Cybersecurity for Attorneys
by John Bandler
Here is a short article followed by a list of resources and articles (including CLE materials) regarding cybersecurity for attorneys.
I have been delivering continuing legal education (CLE) and other training for attorneys and law firms regarding cybersecurity for some time. Now this webpage is the main compilation of resources and additional reading, and is the mechanism to provide CLE materials (including as required for CLE accreditation).
My CLE titles
One of my preferred CLE titles is:
- "Cybersecurity, Law, and Ethics for Lawyers: Secure Yourself, Your Family, Firm, and Clients".
This hits all the important keywords for the talk: what it covers and the motivators to learn.
Another is:
- "Cybersecurity for Lawyers: Secure Yourself, Your Firm, and Clients."
When providing a CLE, I generally prefer it in the "ethics" category, and now New York state has a new cybersecurity CLE requirement, so this fits within their "Cybersecurity-Ethics" category. More on the ethics category later. The other category would be "Cybersecurity-General".
Why cybersecurity for attorneys?
Here's my list of reasons why attorneys need to know about cybersecurity and improve upon their cybersecurity:
- Attorneys have legal duties regarding cybersecurity (just like every other organization does)
- Attorneys have professional (ethical) responsibilities regarding cybersecurity.
- Attorneys (in NY) now have specific cybersecurity CLE training requirements.
- Attorneys are target-rich environments for cybercriminals. Deals, settlements, transactions, wire transfers and wire transfer instructions mean that cybercriminals can profit from attacking attorneys.
- Attorneys need to protect themselves and their clients, serve their clients well, and be competent.
- Attorneys have traditional duties to their clients which apply to the cyber realm (confidentiality, communication, competence, safeguard funds, etc.)
- Attorneys need to be able to spot cybersecurity legal issues that exist for their clients.
- Attorneys need to prevent a crime if possible.
- Attorneys need to prevent a malpractice claim.
Needless to say, attorney duties extend to all the employees within a law firm.
Are attorneys really targeted by cybercriminals?
Absolutely. Attorneys are targeted and victimized, and clients are victimized too.
Imagine that wire transfer on that deal or settlement going to the cybercriminal, and the funds being stolen. This happens a lot.
When funds are stolen, who will make the client whole?
Attorneys are also targeted for a wide range of frauds by cybercriminals that may not directly involve a client.
What does this have to do with "ethics"?
Attorney ethics encompasses many things.
Attorney ethics includes the usual meaning of "ethics", which (in my opinion) is a process of decision making and action that rises above mere personal interest and considers the interests of others, especially those one has a duty towards.
Attorney ethics and professional responsibility also includes complying with the many duties that attorneys must uphold, including duties of competence, confidentiality, communication, safeguarding funds, a fiduciary duty, and more.
Normally, we might not think of competence and client confidences as relating to being "ethical", but they do!
The American Bar Association, New York, and others have specifically recognized that attorney ethical and professional responsibility requirements extend to the cyber realm and for cybersecurity. In other words, it is an ethical and professional requirement to be competent with technology and cybersecurity, to have good cybersecurity to maintain client confidentiality, and to safeguard client funds.
Thus, cybersecurity is somewhat unique compared to other attorney ethical requirements because competence (and thus compliance with ethical and professional responsibilities) can only exist when you have a solid foundation in cybersecurity basics.
What is the same about cybersecurity for attorneys compared to other professions and sectors?
Cybersecurity for attorneys is very similar to cybersecurity for any person or organization, regardless of profession or sector.
Good cybersecurity principles always scale up or down, and translate across sectors.
The Three Priority Cybercrime Threats apply for attorneys, just like for other individuals and organizations. But probably more so, because of all the transactions attorneys are involved in (see next section).
My Four Pillars of Cybersecurity and other principles apply for attorneys just as they do for others.
My Five Components for Policy Work and Three Platforms to Connect (for compliance) principles apply for attorneys (just as for others).
But note that while assessing these platforms and components, the process and result will be slightly different, as it is for every sector and organization (see next).
What is different about cybersecurity for attorneys?
Cybersecurity differences arise from a slightly different threat analysis, duties and rules, and the human element.
The differences include:
- Attorneys have professional responsibility requirements which may be different from or exceed legal requirements for other sectors and professions
- Attorneys have duties to their clients
- Attorneys are target-rich environments for cybercriminals, especially regarding email-based wire transfer frauds
- Attorneys (stereotypically, at least) may be less tech savvy, or more tech averse, than certain other professionals
Let us emphasize the importance of the existing duty. Remember a negligence claim is made up of (1) duty, (2) breach of that duty, (3) causation of damages. In some cybercrime situations that do not involve attorneys, it might be hard to establish duty, or that duty might be minimal. But the attorney duty to the client is well established.
Now consider that many attorneys are routinely in the middle of deals and financial transactions. Sometimes they even hold those funds on behalf of a client. If client funds are stolen, the element of "damages" is clearly established. With duty and damages well established, the one remaining hurdle for establishing attorney liability is what the standard of care was, and whether the attorney breached their duty by being below that standard of care.
Back to the bigger and more uplifting concept on cybersecurity
If fear and worry about bad things motivates some to improve their cybersecurity, that is OK.
But living and acting only out of fear is not a pleasant way to live. A better mindset is to think about how to continually improve cybersecurity and information governance for a holistic group of reasons that include:
- Improve efficiency
- Serve clients better
- Protect clients and firm
- Prevent a cybercrime (yes, the fear aspect, but consider it in the context of risk management)
- Prevent a malpractice complaint or claim (same as above).
That completes the short blog article. I could write a book on this topic (and I did), and I also have many free resources as linked to below.
John's sample course outline
This is a complete, stand-alone course outline that covers all the basics attorneys need to know. Every audience member is different, with different knowledge and skills in each area. By covering these topics this way, attendees have resources to explore each area in greater detail.
1. Welcome, introduction, and set the stage
2. Cybercrime and threats to security and privacy
3. Technology in one minute
4. Cybersecurity explained
5. Laws of general applicability
6. Regulations for certain sectors regarding cybersecurity
7. Lawyer professional responsibilities on cybersecurity
8. Cybersecurity implementation and securing yourself
9. Organization cybersecurity basics
10. Secure your firm with good policies and practices
11. Incident response planning and the response
12. Conclusion
13. Additional resources
14. Question and answer and discussion continued (ask throughout!)
John's additional CLE materials include
- My speaker bio
- If I am giving a presentation, a PDF of the slide deck is sometimes made available for download shortly after the presentation, in the appropriate forum or landing page.
- Cybersecurity Tips from John Bandler (one page tip sheet)
- Bandler's Four Pillars of Cybersecurity
- The Three Priority Cybercrime threats to protect against, including:
- Cybercrime
- Identity theft
- Technology basics
- Introduction to Cybersecurity and Information Security
- Risk
- Cyber Insurance
- Cybersecurity Laws and Regulations Part 1
- Cybersecurity Laws and Regulations Part 2
- Privacy
- Five Components for Policy Work
- Three Platforms to Connect (for compliance)
- Four Platforms to Connect (adding mission and business needs)
- Policy Checklist
- External Guidance
- Cybersecurity, Privacy, You, and Your Organization
- Cybersecurity and Working from Home
- Cybersecurity book overview page
- Cybercrime Investigations book overview page
- Cybersecurity Policy (Free Version)
- Cybersecurity related asset inventory forms you can use to inventory the information assets in your home or small organization (computer devices, data, accounts, network, etc.)
- Incident response
- Cybersecurity and Cybercrime Prevention (a comprehensive course outline, with extensive linked resources)
- Attorneys Know Your Client (and beneficiary)
- Cybersecurity for attorneys (this article)
- Books relating to cybersecurity:
Externally published articles by John about cybersecurity, law, and lawyers
- Attorneys on alert for cybersecurity threats: New York's new CLE training requirement, John Bandler, Reuters Legal News, July 19, 2023, hosted here and available at Reuters at https://www.reuters.com/legal/legalindustry/attorneys-alert-cybersecurity-threats-new-yorks-new-cle-training-requirement-2023-07-19/
- A Day in the Life of an Attorney: The Cybersecurity, Technology, and Crime Risks We Face, John Bandler, New York State Bar Association Journal, July/August 2018, Vol 29 No 6, https://johnbandler.com/a-day-in-the-life-of-an-attorney-cybersecurity-technology-crime-risks/
- Cybercrime and Fraud Protection for your Home, Office, and Clients, John Bandler. American Bar Association GP SOLO magazine, Volume 34, Number 5, September/October 2017, https://johnbandler.com/bandler-john-cybercrime-fraud-prevention-aba-gp-solo-septoct-2017/
- Prepare for and Plan Against a Cyberattack, John Bandler, American Bar Association Journal, July 2018, http://www.abajournal.com/magazine/article/prepare_plan_against_cyberattack
- Network Cybersecurity in Your Home and Office, John Bandler, American Bar Association GP SOLO Magazine, March/April 2018, Vol 35 No. 2, https://johnbandler.com/network-cybersecurity-home-office/
- Lawyers, Drugs and Money: AML in Popular Media, John Bandler, ACAMS Today, March 20, 2018, Vol 17 No. 2, https://www.acamstoday.org/lawyers-drugs-and-money-aml-in-popular-media/
- The Cybercrime Scheme That Attacks Email Accounts and Your Bank Accounts, John Bandler, Huffington Post, August 3, 2017, https://www.huffpost.com/entry/the-cybercrime-scheme-that-attacks-email-accounts-and_b_59834649e4b03d0624b0aca6, hosted here too.
ABA Model Rules
- ABA Model Rules, https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/model_rules_of_professional_conduct_table_of_contents/
- Cornell's LII on the Model Rules of Professional Conduct, https://www.law.cornell.edu/wex/model_rules_of_professional_conduct
ABA Formal Opinions
- ABA Formal Opinion 477R (revised May 22, 2017), Securing Communication of Protected Client Information. https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_opinion_477.pdf
- ABA Formal Opinion 483 (October 17, 2018), Lawyers’ Obligations After an Electronic Data Breach or Cyberattack. https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_op_483.pdf
- ABA Formal Opinion 498 (March 10, 2021), Virtual Practice. https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba-formal-opinion-498.pdf
NYS Rules of Professional Conduct for Attorneys
The NYS Rules of Professional Conduct for Attorneys is found in the New York Code of Rules and Regulations (NYCRR) Title 22 (Judiciary) Part 1200 (Rules of Professional Conduct). Or, for short, 22 NYCRR 1200. Relevant are portions on the attorney duties of confidentiality, competence and more. You can find the rules here:
- NYS Rules of Professional Conduct on Westlaw (public access)
- NYS Rules of Professional Conduct via NYSBA with comments as amended through 8/2/2022
- New York State Bar Association (NYSBA), https://nysba.org/attorney-resources/professional-standards/
- NYS Courts - Legacy versions are readily available, individual orders are too, so this link is not as helpful http://ww2.nycourts.gov/rules/jointappellate/index.shtml
NYS newish cybersecurity CLE requirement (order signed 6/10/2022, effective 1/1/2023 and 7/1/2023)
Attorneys admitted in NYS now must earn CLE in cybersecurity
- NYS Courts Categories of CLE Credit as Defined in the New York State CLE Program Rules 22 NYCRR 1500.2(c)-(h), https://www.nycourts.gov/LegacyPDFS/ATTORNEYS/CLE/NY-CLE-Program-Rules-22-NYCRR-1500.2c-h.pdf
- NYS Courts FAQs on Cybersecurity, Privacy and Data Protection, https://www.nycourts.gov/LegacyPDFS/attorneys/cle/Cybersecurity-Privacy-and-Data-Protection-FAQs.pdf
- NYS Courts Guidance Relating to the New Cybersecurity, Privacy and Data Protection Category of CLE Credit, https://www.nycourts.gov/LegacyPDFS/attorneys/CLE/Cybersecurity-Privacy-and-Data-Protection-Guidance-Document.pdf
- Joint Order of the Judicial Departments of the Appellate Division of the New York State Supreme Court adding a cybersecurity, privacy, and data protection CLE requirement amending Title 22 NYCRR 1500.2 et seq. (and sequence) at this link (link too messy to spell out)
NYS CLE rules
- General CLE information from NYS Courts: https://ww2.nycourts.gov/attorneys/cle
- NYS CLE Program rules here and NYS CLE Regulations & Guidelines here
NYSBA Ethics Opinion
- New York State Bar Association, Committee on Professional Ethics, Opinion 842 (9/10/2010), Using an outside online storage provider to store client confidential information, https://nysba.org/ethics-opinion-842/, https://nysba.org/app/uploads/2010/09/Opn842.pdf
NYSBA's 2020 recommendation about cybersecurity training (their recommendation became a rule, so just see the rule above)
- NYSBA Recommends Cybersecurity CLE Requirement (2020), https://nysba.org/new-york-state-bar-association-recommends-cybersecurity-requirement-include-cle/
- NYSBA Report recommending cybersecurity CLE, https://nysba.org/app/uploads/2020/06/3.-Report-and-recommendations-of-Committee-on-Technology-and-the-Legal-Profession-Agenda-Item-9-with-comments.pdf
John's CLEs for attorneys on cybersecurity
In 2017 my first book was published, Cybersecurity for the Home and Office, The Lawyer's Guide to Taking Charge of Your Own Information Security, from the American Bar Association (ABA). You can read more about that book here. I have written many articles for lawyers about law, technology, and cybersecurity. You can read more about my background in law, investigating cybercrime, and protecting with cybersecurity here.
Since 2017 I have been providing continuing legal education (CLE) to attorneys about securing their information assets.
Some are afraid of technology and cybersecurity but should not be. It is a learning process and everyone can learn and improve.
I enjoy the intersection of law and cyber, and speak to attorneys about cybersecurity and technology and law, and to information security and information technology professionals about law.
I have prepared and delivered CLEs and trainings for attorneys on cybersecurity, and this includes for:
- Pace University's Elisabeth Haub School of Law (first in 2017, then started the annual event in 2021)
- Bar associations (American Bar Association (ABA), NYC, NLA, WCBA, Dutchess Co BA)
- Legal services organization
- Online CLE provider, TRTCLE (monthly live in 2024), see my page here
- Though my bandwidth is limited, I am happy to discuss delivering a CLE for your organization
This page is hosted at https://johnbandler.com/cybersecurity-for-attorneys, copyright John Bandler all rights reserved.
Posted 6/21/2023 (building on prior work). Updated 8/21/2024.