Cybersecurity health is increasingly necessary for lawyers to keep their own and their clients’ information secure. The prevalence of “hacking,” “ransomware” and “phishing” attacks, scams and other unauthorized digital intrusions demonstrates the need to use reasonable and appropriate technology to safeguard confidential and privileged information. Doing so is mandated by New York’s Rules of Professional Conduct, as well as the recently enacted New York state “Stop Hacks and Improve Electronic Data Security” or “SHIELD Act,” which applies to all law firms, even to solo practitioners and small firms.

Lawyer’s Ethical Obligations

A lawyer must take reasonable care to affirmatively protect client confidential information, and NYSBA Committee on Professional Ethics Op. 1019 provides that the duty of “reasonable care”:

does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.