As noted in last year’s “Cybersecurity” report on the 2018 Survey results, all attorneys should have security programs tailored to the size of the firm and the data and systems to be protected. Yet, more adoption is clearly needed on this topic. Many smaller breaches occur, of course, which do not make national headlines but nevertheless pose significant damage to those affected.

The opinion lists seven factors to consider when determining the appropriate level of cybersecurity: the nature of the threat; how client confidential info is stored and sent; the use of reasonable electronic security measures; how electronic communications should be protected; the need to label client information as privileged and confidential; the need to train lawyers and nonlawyer assistants; and the need to conduct due diligence on vendors who provide technology services. Model Rule of Professional Conduct 1.6(c) provides, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 18 sets forth factors to be “considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).” Rather, the opinion is clear that the responsibility of how best to conform to Model Rules is left to individual professionals considering the unique facts and circumstances of their practices. From the early threat of data breaches to attacks on internet of things (IoT) devices, the cyber threat continues to evolve at pace.

Incident response is a critical element of any information security program. Attorneys must implement when “required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.” This result is a material positive change from the prior year in the use of email encryption (29% in 2018), while the numbers for file encryption and whole/full disk encryption (46% and 24%, respectively, in 2018) are slightly up. Last year’s report on the 2018 Survey concluded by noting that, “All attorneys and law firms should have appropriate comprehensive, risk-based security programs that include appropriate safeguards, training, periodic review and updating, and constant security awareness.” Those words remain true today. As might be expected, the larger the firm, the greater the percentage of those unaware of whether their firms have ever experienced a breach (solo respondents, 2%; firms of 2-9 attorneys, 6%; firms of 10-49 attorneys, 24%; firms of 100+ attorneys, 53%). This year’s results indicate a leveling off of firms with cyber liability insurance policies after significant advancement on the topic in prior years. In Aon’s latest 2019 Cyber Security Risk Report, the scope of the threat to enterprises across the world is laid bare.

Although the change is positive, room exists for much more improvement in the use of basic encryption tools in keeping client confidential information safe.

Other consequences resulting from a virus, spyware, or malware infection include costs incurred for consulting fees for repair (40%), downtime/loss of billable hours (32%), temporary loss of network access (23%), temporary loss of web site access (17%), and replacement of hardware/software (15%). This article discusses 2019 Survey results related directly to cybersecurity—an issue that is (or should be) of concern to attorneys in firms of all sizes due to fundamental ethical responsibilities and common business sense.

Like encryption, consideration of cyber-insurance coverage should be a basic data point for every practicing attorney. If such coverage exists, there should be an understanding of its limits, exceptions, and exclusions, as coverage constitutes just a piece of a larger cybersecurity strategy. The 2019 Survey results show that a good number of lawyers, unfortunately, have experienced a security breach. In addition to the burdens faced by any business in confronting a breach, lawyers’ duties of competency, communication, and confidentiality according to the ABA Model Rules of Professional Conduct require consideration of cybersecurity issues. In addition to the three model rules discussed above, attorneys should be aware of ABA Formal Opinion 477, which provides that, “[A] lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.”

Finally, plans typically provide for a post-incident review period to allow any lessons learned to be built into a revised plan.

In fact, 26% of respondents report that their firms have experienced some sort of security breach (ranging from hacker activity and website exploits to more mundane incidents such as lost or stolen laptops). Of course, the news is replete with stories of significant data breaches causing economic and reputational harm. Even for attorneys who responded affirmatively, work remains to be done in regularly evaluating and improving existing plans.


Overall, 33% of respondents in 2019 report their firms have cyber liability insurance (compared with 34% in 2018). With these standards in mind, set forth below is a summary of the 2019 cybersecurity survey results in the areas of incident awareness, incident response plans, encryption, and cyber insurance. As with security incidents discussed above, the size of a firm impacts the respondents reporting that they do not know: solo respondents (7%), firms of 2-9 attorneys (15%), firms of 10-49 attorneys (30%), and firms of 100+ attorneys (58%).