Legal Ethics’ Next Frontier: Lawyers and Cybersecurity
47 Pages Posted: 28 Jan 2016 Last revised: 15 Jul 2016
Date Written: January 28, 2016
Abstract
The inherent uncertainty surrounding cyberattacks on law firms – who perpetrated the attack, what information was compromised, and what damage, if any, clients suffered as a result – renders liability controls such as malpractice lawsuits and market controls such as being fired by a client ineffective means of regulating lawyers’ cybersecurity conduct. Some lawyers, of course, have been at the forefront of practicing diligent cybersecurity. Yet because practicing cybersecurity is expensive and the technological learning curve for lawyers is steep, and because under-regulation leaves few practical consequences for inaction, some lawyers may fail to defend reasonably against cyber-threats, the known risks notwithstanding.
This article argues that the under-regulation of lawyers’ cybersecurity conduct can be effectively addressed by promulgating rules of professional conduct that require lawyers to adopt and implement cybersecurity plans for all clients, define the “reasonable efforts” necessary to prevent unauthorized disclosure of, or access to, confidential client information, and mandate disclosure to clients of cyberattacks and information theft.
Part I of the article summarizes the knowledge lawyers have recently gained about cybersecurity, namely who is attacking them, why, and what can be done to defend against cyberattacks. Part II examines the under-regulation of lawyers’ cybersecurity conduct and its consequences. Part III advances a proposal for a regulatory response, in the form of new and revised rules of professional conduct designed to ensure that lawyers make reasonable efforts to protect clients’ confidential information.