Cybersecurity: the continuing evolution of insurance and ethics.

Author: Zureich, Dan

This article originally appeared in the January 2015 Professional Liability Committee newsletter.

CYBERCRIME has reached epic proportions throughout the world. A 2014 report, released by the Center for Strategic and International Studies, and funded by McAfee, estimated that cybercrime costs the global economy more than $400 billion every year. (1) The report also estimates that the United States alone lost about $100 billion in 2013. (2) In the 2014 Cost of Data Breach Study: United States, the Ponemon Institute reported that the average cost paid by organizations for data breaches increased from $5.4 million in 2013 to $5.9 million in 2014. (3) While reports of data breaches among large retail businesses garner the most attention and headlines, law firms face an increasing threat of cyber attacks.

Cybersecurity has become a hot topic in the legal world, as law firms have become primary targets for hackers and other cyber criminals. (4) Hackers have realized that, not only do law firms hold a wealth of confidential client information and large trust account funds, but they may also lack adequate computer security systems and safeguards or a dedicated information technology team to fend off a cyber attack. (5) Although the total number of law firm hackings is unknown, lawyers can no longer turn a blind eye to the very real threat of a data breach and/or loss of clients' confidential information and entrusted funds.

Lawyers have both legal and ethical obligations to safeguard their clients' personal information and funds. In the fast-paced world of evolving technology, those obligations are changing frequently. There are also a number of issues regarding insurance for losses related to cyber crimes. Cyber claims and losses present difficult coverage questions for which there is very little precedent. Do general liability policies provide coverage for these losses? If not, does a professional liability policy provide coverage? Alternatively, do law firms have an obligation to purchase cyber liability or crime insurance policies?

  1. Evolving Ethical Standards Regarding Advancing Technologies

    Rule 1.6(a) of the American Bar Association's Model Rules of Professional Conduct (MRPC) provides that a "[l]awyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b)." (7) It has long been accepted that a lawyer may not intentionally reveal confidential client information. Rule 1.6(a) is simply a codification of this principle. However, the ABA recently amended Rule 1.6 by adding 1.6(c) to change this duty from a passive duty not to disclose confidential information to an active duty to prevent the unauthorized disclosure of confidential client information. In recommending this revision to the Rule, the ABA Ethics 20/20 Commission commented that technology had made the duty important enough that it should be made a part of the formal rule. (8) In the event that a lawyer's computer is breached, a variety of factors will be examined to determine whether the lawyer was reasonably competent in his attempt to prevent it. (9) The factors examined to determine reasonableness include the importance of the information, the probability of a breach without higher security measures, and the burden of implementing these higher security measures. (10) A recent example of what constitutes a reasonable security measure included a server that heavily encrypted both passwords and files. (11)

    ABA Rule 1.1 regarding a lawyer's competence as a fiduciary requires a lawyer to have "the legal knowledge, skill, thoroughness, and preparation" to represent others. (12) A recent amendment to the rule's comments emphasizes that, as a part of one's continuing education, a lawyer must also be aware of "the benefits and risks associated with relevant technology." (13) While most lawyers have taken advantage of the benefits of technology in the form of email, cloud computing, and a whole host of other electronic innovations, few lawyers understand the risks associated with these technologies. Many ethics opinions provide guidance on the risks associated with certain types of technology, such as email, metadata and cloud computing.

    A 2011 Formal Opinion from the ABA discusses the risks associated with sending confidential information to a client's work email because an employer will ultimately have access to the information. (14) Where the lawyer knows or reasonably should know that the clients will send or receive e-mails with privileged information and there is a significant risk that the communications will be read by the employer or a third party, the opinion provides that the lawyer must warn the client of the risks associated with this. (15) While the ABA does not have a...
