Although many lawyers prefer to believe that their firm is unlikely to be the target of a hack, such thinking often proves to be naïve. Cyber criminals are continually adapting and looking for easy targets and sources of potentially valuable data. Because law firms are essentially warehouses of client and employee data, they should acknowledge that they are not immune to such attacks.
Personally Identifiable Information
Law firms are often considered to be perfect targets by cyber criminals looking to hack into businesses that keep lots of data containing personally identifiable information (PII) but lack protective security. Some examples of PII include:
- Names, identifying numbers, symbols, or other identifiers assigned to particular individuals
- Information that describes anything about a person
- Information that indicates actions done by or to a person
- Information that indicates a person possesses certain characteristics
Most, if not all, law firms possess a great deal of PII. This information was historically kept in paper files, but is now stored electronically for the most part. The cyber breach most commonly reported by law firms is related to the loss or theft of a laptop, thumb drive, smart phone, tablet, or some other mobile device. If the information on the lost or stolen device was not encrypted and contained PII, a breach likely occurred. With access to office email and other law office networks, cyber criminals can gain access to and steal confidential information.
This is an ethical dilemma for attorneys for several reasons. Besides the common law duty owed by attorneys to protect the confidential information entrusted to them by clients, the ABA Rules of Professional Conduct require an attorney to maintain the confidentiality of information related to the representation of current and former clients. State and federal law also imposes a duty upon attorneys to protect PII for clients.