On the day that it had expected to open its annual summer meeting in Ocean City, the MSBA launched its Legal Summit Series, designed to provide on-line many of the CLE programs it had planned to offer at the conference in-person. The Series opened with a June 10, 2020 presentation, Headless Chickens & Zombie Data: Your Ethical Obligations for Disasters and Data Breaches. While planned long before COVID-19 fundamentally changed the practice of law, it is of particular relevance today in light of the profession’s increased reliance on technology as many lawyers and their staff continue to work from home.
The presentation by attorney Sharon D. Nelson and engineer John W. Simek of Sensei Enterprises, Inc., a digital forensics and cybersecurity firm headquartered in Fairfax, VA, focuses on ABA Formal Ethics Opinions 482 (Ethical Obligations Related to Disasters), 483 (Lawyers’ Obligations After an Electronic Breach or Cyberattack), and 477R (Securing Communication of Protected Client Information). These opinions interpret the Model Rules of Professional Conduct as they relate to the need for technological competence (Rule 1.1), and the duties to communicate with clients (Rule 1.4), safeguard client property (Rule 1.15), and maintain client confidentiality (Rule 1.6), among others. At bottom, these obligations require a reasonable degree of preparedness, diligence and technological capacity that many in the profession have not adequately addressed, or, where they have addressed it, may not have kept pace with rapid changes in both the nature of the threats and the methods for mitigating them.
As the ethics opinions make clear, what was reasonable to satisfy one’s ethical obligations a year ago might not be reasonable today. And while what might be reasonably expected from an international law firm will often be different from what might be expected of a smaller enterprise, the rules of professional conduct apply equally. Ms. Nelson and Mr. Simek designed their program for all practitioners.
The ABA’s 2018 issuance of Opinion 482 was prompted by lessons learned in the aftermath of several devastating natural disasters that left lawyers and law firms without power, cell phone communications, or access to their offices, and exposed shortcomings in electronic storage and back-up systems, and in protocols for inventorying the client information and property in lawyers’ possession, whether physical or stored electronically. More fundamentally, there was a decided lack of planning for a complete breakdown in basic services, such as a prolonged power outage, or even for how lawyers would communicate with each other and with their clients during an emergency. There were, in essence, many “headless chickens” rushing to react, and too few with readily available Incident Response Plans to guide their recovery efforts. With natural disasters on the rise and an increasing probability of similar disruptions resulting from cyber warfare or other human activity, such planning is a must, and may well be ethically required.
Opinion 483 was issued in 2018 in light of rising threats to client confidentiality and potential business disruption from data breaches or other assaults on a law firm’s computer systems. Computer hacking and ransomware attacks targeting attorneys were on the rise even before the pandemic forced many to work from home. The presenters cited a pre-COVID ABA survey indicating that 26% of law firms had been breached, noting that many more may not even know that their systems had been infiltrated. With so many people now working from home, opportunities for bad actors to access law firm technology, or to shut it down completely, have increased significantly. Ms. Nelson and Mr. Simek suggested that a home-based network is 3.5 times more likely to contain malware than an office network, and that 45% of personal devices used to connect to law firms remotely are already infected, a disaster scenario even for well-protected office systems.
In their hour-long presentation, Ms. Nelson and Mr. Simek discuss the ethical and business implications of these threats, and describe how to address them. They explain the basics of computer back-up and encryption, what to look for when selecting cloud-based or other off-site storage services, and describe technologies that are available, many at low cost, to continually monitor systems for data breaches and other threats. The attributes of an effective Incident Response Plan that helps a firm “plan for the worst while hoping for the best,” and the steps to be taken after a data breach, are among the many other topics discussed. Their full presentation, along with 93 pages of supplemental course materials, will soon be available for on-demand viewing.