Legal Ethics, Cybersecurity, and Data Privacy: Navigating Risks, Protecting Client Data, Maintaining Compliance

Cybercrime and data breaches continue to rise and dominate the headlines and law firms remain prime targets due to the sensitive nature of their work. Lawyers must understand the risks and their ethical and legal obligations to safeguard client data in order to uphold their professional responsibilities and avoid malpractice actions.

Rule 1.6 of the American Bar Association's (ABA) Model Rules of Professional Conduct emphasizes a lawyer's duty to maintain confidentiality and adopt reasonable security measures against data breaches to protect sensitive client information. Other ethics rules have particular application to protection of client information, including the technical competency requirements found in Model Rule 1.1, the diligence and promptness standards found in Rule 1.3, Rule 1.4 which underscores the importance of clear communication with clients, and Rules 5.1 and 5.3 highlighting the supervisory responsibilities of lawyers to ensure that all members of the firm adhere to the ethical obligations concerning cybersecurity and data protection.

Beyond ethical rules, attorneys must also navigate compliance with various state, federal, and international laws, including among others, the European Union's General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Federal Trade Commission (FTC) Act, the California Consumer Privacy Act (CCPA) and New York's Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

Listen as our authoritative panel examines the ethics rules relating to data privacy and cybersecurity and provides guidance on implementing robust processes and procedures for maintaining compliance with the Model Rules of Professional Conduct and other laws. 

I. Overview: lawyer’s role as a fiduciary

II. Cybersecurity and data privacy risks in the legal setting

III. ABA Model Rules of Professional Conduct relating to a lawyer's duty to protect client data

IV. ABA Standing Committee on Ethics and Professional Responsibility's Formal Opinions 477R and 483

V. States with enhanced data privacy and cybersecurity requirements for lawyers that go beyond the ABA's Model Rules of Professional Conduct

VI. Other state, federal, and international laws regulating data privacy and protection: GDPR, HIPAA, Federal Trade Commission Act, CCPA, New York's SHIELD Act

VII. Realities of a data breach at a law firm

VIII. Strategies for implementing technical measures and administrative safeguards for data compliance to mitigate exposure to cybersecurity incidents

IX. Practitioner pointers and key takeaways

The panel will examine these and other key considerations:

• Why are law firms and lawyers prime targets for cyberattacks and data breaches?
• How do the Model Rules of Professional Conduct govern a lawyer's duty to protect client data and minimize the risks of cyberattacks?
• What are other laws and regulations lawyers and firms must abide by with respect to data and cybersecurity?
• What specific cybersecurity measures are required to safeguard client data from hackers?