What Are the ABA’s New Cybersecurity Obligations for Law Firms, and How Do They Affect the Information Function in Firms?
The American Bar Association (ABA) recently issued a major new ethical statement, Formal Opinion 477, which clarifies law firms’ cybersecurity obligations. The Opinion updates prior ABA statements such as the 2012 Model Rules.
In the five years since the Model Rules were issued, law firms have become coveted targets for cybercriminals, and law firm breaches have become front-page news. Law firms of all sizes increasingly rely on a new breed of technical companies that have developed special tools and services for protecting the uniquely valuable data of law firms and their clients.
The ABA’s lengthy Opinion has two especially significant aspects: i) using “reasonable measures” to assess and mitigate risks; and ii) making “reasonable efforts” to manage vendors. The Opinion rejects requirements for specific security measures, and instead adopts a “reasonable” standards approach to deal with complex technical issues. Therefore, it is important that law firms and technical companies work together to update and improve cybersecurity practices, and decide which services and tools are most suitable for meeting a variety of challenges in law firms.