Technology and Legal Ethics: The Need for Uniform Regulation
Charlotte Law Review (Forthcoming)
34 Pages. Posted: 4 Nov 2015. Last revised: 6 May 2016
Date Written: May 8, 2015
Abstract
The issue of cybersecurity recurs in the mainstream media every few weeks, whether it concerns a “cyber attack” on an entertainment group, or whether it raises fears of hacked personal information held by national managed health care companies. The media have even portrayed cyber attacks on law firms in popular television shows. In reality, there has been an increase in the number of cyber attacks on American law firms in recent years. Although these attacks are fueled in part by the perception of law firms as vulnerable targets ignorant of the risk of cyber attacks, hackers also target law firms because, in the fabled words of Willie Sutton, that’s where the money is. This is because nearly all law firms store vast amounts of confidential business information, attorney-client privileged communications, attorney work product, intellectual property, personally identifiable information, and payment information.
Data security breaches at law firms may have disastrous consequences on the legal profession in a way that other worries in legal ethics might not. That is, the unintended release of confidential information could have the effect of “potentially hurting business transactions, halting mergers and acquisitions, and damaging relationships forever.” If large-scale attacks were to continue, even at the smallest law firms, clients may begin to question whether they should give private information to their lawyers. One former software programmer, who is also a practicing attorney, warns that the whole legal system could “start to fail” if the issue of cybersecurity is not taken seriously.
Even with recent amendments to the Model Rules of Professional Responsibility, the American Bar Association (ABA) and state bar associations have demonstrated that they might not be the best sources of reform in this subject. Numerous federal and state laws and regulations already impose liability on some types of attorney behavior regarding information security, while many sophisticated clients are starting to require much more protection than even the updated Model Rules suggest is necessary. This Note argues that, at least with respect to the legal profession and cybersecurity, the Model Rules have so far proven to be irrelevant, and external regulation may be desirable. Part I of this Note discusses the development of the current state of so-called attorney self-regulation and why self-regulation is not likely to solve the cybersecurity issues facing lawyers. Part II describes the current forms of external regulation of attorneys and then details and critiques both current and potential regimes for regulating conduct, including a reformed and more victim-friendly tort system, a free market approach, more robust state legislative activity, and federalization of cybersecurity rules. This Note concludes with Part III, in which several possible solutions are discussed, principally the adoption of uniform legislation across the state level and a uniform law based on the Health Insurance Portability and Accountability Act (HIPAA).