Cybersecurity for Attorneys
by John Bandler
This webpage has a short article followed by a list of additional resources and articles regarding cybersecurity for attorneys.
I have been delivering continuing legal education (CLE) and other training for attorneys and law firms regarding cybersecurity for some time. Now this webpage is the main compilation of resources and additional reading, and is the mechanism to provide CLE materials (including as required for CLE accreditation).
My CLE titles
One of my preferred CLE titles is:
- "Cybersecurity, Law, and Ethics for Lawyers: Secure Yourself, Your Family, Firm, and Clients".
This hits all the important keywords for the talk, what it covers, benefits, and motivators to learn.
- "Cybersecurity for Lawyers: Secure Yourself, Your Firm, and Clients."
When providing a CLE, I generally prefer it in the "ethics" category, and now New York state has a new cybersecurity CLE requirement, so this fits within their "Cybersecurity-Ethics" category. More on the ethics category later.
Why cybersecurity for attorneys?
Here's my list of reasons why attorneys need to know about cybersecurity and improve upon their cybersecurity:
- Attorneys have legal duties regarding cybersecurity (just like every other organization does)
- Attorneys have professional (ethical) responsibilities regarding cybersecurity
- Attorneys (at least in NY) now have specific cybersecurity CLE training requirements
- Attorneys are target rich environments for cybercriminals. Deals, settlements, transactions, wire transfers and wire transfer instructions mean that cybercriminals can profit off of attacks on attorneys.
- Attorneys need to protect themselves and their clients, serve their clients well, and be competent
- Attorneys have duties to their clients (confidentiality, communication, competence, to safeguard funds, etc)
- Attorneys need to be able to spot cybersecurity legal issues that exist for their clients
- Prevent a crime
- Prevent a malpractice claim.
Needless to say, all attorney duties extend to all the employees within a law firm.
Are attorneys really targeted by cybercriminals?
Absolutely. Attorneys are targeted and victimized, and clients are victimized too. Imagine that wire transfer on that deal or settlement going to the cybercriminal, the funds are stolen. When funds are stolen, who will make the client whole?
Attorneys are also targeted for a wide range of frauds by cybercriminals that may not directly involve a client.
What does this have to do with "ethics"?
Attorney ethics encompasses many things.
Attorney ethics includes the usual meaning of "ethics", which (in my opinion) is a process of decision making and action that rises above mere personal interest and considers the interests of others, especially those one has a duty towards.
Attorney ethics and professional responsibility also includes complying with the many duties that attorneys must uphold, including duties of competence, confidentiality, communication, safeguarding funds, a fiduciary duty, and more.
Normally, we might not think of competence and confidence as being "ethical". But for attorneys, they go together.
The American Bar Association, New York, and others have specifically recognized that attorney ethical and professional responsibility requirements extend to the cyber realm and for cybersecurity. In other words, it is an ethical and professional responsibility requirement to be competent with technology and cybersecurity, to have good cybersecurity to maintain client confidentiality, and to safeguard client funds.
Thus, cybersecurity is somewhat unique compared to other attorney ethical requirements because competence (and thus compliance with ethical and professional responsibilities) only comes when you have a solid foundation in cybersecurity basics.
What is the same about cybersecurity for attorneys compared to other professions and sectors?
Cybersecurity for attorneys is very similar to cybersecurity for any person or organization, regardless of profession or sector.
Good cybersecurity principles always scale up or down, and translate across sectors.
The Three Priority Cybercrime Threats apply for attorneys, just like for other individuals and organizations. But probably more so, because of all the transactions attorneys are involved in (see next section).
My Four Pillars of Cybersecurity and other principles apply for attorneys just as they do for others.
My Five Components for Policy Work and Three Platforms to Connect (for compliance) principles apply for attorneys (just as for others). But note that while assessing these platforms and components, the result will be slightly different (see next).
What is different about cybersecurity for attorneys?
Cybersecurity differences arise from a slightly different threat analysis, duties and rules, and the human element.
The differences include:
- Attorneys have professional responsibility requirements which may be different from or exceed legal requirements for other sectors and professions
- Attorneys have duties to their clients
- Attorneys are target rich environments for cybercriminals, especially regarding email based wire transfer frauds
- Attorneys (stereotypically, at least) may be less tech savvy, or more tech averse, then certain other professionals
Let us emphasize the importance of the existing duty. Remember a negligence claim is made up of (1) duty, (2) breach of that duty, (3) causation of damages. In some cybercrime situations that do not involve attorneys, it might be hard to establish duty, or that duty might be minimal. But the attorney duty to the client is well established.
Now consider that many attorneys are routinely in the middle of deals and financial transactions. Sometimes they even hold those funds on behalf of a client. If client funds are stolen, the element of "damages" is clearly established. With duty and damages well established, the one remaining hurdle for establishing attorney liability is what the standard of care was, and whether the attorney breached their duty by being below that standard of care.
Back to the bigger and more uplifting concept on cybersecurity
If fear and worry about bad things motivates some to improve their cybersecurity, that is OK.
But living and acting only out of fear is not a pleasant way to live. A better mindset is to think about how to continually improve cybersecurity and information governance for a holistic group of reasons that include:
- Improve efficiency
- Serve clients better
- Protect clients and firm
- Prevent a cybercrime (yes, the fear aspect, but consider it in the context of risk management)
- Prevent a malpractice complaint or claim. (" ")
That completes the short blog article here. Below are links to other resources.
John's additional CLE materials include
- My speaker bio
- A PDF of the slide deck is made available for download shortly after the presentation in the appropriate forum
- Cybersecurity Tips from John Bandler (one page tip sheet)
- Bandler's Four Pillars of Cybersecurity
- The Three Priority Cybercrime threats to protect against, including:
- Identity theft
- Technology basics
- Introduction to Cybersecurity and Information Security
- Cyber Insurance
- Cybersecurity Laws and Regulations Part 1
- Cybersecurity Laws and Regulations Part 2
- Five Components for Policy Work
- External Guidance
- Cybersecurity, Privacy, You, and Your Organization
- Cybersecurity and Working from Home
- Cybersecurity book overview page
- Cybercrime Investigations book overview page
- Cybersecurity Policy (Free Version)
- Cybersecurity related asset inventory forms you can use to inventory the information assets in your home or small organization (computer devices, data, accounts, network, etc.)
- Incident response
- Cybersecurity and Cybercrime Prevention (a comprehensive course outline, with extensive linked resources)
- Attorneys Know Your Client (and beneficiary)
- Cybersecurity for attorneys (this article)
Externally published articles by John about cybersecurity, law, and lawyers
- Attorneys on alert for cybersecurity threats: New York's new CLE training requirement, John Bandler, Reuters Legal News, July 19, 2023, hosted here and available at Reuters at https://www.reuters.com/legal/legalindustry/attorneys-alert-cybersecurity-threats-new-yorks-new-cle-training-requirement-2023-07-19/
- A Day in the Life of an Attorney: The Cybersecurity, Technology, and Crime Risks We Face, John Bandler, New York State Bar Association Journal, July/August 2018, Vol 29 No 6, https://johnbandler.com/a-day-in-the-life-of-an-attorney-cybersecurity-technology-crime-risks/
- Cybercrime and Fraud Protection for your Home, Office, and Clients, John Bandler. American Bar Association GP SOLO magazine, Volume 34, Number 5, September/October 2017, https://johnbandler.com/bandler-john-cybercrime-fraud-prevention-aba-gp-solo-septoct-2017/
- Prepare for and Plan Against a Cyberattack, John Bandler, American Bar Association Journal, July 2018, http://www.abajournal.com/magazine/article/prepare_plan_against_cyberattack
- Network Cybersecurity in Your Home and Office, John Bandler, American Bar Association GP SOLO Magazine, March/April 2018, Vol 35 No. 2, https://johnbandler.com/network-cybersecurity-home-office/
- Lawyers, Drugs and Money: AML in Popular Media, John Bandler, ACAMS Today, March 20, 2018, Vol 17 No. 2, https://www.acamstoday.org/lawyers-drugs-and-money-aml-in-popular-media/
- The Cybercrime Scheme That Attacks Email Accounts and Your Bank Accounts, John Bandler, Huffington Post, August 3, 2017, https://www.huffpost.com/entry/the-cybercrime-scheme-that-attacks-email-accounts-and_b_59834649e4b03d0624b0aca6, hosted here too.
ABA Model Rules
- ABA Model Rules, https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/model_rules_of_professional_conduct_table_of_contents/
- Cornell's LII on the Model Rules of Professional Conduct, https://www.law.cornell.edu/wex/model_rules_of_professional_conduct
ABA Formal Opinions
- ABA Formal Opinion 477R (revised May 22, 2017), Securing Communication of Protected Client Information. https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_opinion_477.pdf
- ABA Formal Opinion 483 (October 17, 2018), Lawyers’ Obligations After an Electronic Data Breach or Cyberattack. https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_op_483.pdf
- ABA Formal Opinion 498 (March 10, 2021), Virtual Practice. https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba-formal-opinion-498.pdf
NYS Rules of Professional Conduct for Attorneys
The NYS Rules of Professional Conduct for Attorneys is found in the New York Code of Rules and Regulations (NYCRR) Title 22 (Judiciary) Part 1200 (Rules of Professional Conduct). Or, for short, 22 NYCRR 1200. Relevant are portions on the attorney duties of confidentiality, competence and more. You can find the rules here:
- NYS Rules of Professional Conduct on Westlaw (public access)
- NYS Rules of Professional Conduct via NYSBA with comments as amended through 8/2/2022
- New York State Bar Association (NYSBA), https://nysba.org/attorney-resources/professional-standards/
- NYS Courts - Legacy versions are readily available, individual orders are too, so this is not as helpful http://ww2.nycourts.gov/rules/jointappellate/index.shtml
NYS newish cybersecurity CLE requirement (order signed 6/10/2022, effective 1/1/2023 and 7/1/2023)
Attorneys admitted in NYS now must earn CLE in cybersecurity
- NYS Courts Categories of CLE Credit as Defined in the New York State CLE Program Rules 22 NYCRR 1500.2(c)-(h), https://www.nycourts.gov/LegacyPDFS/ATTORNEYS/CLE/NY-CLE-Program-Rules-22-NYCRR-1500.2c-h.pdf
- NYS Courts FAQs on Cybersecurity, Privacy and Data Protection, https://www.nycourts.gov/LegacyPDFS/attorneys/cle/Cybersecurity-Privacy-and-Data-Protection-FAQs.pdf
- NYS Courts Guidance Relating to the New Cybersecurity, Privacy and Data Protection Category of CLE Credit, https://www.nycourts.gov/LegacyPDFS/attorneys/CLE/Cybersecurity-Privacy-and-Data-Protection-Guidance-Document.pdf
- Joint Order of the Judicial Departments of the Appellate Division of the New York State Supreme Court adding a cybersecurity, privacy, and data protection CLE requirement amending Title 22 NYCRR 1500.2 et seq. (and sequence) at this link (too messy to spell out)
NYS CLE rules
- General CLE information from NYS Courts: https://ww2.nycourts.gov/attorneys/cle
- NYS CLE Program rules here and NYS CLE Regulations & Guidelines here
NYSBA Ethics Opinion
- New York State Bar Association, Committee on Professional Ethics, Opinion 842 (9/10/2010), Using an outside online storage provider to store client confidential information, https://nysba.org/ethics-opinion-842/, https://nysba.org/app/uploads/2010/09/Opn842.pdf
NYSBA's 2020 recommendation about cybersecurity training (their recommendation became a rule, so just see the rule above)
- NYSBA Recommends Cybersecurity CLE Requirement (2020), https://nysba.org/new-york-state-bar-association-recommends-cybersecurity-requirement-include-cle/
- NYSBA Report recommending cybersecurity CLE, https://nysba.org/app/uploads/2020/06/3.-Report-and-recommendations-of-Committee-on-Technology-and-the-Legal-Profession-Agenda-Item-9-with-comments.pdf
To explore more of this site:
John's CLEs for attorneys on cybersecurity
In 2017 my first book was published, Cybersecurity for the Home and Office, The Lawyer's Guide to Taking Charge of Your Own Information Security, from the American Bar Association (ABA). You can read more about that book here. I have written many articles for lawyers about law, technology, and cybersecurity. You can read more about my background in law, investigating cybercrime, and protecting with cybersecurity here.
Since 2017 I have been providing continuing legal education (CLE) to attorneys about securing their information assets.
Some are afraid of technology and cybersecurity but should not be. It is a learning process and everyone can learn and improve.
I enjoy the intersection of law and cyber, and speak to attorneys about cybersecurity and technology and law, and to information security and information technology professionals about law.
I have prepared and delivered CLEs and trainings for attorneys on cybersecurity, and this includes for:
- American Bar Association
- Pace University's Elisabeth Haub School of Law (first in 2017, then started the annual event in 2021)
- Local bar associations (NYC, NLA, WCBA forthcoming)
- Legal services organization
- Online CLE provider, TRTCLE (forthcoming, 2024), see my page here
This page is hosted at https://johnbandler.com/cybersecurity-for-attorneys, copyright John Bandler all rights reserved.
Posted 6/21/2023 (building on prior work). Updated 09/16/2023.