This year marks the inaugural season of the ABA Academy’s Cybersecurity Core Curriculum. The Curriculum is a series of programs addressing the cybersecurity risks facing lawyers, best practices for prevention and incident response, and lawyers’ legal and ethical obligations to clients regarding data security.
The next event in this series, “Moving Target: Cybersecurity Legal Requirements and Liabilities,” will be held on November 19, 2014. More details on how to register for this and other upcoming events may be found here.
Facing the Need to Improve Cybersecurity Awareness & Practices
Lawyers are uniquely vulnerable to cyber attacks. Jill Rhodes and Vincent Polley, who were instrumental in the creation of the Core Curriculum, assert that despite this vulnerability most firms and organizations are unprepared to address the risk. Rhodes states, “We believe that lawyers are at risk because they hold such sensitive client data.” Being prepared is part of being a responsible attorney; attorneys are required to protect client data from any sort of disclosure. “The question,” Rhodes says, “is how to do that? Many lawyers use technology, but tend to be wary with respect to security matters—it can be overwhelming. How do you educate the legal population about the importance of protecting client data in a way that is understandable to that population?”
Creating the Tools to Help Lawyers Understand & Address Cybersecurity Threats
Echoing Rhodes’ sentiments, Polley notes that there was an “obvious need” for resources that lawyers could access in order to improve their understanding of and ability to address the threat of cyber attacks. The issue was determining what those resources would be. “It was with the creation of the Cybersecurity Legal Task Force that the stars were properly aligned,” Polley says. “All the cognizant ABA Sections, coming together, and leveraging their experience and expertise” led to the creation of the ABA Cybersecurity Handbook, a guidebook for lawyers on how to address the threat of cyber attacks on law practices. Since its release, the Handbook has been a bestseller. Rhodes states, “What is so great about the book is that it draws on the expertise of attorneys from different types of firms and practices. These experts did the writing, and the Curriculum tracks the topics in the book.” The authors of the book, and editors Rhodes and Polley, are also instructors for the Core Curriculum.
Facing the Challenge of Preventing Cybersecurity Attacks
When lawyers consider how to prevent and address cyber attacks, there are many issues to keep in mind. First, Polley warns, “perfect security is unachievable. Firms need to take a searching inward look at their own capabilities (and risks), and expand their dialogue with clients to address cybersecurity issues (and re-address them as circumstances change) to develop an informed, shared understanding of the risks.” Rhodes adds that an effective dialogue also requires that “lawyers and managing partners work well with their IT and security offices. Security shouldn’t be left for ‘others’ to worry about. It is everyone’s responsibility to manage data.”
Rhodes also highlights a critical concern that is rarely discussed. “We need to discuss what happens if a law firm or organization has a disclosure. Often, we can manage the disclosure itself; that’s a question of paying for the damage. The hardest piece to address occurs as soon as a disclosure hits the press: how should the firm or organization address reputational risks? One of the reasons to focus on this is 1) cyber attacks are a significant risk, and 2) if a firm has not put in preventative measures how can it protect its reputation?”
Meet the Editors
Jill Rhodes is currently Vice President and Chief Information Security Officer for Trustmark Companies, and is experienced in providing education and training to lawyers. Prior to joining Trustmark Companies, she spent twenty years working on national security and data security issues for a variety of government agencies including the Office of the Director of National Intelligence, Central Intelligence Agency, and Department of Homeland Security.
Vincent Polley has been involved in cybersecurity for over twenty years. In the mid-1990s, he was responsible for IT policy/law at a multinational energy company, and worked with the company to respond to cyber attacks on client data that were orchestrated by various nation states. Since 1997, he has been blogging on cybersecurity matters through www.knowconnect.com/MIRLN.
This post was originally published on the legacy ABA Section of Administrative Law and Regulatory Practice Notice and Comment blog, which merged with the Yale Journal on Regulation Notice and Comment blog in 2015.