Improve your cybersecurity without a Ph.D.
By Claude Ducloux
Nothing strikes terror into the heart of a busy practitioner like the haunting fear of losing client information due to inadequate digital security. Hacking, viruses, and the increasing danger of ransomware present challenges never before experienced by our legal predecessors, who could keep client information safely under lock and key.
The facts and figures about cyber losses across the country are startling: an estimated $325 million was lost to ransomware alone in 2015, with a predicted increase to $11.5 billion in 2019. Cybersecurity Market Report, an online publication, estimates that cybercrime damages will exceed $6 trillion annually by 2021. We have already seen a string of law firms breached in 2015-2016 to obtain secrets on upcoming mergers and acquisitions. With each breach, lawyers stand to lose sensitive information, suffer business disruption, and face the complete loss of client trust.
Where Do We Start?
What steps can we take that make sense, and, more importantly, steps that are understandable to the average practitioner, who has good intentions but a limited budget to employ experts?
First, let’s understand the problem: The “insider threat” is the most significant risk that firms take. Giving all employees passwords and access to files means that your employees can take digital copies out of the office, intentionally and often unintentionally, on thumb drives with more storage than ever before. Disgruntled employees account for roughly 20 percent of all lost or copied data that leave a business.
Second, our demand for 24/7 access from anywhere leads to leaks over unsecured Wi-Fi and to information obtained from our lost devices.
Third, our reluctance to change our passwords, and to strengthen those we have, means most of us use the same combinations for all our sites, making it infinitely easier to hack our systems.
Let’s see how we can address these issues in some simple steps.
The Cyber-Asset Inventory
Every lawyer should make an inventory listing each device used by the lawyers and their support staff. (Free templates are available for this purpose from several sources online, but you can easily create your own.) The list should include each computer and laptop, the owner, the user, and the make and model. If your firm uses mobile devices or tablets (e.g. iPads), those assets should be included in the inventory. The inventory should also identify the internet service provider, or ISP, the network hardware, and how it is configured. Do you have a separate guest Wi-Fi? Who has Wi-Fi access? Is each channel password protected? How often do you change those passwords?
The purpose of this inventory is to see who has access to which devices, and to see if all those people actually need access. Limiting access by changing and hardening passwords is a direct way to prevent a disgruntled employee from copying files for others. For example, few employees should have access to accounting information or bank accounts. Limit access whenever possible to those individuals who have a proven need to know.
A second purpose of this inventory is to ensure you are backing up information from all those devices in case of a breach or virus. Seeing the number of devices on a page gives you a checklist with which to confirm that each device has some means of regular backup. It also forces you to decide where those backups are kept and who has access to them. The overall goal is to strengthen every asset in your office, limit employee access when access is not necessary, and make sure backups are updating.
Weak passwords are the easiest way to hack into private information. This includes networks, Wi-Fi, email, and all other accounts we are forced to use every day. The experts recommend using a password manager, which can generate very strong passwords, and you only need to remember one very strong password to access that manager program. As a general rule, in making our passwords we are told to avoid dictionary words, foreign words, slang or jargon, and names associated with you. We should use 12 or more characters, upper and lowercase, and numbers and symbols.
In our office, we are required to have 12-digit passwords changed every 90 days. Further, we have dual authentication if we’re logging in from another computer, which means every attempt to log in sends a multi-digit code to our cellphones to ensure we are the person logging in. It only takes another 20 seconds, but it gives us a great sense of security. Gmail and most providers will enable dual authentication for added security.
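As an added example, not code from the article, here is a small Python checker that applies the password rules above: 12 or more characters, upper and lowercase letters, numbers and symbols, no dictionary words or names associated with you, and no reuse of one password across several sites. The word lists and the sample account table are constructed for the demonstration; a real check would load a full dictionary.

```python
import string

# Constructed word lists for the demo. A real checker would load a large
# dictionary file and the names, firm name and city associated with the user.
DICTIONARY_WORDS = ("password", "welcome", "justice", "lawyer", "summer", "austin")
PERSONAL_NAMES = ("claude", "ducloux", "texas")
MIN_LENGTH = 12


def check_password(password, personal_names=PERSONAL_NAMES, dictionary=DICTIONARY_WORDS):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    lowered = password.lower()
    # Substring match, so "Password123!" still trips on the dictionary word "password".
    for word in dictionary:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for name in personal_names:
        if name in lowered:
            problems.append(f"contains personal name '{name}'")
    return problems


def find_reused_passwords(accounts):
    """accounts maps site name -> password; returns {password: [sites]} for any
    password used on two or more sites (the 'same combination everywhere' habit)."""
    by_password = {}
    for site, password in accounts.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample data: three accounts, two of which share a password.
SAMPLE_ACCOUNTS = {"email": "Summer2018!!", "bank": "Summer2018!!", "bar-portal": "xq7#Tm9&vL2p"}

if __name__ == "__main__":
    for site, pw in SAMPLE_ACCOUNTS.items():
        print(site, check_password(pw) or "OK")
    print("reused:", find_reused_passwords(SAMPLE_ACCOUNTS))
```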
Fortify Your Office
In my CLE lectures, I humorously advise, “Don’t let your 15-year-old set up your Wi-Fi.” Sure, they’ll do a better job than you will but won’t employ the standards needed, nor change the manufacturer’s password. Always remember that the same rules should apply to your Wi-Fi as to your email: generate a very strong password, require network authentication, and select Wi-Fi Protected Access 2, or WPA2, for most small practices. Most importantly, make sure you have a guest network that is separate from your office network. Most routers support one or more guest networks. Don’t use a router that does not have separate guest network capability.
Simple Updates to Your
Your office computers can be a treasure trove for an attacker, and there are multiple routes in, from open network connectivity to targeted malware. (A recent report revealed cybercriminals hacked an unnamed casino through its internet-connected thermometer in an aquarium in the lobby of the casino.) Fortunately, there are a few key tools at your disposal to counter these threats, and you should enable them. They include automatic updates, antivirus/anti-malware, and a firewall. Don’t assume these easy solutions have already been enabled. On Windows systems you can usually find them by going to “Control Panel > System and Security” and enabling them. Most newer computers also support “whole-drive” encryption. Check to see if you have an encryption setting or ask your manufacturer.
Be Wary of Websites You Visit
Always remember to check that the address of the website you’re visiting starts with “https,” as that final “s” indicates that the connection is encrypted and cannot be read by others on the network. It does not by itself prove that the site is who it claims to be.
Dealing With Clients
Most lawyers overlook this easy step during the client interview—always ask if the client has special security needs. Will you be handling intellectual property or other specific information that requires enhanced cybersecurity? If so, how would the client want that handled? It is reasonable to tell the client that you will use their special encryption software, but they must either provide it or reimburse you for installing it. This important but overlooked step was discussed in depth in American Bar Association Formal Opinion 477R, which was published in June 2017.
Formal Opinion 477R
As technology advances, lawyers must determine whether it continues to be safe to send confidential information over the internet or whether additional security methods should be implemented.
The ABA restates the factors outlined in paragraph 18 of the Comment to Model Rule 1.6:
The sensitivity of the information;
The likelihood of disclosure if additional safeguards are not employed;
The cost of employing additional safeguards;
The difficulty of implementing the safeguards; and
The adverse effect of the safeguards on the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Upon consideration of these factors, lawyers are directed to consider using these seven steps to help guard against disclosure:
1. Understand the nature of the threat. Consider the sensitivity of the client’s information and risk of cybertheft. If there is a higher risk, greater protections may be warranted.
2. Understand how client confidential information is transmitted and where it is stored. Understand how your firm manages and accesses client data. Be aware that use of multiple devices means multiple access points.
3. Understand and use reasonable electronic security measures. Use reasonable protections for client data. This may include security procedures such as using secure Wi-Fi, firewalls, and anti-spyware/anti-virus software and encryption.
4. Determine how electronic communications about clients’ matters should be protected. Discuss with the client the level of security that is appropriate when communicating electronically. If the information is sensitive or warrants extra security, consider safeguards such as encryption or password protection for attachments. Take into account the client’s level of sophistication.
5. Label client confidential information. Mark communications as privileged and confidential to put any unintended lawyer recipient on notice that the information is privileged and confidential. Once on notice, under Model Rule 4.4(b) Respect for Rights of Third Persons, the inadvertent recipient would be on notice to promptly notify the sender.
6. Train lawyers and non-lawyer assistants in technology and information security. Take steps to ensure that lawyers and support personnel in the firm are trained to use reasonably secure methods of communication with clients. Also, periodically reassess and update security procedures.
7. Conduct due diligence on vendors providing communication technology. Take steps to ensure that any outside vendor’s conduct comports with the professional obligations of the lawyer.
A full copy of this ABA Formal Opinion is downloadable and contains excellent discussions of security precautions.
At the very minimum, every law firm employee should be instructed on the nature of private information and admonished that the law requires that no such information leave the office in any form without the approval of the supervising attorney. In my own office, my longtime legal assistant knows that, no matter how well she knows the opposing counsel, she must check with me before any private sensitive information is transmitted or delivered from our client file.
The State Bar of Texas PDP-CLE Joint Resolution
The State Bar of Texas recognizes the critical nature of cybersecurity and the increasing importance of lawyers’ duty to acquire knowledge and technical skills in these areas. On April 18, 2018, at the joint meeting of the State Bar of Texas Committee on Legal Education and the Professional Development Committee, the members in attendance jointly and unanimously adopted a resolution acknowledging that:
WHEREAS, the practice of law is now inextricably intertwined with technology for the delivery of services, the docketing of legal processes, communications, and the storage and transfer of client information, including sensitive private and confidential information and other protected data;
and further relating that:
“the continued competency of Texas lawyers to deliver services, communicate, and protect such information is dependent on technology skills and competency;”
That the mission of CLE should include:
“… information on technology, technical skills, and the implementation required to operate in a manner which enhances the ethical and competent delivery of legal services, and the security of client information.”
The joint resolution further explains:
“… lawyers should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
BE IT FURTHER RESOLVED: The above committees recommend that Texas Disciplinary Rule of Professional Conduct 1.01, comment 8 be revised as follows:
8. Because of the vital role of lawyers in the legal process, each lawyer should strive to become and remain proficient and competent in the practice of law, including the benefits and risks associated with relevant technology. To maintain the requisite knowledge and skill of a competent practitioner, a lawyer should engage in continuing study and education. If a system of peer review has been established, the lawyer should consider making use of it in appropriate circumstances. Isolated instances of faulty conduct or decision should be identified for purposes of additional study or instruction.
RESOLVED and unanimously adopted this 18th day of April, 2018.
/s/Xavier Rodriguez, Chair, SBOT CLE Committee
/s/Gary L. Nickelson, SBOT PDP Committee
The resolution was considered by the State Bar Board of Directors and submitted to the Texas Supreme Court for consideration. On September 10, 2018, the court requested that the Committee on Disciplinary Rules and Referenda study the proposed amendment and make recommendations to the court.
The need to review and enhance your firm’s cybersecurity is real. But a respect for the cleverness of hackers and the continuing fiduciary duty you have to protect client information should result in good habits, good processes, and implementing some relatively easy improvements to your office security. Remember the old joke: “You’re not paranoid if people really are out to get you.” Having been a victim of a ransomware attack myself, I treat every incoming email with care and delete all suspicious messages immediately. If you do believe it is a real email, call the sender first when in doubt. TBJ
Claude Ducloux is certified in civil trial and civil appellate law by the Texas Board of Legal Specialization. He serves on the Texas Supreme Court Committee on Disciplinary Rules and Referenda and is the national director of education and ethics for LawPay in Austin.