and Protection Act. Many of the operating systems and programs we as lawyers use have encryption built in, so consider what is already in place before purchasing additional software.
Fifth, manage remote work for attorneys and employees. Attorneys should avoid accessing sensitive client data via unsecured public Wi-Fi. The firm should offer a secure platform for accessing client data, such as a Virtual Private Network. Attorneys and employees alike should be cautioned against transferring client data to unsecured devices or via unsecured networks.
Last but not least, work with your IT partner to secure internal networks with the use of anti-virus software, malware protection, and firewalls, and apply necessary security patches and updates. Hackers probe for known weaknesses in programs and protocols, and timely patching closes those weaknesses before they can be exploited. Also, ensure that you have a backup with multiple copies of your firm’s data. In the event of a breach, this backup will save you from losing critical firm and client data.
As lawyers, we will always be chasing technology, and hackers will be chasing us. When it comes to managing cybersecurity risks in our practice, there is no perfect security system. But awareness, common sense, and a few relatively simple security measures can go a long way towards protecting client data.
Lindsey Wyrick is a Member of Cobb Martinez Woodward PLLC. She devotes her practice primarily to professional liability defense and commercial litigation, including advising clients on emerging technology and cybersecurity issues.
Tex. Disc. R. Prof’l Conduct 1.05.
Model R. of Prof’l Conduct 1.6.
ABA Comm. on Ethics and Prof’l Responsibility, Formal Op. 477 (2017).
Model R. of Prof’l Conduct 1.1.
Tex. Disc. R. Prof’l Conduct 1.01 (Competent and Diligent Representation).
Tex. Bus. & Comm. Code § 521.
Articles on the DAYL website are provided for informational use only, and are in no way intended to constitute legal advice or the opinions or views of the DAYL.