Cyber: ‘It’s not an if, it’s a when’: the renewed importance of incident response for lawyers and law firms in light of new ethics guidance
Recently, the American Bar Association Standing Committee on Ethics and Professional Responsibility reiterated, in its Formal Opinion 483, that lawyers and law firms must be aware of cybersecurity issues. The Opinion ties that awareness to one of an attorney’s most important obligations to his or her client: confidentiality and privilege.
We are all familiar with the concept of attorney-client privilege. Barring limited exceptions, it is the obligation to keep client information confidential. Part of this confidentiality obligation is to protect client data in both its physical and virtual forms. If the storage, processing, or transmission of information is highly vulnerable to hacking, that information cannot be deemed confidential.
Interestingly enough, the Opinion went one step further, impressing upon attorneys something security professionals have known for years: it is not enough to protect your systems with the latest bells and whistles. Granted, protections such as network segmentation and encryption perform important functions. They make the information so difficult to obtain that (hopefully) the hacker will move on to easier targets. But sometimes the attack is targeted. Sometimes the attack is personal, with the attacker being a disgruntled former employee or former client. Given sufficient motivation, no amount of cybersecurity will thwart a determined hacker.
Once a breach has occurred, preventive cybersecurity measures are of no further use. Enter the incident response plan. A proper incident response plan gives attorneys a procedure to follow that is designed to mitigate the breach and the resulting damage. The Opinion states, “The decision whether to adopt a plan, the content of any plan, and the action taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach” (p. 6). Incident response plans save attorneys and victims a precious commodity in the event of a breach: time.
When attorneys and other employees of law firms develop the mindset of “it’s not an if, it’s a when” with respect to cybersecurity breaches, implementing an incident response plan becomes seamless. We had our protections; they failed. We have our plan to respond to those failures.
Reputational considerations usually motivate large corporations to compose incident response plans and run annual drills. The entities with these plans make the news for a day (remember Home Depot and Nordstrom in the winter of 2015?). The entities without these plans never leave the news. (Who among us is still getting alerts from Equifax?)
Law firms are businesses. Their duty to compose, test, develop, and maintain incident response plans is twofold: ethical and reputational. The justification for the time and expense of a robust incident response plan lies in the counterfactual: these firms cannot afford not to have one. Maintaining the ethical obligation of confidentiality is essential for a lawyer to provide effective assistance of counsel. Maintaining the reputation of the law firm ensures that clients continue to seek that counsel.