As law firms adopt digital solutions, whether in their business operations or in the provision of legal services to clients, one question looms over any such solution: that of “cybersecurity”. The issue is not unique to the legal industry; it has plagued other industries such as healthcare and finance, with the latest breaches making headlines in the mainstream media every so often.
While everyone will acknowledge that equipping a law firm with cybersecurity is a necessary expenditure, the question is what a reasonable amount for each firm to spend on cybersecurity is. Judging what is reasonable is a tricky issue, as it depends very much on the firm, its business operations and even its clientele. Considering the huge scope of cybersecurity, the many issues relevant to it, and the intention of this article as a ‘baseline’ guide for lawyers, this article discusses cybersecurity in an FAQ format.
Generally, cybersecurity comprises a range of approaches to prevent unwanted breaches of the firm’s digital ecosystem. Such approaches include, but are not limited to: (1) software cybersecurity; (2) hardware cybersecurity; (3) policies on the use of IT equipment by employees; and (4) continuous education of employees.
Most of us are connected to the Internet on a daily basis, or have part of our lives connected to it through e-Government services such as SingPass, eLitigation, etc. Like our physical spaces, the digital space is prone to security breaches. Malicious software such as viruses, worms and other malware can invade that digital space and cause massive disruption to our work and lives. Some common and well-reported examples include the theft of client information from companies and the insertion of “ransomware”, which locks employees out of their computers or files unless a sum is paid to the ransomware distributor, amongst many others.
As long as you use a computer or a smartphone (or even a mobile phone with Internet access), the computer network in your office is exposed to such security vulnerabilities. To illustrate the gravity of not having cybersecurity: under the Legal Profession Act, a lawyer is required to maintain client confidentiality, and the theft of client information due to a lack of cybersecurity measures can lead to a disciplinary hearing before the tribunal. Besides disciplinary measures, firms may also lose current and future clients over fears that their sensitive information may be leaked to competitors. There is thus a double penalty: sanctions pursuant to the Legal Profession Act, and the commercial cost of losing clients.
As mentioned earlier, this article sets out four key approaches to cybersecurity: (1) software cybersecurity; (2) hardware cybersecurity; (3) policies on the use of IT equipment by employees; and (4) continuous education of employees.
Software cybersecurity refers to the use of software to prevent or remedy cybersecurity breaches. Familiar examples such as antivirus software and firewalls may come preinstalled with the computer’s operating system (e.g. Windows Defender on Windows, or the security updates bundled with macOS) or can be purchased from third-party providers such as McAfee or Norton. One may even find antivirus software and firewalls bundled with products sold by telecommunications providers. Such software is only effective if it is kept up to date: both the operating system and the antivirus definitions should be set to update automatically, since attackers routinely exploit vulnerabilities for which a fix has already been released.
Some law firms also require employees to encrypt their e-mails and have attachments scanned before the e-mails are sent out. As client confidentiality is an integral aspect of the legal profession, such practices should be adopted as best practices.
Hardware cybersecurity refers to the use of hardware, or the physical (re)location of certain IT equipment, to prevent cybersecurity breaches or to help restore the network in the aftermath of a grave security breach involving the loss or inaccessibility of data. It can involve the introduction of a hardware firewall and, for firms that maintain their own server, keeping backup servers at a physical location other than the office headquarters, so that data can be restored in the event of a security breach at the headquarters. Firms should also note that a backup which remains permanently connected to the office network can be encrypted by ransomware along with everything else; backups should therefore be kept offline or otherwise isolated, and periodically tested to confirm that data can actually be restored from them.
Policies on the use of IT equipment set down rules on how such equipment may be used. Firms should make it a point to address the use of office IT equipment, e.g. desktops, laptops, smartphones and e-mail accounts that the firm provides to employees, as well as the use of personal IT equipment in the office, e.g. the use of personal USB keys on office desktops, or the use of personal smartphones or desktops to access company e-mails or data. Policies on the use of office IT equipment usually cover the following: use of the Internet (including downloading and the viewing of websites), prohibition of the use of company-owned devices for personal matters, and no forwarding of spam e-mails, amongst many others.
It is likewise important to have policies on the use of personal devices, in particular for small law firms that allow employees to work from home or in the office using their personal devices. For instance, firms may set out IT policies requiring that any personal device used for work must not be used or viewed by other parties, especially when confidential work-related information or data is being viewed on it. In the event of the loss of a personal device containing work-related data, a report should be made promptly to the employee’s superior.
Another common policy concerns the use of USB sticks or other portable storage devices in the firm. Many firms and companies have banned the use of USB thumb drives for security reasons, to ensure that confidential information is not transferred out without authorisation and that viruses are not introduced via the USB stick. Such a policy should consist of a general prohibition on the use of USB sticks or portable storage devices, followed by exceptions, e.g. where permission is granted by a partner.
As technology advances rapidly, cybersecurity attacks evolve with it. While the average lawyer may not be able to resolve an actual cybersecurity attack, employee education can help prevent such attacks from happening or recurring. To prevent employees from stepping on a cybersecurity landmine, they should be educated on the dangers of opening or downloading suspicious e-mails or attachments and visiting suspicious websites, on how to identify spam e-mails (which may carry malicious attachments), and on the differences between a scam website and a genuine one, etc.
This is a tricky question. It would be onerous for a small firm to acquire every possible cybersecurity software and hardware product (which can cost a handsome sum), while a large firm that handles large volumes of confidential information for big retainer clients is an attractive target for hackers and should therefore think twice before skimping on cybersecurity measures.
Regardless, law firms and lawyers should be aware of rule 35(4) of the Legal Profession (Professional Conduct) Rules 2015, which states that the management of a law practice “must take reasonable steps to ensure that the law practice has in place adequate systems, policies and controls for ensuring that the law practice, and the legal practitioners working in the law practice, comply with the applicable written law, and any applicable practice directions, guidance notes and rulings issued under section 71(6) of the Act or by the Council or the Society relating to – (a) client’s money; (b) conflicts of interests; and (c) client confidentiality”. Rule 35(6) of the same Rules further states that lawyers in the management of a law practice must also assess those systems, policies and controls and make changes to ensure that they continue to comply with the law.
What is deemed to be a “reasonable step” depends on the facts. In the event of a dispute over whether adequate measures have been taken, some guidance can be sought from  SGHC 155 at . The burden is on the law firm to produce “clear and convincing evidence that “effective” measures have been taken to ensure that no disclosure will occur”, insofar as the protection of a former client’s confidential information is concerned. Furthermore, firms and lawyers should note, at  of the same case, that “whether the measures taken to protect against disclosure are effective or ineffective must depend, in each case, on a range of factors, including the nature of the work done for the former client, the timing of the creation of the information barrier, the size of the law firm, the physical locations of departments within the firm, the number and seniority of tainted lawyers, and so on”. That case concerned information barriers between lawyers within a firm rather than cybersecurity as such, but the same fact-sensitive approach, and the same burden on the firm to show that its measures are effective, can be expected to apply to the protection of client data held in digital form.
To conclude, law firms that handle confidential client information using digital media should have cybersecurity systems, policies and controls in place. Since whether a law firm has taken reasonable steps is a question of fact, it is good practice for the management to keep abreast of practice guidance notes and cybersecurity-related circulars from the Law Society of Singapore’s Ethics’.
Profile of Author(s):