eDiscovery Daily Blog

According to the ABA, Lawyers are “Failing at Cybersecurity”: Cybersecurity Trends

In these days of increased data privacy emphasis with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), how are lawyers doing with regard to cybersecurity within their firms?  According to the American Bar Association Legal Technology Resource Center’s ABA TechReport 2019, they are “failing at cybersecurity”.

In the ABA Journal article (Lawyers are failing at cybersecurity, says ABA TechReport 2019, by Jason Tashea), the author reports this quote from an accompanying article on cybersecurity released last Wednesday: “In fact, the results are shocking and reflect little, if any, positive movement in the past year or even in the past few years. The lack of effort on security has become a major cause for concern in the profession.”

The annual report looks at how attorneys use all kinds of technology in their practices. Articles on cloud computing, cybersecurity and websites and marketing were released free online. There are six more articles that will be released Wednesdays through Dec. 18.

The survey found that the most popular security measure being used by 35% of respondents was secure socket layers (SSL), which encrypt computer communications, including web traffic. Only 27% make local data backups. Since 2018, the number of respondents reading vendor privacy policies fell from 38% to 28%. A mere 23% investigated a vendor’s history, even though 94% said vendor reputation mattered when deciding who to contract with.

Only 35% of attorneys use SSL?!?  I have a feeling that many more use it, but don’t realize it.

Meanwhile, slightly more than a quarter of respondents (26%) reported their firm had had a security breach.  In addition, 19% of respondents who reported said that they do not know whether their firm has ever experienced a security breach.  So, the percentage of firms that have experienced a security breach could be quite a bit higher.

Consequences of security incidents included consulting fees for repair (37%), downtime/loss of billable hours (35%), expense for replacing hardware or software (20%), destruction or loss of files (15%), notifying law enforcement of breach and notifying clients of the breach (9% each), unauthorized access to other (non-client) sensitive data (4%), and unauthorized access to sensitive client data (3%).

Only 9% of firms notifying clients of the breach?!?  Ruh-roh.

The ABA Legal Technology Resource Center Tech Survey 2019 is available here.  It’s in five volumes, each available for $350 (non-members) or $300 (members).

BTW, the Legal Technology Resource Center of the ABA used to have a publicly available page with Cloud Ethics Opinions Around the U.S., showing a map of states that had a cloud ethics opinion (we’ve covered it a handful of times, the last being about 2 1/2 years ago here, when there were 21 states that had one, including one that the ABA didn’t have on its site).  That page is now inactive and I can’t find it via a search on the website.  If anybody knows if it’s still available in some form on the ABA website, let me know.

So, what do you think?  Are you surprised by any of the ABA findings on cybersecurity?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.