♫ Oh, we won’t give in
We’ll keep living in the past... ♫
— Music and Lyrics by Ian Anderson, recorded by Jethro Tull.
New York State has become the first US jurisdiction to mandate that attorneys take continuing legal education courses in cybersecurity, privacy and data protection.
All attorneys must complete one hour of training every two years in either the ethical obligations surrounding cybersecurity, privacy and data protection, or in the technological and practice-related aspects of protecting data and client communications.
Florida's and North Carolina's mandates on technology training, as part of a lawyer's CLE, do not specifically address cybersecurity, privacy and data protection.
Back on October 19, 2019, the Federation of Law Societies of Canada amended its Model Code of Professional Conduct to add the following commentary to the competence rule (r. 3.1-2):
[4A] To maintain the required level of competence, a lawyer should develop an understanding of, and ability to use, technology relevant to the nature and area of the lawyer’s practice and responsibilities. A lawyer should understand the benefits and risks associated with relevant technology, recognizing the lawyer’s duty to protect confidential information set out in section 3.3.
[4B] The required level of technological competence will depend on whether the use or understanding of technology is necessary to the nature and area of the lawyer’s practice and responsibilities and whether the relevant technology is reasonably available to the lawyer. In determining whether technology is reasonably available, consideration should be given to factors, including:
- The lawyer’s or law firm’s practice areas;
- The geographic locations of the lawyer’s or firm’s practice; and
- The requirements of clients.
Cybersecurity attacks show that this commentary badly needs updating. But BC has not even added this commentary to its Code.
The “number and perniciousness of cyberattacks increased dramatically” in 2021, according to a new report by Canadian firm Blake Cassels & Graydon. BC&G also stated that the number of reported cybersecurity breaches in Canada alone has risen by more than 2,000% over the past decade.
BC&G states: “[T]he ‘game’ is changing monthly in cases like ransomware — which made up 55% of cybercrime incidents. Approximately 25% of ransom payments exceeded US $1 million.”
IT World Canada reports that Quebec-based IT services firm NoviPro released a poll in Feb. 2022 that found: “Just over half of surveyed Canadian organizations hit by ransomware or malware have paid the amounts demanded by cybercriminals.”
The same report stated: “28% of respondents estimated the cost of a cyber attack on their firm was less than $50,000. The same number estimated the cost was between $50,000 and $250,000. 25% of respondents estimated the cost was over $500,000.”
But this is not all. Sharon Nelson and John Simek, in a post on slaw.ca titled “Small and Midsized Law Firms Slammed by Ransomware,” quoted the Coveware Quarterly Ransomware Report (Q1 2021):
“The most notable change in industries impacted by ransomware attacks in Q1 was the Professional Services industry, specifically law firms. Small and medium sized law firms continue to succumb to encryption ransomware and data exfiltration extortion attacks.”
Some further disturbing facts from the Report:
- The average ransom payment: $220,298 (+43% from Q4 2020)
- The median ransom payment: $78,398 (+59% from Q4 2020)
- The average number of downtime days: 23 (+10 from Q4 2020)
- 77% of ransomware attacks include a threat to leak the stolen data (up from 70% in Q4 2020).
The time has come to act. Any lawyer working on a computer connected to the internet has an obligation to reasonably maintain current knowledge of their ethical obligations in the areas of cybersecurity, privacy and data protection as well as the current best practices to protect client and firm data. Anything less may amount to willful blindness to a clear, present, and growing extortion risk. The time for a change is here — unless of course, you wish to keep living in the past.