How cybersecurity is changing the way lawyers work

As new technologies are changing the way lawyers practice law, it is paramount to modify the Deontological Code for the profession and update lawyers concept of due diligence.

Author: Jaime Sardina is a tax lawyer and winner of the XII José María Cervelló prize for his paper on cybersecurity and deontological ethics. 

The new digital landscape is transforming the way many professions are carrying out their business, and law is not an exception. In this respect, our daily performance within our chosen profession is becoming increasingly affected by new technologies. Therefore, as a result of higher competition, there is a greater pursuit for efficiency. This pursuit is aimed at achieving an increase in profit margins and establishing relations with clients who are highly skilled in IT and new digital developments. Such clients will demand a higher quality service, which can be achieved only by using the aforementioned technological advancements.

In today’s climate, where the majority of our work is based and stored in a digital platform, a lawyer must work hard on cyber attack protection and collaborate with the emergence of such new technologies. This will ensure they uphold their key duty of maintaining the confidentiality of clients’ information which will ultimately result in the client’s satisfaction and confidence in the firm.

Therefore, because of the importance of cyber security, we must consider including cyber security in the Deontological Code of Advocacy. Nonetheless, neither the Spanish or European Codes (the former being inspired by the latter) currently regulate any duty regarding new technologies and their relation to the lawyer’s due competence. This is, rather regrettably, not surprising if we take into account that Spain, even though ranked 13th in GDP terms, holds a high 54th place in terms of cybersecurity commitment and development, according to the “Global Cybersecurity Index 2017”, conducted by the International Telecommunication Union.

Lawyers must now focus on the concept of ‘cybersecurity,’ a new phenomenon that is changing the way they work as they know it

In contrast to European countries, several others such as the United States, Canada and Australia have regulated the issue of cyber security and law firms in their Deontological Codes. For instance, the New Hampshire Bar Association, in its Advisory Opinion 2012-13/4, regulates the competence of a lawyer in the following terms:

“Competent lawyers must have a basic understanding of the technologies they use. Furthermore, as technology, the regulatory framework, and privacy laws keep changing, lawyers should keep abreast of these changes.”

Cyber security and law firms: The Spanish Deontological Code

In this regard, there are also similar provisions missing in the Spanish Deontological Code, but we cannot even see any duty related with the lawyer’s due competence. Taking this into consideration, it would be highly recommendable to add a new article providing a definition of the lawyer’s competence. This definition should include understanding the importance of cyber security and keeping abreast of the benefits and risks associated with relevant technology. This specification would be extremely useful in helping to distinguish whether a lawyer’s performance has been diligent or not and, in the event of any disciplinary liabilities, being able to measure the extent to which a lawyer has been incurred.

Moreover, some sort of provision regarding confidentiality and client information would help us to assess, not only disciplinary liability, but also civil liability with the client.

Above all, the mere inclusion of the necessary knowledge of new technologies would encourage Spanish lawyers to apply different measures when implementing cybersecurity into their law firms. And as regards cyber security and law firms, as of yet, only 41.7% of law firms have introduced cyber security into their daily practices, according to a recent investigation conducted by Lefebvre (“Estudio de Innovación en el Sector Jurídico. 2019”, p. 80).

Cyber attack protection

We should pay close attention to the following aspects when debating whether to enforce cybersecurity:

  • Private cloud: as opposed to the public cloud, the private cloud guarantees that the law firm will be the only party allowed access to the resources and information available in the cloud. Moreover, private clouds enable the law firm to negotiate service agreements with the provider, so as to ensure the proper level of security meets the law firm’s requirements.
  • Encryption and tokenization: encryption is the process of converting information or data into a code, whereas tokenization is the process of substituting data with symbols which have no extrinsic or exploitable value. Both methods seek to protect confidential information from third parties.
  • Internal code of conduct: this suggests the need for some sort of code to be implemented within the law firm. The code would use decisive and unique measures and accountabilities to adapt to the specific security requirements of each law firm.

All of the above would work in conjunction with one another to properly ensure our law firms are protected from emerging technological threats, without being disadvantaged. Finally, all the benefits and advantages relating to efficiency and cost reduction that are being advocated by the current digital transformation will still remain.

Jaime Sardina is a tax lawyer at Garrigues. He studied Law & Business Administration at ICADE and has been recently awarded with XII José María Cervelló prize for his paper “La ciberseguridad como deber deontológico del abogado: una mirada al futuro de la profesión”.

Note: The views expressed by the author of this paper are completely personal and do not represent the position of any affiliated institution.