Vermont Bar Journal, Vol. 40, No. 2, Summer 2019 | Page 40

BOOK REVIEW

The ABA Cybersecurity Handbook (2nd Edition, 2018)

By Jill D. Rhodes & Robert S. Litt

Reviewed by James Knapp, Esq.

This well-organized book strikes a good balance between describing the current state of cybersecurity risks and reminding readers that the nature and scope of cyber incidents are always expanding and changing. The information provided in the book is sufficiently generally applicable so as not to risk becoming obsolete as the landscape of cybersecurity shifts and changes with time.

The ABA Cybersecurity Handbook is organized in four sections, beginning with the basic concepts of cybersecurity and proceeding through the basis for attorneys’ legal and ethical obligations regarding cybersecurity. The middle section includes chapters on when and how to discuss cybersecurity with clients, with discussion addressed to different types of practices including small firms, in-house counsel, government attorneys, and public interest attorneys. There is an entire chapter on insurance aspects of cybersecurity as well. The substantial appendices include relevant federal and state statutes and case law, and a collection of ethics opinions related to cybersecurity.

Section I of the book includes three chapters, one of which provides a primer on cybersecurity risks. That chapter discusses the general nature of common cybersecurity risks that might confront an attorney in whatever area she or he might practice. The material is addressed in language that a person with a basic grasp of technology will understand, making the material accessible to those who may feel that they do not have enough knowledge to understand the scope of the cybersecurity issues. The third chapter in Section I speaks to the concepts of networking, both locally and on the internet. Those with an interest in the topic, but limited familiarity, will find helpful content.

Section II of the book contains information that any attorney using technology in their practice should understand. Through the course of three chapters, the authors and contributors explain in detail an attorney’s legal obligations to manage cybersecurity issues in their practice and the ethical obligations regarding protection of data in the attorney’s custody. The chapters on legal obligations and ethical obligations should be read by every attorney who has any responsibility for management of a law firm, whether a solo, small firm or large firm. The risks of failing to understand the scope of the duties regarding data in the possession of law firms are too great to leave to a general concept gleaned from a one- or two-hour seminar.

Section II, Chapter 4 addresses the legal basis for the obligation to secure data, derived from statutory law and common law, and touches on the ethical requirements. Within that discussion the authors of the Chapter helpfully point out the kinds of data that are covered and, more importantly, discuss the legal standards for what constitutes “reasonable security” in the context of the practice of law.

Section II, Chapter 5 provides a basic explanation of the international framework imposing obligations for securing data in the possession of a law practice. Generally, local law firms may not think about the international impacts of their practice, though many Vermont firms have clients who live and work in other countries. It is wise to consider what impact, if any, laws and treaties may have when dealing with people living and working in other countries. That is particularly so, given the ease with which communications can cross national boundaries when conducted in cyberspace.

Section II, Chapter 6 examines the spectrum of ethics opinions addressing attorneys’ obligations related to data security.
At the beginning of the Chapter, the authors examine ABA Formal Opinion 477R addressing data security. The remainder of the chapter includes commentary on the text of the ABA Model Rules as those rules apply to technology and data security, referencing a mix of State and ABA opinions. The chapter also discusses favorite topics such as encryption of email, the duty to warn clients about potential third-party access to shared computers, cloud computing and social media. The final section contains an interesting list of 10 points regarding the intersection of ethical obligations and technology. The appendices collect references to ethics opinions from the ABA and State ethics advisory committees on technology and cybersecurity issues, making it easier to find guidance from around the country.

The seventh chapter introduces a topic that is not often considered by most attorneys practicing in Vermont: “Occasions When Counsel Should Consider Initiating a Conversation about Cybersecurity with the Client.” The chapter provides an introduction to a number of situations when technology and cybersecurity will impact a client’s interests. The authors also provide suggestions to help the practicing attorney think about certain cybersecurity and technology topics to discuss with clients. The discussion points are organized by subject matter; for example, there is a subsection providing discussion points for use with clients when litigation is threatened or becomes a possibility. Every attorney, not just litigators, should have enough knowledge to give clients clear instructions on their obligations regarding preservation of digital information in the case of potential litigation. The talking points in that section offer up a primer for the non-litigator and a good reminder for the occasional litigator.

Section III of the book switches focus from cybersecurity and technology competence generally to offering guidance to several types of practices. There is a chapter dedicated to each category of large firm, small firm, in-house counsel, government attorneys and public interest attorneys. Each chapter focuses on aspects of the practice type and how the general topics offered up in the first part of the book would apply in the practice setting.

Section III ends with “Get SMART on Data Protection Training and How to Create a Culture of Awareness.” As the authors and contributors regularly point out throughout the book, being aware of the risks and creating an awareness in everyone in the firm, department or division, about the types of cybersecurity risks is the start of limiting exposure. One of the most difficult challenges for the average Vermont law firm or small corporate department is finding the resources to create a viable training program. Chapter 13 provides a framework within which a firm manager or department head can develop a program for the individuals in their firm or department.

For all the useful information presented in Sections I, II and III of the book, there is significant value for any attorney practicing law in any setting without a dedicated information security department in Section IV of this book. The final chapter of Section III and the two chapters in Section IV