I sat down with Alex Pearce of Ellis & Winters LLP, the current chair of the North Carolina Bar Association’s Privacy & Data Security Committee, to discuss the current trends he sees in security for lawyers.
PETRONELLA: What is the biggest threat to firms that already have cybersecurity systems in place?
PEARCE: One of the biggest threats is phishing. That’s because defending against that threat relies in large part on the vigilance of the employee as opposed to a firm’s investment in technological safeguards. For that reason, employee training on cybersecurity in general, and phishing, in particular, is critical. As part of that, companies are running phishing exercises on their employees. Law firms should consider that. To my mind, tricking someone into clicking on a phishing link as part of a training exercise is a great way to teach them a lesson that sticks.
PETRONELLA: Other than a failure to train employees properly, what are the two other most common vulnerabilities law firms face concerning cyber breaches, other than going bare?
PEARCE: Two other common issues include not being careful with cloud storage and communications services; and failing to implement appropriate controls on the use of mobile devices. As to the first, our State Bar, and the state bars of several other states, have issued ethics opinions that outline the steps lawyers should take when using cloud services to store and transmit client information. As to the second, the rise of “BYOD” creates risks that I’m not sure all lawyers understand when it comes to the confidentiality and security of client information.
PETRONELLA: What does the landscape look like for cyber threats to law firms?
PEARCE: For some time I think law firms have been identified by cybercriminals as a “soft underbelly” of corporate America. Criminals have figured out that law firms tend to be places where sensitive, high-value information is collected in one place, and some law firms, historically, have been behind the curve in terms of cybersecurity. I think law firms are getting better about this, but the fact remains that law firms are targets, like any other business that handles valuable information.
PETRONELLA: How about firms that don’t have cybersecurity because they don’t know where to start, who to ask, or what to ask?
PEARCE: There are plenty of good resources out there that provide basic steps to shore up security. They aren’t specific to law firms, but a few that come to mind are the Center for Internet Security’s Critical Security Controls and the Federal Trade Commission publication “Start with Security: A Guide for Business.” Professional liability insurers can also be a good resource in this area. They often make information on this topic available to their insureds.
PETRONELLA: What’s your guidance for attorneys who say, “I’m not making enough to pay my electric bill, why should I spend money I don’t have on cybersecurity?”
PEARCE: There are obviously lots of reasons why attorneys need to pay attention to cybersecurity. But for folks who might be inclined to think it’s not a high priority, I’d point them to the increasing attention being paid to this issue by our state bar and other ethics authorities. The rules of professional responsibility and several recent ethics opinions make clear that the ethical duties of competence and confidentiality include an obligation to use reasonable efforts to prevent unauthorized access to client information.
PETRONELLA: A few liability insurance experts told us that some firms would rather go bare, declare bankruptcy and re-organize in the event of a major breach. Good idea? Bad idea?
PEARCE: Terrible idea. This strategy does not account for the ethical obligations that lawyers have to protect client information, nor for the consequences to a lawyer’s reputation of a breach that happens because the lawyer hasn’t done anything to protect that information.
PETRONELLA: What are some of the minimum standards set by the ABA and the state bar?
PEARCE: The ABA’s formal ethics opinion on Securing Communication of Protected Client Information provides a high-level framework for evaluating and addressing cybersecurity threats—I’d highly recommend that folks familiarize themselves with that opinion. Beyond that, the ABA and our State Bar don’t set forth specific “minimum standards” for cybersecurity per se. Rather, they require lawyers to take “reasonable” measures to protect client information. What’s reasonable can vary, depending on the circumstances, but the point is that lawyers have to think about the information they handle and the specific risks that they face, and then to tailor their security program accordingly using a risk-based analysis.