Several years ago, my insurance broker suggested I get cybersecurity insurance for my firm. It seemed a cybersecurity insurance policy was unnecessary, not much different from having an undercoating for a new car. That was then. Today, the benefits of having a cybersecurity insurance policy are not reasonably in dispute. In addition to having the security of insurance, another (and more important) benefit of getting a cybersecurity insurance policy was the requirement that I have an IT security and breach policy that deals with how to prevent a security breach and what to do if there is a security breach. While getting a cybersecurity insurance policy may still remain an option for many, having an IT security policy describing detailed procedures to protect against a cybersecurity attack (and what to do when the system is breached) is a must.

Need for Cybersecurity Measures

As our lives become increasingly digitized, it becomes especially important to consider how to protect confidential information stored electronically from cybercriminal hacking. Law firms, with their access to large quantities of confidential client information, represent a prime target for security threats. Lawyers must recognize the need to protect their data against security threats, and to consider what steps to take in the unfortunate event that they do become the victim of a security breach, particularly in notifying their clients and preventing future breaches.

Cybersecurity Threats to Lawyers and Their Clients

There have been many well-known security breaches among some of the biggest names, including Yahoo, Equifax, Target, JP Morgan Chase and the Home Depot. Some breaches involved adult dating websites, implicating not just users' financial information but also highly personal, intimate information.

Businesses are not the only entity vulnerable to security breaches: law firms, with their access to a wealth of sensitive information from their clients, often find themselves the target of hackers. Security breaches in law firms appear to be on the rise—the American Bar Association, in its 2017 TechReport, revealed that 22 percent of respondents to their Legal Technology Survey Report had ever experienced a data breach, an increase of 8 percent from the year before. The figure was highest for firms with 10-49 attorneys, where 35 percent, more than one-third, had experienced a security breach, see David G. Ries, 2017 Security, TechReport 2017, (Dec. 1, 2017). Even more concerning, however, was that another report, from the Law Firm Cybersecurity Scorecard, showed that 40 percent of surveyed law firms had experienced a data breach in 2016, and did not even know it, see Dan Steiner, “Hackers are aggressively targeting law firms' data,” (Aug. 3, 2017).

The prevalence of such security breaches involving law firms has been the source of national news. In 2016, 2.6 terabytes of information consisting of 11.5 million files, referred to as the Panama Papers, were leaked from the internal databases of the world's fourth biggest offshore law firm, Mossack Fonseca. In 2017, DLA Piper reported that it had been the target of a cyberattack via the NotPetya virus, which shut down communications at the firm for two days, see Daniel R. Stoller and Rebekah Mintzer, “Foley & Lardner Hit With Cybersecurity Incident (1)” (Oct. 26, 2018).

Security Breach Notification Law

In response to increasing cybersecurity attacks and devastating consequences, which involve many victims who do not even know that their confidential information has been stolen, new laws have been enacted addressing the notice requirement in the event of a cybersecurity breach. Specifically, security breach notification laws have been enacted in all 50 states, governing the people covered, the content being breached, the timing of the notification and the penalties for violating the notification statutes. Pennsylvania law, 73 P.S. Sections 2301, for instance, defines “breach of the security of the system” as “unauthorized access and acquisition of computerized data,” which stands to compromise the security or confidentiality of, or could cause loss or injury to, any resident of the commonwealth. The act requires that any entity that maintains, stores, or manages computerized data—whether they be state agencies, businesses, vendors, or individuals—notify the victims of a security breach “without unreasonable delay” after discovery of the breach, see Baker Hostetler, “State Data Breach Law Summary,” (July 2018).

Ethical Obligations

Lawyers have a greater duty than the one imposed by Pennsylvania's data breach notification law. On Oct. 17, 2018, the American Bar Association's Standing Committee on Ethics and Professional Responsibility released a formal opinion outlining the obligations of lawyers toward their clients in the event of a data breach, see Formal Opinion 483, ABA Standing Committee on Ethics and Professional Responsibility. The opinion builds on the Model Rules of Professional Conduct to more specifically delineate the steps lawyers should take and what constitutes an ethical violation as far as their clients' privacy is concerned. The applicable Model Rules include 1.1 (competence), 1.4 (communications), 1.6 (confidentiality of information), 1.15 (safekeeping property), 5.1 (responsibilities of a partner or supervisory lawyer), and 5.3 (responsibilities regarding nonlawyer assistants).