Incorporating Cybersecurity Training Into Continuing Legal Education Requirements

Summary

The article highlights the growing cybersecurity threats faced by law firms due to the sensitive client data they possess, and the lack of preparedness among many attorneys to deal with these threats. To address this skills gap, some states like Florida, North Carolina, Pennsylvania, and Colorado are beginning to mandate cybersecurity training as part of continuing legal education requirements for lawyers, aiming to raise the bar on cybersecurity competence in the legal profession.

The Growing Need for Cybersecurity in Legal Practice

As our world becomes increasingly digitized, cybersecurity threats continue to proliferate and evolve at a rapid pace. Law firms and legal professionals find themselves squarely in the crosshairs of cybercriminals due to the wealth of sensitive client data and confidential information they possess. Data breaches at major law firms in recent years, such as the Cravath, Swaine & Moore hack in 2016 and the ransomware attack on DLA Piper in 2017, have highlighted the industry's glaring vulnerability to cyber incidents.

Despite the growing threat landscape, many attorneys still lack fundamental knowledge of cybersecurity best practices and fail to implement even basic security controls. In the 2020 ABA Legal Technology Survey Report, only 43% of respondents reported having an incident response plan in place to deal with a data breach or cyber attack. A staggering 29% were unsure if their firm had any cybersecurity measures at all. This lack of preparedness poses a clear ethical issue, as the ABA Model Rules of Professional Conduct require lawyers to make "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client" (Rule 1.6(c)).

Mandating Cybersecurity Training for Lawyers

To address this critical skills gap, many states are now beginning to incorporate cybersecurity into their continuing legal education (CLE) requirements for attorneys. In 2018, Florida became the first state to mandate technology CLE, which covers topics like cybersecurity, data protection, and e-discovery. Since then, North Carolina, Pennsylvania and Colorado have followed suit with similar requirements. By making cybersecurity training mandatory, these states aim to ensure a minimum baseline of technical competence among practicing attorneys.

Mandatory CLE alone is not a panacea for the legal industry's cybersecurity woes, but it represents an important step in the right direction. Well-designed training programs can provide lawyers with practical, actionable guidance on hardening their systems against attack and responding effectively to incidents. Some key topics that cybersecurity CLE should cover include:

Challenges and Practical Considerations

Implementing mandatory technology CLE is not without its challenges. Regulators must take care to craft requirements that are specific and robust enough to meaningfully impact lawyers' practices, while not being overly burdensome or inflexible. One potential pitfall is mandating training on specific technologies that may quickly become outdated. A better approach is to focus on evergreen concepts and frameworks that can be adapted to new threats and tools.

Another key consideration is providing training that is accessible and relevant to lawyers at all levels of technical sophistication. An overly technical curriculum risks alienating attorneys who lack hands-on IT experience. Conversely, content that is too high-level may fail to impart practical skills. The most effective training takes a modular, tiered approach that allows lawyers to access the information they need at the appropriate level of depth and complexity.

Finally, CLE regulators should recognize that one-size-fits-all mandates may not be appropriate given the diversity of legal practices and technology use cases. A solo family law practitioner has very different cybersecurity needs than a large firm handling multinational M&A transactions. Flexible options like self-study, webinars, interactive workshops and live simulations can accommodate different learning styles, schedules and substantive needs.

The Path Forward

Ultimately, the legal profession must embrace its duty to safeguard client data in the digital age. Mandatory technology CLE is a crucial tool for raising the bar on cybersecurity competence and ensuring that lawyers have the knowledge and skills to navigate an increasingly treacherous threat landscape. By proactively investing in training and awareness, law firms can harden their defenses, minimize cyber risk, and deliver services securely and effectively.

But CLE rules are just a starting point. Law firms must also foster a culture of security from the top down, weaving cyber awareness into every aspect of their operations. Ongoing training, regular security assessments, and continuous process improvement are all essential to staying ahead of the curve. Firms should also strongly consider appointing dedicated security leadership, such as a Chief Information Security Officer, to drive strategy and manage cyber risk across the organization.

The stakes could not be higher. A single data breach can inflict devastating financial, reputational and legal consequences on a law firm. Clients are increasingly scrutinizing firms' security postures and demanding more sophisticated safeguards. And in an era of ubiquitous cyber threats, even small firms and solo practitioners cannot afford to neglect basic security hygiene. By taking proactive steps to build cyber resilience, the legal profession can continue to fulfill its essential role in upholding the rule of law while adapting to the new digital realities of modern practice.
