
Explained: The American Bar Association’s Cybersecurity Policies

2023 set some unpleasant precedents for the legal industry, proving that cybersecurity has become essential in this highly digital world. Take the recent case of Bryan Cave Leighton Paisner (BCLP), an international law firm hired by food giant Mondelez to provide data and privacy advice. The firm suffered from a data breach in February, resulting in the information of over 51,000 Mondelez employees being stolen, including social security numbers, dates of birth, and addresses. Four months later, current and former employees of the food company filed a class action lawsuit against BCLP.

Unfortunately, BCLP’s case comes as no surprise in a year with a 154% increase in federal data breach class actions. To minimize these cyber issues over the years, the American Bar Association (ABA) and its Cybersecurity Legal Task Force have taken significant steps to advance cybersecurity and make it a top priority for law firms.

Let’s go over the most prevalent takeaways of the ABA’s cybersecurity resolutions and what they mean for law firms of all sizes in the US.

The Starting Point: Rule 1.6

Rule 1.6 pertains to the confidentiality of information, more specifically, the non-disclosure of information without client consent. This is the basis for all cybersecurity efforts: ensuring client information stays between a lawyer and their client. 

Since 2002, when it was first enforced, the Model Rules of Professional Conduct (MRPC) have outlined how lawyers must handle and disclose sensitive client data — as technology is introduced, this data must stay just as secure from any cyberattacks. While MRPCs are not binding laws, they’re models for state bar associations to adopt and enforce as they see fit, outlining lawyers’ duties to their clients, the court, and the profession of law.

The Five Principles of Cybersecurity for Law Firms

When it was evident that technology would play a seminal role in the practice of law, the ABA established five principles they recommended to be the basis of future policy decisions surrounding the security of both the public and private sectors. These guidelines mark the beginning of cybersecurity rules in the legal space, aiming to build a more prepared and trustworthy environment for lawyers and clients.

To summarize, the principles touch on:

  1. The importance of cybersecurity frameworks to uphold national security.
  2. Collaboration between public and private entities to securely share information.
  3. The need for legal environments to keep their systems updated with the latest cybersecurity trends.
  4. The primacy of privacy and civil liberties when using technology and enforcing cybersecurity.
  5. The need for every practice to allocate resources to train, educate, and develop the workforce on cybersecurity.

The Importance of Cyber Due Diligence for SMBs & Vendors 

In the wake of 2023’s alarming spike in cyberattacks, the ABA reiterated its commitment to keeping law practices of all sizes secure by introducing resolution 608. In it, they made it clear that cybersecurity is a legal duty, and policies and frameworks should be harmonized to maintain it. They highlighted the importance of incentivizing better cybersecurity practices for both vendors and small and medium businesses (SMBs).

A recent case that highlights the importance of performing due diligence with third-party vendors when transitioning to the cloud is Proskauer’s data breach. After the company had contracted to set up its site on Microsoft Azure, the law firm realized a large amount of client data had been made publicly available due to a fault in its cloud system.

[Figure: The ABA's cybersecurity resolutions timeline]

Empowering Law Firms Through Cybersecurity Awareness and Education

The success of a firm's cybersecurity program ultimately lies with its people. Something as small as a phishing email could open the gates for malicious actors to steal sensitive data — many law firms, big and small, know this all too well. To mitigate threats stemming from unsuspecting employees, in August 2020, the ABA stated in many resolutions that training and educating workers is vital in strengthening cybersecurity.

While SMBs might think hackers have their sights set on big companies only and thus might spend less time, effort, and capital on cybersecurity, the reality is 42% of small businesses lost revenue due to cybercrime in 2023. Financial and reputational losses from data breaches and ransomware could tarnish a company’s chances at success in the long run, making cybersecurity a leading concern for companies to implement.

Resilience in the Face of Cyberattacks

Resolutions 118 and 108 mark two distinct moments in which the ABA recognized the impact of cybersecurity and the importance of proactive and reactive measures. Resolution 118, resolved in 2013, advised the government to enact policies to make information theft and intrusion into computers punishable by law, further doubling down on the five principles of cybersecurity.

Additionally, in 2017, the association released resolution 108, informing law practices about cyber-preparedness and resiliency, which make a significant difference in preventing cyberattacks and mitigating long-lasting impacts after an attack. A secure system entails having updated backups, quick and efficient containment of an attack, and robust cybersecurity measures.

Acknowledging the Power and Dangers of AI

In 2023, the world was splashed by a massive wave of AI. Starting from the human-like advancements made by OpenAI’s ChatGPT, a flurry of other chatbots and automation innovations were released to support almost every industry. The legal sphere didn’t escape the brilliance of AI and machine learning (ML) either, which made their way into practices to help lawyers automate tasks like document generation and review, case outcome prediction, and personalized customer service.

The ABA quickly caught up and released two resolutions acknowledging AI's use and advantages while warning everyone involved to apply it responsibly. Resolution 609, for example, talks about the role of generative AI in developing smarter cyber threats that could potentially impact law firms, encouraging them to increase their cybersecurity by considering the new tech. 

On the other hand, resolution 604 mentions the need for transparent and responsible AI usage so that lawyers can reduce any bias, discrimination, and malpractice stemming from its application.

Cybersecurity must become more than an item to tick off on a checklist. Rather, it should be embedded into every law firm’s onboarding process, daily activities, and budget. At Havoc Shield, we specialize in taking companies’ cybersecurity practices from okay to great, ensuring they have top-of-the-line digital security that stands up to today’s quickly evolving threats.

Schedule a free Cyber Risk Assessment with us today to make sure you’re meeting the standards set by the ABA.



