Back to All News Articles >

COVID-19 Has Disrupted the Legal Industry

Posted by  Carolynn Beck

COVID-19 Has Disrupted the Legal Industry

Carolynn Beck and Conor McDonough

There is no doubt that the COVID-19 pandemic has
had a significant impact on the legal industry. At the
beginning of the pandemic, law firms who had failed to
adopt remote working technology for their lawyers and
staff grappled with new social distancing limitations on
their traditional approach to practice. Some firms were
forced to furlough or lay off their people, and many wellestablished firms braced themselves for the predicted lack
of productivity in the months ahead by reducing partner
draws and cutting associate salaries.
Compounding these issues, courts varied in their
approaches to the pandemic, requiring multi-jurisdictional
attorneys to adjust to more than one new litigation
normal.1 Some courts quickly transitioned to virtual
hearings, while others simply shut down for months and
forbade new filings. Some court systems had previously
adopted electronic filing methods, or quickly adjusted to
allow attorneys to do so, while others required lawyers to
submit their filings by mail, causing additional slowdown
in the progression of cases. Outside of court, prudent
lawyers started conducting depositions and witness
interviews remotely to observe social distancing rules.
The increased need for remote depositions, typically
conducted via videoconferencing software, presented, for
some lawyers, novel logistical and security challenges.
In other words, the legal landscape has changed
rapidly in the last few months. Distancing requirements
have forced a decade’s worth of technology transformation
in the legal industry into the span of mere months.2 Some
firms are finding the adjustment easier than others.3
A May 2020 survey from Martindale-Avvo found that
81% of surveyed law firms had decreased revenues in
the wake of COVID-19. 4 Of those firms, 27% reportedthat revenue had declined by more than half since the
start of the COVID-19 pandemic.5 It is not all bad news,
however. It is too early to predict with any certainty
whether the technology changes will be permanent, but
initial data and anecdotal evidence seems promising—a
recent survey conducted by MyCase indicates 80% of
law firms have transitioned to working remotely, 64% of
law firms have been using videoconferencing tools since
the beginning of the pandemic, and 25% of law firms
upgraded hardware (such as laptops and phones).6
A majority of surveyed law firms reported
transitioning to working from home in a week or less,
with 6% taking two to three weeks to adapt, and 4%
still transitioning.7 Some are predicting the COVID-19
experience may motivate previously skeptical law firm
employees to buy into legal technology.8 And where
advances in computer sciences have led to technologies
that may supplant or heavily supplement certain aspects
of legal practice, being aware of technology developments
can provide lawyers access to tools that allow them to
stay nimble.

All Law Firms Should View This as an Opportunity
to Make Long Overdue Updates to Their Legal

The COVID-19 pandemic has already been a catalyst
for change to firms who resisted updating their data and
staff management practices pre-pandemic. And law firms
who had prepared their employees to work from home
long before nationwide lockdowns and closures of office
spaces continued with business as usual in March of
2020.10 Though the legal field is steeped in tradition, it
is not without its fair share of disruptors who have long
been pushing for a change in the way legal work is done.
As observed during the aftermath of the 2008 financial
crisis, many law firms on the forefront of innovation,
technological or otherwise, saw significant successes.11
Similarly, the COVID-19 crisis has led to a reassessment
of law firm structure and culture by law firms and clients
alike, including, most obviously, the viability of remote
work.12 The pandemic has taught us that simply adopting
established, tested technologies can result in significant
operational resilience and competitive advantage.
In addition, there are reasons to consider the ethical
obligations of competence as related to technology. A
majority of jurisdictions have adopted recent amendments
to American Bar Association (ABA) model rule 1.1,
comment 8: “a lawyer should keep abreast of changes in
the law and its practice, including the benefits and risks
associated with relevant technology.”13 Theoretically,
the failure to implement basic technology measures
allowing for more secure storage and/or transmission of
confidential client data could see attorneys running afoul
of this rule.
The May 2020 Martindale-Avvo survey has indicated
that more than 50% of lawyers are planning to allow their
staff to work remotely in some fashion once the pandemic
is over.14 For firms that have been forced to pack a
decade’s worth of adoption of technology into a span
of mere months, the prospect of making these changes
permanent may be daunting. However, being properly
equipped for remote work allows firms to implement
overhead-cutting measures—most significantly, the real
estate demands of most traditional law firms, along with
the attendant costs associated with providing office space
to all their lawyers.

As Law Firms Update Their Technology They Must
Do So Thoughtfully

There are a multitude of relevant security and ethical
considerations law firms should be prioritizing now that
the dust is starting to settle and remote working legal
technologies are becoming more prevalent. In addition
to rule 1.1, ethical rules relevant to consider as attorneys
adopt such technology include ABA model rules 1.6(c)
(lawyers must “make reasonable efforts to prevent the
inadvertent or unauthorized disclosure of, or unauthorized
access to, information relating to the representation of a
client”), 5.1 (Responsibilities of a Partner or Supervisory
Lawyer), 5.2 (Responsibilities of a Subordinate Lawyer),
and 5.3 (Responsibilities Regarding Non-Lawyer
Assistance).16 In other words—law firm leadership must
ensure they are taking appropriate security measures and
training their lawyers and staff to protect client files and
confidential information.
Even the relative “innovators” of the law firm world,
however, are failing to take basic steps to secure client
data. Lawyers who reported in a pre-pandemic 2019
ABA technology survey that they already used cloudbased services reported a shocking lack of attention to
recognized confidentiality, security, and due diligence
issues.17 As cloud-based data storage and other basic legal
technologies become more prevalent (and permanent)
post-COVID-19 pandemic, it will become even more
critical for law firms to take a closer look at the basic
precautions they should be taking to ensure their lawyers
are complying with relevant ethical rules and protecting
their clients’ and law firms’ interests.
Though there are a multitude of considerations for
law firms who are considering making remote working
and/or adoption of legal technology a more permanent
fixture in their firms, we identify two basic considerations
which should be top of mind for any firm, below.
1. Do Your Due Diligence
As law firms consider legal technology vendors,
for cloud computing, e-discovery, or otherwise, it is
important to consider them in the proper context. These
are third-party service providers who do not, by default,
have the same ethical and/or legal obligations to the
clients of the firm hiring them. The results of the abovementioned 2019 technology survey by the ABA found
that about 58% of surveyed lawyers reported usingcloud-computing services pre-pandemic.18 Additionally,
whether or not they had chosen to adopt cloud-computing,
surveyed lawyers identified confidentiality and security
concerns and concerns about losing control of data as
their top concerns relating to cloud-based computing.19
And yet, only 28% of those lawyers who adopted cloudbased services had reviewed their cloud service providers’
privacy policies. Only 23% had reviewed the vendors’
company history, and only 4% negotiated confidentiality
agreements with their cloud service providers.20
Arguably, the failure to take these basic due
diligence measures could be a breach of lawyers’ ethical
duties to their clients. As articulated in a September
2017 Wisconsin ethics opinion, an assessment of the
reasonableness of an attorney’s efforts to protect client
data is commensurate with the risks presented.21 The
factors to be evaluated include, among a myriad of other
factors, the experience and reputation of the legal service
provider, the terms of the agreement, and the legal and
ethical environments of the jurisdictions within which
services will be performed.22
Similarly, the New York State Bar Association
Committee on Professional Ethics has provided that
reasonable care includes:
(1) ensuring that the provider has enforceable
obligations to preserve confidentiality and
security, and that the provider will notify the
lawyer if served with process requiring the
production of client information; (2) investigating
the online data storage provider’s security
measures, policies, recoverability methods,
and other procedures to determine if they are
adequate under the circumstances; (3) employing
available technology to guard against reasonably
foreseeable attempts to infiltrate the data that is
stored; and (4) investigating the storage provider’s
ability to purge and wipe any copies of the data,
and to move the data to a different host, if the
lawyer becomes dissatisfied with the storage
provider or for other reasons changes storage
Additionally, New York lawyers must stay informed
regarding any changes in the law or technology
which could affect privilege or confidentiality of the

In other words: do your research. Review your
vendor contracts to ensure your technology vendors are
taking at least the same security and privacy precautions
you would require if you controlled the data in-house,
and, more specifically, as required by the ethical rules of
the jurisdiction(s) where you practice.25
2. Cybersecurity Is Critical
In addition to reviewing and negotiating their vendor
contracts and vendor privacy and cybersecurity policies,
law firms should be implementing basic cybersecurity
precautions and planning to ensure they are preventing
cyber incidents and that they are prepared to respond
in the event of such an occurrence. In its 2019 legal
technology survey, the ABA found that over a quarter of
survey respondents reported security incidents, including
hacker activity, website exploits, and stolen hardware.26
Given the financial risk, for firms with a generous
budget dedicated to technology and/or cybersecurity,
the benefits of hiring cybersecurity experts to do a risk
assessment, put together an incident response plan, and
conduct employee training are obvious. But such services
are expensive—and not all firms have a dedicated
technology budget to spend on such services. There are
some basic steps any firm can, and should, be taking,
however, to help mitigate cybersecurity risks.
A. Conduct Security Awareness Training
By far, the biggest risk in any organization is its
people—a 2014 IBM study found that around 95% of
IT security breaches were caused by “human error.”27 In
other words, even if you install a firewall and advanced
virus and malware protection, and take other hardware
and software-driven measures to protect your data—all
those efforts can be rendered worthless if an employee
unwittingly falls prey to a phishing scam and provides
a username and password giving access to the firm’s
document database to a malicious actor.28
The COVID-19 crisis has, in fact, seen efforts of
hackers to take specific advantage of remote working
conditions to target sensitive and/or private business
information.29 Especially in light of the sudden transition
to remote working (and attendant technology), basic
security training for law firm employees should be top
priority. Attorneys and staff should be trained on good
password and wi-fi hygiene, identification of phishingemails, malware, ransomware, and the basics of social
engineering.30 Free or low-cost online resources are also
available to supplement employee training with simulated
phishing attack campaigns—a good way to identify
vulnerable users within the firm who could benefit from
additional education and training.31
B. Prepare an Incident Response Plan, and
Prevailing wisdom among cybersecurity industry
experts is that security breaches are not 100%
preventable—in other words, it is a question of “when,”
not “whether,” a security incident will eventually occur.32
The 2019 IBM survey found that “[c]ompanies with an
incident response team that also extensively tested their
incident response plan experienced $1.23 million less in
data breach costs on average than those that had neither
measure in place.”33 Preparing an incident response plan
reduces risk (and cost) by allowing organizations to act
quickly and in a coordinated fashion to secure data while
maintaining their operational capabilities, and to identify
vulnerabilities within the system in advance.
While detailing the preparation of an incident
response plan is outside of the scope of this article,
there are ample (and free) resources online to help any
organization walk through the basic components. At its
base, any cyber incident response plan should identify
(1) the key response team, and their roles and
responsibilities; (2) system and network information
mapping out where (and what) data and hardware is
stored; (3) planned procedures for incident handling,
communication, and recovery; (4) assessment of the
response and plans for improvement; and (5) reporting
to clients, vendors, business partners, and governmental
authorities as applicable.34
As a result of the COVID-19 pandemic, the legal
world has experienced an accelerated adoption of legal
technology. Law firms are already, or should be if they
are not, using this opportunity to make adoption of
technology within their practices a more permanent
change. As law firms make these technological shifts,
however, they must do so thoughtfully, keeping in mind
their ethical and legal obligations.