American Bar Association Security Recommendations: Part I
The ABA heavily influences the practice of law, and frequently issues updates as technology and other factors evolve. There have been several key opinions regarding cybersecurity that firms need to review in relation to their practices.
Formal Opinion 498
(from 2021) Opinion 498 discusses “technologically enabled law practice beyond the traditional brick-and-mortar law firm.” Key points include:
Baseline IT security is now emphasized; these are table-stakes processes that every firm should have in place: “…lawyers should be diligent in installing any security-related updates and using strong passwords, antivirus software, and encryption.”
“Lawyers must ensure that data is regularly backed up and that secure access to the backup data is readily available in the event of a data loss.” CGP asks clients to regularly request test restores so that both backups and response time/effectiveness can be evaluated.
Formal Opinion 477R
(from May 2017) Opinion 477R was a major step forward, embracing one of our favorite sayings at CGP: “Cybersecurity recognizes a post-Opinion 99-413 world where law enforcement discusses hacking and data loss in terms of ‘when,’ and not ‘if.’” [emphasis ours]. This is a major shift in thinking for security, as you are not only working on defense but also preparing for the aftermath of an attack. 477R covers several key points, including:
“implementing firewalls and anti-Malware/AntiSpyware/Antivirus software on all devices upon which client confidential information is transmitted or stored, and applying all necessary security patches and updates to operational and communications software.”
One of the first discussions of formalized IT security training is covered in section six: “In the context of electronic communications, lawyers must establish policies and procedures, and periodically train employees, subordinates and others assisting in the delivery of legal services, in the use of reasonably secure methods of electronic communications with clients.”
Third parties are the biggest IT security risk to your firm, whether because of software, services provided, or both. 477R discusses lawyers’ duty to perform proper due diligence on vendors, such as reviewing their security policies and protocols. CGP uses a formal vendor review process to gauge the security of both our vendors and our clients’.
Formal Opinion 483
(from October 2018) Opinion 483 addresses the event of a breach or cyberattack. It covers professional obligations and recommends a few key preparations. It also takes a modern approach to security: “Indeed, the data security threat is so high that law enforcement officials regularly divide business entities into two categories: those that have been hacked and those that will be.”
The firm needs to act “reasonably and promptly” if a breach is suspected or identified, ideally using an incident response plan.
A retention policy is strongly encouraged: “Absent an agreement with the former client lawyers are encouraged to adopt and follow a paper and electronic document retention schedule.” Our experience is that a retention policy which is properly built and implemented can greatly reduce the amount of data exposed in a breach.
Client notification in the event of a breach is complex, and a firm has many obligations and processes involved.
If you are unsure about your cybersecurity, or your firm needs better technology strategy, contact our experts today.