Should Competence in Data Security Be an Ethical Obligation for Law Firms?


It’s unlikely that Congress or federal regulators will move to specifically target law firms with data security rules, Bloomberg BNA Privacy & Data Security News Managing Editor Don Aplin said at a recent MimesisWebTV Cy-pher roundtable discussion of privacy thought leaders. 

Lisa Sotto, chairman of Hunton & Williams LLP's privacy and cybersecurity practice and managing partner of Hunton's New York office, agreed. Financial and health-care companies have had their data security regulated, but it is highly unlikely that law firms will face the same treatment.

Aplin said a more significant development may be the move by the American Bar Association to focus on cybersecurity issues for law firms and to make technical competency a model ethical rule, which definitely moves things in the direction of ethical obligations surrounding data security.

Kevin Chalker, founder and CEO of GRA Quantum, said law firms aren’t waiting for the government to tell them what to do but have been independently moving to improve their cybersecurity as a means of protecting client data.

Mark Seifert, a partner at the Brunswick Group, noted that law firms too often lack people at the top decision-making rungs of the firm ladder who really understand the need to assess data security risks. They may not comprehend the importance of looking at privacy and security risks associated with bring-your-own-device or other such developments, he said.
