Navigating the ABA Model Rules of Professional Conduct for Cybersecurity

December 07, 2015

ABA Model Rules: What law firms need to protect

Law firms are responsible for protecting their client information, including attorney-client privileged communications, intellectual property, payment information, and personally identifiable information. The ABA Model Rules of Professional Conduct mandate that law firms have proper cybersecurity measures in place, including:

How law firms can protect their information

Not sure how to set up appropriate cybersecurity measures according to the ABA Model Rules? Below are the top five steps that we’ve identified to make sure that your law firm has a sound cybersecurity program in place that will meet American Bar Association standards.

  1. Implement good corporate employee cyber security policies with controls, enforcement and consequences. These policies should cover the use of social networking, personal email, mobile phones, etc. on the corporate network, as well as many additional items.
  2. Train the firm’s employees, contractors and vendors on the policies and on general security protections, such as understanding how a phishing attack occurs.
  3. Ensure the firm has a cyber-liability insurance policy in place. These are not expensive and should be a part of every business’s insurance portfolio.
  4. Audit your suppliers and require in their contracts that they have employee cyber-related policies, cyber insurance and cyber security infrastructure support.
  5. Use a managed security services provider, such as NetWatcher, that offers low-cost security services to keep an eye on the firm’s network and look for anomalous behavior 24×7, 365 days a year.

Why it’s important

Surprisingly, according to a survey by the International Legal Technology Association (ILTA), many law firms have been slow to address security risks:

  • 76% do not use or require two-factor identification
  • 72% do not use or issue encrypted USB drives
  • 64% do not automatically encrypt content-based emails
  • 56% do not encrypt laptops
  • 90% do not employ laptop tracking technology
  • 61% have no intrusion detection tools
  • 64% have no intrusion prevention tools

However, it is critical that small and midsize law firms establish a cyber security solution for the following reasons:

  • Their reputation would be badly tarnished if client data were compromised
  • Data managed by law firms is expected to be secure
  • Law firms may be subject to audit and review to ensure adequate defenses are in place
  • Firms are at risk of losing their business if security solutions cannot be demonstrated
