Earlier this month, the ABA House of Delegates adopted Resolution 609. Intended to remind lawyers of their duty to protect client data “from unauthorized access, use, and modification,” the resolution “urges all lawyers to keep informed about new and emerging technologies” and “to enhance their cybersecurity and infrastructure to protect confidential client information.”
In other words, Resolution 609 is a reminder of the mantra upon which this blog was built: competence includes tech competence.[1]
The report that accompanied the resolution begins with a statement unlikely to surprise readers:
- “Attorneys and law firms have become increasingly attractive targets for criminals engaged in cybercrimes, and this trend has unfortunately been increasing over time – despite the warnings, more robust training, and initiatives to raise awareness within the legal profession.”
After referencing various studies and surveys, the report offers another statement unlikely to surprise anyone:
- “The obvious conclusions are that law firms present attractive targets, many lawyers are unaware of the daily threats to their practice and their clients, and the sophistication and harm from these attacks are ever increasing.”
The report goes on to recount the evolution of cyberthreats, describe the more common threats, and share “best practices” to defend against those threats. I’ve excerpted the “major threats” and “best practices” below the footnotes. However, they’re not my focus. Rather, I write today to highlight two points that the report drives home:
- Competence includes tech competence.
- Ask for help with what you don’t know.
Competence Includes Tech Competence
Resolution 609 focuses on data security. What’s that got to do with competence?
V.R.Pr.C. 1.1 (Vermont Rules of Professional Conduct, Rule 1.1) requires a lawyer to provide competent representation. The rule states that “competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” Comment 8 adds that “to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
Turning to data security, V.R.Pr.C. 1.6 prohibits a lawyer from disclosing “information relating to the representation of a client.” Last year, the Vermont Supreme Court amended Rule 1.6 to include this paragraph:
- “(d) A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.”
I’ve long argued that, read together, Rules 1.1 and 1.6 impose a duty to act competently to safeguard client information, no matter the format in which the information is stored. I’ve done so, both here and at seminars, under the rubric of “competence includes tech competence.”[2]
My sense is that the vast majority of lawyers agree that the duty exists. Still, it’s not uncommon to receive “push back.” The report that accompanied Resolution 609 should end the “push back.” Specifically, the first sentence on page 12:
- “Lawyers do not get a free pass when it comes to data security.”
In other words, competence includes tech competence.
End of story.[3]
Ask For Help With What You Don’t Know
The “push back” I referenced above often includes something like this: “But Mike, how am I supposed to know how all that tech stuff works?”
You aren’t. But you’re expected to know what you don’t know. As I blogged in 2016’s The Cloud: what are “reasonable precautions?”:
“Finally, remember that asking the questions isn’t enough. You need to understand the answers or find someone who does. For example, imagine this:
- You: Will my data be encrypted in transmission and at rest?
- Vendor: Yes. In transmission, we use a BTTF Flux Capacitor. At rest, we use the latest cloaking technology from Romii.
- You: Sounds awesome. Sign me up.
Umm, no. You just signed up to star in the next entry in Was That Wrong.”
The report that accompanied Resolution 609 makes the same point in a more lawyerly way:
- “The point is this: a lawyer’s ethical obligation extends to acquiring sufficient knowledge to know when to request guidance from third parties or internal resources to implement the necessary safeguards for complying with the ethical architecture in place (such as protecting client confidential information that comes within a lawyer’s reach). Ethical competence requires acquiring knowledge and skill from third parties or internal resources to maintain ethical obligations for the protection of clients’ interests.”
For those of you who already know what you don’t know and are thinking of contacting a professional, email me. I have a list of people/vendors who work with lawyers and law firms on cybersecurity.
In closing, when it comes to acting competently to protect client data, competence includes tech competence, and you should ask for help with what you don’t know.
As always, let’s be careful out there.
[1] On November 9, 2015, I posted Competence Includes Tech Competence. It was my 7th post ever and came 3 days after the inaugural Five for Friday quiz. The topic went on to dominate the early years of this blog.
[2] Most recently History’s Best “Worst” Song and Tips on Protecting Client Data.
[3] But not the end of the journey. Here’s an excerpt from the ABA Journal’s report on the adoption of Resolution 609: Ruth Hill Bro, a special adviser to the Cybersecurity Legal Task Force, discussed how the need for education is ongoing. “Cybersecurity is a journey, and you never really arrive,” she said. “We do have obligations to remain abreast of these threats that are happening and to respond to them.”
Excerpts from the Report that Accompanied Resolution 609
On page 6, the report lists “the major cyber threats” as:
“1. Ransomware. This is a form of malware (malicious software) that attempts to encrypt (scramble) your data and then extort a ransom to receive a decryption key that will unlock your data. Cybercriminals often spend days or weeks navigating the targeted firm’s network before they “drop” the ransomware executable file on their way out.
2. Phishing. Cybercriminals send emails that appear to be from legitimate sources, such as clients, colleagues, or financial institutions, to trick employees into clicking on malicious links or downloading malware-infected attachments. Once clicked, these links or attachments can give cybercriminals access to the law firm’s computer systems.
3. Social engineering. Cybercriminals use social engineering techniques, such as impersonating a client or employee, to gain the trust of employees and trick them into revealing sensitive information or providing access to computer systems.
4. Data leakage. While maintaining cybersecurity within the physical confines of an office may seem challenging, it is essential to understand in the post-pandemic hybrid work environment we now inhabit that security extends well beyond the office. Smart phones, laptops, and tablets have replaced the standard desktop PC. The abundant and cheap nature of portable storage devices makes them a useful tool for the backup and transportation of data. Theft and misplacement of small mobile devices add to the headaches of firm IT administrators.
5. Unsecured networks. Cybercriminals can gain access to law firms’ computer systems through unsecured wireless networks, especially those that do not require a password or use weak encryption.
6. Weak passwords. Cybercriminals can use brute-force attacks or password guessing techniques to gain access to law firms’ computer systems, especially if employees use weak or easily guessable passwords.
7. Malware. Cybercriminals use various types of malware, such as viruses, trojans, and ransomware, to gain unauthorized access to law firms’ computer systems. Once installed, malware can steal data, destroy files, or provide backdoor access to cybercriminals.
8. Third-party vendors. Cybercriminals can gain access to law firms’ computer systems through third-party vendors or contractors that have access to the firms’ systems. If these vendors or contractors have weak security measures in place, cybercriminals can use their access to infiltrate the law firms’ systems.
9. Insider threats. If your organization employs staff (full time or as contractors), they might leak data by mistake or maliciously. The potential damage from a leak of documents cannot be underestimated.”
Then, on page 8, the report states:
“Once you understand your vulnerabilities and capabilities, firms should implement as many of the following best practices as makes sense for their operations:
- Implement multifactor authentication
- Mandate Virtual Private Networks (VPNs) for remote access to firm networks (critical for a dispersed and/or work-from-home workforce)
- Deploy endpoint detection and response (EDRs will detect and prevent most incidents automatically and do so 24/7/365)
- Implement Incident Response Plans
- Encrypt confidential and sensitive data both at rest and in transit
- Back up data (encrypted) and secure that backup off-site
- Turn on logging so that the cybercriminals’ tracks are traceable if there is a cyber incident
- Segment data across IT networks
- Control access credentials only to need-to-have individuals
- Implement periodic training for all
- Maintain comprehensive cyber insurance
- Maintain physical security controls
- Conduct periodic external and internal vulnerability scans”