Parties and counsel who receive data in litigation have an obligation to take reasonable steps to protect that data. See The Sedona Principles, Third Edition: Best Practices, Recommendations & Principles for Addressing Electronic Document Production, 19 Sedona Conf. J. 1, 179 (2018) (“[A] requesting party should take reasonable steps to secure the information they requested and received. This includes investing in appropriate physical, technical, and human security necessary to meet the obligations the requesting party inherits upon taking possession of that information.”)

The American Bar Association (ABA) has specifically recognized “[d]ata breaches and cyber threats involving or targeting lawyers and law firms are a major…threat facing the legal profession. As custodians of highly sensitive information, law firms are inviting targets for hackers.” ABA Standing Committee on Ethics and Professional Responsibility, Formal Opinion 483, Oct. 17, 2018.