Technological Competency and the Code

We are all more reliant on technology than ever before, and the legal industry is no exception. Partly due to COVID-19, law firms have adopted new tech for file management, remote work and communication. New technology is a welcome change in a profession often plagued by antiquated systems and thinking. However, the adoption of new technology in the legal field has led to an increase in the amount of data stored and accessed online. As a result, firms may be more vulnerable to cybersecurity threats.[1]

Ransomware

One tactic used by hackers is ransomware. Ransomware attacks can result in millions of dollars spent to resolve the data breach, update security systems and train employees to prevent it from happening again. In April 2020, two Manitoba law firms were hit by a ransomware attack, locking them out of their entire computer system, including their Cloud backups.[2] The amount of the ransom and whether it was paid were never disclosed. Even if firms regain access to their data, there is no guarantee that it has not been corrupted or altered.[3]

In both cases, hackers gained access to the firm’s system using email phishing scams. I was under the impression hackers would use sophisticated technology-based tools to gain access to law firm data. While this is true in some cases, more often, simple tactics such as malicious email links and attachments are used to penetrate security systems. It is quite ridiculous that methods used since the dawn of the internet are still used to hold law firms hostage.

As of November 2022, the Law Society of B.C.’s Code of Professional Conduct does not reference technological competence. In 2019, the Federation of Law Societies of Canada amended the Model Code of Professional Conduct by including provisions addressing technological competence.[4] Revising the Code is not a new idea, but change is slow in the legal industry. Now may be the right time for the Law Society of B.C. to revise the competency requirement. They may be more receptive to change now in comparison to years past, as evidenced by the Legal Innovation Sandbox.

The Code and Security Training

While firm-specific training and education are critical in this area, introducing data and cybersecurity in the Law Society’s Code and admissions process helps establish a baseline understanding across lawyers in B.C. This would introduce lawyers to the basic threats that commonly target law firms. The trend of innovative technologies in legal services will only increase, making it more difficult for even senior lawyers to avoid utilizing new legal tech.

Therefore, upholding the core principle of “protecting the public” through establishing legal competence should include a technological component related to cybersecurity and data breaches. A self-governing profession undertakes significant responsibility to uphold the foundation of legal services. If lawyers are to maintain the confidence of the public, it seems necessary to update the policies we all follow along with new tech.

[1] “Ransomware attacks have seen a dramatic increase, say lawyers” Elizabeth Raymer, June 29, 2021 https://www.canadianlawyermag.com/practice-areas/privacy-and-data/ransomware-attacks-have-seen-dramatic-increase-say-lawyers/357700

[2] “Small and Midsized Law Firms Slammed by Ransomware” Sharon Nelson & John Simek June 3, 2021 http://www.slaw.ca/2021/06/03/small-and-midsized-law-firms-slammed-by-ransomware/

[3] “Ransomware attacks lock 2 Manitoba law firms out of computer systems” Sean Kavanagh, April 14, 2020 https://www.cbc.ca/news/canada/manitoba/winnipeg-law-firms-computer-virus-ransomware-1.5530825

[4] “It’s Finally (Sort Of) Here!: A Duty of Technological Competence for Canadian Lawyers” Amy Salyzyn, November 26, 2019