Cybersecurity compliance for attorneys
Steven M. Bucher
Cybersecurity Readiness
- Data and information systems under your control
- Likely threats and vulnerabilities
- Legal landscape
- Information security standards for the legal profession
- Event response and loss mitigation
What is information security and why is it important?
- Data
- Information systems
- Internet privacy
Why is it important?
- High risk: intentional attacks, unintentional disclosures, non-tech disasters, etc.
- Lawyers are target-rich information pools
- Cyber events can cause considerable loss
What’s at stake?
- Loss of data
- Hardware, software, and network integrity
- Business interruption
- Loss of future business
- Harm to reputation
- Legal exposure
Legal Landscape
- Federal laws
- State laws
- Industry standards
- International laws
- Guidance on best practices
Legal profession and information security
- Rules of Professional Responsibility: ABA versus Louisiana
- ABA Formal Opinion 477R
- Competence, Rule 1.1
- Confidentiality, Rule 1.6
- Communication, Rule 1.4
- Supervisory duties, Rules 5.1 - 5.3
Securing client information and work product
- Keep abreast of the changes, laws, benefits, and risks of technology
- Make reasonable efforts to avoid unauthorized access to or disclosure of client information
- “Reasonable efforts” are generally sufficient
- “Special security precautions” are necessary in some circumstances
- Address information security with clients and third parties
- Implement periodic employee training
Institutional considerations
- Security by design: stick to the basics
- Know what you have, where you have it, what laws apply to it, and when/how it should be disposed of
- Make reasonable efforts to impose preventive measures
- Business continuity and breach response
- Vendor management
- Cybersecurity insurance
- Revise internal policy annually or as circumstances change
Takeaways
- Every company has a responsibility to manage its cyber risk
- Keep informed about the technology you use in your practice and whether it is consistent with your professional obligations
- Assess what you have, where it is located, and who has access to it
- Assess your vulnerabilities and prepare a WISP (written information security program)
- Have an incident response plan
- Train your employees
- Manage your vendors
- Continually evaluate and update your security policies