Cybersecurity for Attorneys

by John Bandler

Here is a short article followed by a list of resources and articles (including CLE materials) regarding cybersecurity for attorneys.

I have been delivering continuing legal education (CLE) and other training for attorneys and law firms regarding cybersecurity for some time. Now this webpage is the main compilation of resources and additional reading, and is the mechanism to provide CLE materials (including as required for CLE accreditation).

My CLE titles

One of my preferred CLE titles is:

  • "Cybersecurity, Law, and Ethics for Lawyers: Secure Yourself, Your Family, Firm, and Clients".

This hits all the important keywords for the talk: what it covers and the motivators to learn.

Another is:

  • "Cybersecurity for Lawyers: Secure Yourself, Your Firm, and Clients."

When providing a CLE, I generally prefer it in the "ethics" category, and now New York state has a new cybersecurity CLE requirement, so this fits within their "Cybersecurity-Ethics" category. More on the ethics category later.

Why cybersecurity for attorneys?

Here's my list of reasons why attorneys need to know about cybersecurity and improve upon their cybersecurity:

  • Attorneys have legal duties regarding cybersecurity (just like every other organization does)
  • Attorneys have professional (ethical) responsibilities regarding cybersecurity.
  • Attorneys (in NY) now have specific cybersecurity CLE training requirements.
  • Attorneys are target-rich environments for cybercriminals. Deals, settlements, transactions, wire transfers and wire transfer instructions mean that cybercriminals can profit from attacking attorneys.
  • Attorneys need to protect themselves and their clients, serve their clients well, and be competent.
  • Attorneys have traditional duties to their clients which apply to the cyber realm (confidentiality, communication, competence, safeguard funds, etc.)
  • Attorneys need to be able to spot cybersecurity legal issues that exist for their clients.
  • Attorneys need to prevent a crime if possible.
  • Attorneys need to prevent a malpractice claim.

Needless to say, attorney duties extend to all the employees within a law firm.

Are attorneys really targeted by cybercriminals?

Absolutely. Attorneys are targeted and victimized, and clients are victimized too.

Imagine the wire transfer on that deal or settlement going to the cybercriminal, and the funds being stolen. This happens a lot.

When funds are stolen, who will make the client whole?

Attorneys are also targeted for a wide range of frauds by cybercriminals that may not directly involve a client.

What does this have to do with "ethics"?

Attorney ethics encompasses many things.

Attorney ethics includes the usual meaning of "ethics", which (in my opinion) is a process of decision making and action that rises above mere personal interest and considers the interests of others, especially those one has a duty towards.

Attorney ethics and professional responsibility also includes complying with the many duties that attorneys must uphold, including duties of competence, confidentiality, communication, safeguarding funds, a fiduciary duty, and more.

Normally, we might not think of competence and client confidences as relating to being "ethical", but they do!

The American Bar Association, New York, and others have specifically recognized that attorney ethical and professional responsibility requirements extend to the cyber realm and for cybersecurity. In other words, it is an ethical and professional requirement to be competent with technology and cybersecurity, to have good cybersecurity to maintain client confidentiality, and to safeguard client funds.

Thus, cybersecurity is somewhat unique compared to other attorney ethical requirements because competence (and thus compliance with ethical and professional responsibilities) can only exist when you have a solid foundation in cybersecurity basics.

What is the same about cybersecurity for attorneys compared to other professions and sectors?

Cybersecurity for attorneys is very similar to cybersecurity for any person or organization, regardless of profession or sector.

Good cybersecurity principles always scale up or down, and translate across sectors.

The Three Priority Cybercrime Threats apply for attorneys, just like for other individuals and organizations. But probably more so, because of all the transactions attorneys are involved in (see next section).

My Four Pillars of Cybersecurity and other principles apply for attorneys just as they do for others.

My Five Components for Policy Work and Three Platforms to Connect (for compliance) principles apply for attorneys (just as for others).

But note that while assessing these platforms and components, the process and result will be slightly different, as it is for every sector and organization (see next).

What is different about cybersecurity for attorneys?

Cybersecurity differences arise from a slightly different threat analysis, duties and rules, and the human element.

The differences include:

  • Attorneys have professional responsibility requirements which may be different from or exceed legal requirements for other sectors and professions
  • Attorneys have duties to their clients
  • Attorneys are target-rich environments for cybercriminals, especially regarding email-based wire transfer frauds
  • Attorneys (stereotypically, at least) may be less tech savvy, or more tech averse, than certain other professionals

Let us emphasize the importance of the existing duty. Remember a negligence claim is made up of (1) duty, (2) breach of that duty, (3) causation of damages. In some cybercrime situations that do not involve attorneys, it might be hard to establish duty, or that duty might be minimal. But the attorney duty to the client is well established.

Now consider that many attorneys are routinely in the middle of deals and financial transactions. Sometimes they even hold those funds on behalf of a client. If client funds are stolen, the element of "damages" is clearly established. With duty and damages well established, the one remaining hurdle for establishing attorney liability is what the standard of care was, and whether the attorney breached their duty by being below that standard of care.

Back to the bigger and more uplifting concept on cybersecurity

If fear and worry about bad things motivates some to improve their cybersecurity, that is OK.

But living and acting only out of fear is not a pleasant way to live. A better mindset is to think about how to continually improve cybersecurity and information governance for a holistic group of reasons that include:

  • Improve efficiency
  • Serve clients better
  • Protect clients and firm
  • Prevent a cybercrime (yes, the fear aspect, but consider it in the context of risk management)
  • Prevent a malpractice complaint or claim (same as above)

That completes the short blog article. I could write a book on this topic (and I did), and I also have many free resources as linked to below.

John's additional CLE materials include

Externally published articles by John about cybersecurity, law, and lawyers
ABA Model Rules
ABA Formal Opinions
NYS Rules of Professional Conduct for Attorneys

The NYS Rules of Professional Conduct for Attorneys is found in the New York Code of Rules and Regulations (NYCRR) Title 22 (Judiciary) Part 1200 (Rules of Professional Conduct). Or, for short, 22 NYCRR 1200. Relevant are portions on the attorney duties of confidentiality, competence and more. You can find the rules here:

NYS newish cybersecurity CLE requirement (order signed 6/10/2022, effective 1/1/2023 and 7/1/2023)

Attorneys admitted in NYS now must earn CLE in cybersecurity

NYS CLE rules

NYSBA Ethics Opinion
NYSBA's 2020 recommendation about cybersecurity training (their recommendation became a rule, so just see the rule above)

John's CLEs for attorneys on cybersecurity

In 2017 my first book was published, Cybersecurity for the Home and Office, The Lawyer's Guide to Taking Charge of Your Own Information Security, from the American Bar Association (ABA). You can read more about that book here. I have written many articles for lawyers about law, technology, and cybersecurity. You can read more about my background in law, investigating cybercrime, and protecting with cybersecurity here.

Since 2017 I have been providing continuing legal education (CLE) to attorneys about securing their information assets.

Some are afraid of technology and cybersecurity but should not be. It is a learning process and everyone can learn and improve.

I enjoy the intersection of law and cyber, and speak to attorneys about cybersecurity and technology and law, and to information security and information technology professionals about law.

I have prepared and delivered CLEs and trainings for attorneys on cybersecurity, and this includes for:

  • American Bar Association
  • Pace University's Elisabeth Haub School of Law (first in 2017, then started the annual event in 2021)
  • Local bar associations (NYC, NLA, WCBA, Dutchess Co BA)
  • Legal services organization
  • Online CLE provider, TRTCLE (monthly live in 2024), see my page here
  • Though bandwidth is limited, I am happy to discuss delivering a CLE for your organization

This page is hosted at https://johnbandler.com/cybersecurity-for-attorneys, copyright John Bandler all rights reserved.

Posted 6/21/2023 (building on prior work). Updated 4/2/2024.