How cybersecurity is changing the way lawyers work


 As new technologies are changing the way lawyers practice law, it is paramount to modify the Deontological Code for the profession and update lawyers concept of due diligence.

Author: Jaime Sardina is a tax lawyer and winner of the XII José María Cervelló prize for his paper on cybersecurity and deontological ethics. 

The new digital landscape is transforming the way many professions are carrying out their business, and law is not an exception. In this respect, our daily performance within our chosen profession is becoming increasingly affected by new technologies. Therefore, as a result of higher competition, there is a greater pursuit for efficiency. This pursuit is aimed at achieving an increase in profit margins and establishing relations with clients who are highly skilled in IT and new digital developments. Such clients will demand a higher quality service, which can be achieved only by using the aforementioned technological advancements.

In today’s climate, where the majority of our work is based and stored in a digital platform, a lawyer must work hard and collaborate with the emergence of such new technologies. This will ensure they uphold their key duty of maintaining the confidentiality of clients’ information which will ultimately result in the client’s satisfaction and confidence in the firm.

Therefore, we must consider including cybersecurity into the Deontological Code of Advocacy. Nonetheless, both the Spanish and European Codes (the former being inspired by the latter) do not regulate any duty regarding new technologies and their relation to the lawyer’s due competence. This is, rather regrettably, not surprising if we take into account that Spain, even though ranked 13th in GDP terms, holds a high 54th place in terms of commitment and development for cybersecurity, according to the “Global Cybersecurity Index 2017”, conducted by the International Telecommunication Union.

Lawyers must now focus on the concept of ‘cybersecurity,’ a new phenomenon that is changing the way they work as they know it

In contrast to European countries, several others such as the United States, Canada or Australia have regulated this issue in their Deontological Codes. For instance, the New Hampshire Bar Association, in its Advisory Opinion 2012-13/4, regulates the competence of a lawyer in the following terms:

“Competent lawyers must have a basic understanding of the technologies they use. Furthermore, as technology, the regulatory framework, and privacy laws keep changing, lawyers should keep abreast of these changes.”

In this regard, there are also similar provisions missing in the Spanish Deontological Code, but we cannot even see any duty related with the lawyer’s due competence. Taking this into consideration, it would be highly recommendable to add a new article providing a definition of the lawyer’s competence. This definition should include keeping abreast of the benefits and risks associated with relevant technology. This specification would be extremely useful in helping to distinguish whether a lawyer’s performance has been diligent or not and in the event of any disciplinary liabilities, being able to measure the extent to which a lawyer has been incurred.

Moreover, some sort of provision regarding confidentiality and client information would help us to assess, not only disciplinary liability, but also civil liability with the client.

Above all, the mere inclusion of the necessary knowledge of new technologies would encourage Spanish lawyers to apply different measures when implementing cybersecurity into their law firms. As of yet, only 41.7% of law firms have introduced cybersecurity into their daily practices, according to a recent investigation conducted by Lefebvre (“Estudio de Innovación en el Sector Jurídico. 2019”, p. 80).

We should pay close attention to the following aspects when debating whether to enforce cybersecurity:

  • Private cloud: as opposed to the public cloud, the private cloud guarantees that the law firm will be the only party allowed access to the resources and information available in the cloud. Moreover, private clouds enable the law firm to negotiate service agreements with the provider, so as to ensure the proper level of security meets the law firm’s requirements.
  • Encryption and tokenization: encryption is the process of converting information or data into a code, whereas tokenization is the process of substituting data with symbols which have no extrinsic or exploitable value. Both methods seek to protect confidential information from third parties.
  • Internal code of conduct: this suggests the need for some sort of code to be implemented within the law firm. The code would use decisive and unique measures and accountabilities to adapt to the specific security requirements of each law firm.

All of the above would work in conjunction with one another to properly ensure our law firms are protected from emerging technological threats, without being disadvantaged. Finally, all the benefits and advantages relating to efficiency and cost reduction that are being advocated by the current digital transformation will still remain.

Jaime Sardina is a tax lawyer at Garrigues. He studied Law & Business Administration at ICADE and has been recently awarded with XII José María Cervelló prize for his paper «La ciberseguridad como deber deontológico del abogado: una mirada al futuro de la profesión».


Note: The views expressed by the author of this paper are completely personal and do not represent the position of any affiliated institution.