Chapter § 9.01 Introduction

Jurisdiction: United States
Publication year: 2020


All lawyers have an ethical and legal obligation to protect client data from cyber threats. Clients often entrust outside counsel with their most sensitive and confidential information, including financial records, medical records, and business and trade secrets. So it’s no surprise that law firms have increasingly become targets for hackers. The FBI reports that hackers view law firms as “one-stop shops” for troves of private information about multiple clients.3 In 2012, for instance, the security consulting firm Mandiant estimated that 80 of the 100 largest U.S. law firms faced a cyber attack the prior year.4 More recently, the ABA reported in its 2018 Legal Technology Survey that, of 900 respondents from law firms of various sizes, about 23% reported breaches ranging from lost or stolen computers or smartphones to network intrusions.5 This figure compares with 22% in 2017, 14% in 2016, 15% in 2015, 14% in 2014, and 15% in 2013—“an increase of 8% in 2017 after being basically steady from 2013 through 2016.”6

With the growing volume of law firm breaches, clients are focused on their outside counsel’s cybersecurity practices, and many are using data security assessments and guidelines to drive law firm prioritization of data security. The ABA reported that 39% of large law firms said clients conducted a cybersecurity audit in 2018, and 66% of law firms with 100 or more attorneys reported that clients mandated specific safeguards.7 Regardless of the size of the firm, it’s clear clients will continue to scrutinize their lawyers’ cybersecurity practices to ensure they are implementing appropriate controls to protect client data. Plus, law firms now face the threat of legal malpractice suits from clients if they fail to establish reasonable data security practices.8 Some observers even label cybersecurity “the single biggest risk law firms face” today.9

And, to be sure, the ethical and legal obligations to secure client information do not only apply to outside counsel. One ethical opinion concluded that, even though in-house counsel often have “no input with regard to the technology used by the corporation,” they nonetheless owe “the duty of communication with the corporate client regarding the risks and benefits of cloud storage.”10 In-house counsel may likewise owe a duty to advise their internal clients about the risks and benefits of technology used to protect the company’s data.

It’s essential that today’s lawyers recognize and satisfy their...
