Chapter § 9.01 Introduction

• Jurisdiction: United States
• Publication year: 2020

§ 9.01 Introduction

All lawyers have an ethical and legal obligation to protect client data from cyber threats. Clients often entrust outside counsel with their most sensitive and confidential information, including financial records, medical records, and business and trade secrets. So it’s no surprise that law firms have increasingly become targets for hackers. The FBI reports that hackers view law firms as “one-stop shops” for troves of private information about multiple clients.³ In 2012, for instance, the security consulting firm Mandiant estimated that 80 of the 100 largest U.S. law firms faced a cyber attack the prior year.⁴ More recently, the ABA reported in its 2018 Legal Technology Survey that, of 900 respondents from various sized law firms, about 23% reported breaches ranging from lost or stolen computers or smartphones to network intrusions.⁵ This figure compares with 22% in 2017, 14% in 2016, 15% in 2015, 14% in 2014, and 15% in 2013—“an increase of 8% in 2017 after being basically steady from 2013 through 2016.”⁶

With the growing volume of law firm breaches, clients are focused on their outside counsel’s cybersecurity practices, and many are using data security assessments and guidelines to drive law firm prioritization of data security. The ABA reported that 39% of large law firms said clients conducted a cybersecurity audit in 2018, and 66% of law firms with 100 or more attorneys reported that clients mandated specific safeguards.⁷ Despite the size of the firm, it’s clear clients will continue to scrutinize their lawyers’ cybersecurity...