Attorneys must protect clients' sensitive data.

• Author: Harkness, John F., Jr.
• Position: Executive Directions

Open up any newspaper and you will not have to read far to find a headline on the latest security breach. Privacy Rights Clearinghouse reports that between 2005 and March 2016, there have been 4,766 reported data breaches exposing 898,458,364 records. In the first quarter of 2016, there have been 60 data breaches exposing 2,482,360 records.

Attorneys cannot afford to sit idle and assume that their information is secure. The FBI has reported that they are seeing law firms increasingly targeted by hackers, and one report noted that 80 percent of the 100 largest law firms have been hacked since 2011.

Law firms are high-value targets for hackers because they hold highly confidential and sensitive data. The legal and ethical obligations that law firms have to their clients demand this sensitive data be protected through the development and implementation of strong and comprehensive cyber security programs.

The ethical standards to ensure attorneys and firms maintain the confidentiality of all information relating to the representation ofa client are well known. ABA Model Rule 1.6(c) requires that "[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."

The Florida Bar has several similar ethical provisions in place. The Florida Bar Board of Governors voted in July 2015 to approve the addition of the following language to the comment of Florida Bar Rules of Professional Conduct 4-1.1:

Competent representation may also involve the association or retention of a non-lawyer advisor of established technological competence in the field in question. Competent representation also involves safeguarding confidential information relating to the representation, including, but not limited to, electronic transmissions and communications.

The comment also added language that lawyers should have "an understanding of the benefits and risks associated with the use of technology."

In order for a security initiative to be a success, it must have the full cooperation of all firm personnel: technical and nontechnical staff. This requires that all staff are aware of 1) the information that requires protection; 2) the nature and extent of the risks to that information; 3) the firm's risk appetite, including an understanding of the risk level to confidential...