October marks Cybersecurity Awareness Month, a crucial time for law firms to reassess their risk management strategies and bolster their defenses against cyber threats. In an era where data is one of the most valuable assets, law firms, which handle vast amounts of sensitive client information, are prime targets for cyber criminals. As the legal industry becomes more reliant on digital tools, robust cybersecurity measures become even more imperative.
One of the most significant risks facing law firms today is the potential for a data breach. Cyber criminals commonly exploit vulnerabilities through phishing attacks, ransomware, and social engineering tactics. Phishing, for instance, often involves emails designed to trick recipients into clicking malicious links, while ransomware can paralyze a firm’s operations by encrypting data and demanding ransom for its release. Social engineering, such as a common scheme where criminals manipulate attorneys by posing as clients and convince them to send funds from a trust account, poses a particularly insidious threat.
According to the ABA’s 2021 Cyber Security Report, 25% of law firms have previously suffered a data breach. And experience shows that firms of all sizes are susceptible to social engineering scams. Solo attorneys are often targeted in social engineering scams involving a faux client, while members of larger organizations are attacked through other spear phishing scams involving executive impersonation. Cybercrime is so prevalent that ABA Formal Opinion 483 observes that law enforcement approaches businesses as those who have already been victims and those that will be.
For law firms, the consequences of a cyber-attack can be devastating. Beyond financial losses, a breach can severely damage a firm’s reputation and erode client trust. Lawyers must not only understand these risks but take proactive steps to mitigate them. OBLIC provides access to the comprehensive Cyber Toolbox for insured attorneys. This resource provides training, tech news & developments, and sample templates to help attorneys protect their firms. Contact Loss Prevention to request the Cyber Toolbox password.
A critical component of any law firm’s risk management strategy should be cyber breach insurance. This specialized insurance provides coverage for the financial fallout of a cyber-attack, including the cost of notifying clients, recovering lost data, and addressing legal liabilities. Cyber breach insurance acts as a safety net, ensuring that firms are not financially crippled by a breach. It also emphasizes the need for comprehensive risk assessment and incident response planning. OBLIC provides coverage through Tokio Marine HCC – Cyber & Professional Lines Group to offer a comprehensive cyber breach insurance policy to Ohio law firms. Contact OBLIC’s agency partner, the Ohio Bar Insurance Agency, to learn more.
In addition to securing insurance, law firms must implement basic cybersecurity best practices. This includes regular employee training, strong password policies, multi-factor authentication, and up-to-date software to reduce vulnerabilities. By fostering a culture of cyber awareness, firms can significantly reduce the risk of becoming victims of common cybercrimes.
Attorneys have both ethical and legal responsibilities to implement competent and reasonable safeguards to protect client information.
Key provisions in the Ohio Rules of Professional Conduct address the protection of client information. Notable rules include competence (Rule 1.1), communication (Rule 1.4), confidentiality (Rule 1.6), and supervision (Rules 5.1, 5.2, and 5.3). These rules collectively require attorneys to:
- Implement reasonable safeguards to protect client confidentiality.
- Communicate effectively with clients about the use of technology and obtain informed consent when necessary.
- Supervise attorneys, staff, and third-party service providers to ensure compliance with these obligations.
The ABA and the Ohio Board of Professional Conduct have provided guidance on these duties for more than a decade. Key advisory opinions include:
- ABA Formal Opinion 477R, Securing Communication of Protected Client Information (May 2017)
- ABA Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack (October 2018)
- ABA Formal Opinion 498, Virtual Practice (February 2021)
- Ohio Advisory Opinion 2017-05, Virtual Law Office (June 9, 2017)
- Ohio Advisory Opinion 2022-11, Lawyers Sharing Office Space, Nonlawyer Staff, Dividing Fees (October 7, 2022)
As Cybersecurity Awareness Month unfolds, it’s an opportune moment for law firms to evaluate their cybersecurity posture. Risk management is not just about preventing breaches—it’s about being prepared to respond effectively when one occurs. Investing in cyber breach insurance and staying vigilant can make all the difference in navigating today’s evolving cyber threats.
As always, feel free to contact us if you have questions or comments. We’re here to help!
Gretchen K. Mote, Esq., Director of Loss Prevention, Ohio Bar Liability Insurance Co. Direct: 614.572.0620
Merisa K. Bowers, Esq., Loss Prevention Counsel, Ohio Bar Liability Insurance Co. Direct: 614.859.2978
This information is made available solely for loss prevention purposes, which may include claim prevention techniques designed to minimize the likelihood of incurring a claim for legal malpractice. This information does not establish, report, or create the standard of care for attorneys. The material is not a complete analysis of the topic and should not be construed as providing legal advice. Please conduct your own appropriate legal research in this area. If you have questions about this email’s content and are an OBLIC policyholder, please contact us using the information above.