
“Lawyers must employ reasonable efforts to monitor the technology and office resources connected to the Internet, external data sources, and external vendors providing services relating to data and the use of data.”
— The American Bar Association’s Formal Opinion 483
What are the cybersecurity vulnerabilities the legal industry faces?
Law firms have always been a popular target for cybercriminals, but in recent years online fraud and theft schemes targeting lawyers have visibly increased. It really isn’t hard to understand why law firms are such popular targets. Few other professions, outside of politics, deal with the sheer number of valuable documents that lawyers typically have access to: not just sensitive personal and private client information, but also very valuable business documents related to finances, mergers and acquisitions, transactions, due diligence, business strategies, and much more.
What cybersecurity regulations affect the legal industry?
Federal laws that apply to you:
Health Insurance Portability and Accountability Act (HIPAA) (if you have clients in the healthcare industry)
Sarbanes–Oxley Act (SOX) (if you have clients that are publicly owned)
If you have international clients:
If you have clients in these states:
What are the consequences of a data breach?
Financial Loss
Reputational Damage
Operational Downtime
Legal Action
Loss of Sensitive Data
60% chance of going out of business
ABA Penalties
The American Bar Association’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, in 2018. This opinion followed Formal Opinion 477R, issued a year earlier, which outlined the ethical obligations of attorneys to secure confidential client data when communicating via the Internet.
Opinion 483 gives explicit guidance on how these types of situations should be handled, stating that “lawyers must employ reasonable efforts to monitor the technology and office resources connected to the Internet, external data sources, and external vendors providing services relating to data and the use of data.”