As I’ve often blogged, Rules 1.1 and 1.6 require lawyers to act competently to safeguard client data.
Last month, I became aware of a law firm that was the subject of a ransomware attack. The cyber attacker blocked the firm’s access to client files and demanded a ransom.
Reminder: if a lawyer’s electronic files are compromised in a cyber attack, the question of whether the lawyer violated the Rules of Professional Conduct will likely turn on whether the lawyer took reasonable precautions to safeguard against the unauthorized access of client data. In other words, being the victim of an attack is not, in & of itself, an ethics violation.
For example, consider two scenarios.
Scenario 1: Lawyer operates a solo practice. Lawyer employs a state-of-the-art security system. Nevertheless, a determined criminal uses C-4 to blast into the office and into the safe, and then steals Lawyer’s files.
Scenario 2: Attorney operates a solo practice. Attorney keeps client files in an unlocked cabinet that’s on the front porch. A lazy criminal walks up the steps, opens a drawer, and takes some of Attorney’s files.
Between the two, my guess is that a hearing panel is more likely to conclude that Lawyer is the one who took reasonable precautions against the inadvertent or unauthorized disclosure of confidential information.
In any event, on the subject of ransomware, here are a few thoughts:
- a lawyer who I know suggests 3 distinct back-ups: onsite, online, and air-gap;
- in March, TechWorld posted “Best anti-ransomware tools & decryptors for 2018”;
- here in Burlington, Champlain College’s Senator Leahy Center for Digital Investigation is an excellent resource for issues related to cybercrime, digital forensics, and information assurance; and,
- the most recent edition of the ABA Journal has this informative post: “Are you covered? Cyber insurance market is highly unstable and lacks uniformity.”
As always, let’s be careful out there.