INTRODUCING THE ACC DATA STEWARD PROGRAM
Each year, the American Bar Association’s Legal Technology Resource Center conducts the Legal Technology Survey Report, an extensive survey of attorneys in private practice on the use of technology in the profession. The second volume of the survey, “Technology Basics & Security” received responses from attorneys practicing in firms of all sizes: solos (31%); firms of 2-9 attorneys (27%); firms of 10-49 attorneys (15%); firms of 50-99 attorneys (5%); firms of 100-499 attorneys (10%), and firms of 500+ attorneys (12%).
This article discusses 2019 Survey results related directly to cybersecurity—an issue that is (or should be) of concern to attorneys in firms of all sizes due to fundamental ethical responsibilities and common business sense. As the results show, the profession continues to make progress in adopting risk management practices necessary for improving security and resilience. Yet, as with the 2018 Survey results, there continues to be room for improvement.
The 2019 Survey asked cybersecurity questions related to technology policies, security tools, security breaches, viruses/spyware/malware, physical security measures, and backup. The responses provide a detailed snapshot of the state of the profession in all those areas—information which is especially useful when analyzed against results in prior years. This article focuses on results in the following four critical areas: incident awareness, incident response plans, encryption, and cyber insurance.
When considering the results in these areas, it is helpful to keep in mind the professional imperative for strong cybersecurity programs. Of course, the news is replete with stories of significant data breaches causing economic and reputational harm. Many smaller breaches occur, of course, which do not make national headlines but nevertheless pose significant damage to those affected. In addition to the burdens faced by any business in confronting a breach, lawyers’ duties of competency, communication, and confidentiality according to the ABA Model Rules of Professional Conduct require consideration of cybersecurity issues:
1: Model Rule of Professional Conduct 1.1 provides, “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” Comment 8 to Model Rule 1 makes clear, “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Clearly, the duty of competency requires cybersecurity considerations.
