For many, the issues of cyber and data security may have seemed to creep up on us. For others, it has been more like a two-by-four hitting us in the face. In fact, it has been a series of threats, building over the course of years that has left us in our current, potentially vulnerable, position....
For many, the issues of cyber and data security may have seemed to creep up on us. For others, it has been more like a two-by-four hitting us in the face. In fact, it has been a series of threats, building over the course of years that has left us in our current, potentially vulnerable, position. In the 1990s and the earlier part of the last decade, computer security problems were mostly attributable to internal failings (mistakes in computer configuration, accidental loss of laptops, and some employee malfeasance), and to a lesser extent, malicious actions by outsiders. Sometimes called "script kiddies," these outsiders were individuals using commonly available computer tools to test the defenses of corporate and government computers. Most of these early security failures had limited impact. Back then, there were few organized, systematic, or sophisticated attacks on corporations' computer security, and legal exposure, including that of law firms and other practices, seemed entirely absent and unlikely. There was some complacency with the sense that most cyber attacks were against the government, rather than specific corporations or law firms.
This has changed. The most recent Verizon Data Breach Investigations Report notes that security losses due to insiders or loosely organized groups are now dwarfed in size by the actions of organized groups using highly sophisticated and effective tools. Worse, law firms, government law departments, and other similarly situated organizations have become prime targets. Lawyers have limited resources to dedicate to computer security, may not have a sophisticated appreciation of the associated technology risks, and lack an instinct for cybersecurity. Lawyers have become "soft targets in the hunt for insider scoops on mergers, patents, and other deals." At the same time, law firms may not only be soft targets, they may also be attractive targets --- if they are known to have a large corporate client base, an attacker may be drawn to them, like a bee to honey. While the corporate clients themselves may have sophisticated computer security defenses, their law firms' defenses are probably weaker. And once inside a law firm's defenses, the intruder likely has access to all of the firm's client information.
The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals provides practical cyber threat information, guidance, and strategies to lawyers and law firms of all sizes. The guide considers the interrelationship between lawyer and client, establishing what legal responsibilities and professional obligations are owed to the client in the event of a cyber attack. The book provides strategies to help law firms defend against the cyber threat, and also offers information on how to best to respond if breached.