We are all more reliant on technology than ever before, and the legal industry is no exception. Partly due to COVID-19, law firms have adopted new tech for file management, remote work and communication. New technology is a welcome change in a profession often plagued by antiquated systems and thinking. However, the adoption of new technology in the legal field has led to an increase in the amount of data stored and accessed online. As a result, firms may be more vulnerable to cybersecurity threats.[1]
Ransomware
One tactic used by hackers is ransomware. Ransomware attacks can result in millions of dollars spent to resolve the data breach, update security systems and train employees to prevent it from happening again. In April 2020, two Manitoba law firms were hit by a ransomware attack, locking them out of their entire computer system, including their Cloud backups.[2] The amount of the ransom and whether it was paid were never disclosed. Even if firms regain access to their data, there is no guarantee that it has not been corrupted or altered.[3]
In both cases, hackers gained access to the firm’s system using email phishing scams. I was under the impression hackers would use sophisticated technology-based tools to gain access to law firm data. While this is true in some cases, more often, simple tactics such as malicious email links and attachments are used to penetrate security systems. It is quite ridiculous that methods used since the dawn of the internet are still used to hold law firms hostage.
As of November 2022, the Law Society of BC’s Code of Professional Conduct does not reference technological competence. In 2019 the Federation of Law Societies of Canada amended the Model Code of Professional Conduct by including provisions addressing technological competence.[4] Revising the Code is not a new idea, but change is slow in the legal industry. Now may be the right time for the Law Society of B.C. to revise the competency requirement. They may be more receptive to change now in comparison to years past, as evidenced by the Legal Innovation Sandbox.
The Code and Security Training
While firm-specific training and education are critical in this area, introducing data and cybersecurity in the Law Society’s Code and admissions process helps establish a baseline understanding across lawyers in B.C. This would introduce the basic threats commonly targeted at law firms. The trend of innovative technologies in legal services will only increase, making it more difficult for even senior lawyers to avoid utilizing new legal tech.
Therefore, upholding the core principle of “protecting the public” through establishing legal competence should include a technological component related to cybersecurity and data breaches. A self-governing profession undertakes significant responsibility to uphold the foundation of legal services. If lawyers are to maintain the confidence of the public, it seems necessary to update the policies we all follow along with new tech.
[1] “Ransomware attacks have seen a dramatic increase, say lawyers” Elizabeth Raymer, June 29, 2021 https://www.canadianlawyermag.com/practice-areas/privacy-and-data/ransomware-attacks-have-seen-dramatic-increase-say-lawyers/357700.
[2] “Small and Midsized Law Firms Slammed by Ransomware” Sharon Nelson & John Simek June 3, 2021 http://www.slaw.ca/2021/06/03/small-and-midsized-law-firms-slammed-by-ransomware/
[3] “Ransomware attacks lock 2 Manitoba law firms out of computer systems” Sean Kavanagh, April 14, 2020 https://www.cbc.ca/news/canada/manitoba/winnipeg-law-firms-computer-virus-ransomware-1.5530825)
[4] “It’s Finally (Sort Of) Here!: A Duty of Technological Competence for Canadian Lawyers” Amy Salyzyn, November 26, 2019
These are significant risks that we should all be paying attention to. Relevant news story: Cadwalader recently suffered a cyberattack https://www.law.com/americanlawyer/2022/11/21/cadwalader-suffered-email-network-outage-following-cyberattack/ – and apparently also went through one in 2020.
I really appreciated this blog for discussing one less savory and yet still deeply important sides to our class. The move to digitize more legal tools is a process that inherently involves risks, especially those like you listed.
I think the lens of the Law Society is a worthwhile one, but I wonder to what extent it’s going to be the most effective mechanism to truly hold lawyers and legal professionals to account? It seems that the duty to adapt or innovate alongside changes in technology is slightly different than the duty to be defensive of client data, for instance, and may tie more closely to firm or organizational incentive structures.
Great post!! I completely agree that BC should include a tech competency in its Code of Professional Conduct, as well as every province. I don’t believe this requirement is that big of an ask for all lawyers to meet. Ben has a really good point about the effectiveness of the Law Society. I think in order to make any changes to the Code, the Law Society also needs the appropriate resources to effectively monitor lawyers and their ability to meet the tech requirement. I’m curious whether it would be a good idea for the Law Society to partner with a tech company and standardize cyber security across the board.