The threats to the security of data in computers, networks, and cloud services used by attorneys and law firms appear to be at an all-time high. And they continue to grow! ABA Formal Opinion 483, discussed below, starts with the following observation: “…the data security threat is so high that law enforcement officials regularly divide business entities into two categories: those that have been hacked and those that will be.” The same is likely the case for law firms.
The ABA’s 2021 Legal Technology Survey Report explores security threats and safeguards that reporting attorneys and their law firms are using to protect against them. As in past years, it shows that many attorneys and law firms are employing safeguards covered in the questions in the survey and their use is generally increasing over time. However, it also shows that many law firms report that they are not using security measures that are viewed as basic by security professionals and are used more frequently in other businesses and professions.
Significantly, 25% of respondents overall reported this year that their firms had experienced a data breach at some time.
Cybersecurity is addressed most directly in the “Technology Basics & Security” volume of the 2021 Survey. This Cybersecurity TechReport reviews responses to the security questions and discusses them in light of both attorneys’ duty to safeguard information and what many view as standard cybersecurity practices. It breaks down the information by firm size and compares it to prior years. This gives attorneys and law firms (and clients) information to compare their security posture to law firms of similar size.
Attorneys’ Duty to Safeguard Information
Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients and also often have contractual and regulatory duties to protect confidential information. These duties present a challenge to attorneys using technology because most are not technologists and often lack training and experience in security.
Several ethics rules in the ABA Model Rules have particular application to safeguarding client information, including competence (Model Rule 1.1), communication (Model Rule 1.4), confidentiality of information (Model Rule 1.6), and supervision (Model Rules 5.1, 5.2, and 5.3).
Together, these rules require attorneys, when using technology, to 1) employ competent and reasonable measures to safeguard the confidentiality of information relating to clients, 2) communicate with clients about the attorneys’ use of technology and obtain informed consent from clients when appropriate, and 3) to supervise subordinate attorneys, law firm staff, and service providers to make sure that they comply with these duties.
Some ABA and state ethics opinions, for over a decade, have addressed these duties. There are three current relevant ABA formal ethics opinions, including ABA Formal Opinion 477R, “Securing Communication of Protected Client Information” (May 2017), ABA Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (October 2018), and ABA Formal Opinion 498, “Virtual Practice” (February 2021).
Attorneys also have common law duties to protect client information, and often have contractual and regulatory obligations to protect information relating to clients and other personally identifiable information, like health and financial information.
Security Programs and Policies
At the ABA Annual Meeting in August 2014, the ABA adopted a resolution on cybersecurity that “encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.” Law firms are covered by this resolution.
A security program should address people, policies and procedures, and technology. All three areas are necessary for an effective program. Security should not be left solely to IT staff and tech consultants. In addition to measures to prevent security incidents and breaches, there has been a growing recognition that security includes the full spectrum of measures to identify and protect information assets and to detect, respond to and recover from security incidents and data breaches. Cybersecurity programs should cover all of these functions.
An important initial step in establishing an information security program is assigning responsibility for security. The program should designate an individual or individuals responsible for coordinating security—someone must be in charge. It should also define everyone’s responsibility for security, from the managing partner or CEO to support staff.
While a dedicated, full-time chief information security officer is generally appropriate (and affordable) only for larger law firms, every firm should have someone who is responsible for coordinating security. The larger the firm, the more it is necessary to have a full-time security officer or multiple persons who, together, are able to dedicate an appropriate part of their time and effort to security. The 2021 Survey asks who has primary responsibility for security in respondents’ firms. As expected, responses vary by firm size. The respondents reported that they have primary responsibility in solo firms (80%), with external consultants/experts, IT staff, and a chief information officer having primary responsibility increasing with the size of firms. A chief security officer has primary responsibility in some large firms, 13% of firms with 100-499 attorneys, and 16% of firms with 500+. A small percentage (.9%) report that nobody has primary responsibility for security.
The 2021 Survey asks respondents about a variety of technology-related policies, rather than about an overall comprehensive information security program. Attorneys and law firms should view these kinds of policies as part of a coordinated program rather than individually.
According to the 2021 Survey, 53% of respondents report that their firms have a policy to manage the retention of information/data held by the firm, 60% report a policy on email use, 56% for internet use, 57% for computer acceptable use, 56% for remote access, 48% for social media, 32% personal technology use/BYOD, and 44% for employee privacy. The numbers have generally increased over the years and generally increase with firm size.
Two responses that raise a concern are those that report having no policies (17% overall) and those reporting that they don’t know about security policies (8%). There is a clear trend by firm size in the responses of having no policies, with policies increasing with firm size. While it is understandable that solos and smaller firms may not appreciate the need for policies, all firms should have policies, appropriately scaled to the size of the firm and the sensitivity of the data.
Incident response is a critical element of a cybersecurity program. Overall, 36% report having an incident response plan. The percentage of respondents reporting that they have incident response plans varies with firm size, ranging from 12% for solos and 21% for firms with 2-9 attorneys to approximately 80% for firms with 100+ attorneys. As with a comprehensive security program, all attorneys and law firms should have an incident response plan, scaled to the size of the firm. For solos and small firms, it may just be a checklist plus whom to call for what, but they should have a basic plan.
Security awareness is a key to effective security. There cannot be effective security if users are not trained and do not understand the threats, how to protect against them, and the applicable security policies. Obviously, they can’t understand policies if they don’t even know if their law firm has any policies.
In accordance with the ABA resolution on cybersecurity programs (and generally accepted security practices), attorneys and law firms should have security programs tailored to the size of the firm and the sensitivity of the data and systems to be protected. They should include training and promotion of constant security awareness.
Recognizing the Risk
Cybersecurity starts with an inventory and risk assessment to determine what needs to be protected and the threats that an attorney or law firm faces. The inventory should include both technology and data. You can’t protect it if you don’t know that you have it and where it is. The next factors in the risk analysis cover appropriate safeguards. Comment  to ABA Model Rule 1.6 includes them in the risk analysis for attorneys for determining what is reasonable:
…the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
The 2021 Survey includes information about the available safeguards that various attorneys and firms are using.
As noted above, about 25% of respondents overall reported that their firms had experienced a security breach at some point. The question is not limited to the past year, it’s “ever.” A breach broadly includes incidents like a lost/stolen computer or smartphone, hacker, break-in, or website exploit. This compares with 29% last year, 26% in 2019, 23% in 2018, and 22% in 2017. The number of attorneys reporting a breach at some time has generally increased over the years. The drop this year (29% last year to 25%) may not be meaningful because it asks about breaches ever.
This year, the reported percentage of firms experiencing a breach ranged from 17% of solos and firms with 2-9 attorneys, about 35% for firms with 10-49, 46% with 50-99, and about 35% with 100+. Larger firms have more people, more technology, and more data, so there is a greater exposure surface, but they also should have more resources to protect them. It is difficult to tell the completeness of larger firms’ responses on breaches because the percentage of those reporting that they don’t know about breaches (27% overall) directly goes up with firm size—reaching 58% in firms with 100+. This makes sense because attorneys in medium and large firms may not learn about security incidents that don’t impact the entire firm, particularly minor incidents and ones at remote offices.
The majority of respondents (48%) reported that their firm had not experienced a breach in the past. Hopefully, this does not include firms that have experienced a security breach and never detected it. A common saying in security today is that there are two kinds of companies: those that have been breached and know it and those that have been breached but don’t know it.
The most serious consequence of a security breach for a law firm would most likely be unauthorized access to sensitive client data, although the loss of data would also be very serious. The 2021 Survey shows a very low incidence of this result for firms that experienced a breach; about 7% overall. While the percentages are low, any exposure of client data can be a major issue for a law firm and its clients.
The information on breaches with exposure of client data is incomplete because 6% overall report that they don’t know about the consequences. Unauthorized access to non-client sensitive data is 4% overall.
The other reported consequences of data breaches are significant. Downtime/loss of billable hours was reported by 36% of respondents; consulting fees for repair were reported by 31%, destruction or loss of files by 13%, and replacement of hardware/software reported by 18% (percentages for firms that experienced breaches). Any of these could be very serious, particularly for solos and small firms that may have limited resources to recover. No significant business disruption or loss was reported by 64% overall.
About 24% overall responded that they notified a client or clients of the breach. Formal opinion 483 addresses the duty to notify clients under Model Rule 1.4. The percentage reporting notice to clients ranges from 33% for solos and firms with 2-9, 9% for firms with 10-49, none for firms with 50-99, 18% for firms with 100-499, and 70% for firms with 500+.
Overall, 14% of respondents that experienced a breach reported that they gave notice to law enforcement, ranging from 13% for solos to 70% for firms with 500+.
The 2021 Survey also inquired whether respondents ever experienced an infection with viruses/spyware/malware. Overall, 29% reported infections, 39% reported none, and 32% reported that they don’t know. 61% reported no significant business disruption or loss.
Basic security measures like using up-to-date security software, using current versions of operating systems and software, promptly applying patches to the operating system and all application software, employing effective backup, and training of attorneys and staff, can help to protect against these kinds of threats.
Security Assessments and Client Requirements
Clients are increasingly focusing on the cybersecurity of law firms representing them and using approaches like required third-party security assessments, security requirements, and questionnaires.
The increased use of security assessments conducted by independent third parties has been a growing security practice for businesses and enterprises generally. Law firms have been slow to adopt this security tool, with only 27% of law firms overall reporting that they had a full assessment. Affirmative responses generally increase with the size of the firm.
Overall, 30% of respondents report that they have received a client security requirements document or guidelines, with affirmative responses generally increasing by firm size. There is a growing recognition in the cybersecurity security profession of the importance of securing data that business partners and service providers, including law firms, can access, process, and store.
As the headlines continue to be filled with reports of data breaches, there has been a growing recognition of the need for cyber insurance. Many general liability and malpractice policies do not cover security incidents or data breaches. The percentage of attorneys reporting that they have cyber liability coverage has been increasing— 42% overall, this year. In addition to cyber liability insurance, covering liability to third parties, there is also coverage available for first-party losses to the law firm (like lost productivity, data restoration, and technical and legal expenses). A review of the need for cyber insurance coverage should be a part of the risk assessment process for law firms of all sizes.
Security Standards and Frameworks
A growing number of law firms are using cybersecurity standards and frameworks, like those published by the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS). They provide consensus approaches to comprehensive cybersecurity programs. Some firms use them as guidelines for their security programs, while a smaller group of firms have obtained formal security certification under a standard. The 2021 Survey asks whether respondents’ firms have received a security certification. Overall, only 12% report that they have received a certification, with a low for firms with 2-9 (4%) and a high for firms with 500+ (28%).
Basic Security Tools
The 2021 Survey asks about various security tools that are available to responding attorneys. Many of these tools are security basics that should be used by all attorneys and law firms.
The most common tool is the spam filter, used by 81% of respondents. This may be under-reported because most email service providers have at least basic spam filters. Spam filters can be a strong first line of defense against phishing (malicious emails that try to steal information or plant malware). Filters are only part of the defense that weeds out some phishing emails but are an important first step.
Other tools with high reported use include software-based firewalls (75%), anti-spyware (75%), mandatory passwords (70%), antivirus for desktops/laptops as well as for e-mail (both about 70%) and networks (66%), and hardware firewalls (57%). The use of intrusion detection and prevention systems is reported by about 33% of respondents overall. There has been a growing trend for a number of years to use security suites that combine some of these tools like malware protection, spyware protection, software firewalls, and basic intrusion protection in a single tool. Availability of the various security tools is generally stable across firms of all sizes, with increases for some of them with the size of the firm. There is a general low incidence of “don’t know” responses for these tools, about 9% overall. Attorneys and law firms that are not using all of these tools should review the ones that they are not using, with qualified assistance if needed.
Authentication and access controls are the first lines of defense. They are the “keys to the kingdom”—controlling access to networks, computers, and mobile devices. This part of the 2021 Survey includes a general question about mandatory passwords, without specifying the access for which they are required. Overall, 70% of respondents report using mandatory passwords. They are required by 50% of solos, 73 % of firms of 2-10 attorneys, and about 80% or higher for larger firms. About 11% of firms overall report using biometric login. Some form of strong authentication should be required for access to computers and networks for all attorneys and all law firms.
Multifactor authentication is being increasingly used to provide a stronger form of authentication. There are three authentication factors: something the user knows (like a password), something the user has (like a security token or a security app on a smartphone), and something the user is (like a fingerprint or face scan). Multifactor authentication uses two or three of these factors. If a password is compromised or brute-forced, an attacker cannot get access without the second factor. The Cybersecurity and Infrastructure Security Agency (CISA) recently added failure to use multifactor authentication for remote access and administrator access to its list of Bad Practices. (The other Bad Practices on the current list are using unsupported [end-of-life] software and using known/default passwords.)
Encryption is a strong security measure that protects data in storage (on computers, laptops, smartphones, tablets, and portable devices) and transmitted data (over wired and wireless networks, including email). Security professionals view encryption as a basic safeguard that should be widely deployed. It is increasingly being required by law for personal information, like health and financial information. The recent battle between the FBI and Apple and the current debate about mandated “backdoors” to encryption for law enforcement and national security show how strong encryption can be for protecting sensitive data. The 2021 Survey shows that use by attorneys of the covered encryption tools has been growing, but its use is limited.
Full-drive encryption provides strong protection for all of the data on a server, desktop, laptop, or portable device. The data is readable only when it is decrypted through the use of the correct password or other access control. Respondents report an overall use of full drive encryption of only 20%, ranging from 17% for solos to about 63% for firms of 500+, with percentages increasing by firm size. File encryption protects individual files rather than all the data on a drive or device. Reported use of file encryption is higher than full disk—50% overall, ranging from 30% for solos to 81% in firms of 500+. This question is general and is not broken down by servers, desktops, laptops, smartphones, etc.
Verizon’s 2014 Data Breach Investigation Report (over seven years ago) concluded that “encryption is as close to a no-brainer solution as it gets” for lost or stolen devices. Attorneys who do not use encryption on laptops, smartphones, and portable devices should consider the question: Is failure to employ what many consider to be a no-brainer solution taking competent and reasonable measures?
Intrusion Detection Prevention software (IDS) and Intrusion Prevention software (IPS) detect or block some attacks on networks or computers. Respondents reported an overall use of about 53% for each of them. Use increases by the size of firm, with solos reporting 18% for IDS and 22% for IPS and firms with 500+ reporting about 53% for both.
Additional security tools covered in this volume of the Survey, with reported overall usage include pop-up blockers (67%), network antivirus (62%), hardware firewalls (52%), file access restrictions (46%), and employee monitoring (20%).
Disaster Recovery/Business Continuity
Threats to the availability of data can range from the failure of a single piece of equipment to a major disaster like a fire or hurricane. An increasing threat to attorneys and law firms of all sizes is ransomware, generally spread through phishing and insecure remote access. It encrypts a user’s or network’s data and demands a ransom (to be paid by Bitcoin) for the release of the decryption key. Effective backup, which is isolated from production networks, can sometimes provide timely recovery from this aspect of ransomware. Unfortunately, attackers often exfiltrate (steal) data before encrypting it and demand an extortion payment or they will sell or publish the data.
Overall, 15% of respondents report that their firm had experienced a natural or man-made disaster, like a fire or flood. The highest incidence, about 26%, was in firms of 50-99. The lowest reported incidence was for solos at 8%, with the rest being between these numbers. Disasters of this kind can put a firm out of business—temporarily or permanently. These positive responses and the potentially devastating results demonstrate the importance for law firms of all sizes to be prepared to respond and recover.
Despite this clear need, only 48% overall of responding attorneys report that their firms have a disaster recovery/business continuity plan. Firms with a plan generally increase with the size of the firm, ranging from 24% of solos to 80% of firms with 500+ attorneys. As with comprehensive security programs, all law firms should have a disaster recovery/business continuity plan, appropriately scaled to its size.
Backup of data is critical for business continuity, particularly with the current epidemic of ransomware. Fortunately, most firms report that they employ some form of backup. Only 3% report that they don’t back up their computer files. 33% of respondents report that they don’t know about backup. The most frequently reported form of backup is external hard drives (28%), followed by online backup and offsite backup (each 25%), network-attached storage (12%), USB (7%), cloud (5%) (appears to overlap with online), RAID (4%), CDs (5%), tape (3%), DVDs (2%), and other (2%). The most common methods for solos and small firms are external hard drives and online. A majority of attorneys in firms of 50+ attorneys report that they don’t know.
The 2021 Survey responses show that 41% of respondents use constant live backup, 26% back up once a day, 10% more than once a day, 9% weekly, 3% monthly, and 1% quarterly. 10% report that they don’t know, with unknowns increasing with firm size.
With the increasing risks of ransomware, hardware failures, disasters, and other incidents reported in the 2021 Survey, attorneys and law firms should consider reevaluating the methods and frequency of backups, if they have not recently done so. Cybersecurity professionals recommend maintaining multiple backups, including offline and offsite backups.
The 2021 Survey provides a good overview, with supporting details, of what attorneys and law firms are doing to protect information relating to clients. Like the last several years, it generally shows increasing attention to security and increasing use of the covered safeguards, but also demonstrates that there is still room for improvement. Attorneys and law firms who are behind the reporting attorneys and firms on safeguards should evaluate their security posture to determine whether they need to do more to provide, at minimum, competent and reasonable safeguards—and hopefully more. Those who are in the majority on safeguards, or ahead of the curve, still should review and update their security, as new technology, threats, and available safeguards evolve over time. Effective security is an ongoing process, not just a “set it and forget it” effort.
About the Author
David G. Ries (firstname.lastname@example.org) is of counsel in the Pittsburgh, PA office of Clark Hill PLC, where he practices in the firm’s Cybersecurity, Data Protection & Privacy Group. He is a coauthor of Encryption Made Simple for Lawyers (ABA 2015) and Locked Down: Practical Information Security for Lawyers, Second Ed. (ABA 2016), an active member of the Law Practice Division, and served on the ABA Cybersecurity Legal Task Force.