Lawyers as Cybercrime-Fighters

As you know by now, more and more states are jumping on the Model Rule 1.1 bandwagon. (If you don’t know: That’s the ABA rule stating that lawyers have an ethical duty to be technologically competent.) Now, the District of Columbia is considering adding yet another duty its members’ job descriptions: cybercrime-fighters!

As guru Bob Ambrogi wrote in his May 30 Law Sites blog:

“In addition, the committee has recommended changes to make clear that a lawyer’s duty to protect the confidentiality of client information includes the responsibility to protect against unauthorized access, such as through hacking.”

As of this writing, The District of Columbia hasn’t decided whether to adopt the tech-competence guidelines. One would hope they would join the majority of states that have already decided to require that their attorneys demonstrate and maintain technological competence. (For those wondering how to assess and efficiently train the attorneys in their firm, click here.)

But I am supremely intrigued by the DC discussion around client security, as well! If I were a law firm client, I would certainly want to trust that the firm is doing everything in its power to protect my sensitive data. With the seemingly continuous headlines lately around data breeches at law firms, clients have every right to be skittish.

Lawyers as Cybercrime-Fighters

The District of Columbia is reportedly considering the following changes. (Underlines indicate additions.)

Acting Competently to Preserve Confidences

When transmitting or storing confidences or secrets of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty does not require that the lawyer use special security measures if the method of communication or storage affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Among the factors to be considered in determining reasonableness of the lawyer’s conduct in transmitting or storing that information are: the sensitivity of the information; the extent to which the privacy of the client information is protected by law or by a confidentiality agreement; the cost of the security measures; and, difficulty in implementing the safeguards. A client and a lawyer may agree that the lawyer will implement special security measures beyond those required by this rule. A client may give informed consent to forgo security measures that would otherwise be required by this rule. For a lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm, see Rule 5.3, Comments [3]-[4].

Honestly, this seems like something every client should absolutely expect from their law firm. Until now, though, I haven’t seen it written out as an expectation quite like this. I hope they pass this language: our very trust in the legal industry could be shaken if clients can’t expect this level of protection!

Cybersecurity is Everyone’s Job

Unfortunately, a lot of law firms delegate security solely to the IT department. Yes, those teams must be the Generals in this war, but literally everyone who touches a computer in a law firm must be put through boot camp and trained as soldiers in the battle.

Did you know that the number-one way that hackers gain access to sensitive data is through email? Watch this 60 Minutes segment to see just how easy it is for criminals to gain access to your network.

Savvy Training & Consulting is proud to partner with KnowBe4, the world’s most sophisticated and effective security awareness training company. And, because Savvy knows the legal industry, we add value to the law firms who use KnowBe4, offering industry-specific advice for more impactful trainings.

KnowBe4’s Enterprise Security Awareness Training works like this:

1. Baseline Testing: First, assess your law firm’s risk and your weak points with baseline testing. KnowBe4 provides baseline testing to assess the phish-prone percentage of your users through a simulated phishing, vishing or smishing attack.

2. Train Your Users: Second, using the information from the baseline test, train your users to be more security-aware. KnowBe4 offers the world’s largest library of security awareness training content, including interactive modules, videos, games, posters and newsletters. KnowBe4 also includes automated training campaigns with scheduled reminder emails.

3. Phish Your Users: Third, send fake phishing scams to test users’ adoption of the training information. KnowBe4 offers best-in-class, fully automated simulated phishing, vishing and smishing attacks, thousands of templates with unlimited usage, and community phishing templates.

4. See the Results: Fourth, analyze the results and train again. KnowBe4 provides enterprise-strength reporting, including both high-level and granular stats and graphs. You can even drill down to a personal timeline for each user.

If you are concerned about your law firm’s vulnerability to hackers, contact me today. I can even provide you with a couple of free tools from KnowBe4 that might help you successfully pitch this to your firm’s managers!

(PS. If the attorneys in your firm still think PDFs are “secure documents,” you might want to share this article, too.)


Leave a Reply