Whoops! The New Rules, Law Firms and Cyberattacks
By Edward McIntyre
Macbeth, Duncan and Sara were enjoying a celebratory toast at the Red Coach & Horses when MacTavish, drink in hand, joined them.
“Have you guys seen the news about that major law firm. Had its computer network hacked? Massive embarrassment, for sure.”
Duncan nodded. “I understand the FBI divides law firms into two kinds. Those that’ve been hacked — and those that will be.”
MacTavish laughed and sipped his scotch.
Macbeth cautioned, “Not sure I find much mirth in their misfortune. Not only embarrassing. They have to confront a myriad of liability issues. And think of the ethics nightmare.”
MacTavish looked surprised. “Ethics? How so?”
“Have you looked at the new and revised Rules of Professional Conduct? The ones that just became effective on November 1?”
“Not yet. On my to-do list. But —”
“When you get around to it, take a hard look, for example, at rule 5.1. It’s new in California. We’ve never had anything like it before.”
“What’s it about?”
“It imposes on lawyers with law firm management authority the obligation to ensure that the firm has in effect measures that give reasonable assurance that all the firm’s lawyers comply with the rules. And with State Bar Act.”
“Seems like a bit of an overreach, but —”
“It also requires lawyers with supervisor authority over another lawyer to make sure that lawyer does the same. Rule 5.3 applies the same obligations to the supervision of non-lawyer personnel, whether employees or not.”
“But what’s all that got to do with a computer hack?”
“I assume we agree that, as lawyers, we possess a vast trove of sensitive and confidential client information. Financial data. Transaction and litigation strategies. Personal information. Perhaps health histories.”
“Sure. Necessary to the practice.”
“Rule 1.6 and 6068(e)(1) require us to hold client confidential information inviolate. At almost any cost.”
“New number, huh. OK, understand that.”
“Further, rule 1.1 requires competence, including — in this digital era — staying knowledgeable about the benefits and risks associated with technology.”
“Well —”
Macbeth held up his hand. “Finally, rule 1.4 requires lawyers keep clients reasonably informed about significant developments related to the representation.”
“All fine. But I was talking about a computer hack —”
Sara smiled as Macbeth nodded to a waiter for another round for the table.
“We were indeed. Let’s start with rules 5.1 and 5.3 — even before any computer breach occurs.”
“If you want.”
“Given the prevalence of cyberattacks, likely firm managers and supervisors have an ethical obligation to ensure the firm has adequate cyber protection already in place —current and updated — to prevent the loss of any client information that rule 1.6 requires the firm’s lawyers keep confidential.”
“Good thing I’m a sole practitioner —”
“A manager of your own firm, in other words.”
“Ouch.”