What is Cybersecurity Compliance?

As members of a self-governing profession, law firms are bound by the Rules of Professional Ethics in addition to state, federal, and (sometimes) international regulations. Cybersecurity compliance means ensuring that you are following all of the regulations that apply to your firm as a business, as well as the rules of conduct that apply to members of your firm as attorneys. As such, cybersecurity compliance requires cross-specialty training in both technology and law.

Why is Cybersecurity Compliance Important?

The first and most obvious reason why cybersecurity compliance is important is that the rules are there to protect you and your clients. They were written to prevent your firm from being vulnerable to each and every threat floating around the internet, and to ensure that you have enough harm-mitigation strategies in place to prevent a data breach from bankrupting you.

Of course, you can abate human error, but you can’t eliminate it. Even if you have excellent informal cybersecurity practices, you may still be the victim of a data breach. That’s why the Colorado Bar Association doesn’t consider a data breach alone to be grounds for professional sanction. Instead, it looks to see whether you had sufficient firm-wide cybersecurity procedures in place. If you didn’t have any formal procedures in place prior to the breach, you were out of compliance with the C.R.P.E., Colorado law, and best-practices guidelines. This could expose your firm to a litany of consequences including, but not limited to:

  • Irretrievably losing vital work product.

  • Having to pay extortionate amounts of money to ransomware attackers.

  • Facing bank fines of up to $500,000.00 for PCI violations.

  • Being sued by Colorado’s attorney general for statutory non-compliance.

  • Malpractice liability.