In response to the omnipresent threat of cyberattacks, on Oct. 16, the American Bar Association Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483 (the “Opinion”). The Opinion addresses the obligations imposed upon lawyers to safeguard their clients’ data and to notify them of a data breach. While the ABA meticulously listed the six Model Rules which support its conclusions that lawyers have a duty to become proficient in cybersecurity, it did not identify how to achieve compliance. This article bridges that gap.
Cybersecurity Obligations Under Formal Opinion 483
The Opinion relies upon ABA Model Rules of Professional Conduct Rule 1.1 (competence), Rule 1.4 (communications), Rule 1.6 (confidentiality of information), Rule 1.15 (safekeeping property), Rule 5.1 (responsibilities of a partner or supervisory lawyer), and Rule 5.3 (responsibilities regarding nonlawyer assistance) to conclude that a lawyer must take reasonable steps to monitor for a data breach, to stop it when it happens, to restore the systems after a breach, to determine what occurred, and to provide notice of the breach if it materially affects the lawyer’s ability to represent the client.
When a breach of protected client information is either suspected or detected, Model Rule 1.1 requires the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.
Under Model Rule 1.4, lawyers have a duty to notify clients of a data breach in sufficient detail to keep clients “reasonably informed” and with an explanation “to the extent necessary to permit the client to make informed decisions regarding the representation.”
Model Rules 1.6 and 1.15 emphasize the obligation to take reasonable precautions to safeguard client data. The Opinion states, “[l]awyers who maintain client records solely in electronic form should take reasonable steps (1) to ensure the continued availability of the electronic records in an accessible form during the period for which they must be retained and (2) to guard against the risk of unauthorized disclosure of client information.”
Further, the Opinion states that, in support of Model Rules 5.1 and 5.3, lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.
In light of the above, the ABA recommends a fact-specific approach to business security that requires the lawyer to undergo a process to: (i) assess risks, (ii) identify and implement appropriate security measures responsive to those risks, (iii) verify the measures are effectively implemented, and (iv) ensure they are continually updated in response to new developments. The ABA’s recommendation is consistent with cybersecurity best practices and incorporates the essential elements of a cybersecurity program.
We address each of the steps below and make suggestions to satisfy them.
The ABA recommends a lawyer assess the security risks associated with his or her own law practice. The starting point for this exercise is a cybersecurity risk assessment. This type of assessment focuses on the value of the information stored within a business’s computer systems (both onsite and cloud based) and anticipates the losses that may be incurred if that information is exposed, destroyed, stolen or otherwise becomes inaccessible. The assessment identifies and categorizes the electronic data, where the data is located, who has access to it, and the ability of the business’s current cybersecurity controls to protect it against harm. This catalog of information will allow the lawyer to build, upgrade and maintain systems, processes and protocols which will ultimately reduce the risk of a cybersecurity incident, limit the exposure should an incident occur, and enable the lawyer to satisfy the duties set forth in the Opinion, as well as respond to any regulatory notification requirements in an efficient manner.
Policies and Procedures/Chief Information Security Officer
Written policies and procedures for the handling of data are an essential element of a firm’s cyber risk management plan. In general, the documents provide a roadmap for day-to-day operations, ensure compliance with laws and regulations, and give guidance for decision-making. In terms of cybersecurity, they ensure sensitive data is appropriately and consistently accessed and handled, systems are hardened and maintained, and detection protocols and procedures are available to guide the firm’s response to a critical event.
The stages of policy development include: identifying the needs of the firm, determining who will be on the team, gathering information, drafting policy, consulting with stakeholders, finalizing and approving, and then monitoring, reviewing and revising. This task is typically led by a Chief Information Security Officer (CISO)—historically a member of the firm, but more recently, an outside virtual CISO—who is responsible for establishing and maintaining the firm’s overall vision, strategy and program to ensure its digital assets are adequately protected.
In conjunction with the development of the firm’s policies and procedures for handling data and responding to security events, the lawyer must also verify that the measures being adopted are effectively implemented. Similar to the auditor independence rules in the accounting field, cybersecurity and IT consultants should not audit their own work. Rather, a separate firm should be retained to conduct vulnerability assessments and penetration tests to verify that the protections put in place are working. These tools are designed to evaluate the strength or weakness of a particular piece of software (computer operating systems, programs, applications), or hardware (routers, firewalls), or business processes (data flow and usage), and the channels over which the business’s information flows (third-party vendors, cloud storage, email). The results these tools yield help refine the firm’s ongoing risk assessment and remediation.
Monitoring Software/Cybersecurity Training
To ensure the firm’s systems are continually updated and protected, the firm can avail itself of a number of technological tools and techniques. These include proactive cyber-threat hunting, operating system security and event log review, advanced anti-malware software, and security awareness training programs for employees. Utilizing these tools will align the firm with the Opinion’s commentary about knowing when a breach occurs, containing it quickly, and determining what data is affected. By installing endpoint detection and response sensors on the firm’s computers and servers, a lawyer can know (in near real time) when the firm’s data is at risk, and from which computer or server the threat originated. Next-generation anti-malware (i.e., machine learning/artificial intelligence) further advances the Opinion’s goals regarding containment. Training employees to spot suspicious emails and attachments also furthers the Opinion’s directive that lawyers take reasonable precautions to safeguard client data.
Incident Response Plans
The Opinion specifically recommends a lawyer develop an incident response plan to guide the firm in responding to a breach. “One of the benefits of having an incident response capability is that it supports responding to incidents systematically (i.e., following a consistent incident handling methodology) so that the appropriate actions are taken.”
An incident response plan is a multi-disciplinary approach to addressing and managing both the preparations for, and aftermath of, a security incident. It should include the in-house IT staff, a representative from management, an outside cybersecurity consultant, a public relations firm, and, potentially, outside legal counsel.
From a technical perspective, the primary goals of an incident response plan are to: (A) rapidly contain any ongoing (i) data loss, theft, corruption and/or unauthorized access, and (ii) damage to software and/or hardware; (B) preserve evidence for future analysis/investigation; and (C) reduce recovery time and costs.
Developing an incident response plan is not a task that can be accomplished in a day. It is a process that requires thought and several layers of development. The incident response team must first understand the most critical components of the firm’s systems and the impact upon the business should those systems become unavailable. Thereafter, the team must define each member’s role when an incident occurs, and what steps are to be taken during different scenarios (email compromise vs. ransomware vs. data exfiltration vs. loss of a cell phone or laptop, etc.). Often, incident response teams will simulate scenarios and perform tabletop exercises to spot pitfalls in the plan, and then adapt the program to address the weaknesses identified.
Cyberattacks are constantly changing, and even the most diligent lawyer can succumb to a data breach. Adopting the aforementioned security programs, installing threat hunting/monitoring tools, providing an employee training program, and testing your incident response plan will greatly enhance your ability to withstand an attack and satisfy the obligations set forth in the Opinion.
Larry J. Hershman is the managing partner of Black Cipher Security, a cybersecurity consultancy based in Cherry Hill. Jeffrey S. Brenner serves as the firm’s digital forensics practice leader.