October is one of my favorite times of the year. Fall…pumpkin spice…and Halloween is right around the corner. But even better, October is National Cybersecurity Awareness Month; it was launched by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) in October 2004 as a broad effort to help all Americans stay safer and more secure online. This year’s theme is “Do Your Part. #BeCyberSmart.” The theme encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity. This is an important message for all of us, but is especially critical for lawyers and law firms, given the type of information we keep.
The results of the 2019 ABA TECHREPORT show 26% of survey respondents reported their firms have experienced some sort of security breach, ranging from hacker activity and website exploits to more mundane incidents such as lost or stolen laptops. Of those that experienced some sort of security breach, consequences included consulting fees for repair (37%), downtime/loss of billable hours (35%), expense for replacing hardware or software (20%), destruction or loss of files (15%), notifying law enforcement of the breach and notifying clients of the breach (9% each), unauthorized access to other (non-client) sensitive data (4%), and unauthorized access to sensitive client data (3%).
With respect to viruses, spyware and malware, the 2019 Survey results indicate more than a third of respondents (36%) have had systems infected, with 14% reporting complete destruction or loss of files.
In 2018, during Cybersecurity Awareness Month, I might add, the ABA issued Formal Opinion 483 discussing a lawyer’s obligations after an electronic data breach or cyberattack. The opinion notes that when a data breach occurs involving—or having a substantial likelihood of involving—material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under the Rules of Professional Conduct.
For the rest of this month, we will focus on providing you with useful tips to promote cybersecurity awareness and best practices to protect your information, in addition to discussing ethical obligations associated with cybersecurity. In the meantime, I encourage you to view the several resources already available on this blog. From phishing emails to viruses and everything in between, we've got you covered.
For more information and additional resources on Cybersecurity Awareness Month, please visit: