All lawyers face technology threats, ranging from the inconvenient to practice-threatening disasters. From unauthorized access, lawyers risk having confidential information stolen, destroyed or made inaccessible. Hackers might be thrill seekers, criminals seeking to monetize information or denials of access, or state-sponsored attackers seeking intellectual property. Cybersecurity, which includes computer system security, describes the many steps that can be taken to protect computer users, including lawyers, from these threats.
Legal ethics require lawyers to know enough about cybersecurity to protect clients’ confidentiality and to practice law competently. In light of new technology and evolving security concerns, and to guide lawyers regarding the use of technology, the American Bar Association amended the Model Rules of Professional Conduct. These technology amendments primarily changed Model Rules 1.6 (Confidentiality of Information) and 1.1 (Competence). In a state-by-state chart updated March 21, 2017, the ABA reports that 34 states have adopted all or most of the model rules technology amendments and another nine states are “studying” the amendments. Even for lawyers in a state that has not adopted these amendments, ethics require enough technological competence to protect clients’ confidentiality and require basic legal competence.
So what are today’s cybertechnology risks for lawyers? Every lawyer should consider password fundamentals, mobile security, avoiding scams and computer system security. In the past, I have written about password fundamentals and mobile security, and will address avoiding scams in another soon-to-be-published article. Here, in this article, the cybersecurity focus is on computer system security.
Cybersecurity Steps Every Lawyer Should Consider
To be competent, lawyers should plan ahead for technology risks. It would be a mistake for a lawyer to assume that the risk of being hacked cannot be significantly reduced. Hackers typically use bots to scan random computer systems, looking for vulnerabilities to exploit. Hackers often go after the low-hanging fruit — those who do not take steps and do not have a plan to stop them.
A lawyer’s cybersecurity plan should include steps to avoid problems from known vulnerabilities. But a plan should also include what to do if a hacker is successful or other problems are not avoided. And that plan should be periodically updated.
Foremost, a lawyer probably should hire a good computer security consultant for the specifics on safeguards to protect entire computer systems. For example, a lawyer should make sure that his or her computer system has updated antivirus software and other security software, including a firewall. Unless one is the rare lawyer with the technical skills and background, finding someone with the expertise to help is advisable.
For interested lawyers, the ABA cybersecurity legal task force’s website gathers numerous resources, including descriptions and links for cybersecurity events, legislation and news. For example, the task force webpage describes a two-day CLE event, the Second Internet of Things National Institute, to be held May 10-11, 2017, in Washington D.C., and announces “Cyber Risk Management: How Lawyers, Corporations and Governments Deal with Risks,” an Aug. 12, 2017, presentation at the ABA annual meeting in New York.
For any lawyer, his or her cybersecurity plan should include reasonable steps to make computer systems more secure and to limit vulnerabilities. When identifying parts of a computer system to safeguard, a lawyer should consider not only the vulnerabilities of servers, desktops and laptops, but also tablets, smart phones, copiers, scanners or any other device that can connect to a computer system. A hacker can gain computer access by taking advantage of the vulnerabilities of any part of a computer system.
A lawyer should consider regularly updating software and replacing software that can no longer be updated. For example, 10 percent of the lawyers responding to the ABA’s 2015 legal technology survey report responded that they still use Windows XP. Because Microsoft no longer supports Windows XP, it no longer has security updates. Windows XP still operates, but becomes more and more vulnerable to security risks and malware infections as time passes.
For all electronic data (i.e., information), a lawyer should consider whether the data should be encrypted. Encryption is the process of encoding data so hackers cannot read it, but authorized parties can. Encryption turns words into scrambled gibberish. Without the encryption key, deciphering encrypted data is very difficult if not impossible.
A lawyer should also consider what data might need to be encrypted. A lawyer should use an email program that automatically encrypts data when sent. Another issue is whether to encrypt data at rest. Such encryption complicates the user experience; encrypting all electronic information interferes with using the information efficiently. Data taken out of the office creates additional risks. When data relating to the representation of a client is on a portable hard drive, a thumb drive, a mobile device, or attached to an email, whether it should be encrypted requires thought and depends on a number of factors. Many free encryption tools are available.
Another consideration is whether safeguards comply with the Health Insurance Portability and Accountability Act and Gramm-Leach-Bliley Act. Even if a lawyer does not represent healthcare providers or financial institutions, he or she is likely to have medical and financial information that raises similar confidentiality issues. One might also argue that all confidential information, including attorney-client communications, should be protected with the same or similar safeguards.
A lawyer should consider complying with regulations applicable to clients’ industries, as well as complying with concepts from industry-specific regulations even if not practicing in that industry. For example, the New York State Department of Financial Services (NYDFS) recently issued cybersecurity regulations, effective March 1, 2017, for banks, insurance companies and certain other financial service providers. These regulations require, with varying dates, covered entities to take a number of steps, including encrypting nonpublic information or using alternative compensating controls, having a cybersecurity program, a cybersecurity policy, and a chief information security officer, maintaining and retaining for five years certain documents for an audit trail, and having written policies or guidelines for third-party vendors.
Regular automatic backups of computer systems, kept separate from the main computer systems, are another consideration. If hacked, a lawyer may need clean backups to continue representing his or her clients. In anticipation of natural disasters, a lawyer should also consider having such backups in more than one location, or at least geographically remote from the main computer systems.
Another issue is whether lawyers should use the cloud. First, this cloud has nothing to do with weather. Referring to “the cloud” means a computer accessible through the Internet. A lawyer using the cloud stores data on a computer owned by a third party. Because cloud computing places client data on remote servers not in a lawyer’s direct control, the issue becomes whether lawyers should store client information on the cloud.
According to an ABA webpage that summarizes cloud ethics opinions, 20 states have considered whether a lawyer can use cloud computing and they all advised yes, if reasonable care is used. Often, using a cloud vendor is more secure than the lawyer’s own computer systems. A cloud vendor is also likely to have better backup capability. If considering a cloud vendor, a lawyer might include asking or investigating the following questions:
- How does the vendor safeguard data?
- Are the vendor’s safeguards HIPAA and GLB compliant?
- After data is deleted, can the vendor certify that it is destroyed?
- How often does the vendor back up data?
- Does the vendor back up data in multiple locations?
- How stable is the vendor as a business entity?
- Does accessing the lawyer’s data require proprietary software?
- If the relationship ends, how is the data accessed and returned?
- What confidentiality provisions are in the vendor’s standard contract?
- Will the vendor agree to other confidentiality provisions?
In summary, when choosing a cloud vendor, a lawyer should consider whether the data will be secure and backed-up and whether he or she will have any problems if and when the relationship with the vendor ends. For any technology-related vendor, a lawyer should consider these same concerns and many of these same questions.
The ABA cybersecurity legal task force in October 2016 published a 27-page, single-spaced “Vendor Contracting Project: Cybersecurity Checklist” to assist lawyers in addressing information security requirements in their transactions with vendors. The checklist addresses vendor selection, but also risk assessment, due diligence and contract provisions. An appendix also gives examples of what the National Institute of Standards and Technology has identified as key areas that must be addressed in a cybersecurity program.
Examples of cloud storage and sharing services include Dropbox, Google Drive, Box, and Microsoft OneDrive for Business. According to a Legal IT Insider April 2016 article urging network security administrators to block Dropbox from corporate computer networks, Dropbox is the most popular cloud file storage and sharing service, with more than 300 million users, including many lawyers. Whether Dropbox — even Dropbox for Business — is secure enough for businesses has been questioned. It has been annually reported that Dropbox has been identified as the app that companies ban more than any other. In 2016, Dropbox apparently responded to these concerns, publishing “Dropbox Business security: A Dropbox whitepaper.”
Another computer system consideration might be what to do with computers when they are no longer being used. Lawyers should be careful when discarding computers, copiers and any other devices storing data. A risk that is easily overlooked is data remaining on leased computers and copiers. For example, the U.S. Department of Health and Human Services reported that Affinity Health Plan Inc. paid a fine of $1,215,780 for alleged HIPAA violations after it returned multiple copiers to a leasing agent without erasing data on the copiers’ hard drives.
Finally, a lawyer should consider cyberliability insurance. Policies vary widely with exclusions and riders that may or may not suit a particular legal practice. Buyer beware. According to a February 2017 press release, the American Bar Association has expanded its insurance offerings to include cyberinsurance underwritten by Chubb Limited, and the policy “includes cyber coverage for a firm’s own expenses, such as network extortion, income loss and forensics, associated with a cyber-incident as well as for liability protection and defense costs. The coverage can be tailored to meet a law firm’s unique needs and also includes Chubb’s loss mitigation services both before an incident and following an incident.”
As emphasized by the model rules’ 2012 technology amendments, an ethical lawyer should have reasonable technological competence. A lawyer should use good judgment, taking reasonable steps to have cybersecurity to protect his or her computer system.