For almost any industry, the idea of cybersecurity has moved from science fiction to a viable business concern in just a few decades. The safety of confidential information is such a concern that many view a data breach as something a business can basically count on dealing with. The only question is when.
The short answer? Absolutely. In 2017, twenty percent of law firms in the United States experienced either a data breach or cyber-attack. And that number keeps going up.
As keepers of large swaths of information on multiple clients, law firms are “one-stop shops” for hackers. Law firms hold valuable information, with business data, trade secrets, and personal info topping the list. In many cases, hackers look for confidential information they can exploit for insider trading.
Firms doing transactional work face an especially high risk of hacking because they often have advance notice of mergers and acquisitions, as well as other info that could impact the market. Litigators generally are not as tempting a target, as their publicly filed cases won’t provide much of an edge in the market.
At the same time, law firms tend to employ fewer safeguards to protect against cyber criminals than their clients do. Hackers targeted around 50 large, prestigious law firms in 2016, most likely because Biglaw had not been as focused on cyber defense as Wall Street. By attacking law firms, the hackers found the back door they needed to obtain valuable information they could use to impact financial markets.
According to 2017 guidance from the American Bar Association, an attorney’s duties of confidentiality do not increase or change depending on the method of communication. However, the more we rely on technology to hold and convey client information, the more vigilant we must be in protecting it.
The American Bar Association amended the Model Rules in 2012 to address these risks, creating a duty to inform clients of a data breach that involves, or has a substantial likelihood of involving, material client information. However, not every incident involving client data triggers these obligations.
Stay tuned to FindLaw’s Technologist in the coming weeks for more information on the types of cyber events law firms can encounter – and what you can do to prevent them.