On March 1, 2023, the U.S. federal government released a blueprint for cybersecurity known as the National Cybersecurity Strategy 2023 (NCS). While the NCS is not legally binding, it lays out guidelines for the national approach to cyber threats.
What exactly are the NCS guidelines?
In the coming years, what can we expect in cybersecurity on the national stage?
And, most importantly for this article, what will the impact be on law firms? We explore these questions below.
What is the National Cybersecurity Strategy?
The National Cybersecurity Strategy details the Biden Administration’s approach to better secure cyberspace and ensure the United States can take full advantage of digital technologies.
As of now, it is not legally binding and only constitutes a blueprint for future legislation and regulations.
The NCS serves as a framework to protect against cyber threats to critical infrastructure and is part of the administration’s overall efforts to strengthen technology governance.
So why is the NCS necessary?
Cyber threats are continuing to exact economic and societal damage while growing ever more sophisticated. The average cost of a ransomware attack was over $4.5 million in 2022.
In addition, the NCS identifies several foreign countries with the potential to use their cyber capabilities in ways harmful to U.S. and international interests.
What guidelines does the National Cybersecurity Strategy set forth?
The NCS sets forth five pillars, as follows:
- Defend critical infrastructure
- Disrupt and dismantle threat actors
- Shape market forces to drive security and resilience
- Invest in a resilient future
- Forge international partnerships to pursue shared goals
The first pillar, infrastructure defense, is to be accomplished by establishing minimum cybersecurity requirements. The second pillar seeks to address the threats of ransomware and other cyber attacks by working with the private sector and international partners. The fourth and fifth pillars deal with (1) cybersecurity research and development and (2) working with U.S. allies and partners to counter cyber threats.
The third pillar, shaping market forces to drive security and resilience, is the one most likely to impact the private sector and law firms in general. We address this pillar in the section below.
Shaping market forces to improve cybersecurity
The NCS’s third pillar is based on the understanding that market forces alone have not been sufficient to drive best practices in cybersecurity. For that reason, the NCS advocates for financial incentives and disincentives to promote security in digital technology.
Some of the main tools set forth include (1) imposing accountability for data stewards to ensure they protect personal data and (2) shifting liability for data losses and harm caused by cybersecurity breaches.
The liability shifting is intended to be toward software vendors and away from the people and companies that use the software. The NCS seeks to end the common practice of software vendors disclaiming liability by contract.
While these vendors must have the freedom to innovate, they must also be held liable when software vulnerabilities result in harm to individuals, businesses, and infrastructure.
To that end, the Biden administration pledges to work with Congress and the private sector to prevent software vendors from fully disclaiming liability and establish higher standards of care for software.
What are the repercussions for law firms?
Law firms tend to handle and store a great deal of confidential client information. On top of this, attorneys are vested with a special obligation to safeguard any client communications or case-related information.
With the widespread use of cloud-based digital tools for practice management and a wide array of legal activities, the NCS — and the industry trends it will set in motion — must be top of mind for legal practices.
It is important to note the NCS ultimately pushes for lighter penalties for businesses that use software.
For law firms using legal technology, they can rest assured the legal tech vendors will shoulder more of the liability burden for data breaches and cyber attacks.
Meanwhile, the heightened obligations of software vendors should result in legal software having fewer vulnerabilities in the long run.
However, the NCS does not completely absolve end users such as law firms from responsibility for cybersecurity. Ultimately, lawyers owe the duty of confidentiality to their clients — it’s not the tech vendors that are responsible for your client relationships and security practices.
Nonetheless, a legal practice using software can have greater assurance they will not be held liable for a cyber breach over which they had no direct control.
The coming years will reveal how much of the National Cybersecurity Strategy comes into fruition in different jurisdictions. In the meantime, law firms should not view the NCS as a cause for alarm. Instead, firms should realize the strategy will likely usher in an age of even more secure software that firms can use to make their operations more efficient.
