Cyber criminals target law firms and other legal services providers for both their own and their clients’ data. Clients naturally demand their data be protected. Cybersecurity is an organizational imperative across the legal industry.
For lawyers, it’s also an ethical duty.
Keeping the client’s information confidential is one of the first rules of lawyering. Lawyers must take competent and reasonable measures to safeguard clients’ confidential and privileged information. There are common law duties of confidentiality and privilege, and the duty of confidentiality is part of every state’s rules of professional conduct.
Lawyers also have a duty to keep clients reasonably apprised of matter status so they can make informed decisions about the legal representation. Does that duty extend to security incidents involving client information? It’s a reasonable interpretation of the rule.
The ABA agrees. ABA Formal Opinion 483, published in October of last year, calls on lawyers to use reasonable efforts to:
- Monitor data security involving client information;
- Act promptly to stop security incidents and mitigate damages;
- Determine the scope of the breach;
- Provide appropriate and accurate notice to affected clients.
Confidentiality and keeping clients informed in the electronic age demand at least a basic understanding of information technology and information security. This lines up squarely with the duty of competence – the paramount ethical obligation to clients. Lawyers must have the knowledge and skills necessary for the representation. Data security today impacts all practice areas.
There are three parts to technology competence. First, knowing what you don’t know. Second, learning what you must know. Third, seeking help from qualified people to fill in the gaps.
Responsibility doesn’t end at hiring technical experts (necessary and important as that is). Lawyers have an ethical duty to supervise staff, consultants and service providers. Within the law firm, this includes policies and procedures, employee security training and reasonable compliance monitoring. For consultants and vendors, data security should be part of initial and ongoing evaluations.
State ethics rules set the minimum standard of conduct for the legal profession. As lawyers we are called to go beyond the minimum and give our clients the best in professional practice and service. That includes keeping their information safe from cyber criminals.
This series will continue with seven essential steps to cyber preparedness.