The American Bar Association has again called on law firms to do more to protect their computer systems from intrusion by bad actors.
The ABA’s House of Delegates approved Aug. 8 a trio of resolutions addressing cybersecurity topics – all with essentially the same message: Law firms have a vital role in protecting confidential information entrusted to them by clients, and they must do more than they are at present to harden their computer systems against growing threats from digital thieves, ransomware attacks, and industrial espionage.
House of Delegates Resolution 609 urges lawyers to keep abreast of new technologies, beef up their cybersecurity protections, be vigilant when dealing with third-party vendors, and advise clients to do the same.
Cybersecurity Is an Ethical Obligation
Because law firms routinely possess their clients’ most valuable proprietary and financial information, they are often described as “low hanging fruit” for cybercriminals. Cybersecurity should be a leading organizational objective among law firm leaders.
The need for greater cybersecurity vigilance has been a frequent subject of ABA messaging in recent years. In 2020, the group said that lawyers were simply not doing enough to respond to emerging cyberthreats. “The 2020 Survey largely reflects incremental progress in areas fundamental to adequate security, in an age which cries out for a much more robust response by the profession to the challenges at hand,” the group wrote.
While cybersecurity today is a front-of-mind consideration across the profession, more needs to be done. According to the ABA’s 2022 technology report, less than half of the firms surveyed had a data breach incident response plan in place.
The lawyer’s duty to have strong cybersecurity measures in place stems largely from the ethical obligations to exhibit competence when handling client matters and to ensure the confidentiality of client information entrusted to the lawyer.
In 2012, the ABA added an ethical obligation of technology competence to the ABA Model Rules of Professional Conduct. Comment 8 to ABA Model Rule 1.1 (Competence) states that a lawyer “shall keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
This so-called “duty of technology competence” has been adopted in 40 states so far. California’s professional ethics code explicitly mentions cybersecurity when describing the technological expertise that California lawyers owe their clients.
The cybersecurity practices of a law firm’s vendors were singled out for special attention in Resolution 609. A research summary accompanying the resolution explains how hackers can gain access to a law firm’s computer systems by exploiting weaknesses in the computer systems of connected third-party vendors and contractors. “If these vendors or contractors have weak security measures in place, cybercriminals can use their access to infiltrate the law firms’ systems,” according to the summary.
“[I]t is important that law firms and lawyers protect their cyber infrastructures and institute careful review of the vendors and third-party products that they utilize.”
Resolution 609: A Cybersecurity Roadmap
House of Delegates Resolution 609 identifies several ways that law firms can raise their cybersecurity game:
- keep informed about new and emerging technologies and protect digital products, systems, and data from unauthorized access, use, and modification
- enhance their cybersecurity and infrastructure to protect confidential client information and to keep clients informed
- conduct cybersecurity due diligence regarding third-party and vendor products and services
- advise clients to improve their own cyber-defenses
- incorporate cybersecurity and emerging technologies into law firm training programs
- enhance cybersecurity through a diverse and technologically competent workforce
The American Bar Association is a voluntary organization that, while having no direct authority to regulate, nevertheless advances the legal profession through educational programs, model rules of professional conduct, law school accreditation programs, and the frequent publication of “best practices” guidance on emerging areas of concern to lawyers.
Earlier this year, the ABA published best practices for success in remote depositions.
In other policymaking action during the ABA’s just-completed annual meeting, the House of Delegates called on Congress to pass federal legislation establishing a legal duty for all companies to implement reasonable security measures.
The group also urged law schools to incorporate cybersecurity and emerging technologies into their educational offerings.
We Can Help
Esquire Deposition Solutions takes cybersecurity seriously. We stand ready to assist our customers in meeting their ethical obligations to take all reasonable measures to safeguard client confidential information that might be shared and transmitted during the deposition process. First, our computer systems and business processes have successfully completed multiple SOC and ISO security certification audits. Second, we’re always innovating to take advantage of the latest technologies for conducting depositions. Third, Esquire Deposition Solutions representatives are available for training and advice – to make sure our clients get the most out of our technology and services.