Cyber Security for Nevada Law Firms in 2024
Zeus
1/17/2024
7 min read
The year 2023 marked a pivotal shift in the technological landscape, particularly with the introduction of Generative AI (GenAI), which significantly transformed how we interact with information. The Nevada Bar Association recognized this through its CLE Seminar, while Nevada Lawyer published an article discussing AI ethics around the same time. However, as powerful and promising as GenAI may be, the keynote of the 2023 ABA Law and National Security conference spoke about GenAI's existential risks. Law firms are flush with sensitive information, and GenAI is a potent risk to law firms: "...For a potential criminal with little technical knowledge, this is an invaluable resource." Major news outlets have warned firms that cyber criminals are directly targeting them through phishing emails, ransomware attacks, and more.
One notable development is the automation of highly personalized phishing emails through GenAI, leading to a staggering 1200% increase in such attacks since Q4 of 2022 alone. This isn't the only threat, as criminals are leveraging GenAI's capabilities to replicate voices. On December 12th, 2023, I demonstrated this myself by creating an excerpt of my own voice (download) within just 10 minutes using Meta's Audiobox, a free tool that combines voice inputs and natural language text prompts, starting from only one paragraph of your recorded voice.
Meta explains, "Audiobox is a foundation research model for audio generation capable of generating voices and sound effects. It can create custom audio based on voice inputs and natural language text prompts, making it suitable for numerous applications." This innovation raises concerns because it enables phone calls in the cloned voice of a real individual, driven by nothing more than a short text prompt.
Furthermore, real-time deepfake technology, including real-time synthetic faces on video calls, adds another layer of complexity to these threats. In light of these developments, law firms need to be vigilant and adaptive in their approach to cybersecurity, recognizing how GenAI can empower malicious actors in new ways. Beyond fake voices, the same tools accelerate and multiply an attacker's ability to carry out complex cyber attacks. It's crucial for firms to stay informed about the evolving risks and adopt robust security measures against these sophisticated threats.
This dynamic landscape requires constant adaptation and proactive effort to ensure the integrity and security of client information, your work product, and the very reputation your firm has built both online and in the legal community. SierrÆgis Cyber Security specializes in helping firms like yours navigate these complexities and provides Managed Security Services designed to mitigate the risks posed by GenAI.
Lawyers are, of course, bound by confidentiality laws and rules. The ABA Model Rules of Professional Conduct state this implicitly, and Formal Opinion 477R addresses lawyers' obligations to maintain client privacy in the digital age. In the Opinion, Rule 1.1 is relevant to the duty of technological competency. Rule 1.6(c) is relevant to preventing unauthorized access to, or inadvertent disclosure of, information relating to the representation of a client. Rules 5.1 and 5.3, and specific state laws like Nevada Revised Statutes (NRS) 603A, concern reasonable security measures to protect records from unauthorized access. Furthermore, federal laws may impose additional cybersecurity requirements depending on the nature of the practice.
The American Bar Association's (ABA) Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483 in October of 2018, focusing on the necessity for lawyers to notify clients about data breaches affecting confidential client data. This opinion builds upon Formal Opinion 477R (May 2017), which emphasized the need for securing protected client information in electronic communications.
Opinion 483 recognizes that law firms, as custodians of sensitive client information, are likely targets for cyber incidents. It underscores the heightened risk law firms face of their information being exploited in insider trading schemes. The Opinion identifies six ABA Model Rules implicated in a data breach:
Model Rule 1.1: Demands competent representation, including adequate legal knowledge, skill, thoroughness, and preparation.
Model Rule 1.4: Obligates lawyers to keep clients reasonably informed about their case status and explain matters to enable informed client decisions.
Model Rule 1.6: Requires confidentiality and reasonable efforts to prevent unauthorized disclosure or access to client information.
Model Rule 1.15: Mandates appropriate safeguarding of clients' documents and property.
Model Rule 5.1: Imposes on lawyers with managerial authority the duty to ensure all firm lawyers adhere to professional conduct rules.
Model Rule 5.3: Obligates supervisory lawyers to ensure non-lawyer conduct aligns with professional obligations.
The Opinion also discusses routine practices that help lawyers meet their ethical obligations. It defines a "data breach" as an event where client confidential information is misappropriated, destroyed, or compromised, or where a lawyer's ability to provide legal services is significantly impaired. This definition is significant because it covers only incidents that impact client information or impair legal services.
The Opinion differentiates its definition from federal and state breach notification laws, which often focus on personally identifiable information. This means a data incident might trigger ethical notification obligations without necessarily invoking breach notification laws.
The Opinion stresses the Duty of Competence, requiring lawyers to stay updated on law changes, including technology risks and benefits. This might involve monitoring for incidents, acting promptly on suspected breaches, and conducting thorough investigations post-breach.
In terms of confidentiality, the Opinion, referencing Model Rule 1.6, highlights that lawyers should take preventive steps before incidents and also consider post-incident actions based on investigation findings.
Notification obligations are divided into two contexts: notifying current clients and former clients whose data is retained according to record retention requirements. For current clients, the breach notification obligation is based on Model Rule 1.4, necessitating lawyers to keep clients reasonably informed. The Opinion considers data breaches, as defined by the Committee, as having a reasonable possibility of negatively impacting a client’s interests, thus requiring notification. However, for former clients, there is no explicit ethical requirement for notification, and any obligation would stem from statutory or regulatory requirements.
The Opinion also provides guidance on the content of breach notifications, including the occurrence of an incident, the extent of information accessed or disclosed, and the lawyer's response plan. Lawyers have a continuing duty to keep clients updated on material developments post-breach.
Overall, the Opinion aligns with standard incident response best practices across various industries. It outlines pre-incident actions, such as maintaining basic technology understanding, preparing an incident response plan, implementing policies to safeguard confidential information, monitoring for unauthorized access or intrusions, and providing oversight for technology-related activities.
Post-incident, lawyers should promptly respond by investigating the incident, containing it, and mitigating damage. Based on the investigation's findings, lawyers must assess the impact on client confidential information or their ability to perform legal services. If the breach affects material client information or significantly impairs legal services, lawyers must communicate with affected clients and provide appropriate follow-up updates.
To comply with these duties, law firms should implement comprehensive cybersecurity programs covering the core security functions: identify, protect, detect, respond, and recover. This includes conducting risk assessments, employing physical, administrative, and technical safeguards, and having incident response plans. Additionally, beyond the scope of NRS Chapter 603A (Security and Privacy of Personal Information), law firms may have regulatory duties under federal laws requiring reasonable safeguards for personal information and notice in the event of a data breach.
However, many law firms make the mistake of relying on an IT company, a local computer repair shop, or solely on Managed Service Providers (MSPs) rather than SierrÆgis's Managed Security Services dedicated to cyber security. This puts them at risk of security gaps, regulatory violations, and even potential harm to their reputation, which means their bottom line. So why do so many law firms continue to overlook the importance of specialized cybersecurity expertise?
For starters, MSPs provide general IT support services such as network management, software upgrades, and hardware maintenance. While they may offer a modest level of security for any individual product or service, their expertise typically doesn't extend to the specific skill set required for comprehensive cybersecurity protection. In contrast, SierrÆgis specializes in staying abreast of the latest cyber threats and defense mechanisms, ensuring a firm's technology infrastructure remains secure against evolving risks. This specialized knowledge is crucial for proactively identifying and mitigating complex cyber threats that might not be fully addressed by an MSP.
Moreover, law firms are often subject to stringent compliance and regulatory requirements concerning data privacy and protection under laws like HIPAA, GLBA, and various Nevada regulations. Proskauer Rose in New York City left 184,000 client files accessible through a web browser to anyone who wanted to look at private and privileged financial and legal documents, contracts, non-disclosure agreements, financial deals, and files relating to high-profile acquisitions. SierrÆgis has extensive experience helping firms comply with these legal standards, whereas MSPs likely do not fully address these requirements in their service offerings.
Additionally, SierrÆgis can provide advanced security services such as continuous monitoring, threat intelligence, incident response, forensic analysis, and more - all essential components of a robust cybersecurity strategy for handling sensitive client information. Risk assessment and management are also key aspects of cybersecurity that SierrÆgis consultants excel at, unlike generalist MSPs who lack the tools and expertise for proper in-depth security assessments.
When it comes to customized solutions tailored to a law firm's unique needs, SierrÆgis outshines MSPs. Each firm has distinct requirements based on its size, type of clients, and cases handled. Tailored security measures ensure the most effective protection against potential cyber threats.
In the event of a security breach, a quick and effective response is critical. Incident response and recovery are areas where SierrÆgis specializes, minimizing damage and restoring operations swiftly. An MSP might not possess the same level of preparedness, or even deploy the tooling in your infrastructure needed to detect or investigate serious cyber incidents.
To summarize, while MSPs play a crucial role in managing a law firm's IT infrastructure, relying solely on them for cybersecurity needs leaves wide gaps in a firm's security posture. Incorporating the specialized skills of SierrÆgis ensures a comprehensive, robust cybersecurity strategy that safeguards client information and adheres to legal and ethical obligations. By doing so, law firms in Nevada can protect their practices and reputation and ensure they uphold the integrity of the legal system.