Extract from Steven W. Teppler’s article “The Expanding Cyber Liability Landscape for Attorneys: Upstream and Downstream Risks”
Attorneys and law firms face increasing cyber liability from multiple directions, including regulators, state attorneys general, and class action litigants. As stewards of highly sensitive client data, legal professionals are being held accountable not only for their own cybersecurity practices but also for those of their vendors and service providers.
Cybersecurity threats to law firms are intensifying as regulators, clients, and the courts impose stricter requirements on the legal profession’s handling of sensitive data.
Attorneys are now exposed to both upstream and downstream cyber liability, facing regulatory enforcement, professional discipline, and civil litigation arising from cybersecurity failures.
Upstream liability stems from obligations imposed by regulators, state attorneys general, and courts, as well as risks introduced by third-party service providers such as core IT service providers, cloud storage vendors, e-discovery platforms, and “Managed Security Providers” or “MSPs”. When these MSPs experience breaches or fail to meet compliance standards, law firms can face regulatory scrutiny and legal consequences.
