Cybersecurity
Tech Savvy
Improve your cybersecurity without a Ph.D.
By Claude Ducloux
Nothing strikes terror into the heart of a busy practitioner like the
haunting fear of losing client information due to inadequate digital
security. Hacking, viruses, and the increasing danger of ransomware
present challenges never before experienced by our legal predecessors,
who could keep client information safely under lock and key.
The facts and figures about cyber losses across the country are
startling: an estimated $325 million was lost to ransomware alone in
2015, and that figure was predicted to reach $11.5 billion in 2019.
Cybersecurity Market Report, an online publication, estimates that
cybercrime damages will exceed $6 trillion annually by 2021. We have
already seen a string of law firms breached in 2015-2016 to obtain
secrets on upcoming mergers and acquisitions. With each breach, lawyers
stand to lose sensitive information, suffer business disruption, and
forfeit client trust entirely.
Where Do We Start?
What steps can we take that make sense, and, more importantly, steps
that are understandable to the average practitioner, who has good
intentions but a limited budget to employ experts?
First, let’s understand the problem: The “insider threat” is the most
significant risk that firms face. Giving every employee passwords and
access to every file means that employees can carry digital copies out
of the office, intentionally and often unintentionally, on thumb drives
with more storage than ever before. Disgruntled employees account for
roughly 20 percent of all data that is lost or copied from a business.
Second, our demand for 24/7 access from anywhere leads to leaks over
unsecured Wi-Fi and to information recovered from our lost devices.
Third, our reluctance to change our passwords, and to strengthen those
we have, means most of us reuse the same combination on every site, so a
breach at any one of those sites hands an attacker the key to all of
them.
Let’s see how we can address these issues in some simple steps.
The Cyber-Asset Inventory
Every lawyer should keep an inventory of each device used by the lawyers
and their support staff. (Free templates are available for this purpose
from several sources online, but you can easily create your own.) The
list should include each computer and laptop, its owner, its user, and
the make and model. If your firm uses mobile devices or tablets (e.g.,
iPads), those assets belong in the inventory too, as does any personal
device that is used for firm work. Also record the internet service
provider, or ISP, the network hardware, and how it is configured. Do you
have a separate guest Wi-Fi? Who has Wi-Fi access? Is each network
password protected? How often do you change those passwords?
The purpose of this inventory is to see who has access to which devices
and data, and whether all those people actually need that access. Giving
each person an individual account rather than a shared login, and
hardening and rotating the passwords on those accounts, is a direct way
to keep a disgruntled employee from copying files for others, because
one person’s access can be cut off the day it is no longer needed. For
example, few employees should have access to accounting information or
bank accounts. Limit access whenever possible to those individuals who
have a proven need to know.
A second purpose of this inventory is to ensure you are backing up
information from all those devices in case of a breach or virus. Seeing
every device on one page gives you a checklist to confirm that each one
has some means of regular backup. It also forces you to decide where the
backups are kept and who has access to them. At least one copy should be
kept offline or otherwise disconnected, because ransomware will encrypt
any backup drive it can reach, and a backup is only proven when you have
actually restored a file from it. The overall goal is to strengthen
every asset in your office, limit employee access when access is not
necessary, and make sure backups are running.
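The two checks the inventory is meant to support, stale or missing backups and people who can reach data they have no need for, can be run mechanically once the list exists. The following Python script is an added example, not part of the article or any firm’s real tooling; the inventory rows, the role names and the access policy in it are constructed for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory for this example; not real firm data.
# Columns: device, owner, user, make/model, which class of data the device
# can reach, and the date of the last successful backup ("n/a" for gear
# such as a router that is not backed up).
INVENTORY_CSV = """device,owner,user,make_model,access,last_backup
LAPTOP-01,Firm,Managing Partner,Dell Latitude,accounting,2024-05-01
LAPTOP-02,Firm,Legal Assistant,Dell Latitude,client-files,2024-04-02
DESKTOP-01,Firm,Receptionist,HP ProDesk,accounting,
IPAD-01,Personal,Managing Partner,Apple iPad,client-files,2024-05-03
ROUTER-01,Firm,,Netgear R7000,network,n/a
"""

# Hypothetical need-to-know policy: who may reach each class of data.
ALLOWED = {
    "accounting": {"Managing Partner", "Bookkeeper"},
    "client-files": {"Managing Partner", "Legal Assistant"},
}


def load_inventory(text):
    """Parse the CSV inventory text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def stale_backups(rows, today_iso, max_age_days=7):
    """Names of devices whose last backup is missing or older than max_age_days."""
    today = date.fromisoformat(today_iso)
    stale = []
    for row in rows:
        last = row["last_backup"].strip()
        if last == "n/a":
            continue  # device class that is not backed up at all
        if not last:
            stale.append(row["device"])  # never backed up
            continue
        if today - date.fromisoformat(last) > timedelta(days=max_age_days):
            stale.append(row["device"])
    return stale


def access_exceptions(rows, allowed=ALLOWED):
    """(device, user, access) tuples where the user is not on the allowed list."""
    out = []
    for row in rows:
        area = row["access"]
        if area not in allowed:
            continue  # e.g. "network": no per-user rule in this policy
        if row["user"] not in allowed[area]:
            out.append((row["device"], row["user"], area))
    return out


if __name__ == "__main__":
    rows = load_inventory(INVENTORY_CSV)
    print("Stale or missing backups:", stale_backups(rows, "2024-05-05"))
    print("Access exceptions:", access_exceptions(rows))
```

Run against the sample, the script flags the laptop that has not been backed up in a month, the desktop that has never been backed up, and the receptionist’s machine that can reach accounting data. A real run replaces the embedded CSV with the firm’s own list and the policy with the access decisions the partners actually made.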
Strengthening Passwords
Weak passwords are the easiest way into private information. This
includes networks, Wi-Fi, email, and all the other accounts we are
forced to use every day. Security experts recommend using a password
manager, which can generate a different, very strong password for every
account; you then need to remember only the one very strong password
that unlocks the manager. As a general rule, when making passwords we
are told to avoid dictionary words, foreign words, slang or jargon, and
names associated with you. Use 12 or more characters, mixing upper- and
lowercase letters, numbers, and symbols, and never reuse a password
across accounts.
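The rules above can be written down and enforced, and a generator built on the operating system’s random source is what a password manager does internally. The Python below is an added example written for this page, not code from the article or from any password manager; the small blocklist in it is constructed for illustration, and a real deployment would use a large dictionary plus the user’s own names, firm name and dates.

```python
import secrets
import string

LOWER, UPPER, DIGITS, SYMBOLS = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

# Constructed blocklist for this example (dictionary words, names and
# jargon the article says to avoid); far too small for real use.
BLOCKLIST = {"password", "welcome", "summer", "lawfirm", "qwerty"}


def check_password(pw, blocklist=BLOCKLIST, min_len=12):
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if len(pw) < min_len:
        failures.append("length<%d" % min_len)
    if not any(c in LOWER for c in pw):
        failures.append("no_lowercase")
    if not any(c in UPPER for c in pw):
        failures.append("no_uppercase")
    if not any(c in DIGITS for c in pw):
        failures.append("no_digit")
    if not any(c in SYMBOLS for c in pw):
        failures.append("no_symbol")
    lowered = pw.lower()
    for word in sorted(blocklist):  # sorted so the report order is stable
        if word in lowered:
            failures.append("contains:" + word)
    return failures


def generate_password(length=16, blocklist=BLOCKLIST):
    """Generate a password from the OS CSPRNG that satisfies check_password."""
    if length < 12:
        raise ValueError("policy requires at least 12 characters")
    alphabet = LOWER + UPPER + DIGITS + SYMBOLS
    rng = secrets.SystemRandom()  # shuffle with the same CSPRNG, not random.shuffle
    while True:
        # One character from each class guarantees the class rules; the rest is
        # drawn from the whole alphabet, then shuffled so the classes are not
        # always in the same positions.
        chars = [secrets.choice(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)]
        chars += [secrets.choice(alphabet) for _ in range(length - 4)]
        rng.shuffle(chars)
        pw = "".join(chars)
        if not check_password(pw, blocklist, min_len=length):
            return pw  # only returns once the blocklist check also passes


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Welcome2024!!", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "OK")
    print("generated:", generate_password(20))
```

The checker reports every rule a candidate fails rather than stopping at the first, which is what you want when explaining to a colleague why a favourite password was rejected. Note that `secrets` is used throughout; the `random` module is seeded predictably and must never be used to make passwords.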
Dual Authentication
In our office, we are required to have 12-digit passwords changed
every 90 days. Further, we have dual authentication if we’re logging in
from another computer, which means every attempt to log in sends a
multi-digit code to our cellphones to ensure we are the person logging
in. It only takes another 20 seconds, but it gives us a great sense of
security. Gmail and most providers offer dual (two-factor)
authentication for added security. Where the provider gives you a
choice, a code generated by an authenticator app on your phone is
stronger than one sent by text message, because an attacker who
persuades the carrier to move your number to a new SIM receives your
text messages too.
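The six-digit codes an authenticator app shows are not random; they are computed from a shared secret and the current time, so the server can compute the same code and compare. The Python below is an added example for this page, not the article’s own material and not any provider’s implementation; it implements the published HOTP (RFC 4226) and TOTP (RFC 6238) algorithms, and the `verify` function’s `window` and `last_counter` parameters are this example’s own design for clock skew and replay.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    return hotp(secret, int(unix_time // step), digits)


def verify(secret, code, unix_time, step=30, digits=6, window=1, last_counter=-1):
    """Check a submitted code against the current step and +/- `window` neighbours.

    Returns the counter that matched, or None.  The caller should store the
    returned counter and pass it back as last_counter next time, so a code an
    attacker captured (e.g. from a phishing page) cannot be replayed.
    """
    counter = int(unix_time // step)
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue  # already used, or older than the last accepted code
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def new_enrollment_secret():
    """Fresh 160-bit secret; the base32 form is what an authenticator app imports."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode("ascii")


if __name__ == "__main__":
    import time

    raw, b32 = new_enrollment_secret()
    now = time.time()
    print("base32 secret to enroll in the app:", b32)
    code = totp(raw, now)
    print("code right now:", code)
    print("server accepts, counter =", verify(raw, code, now))
    print("same code again is rejected:", verify(raw, code, now, last_counter=int(now // 30)))
```

The test vectors in RFC 6238 (secret `12345678901234567890`, eight digits) are what the example is checked against. Two practical points the code makes visible: the secret is the whole security of the scheme, so it must be stored as carefully as a password hash, and a code is valid for a window of a minute or so, which is exactly why a phishing page that relays your code to the real site in real time still gets in; that is the limitation of codes that hardware security keys were designed to remove.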
Fortify Your Office Network
In my CLE lectures, I humorously advise, “Don’t let your 15-year-old
set up your Wi-Fi.” Sure, they’ll do a better job than you will, but
they won’t employ the standards needed, nor change the manufacturer’s
password. Always remember that the same rules should apply to your Wi-Fi
as to your email: generate a very strong password, require network
authentication, and select Wi-Fi Protected Access 2, or WPA2 (or WPA3
where your equipment supports it), for most small practices. Change the
router’s own administrative password, not just the Wi-Fi password, and
keep its firmware updated. Most importantly, make sure you have a
separate guest network from your office network, so that a visitor’s
device cannot reach your office computers. Most routers support one or
more guest networks. Don’t use a router that does not have separate
guest network capability.
Simple Updates to Your Computers
Your office computers can be a treasure trove for an attacker, and
there are multiple routes in, from open network connectivity to targeted
malware. (A recent report revealed cybercriminals hacked an unnamed
casino through its internet-connected thermometer in an aquarium in the
lobby of the casino.) Fortunately, there are a few key tools at your
disposal to counter these threats, and you should enable them. They
include automatic updates, antivirus/anti-malware, and a firewall. Don’t
assume these easy solutions have already been enabled. On Windows
systems you can usually find them under Control Panel > System and
Security. Most newer computers also support whole-drive encryption
(BitLocker on Windows, FileVault on a Mac), which keeps the data on a
lost or stolen laptop unreadable without the password. Check to see if
you have an encryption setting or ask your manufacturer.
Be Wary of Websites You Visit
Always check that the address of the website you’re visiting starts
with “https”; the final “s” means your connection to that site is
encrypted and the site has presented a certificate for its name. It does
not mean the site itself is honest: phishing sites use https too, so
read the domain name in the address bar as well.
Dealing With Clients
Most lawyers overlook this easy step during the client
interview—always ask if the client has special security needs. Will you
be handling intellectual property or other specific information that
requires enhanced cybersecurity? If so, how would the client
want that handled? It is reasonable to tell the client that you will use
their special encryption software, but they must either provide it or
reimburse you for installing it. This important but overlooked step was
discussed in depth in American Bar Association Formal Opinion 477R,
which was published in June 2017.
ABA Formal Opinion 477R
As technology advances, lawyers must determine whether it continues to
be safe to send confidential information over the internet or whether
additional security methods should be implemented.
The ABA restates the factors outlined in paragraph 18 of the Comment to
Model Rule 1.6:
- The sensitivity of the information;
- The likelihood of disclosure if additional safeguards are not employed;
- The cost of employing additional safeguards;
- The difficulty of implementing the safeguards; and
- The adverse effect of the safeguards on the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Upon consideration of these factors, lawyers are directed to consider
using these seven steps to help guard against disclosure:
1. Understand the nature of the threat. Consider the
sensitivity of the client’s information and risk of cybertheft. If there
is a higher risk, greater protections may be warranted.
2. Understand how client confidential information is transmitted
and where it is stored. Understand how your firm manages and
accesses client data. Be aware that use of multiple devices means
multiple access points.
3. Understand and use reasonable electronic security
measures. Use reasonable protections for client data. This may
include security procedures such as using secure Wi-Fi, firewalls, and
anti-spyware/anti-virus software and encryption.
4. Determine how electronic communications about clients’ matters
should be protected. Discuss with the client the level of security
that is appropriate when communicating electronically. If the
information is sensitive or warrants extra security, consider safeguards
such as encryption or password protection for attachments. Take into
account the client’s level of sophistication.
5. Label client confidential information. Mark communications
as privileged and confidential to put any unintended lawyer recipient on
notice that the information is privileged and confidential. Once on
notice, under Model Rule 4.4(b) Respect for Rights of Third Persons, the
inadvertent recipient would be on notice to promptly notify the sender.
6. Train lawyers and non-lawyer assistants in technology and
information security. Take steps to ensure that lawyers and support
personnel in the firm are trained to use reasonably secure methods of
communication with clients. Also, periodically reassess and update
security procedures.
7. Conduct due diligence on vendors providing communication
technology. Take steps to ensure that any outside vendor’s conduct
comports with the professional obligations of the lawyer.
A full copy of this ABA Formal Opinion is downloadable and contains
excellent discussions of security precautions.
Employee Training
At the very minimum, every law firm employee should be instructed on
the nature of private information and admonished that the law requires
that no such information leave the office in any form without the
approval of the supervising attorney. In my own office, my longtime
legal assistant knows that, no matter how well she knows the opposing
counsel, she must check with me before any private sensitive information
is transmitted or delivered from our client file.
The State Bar of Texas PDP-CLE Joint Resolution
The State Bar of Texas recognizes the critical nature of cybersecurity
and the increasing importance that lawyers have a duty to achieve
knowledge and technical skills in these areas. On April 18, 2018, at the
joint meeting of the State Bar of Texas Committee on Legal Education and
the Professional Development Committee, the members in attendance
jointly and unanimously adopted a resolution acknowledging that:
WHEREAS, the practice of law is now inextricably intertwined with technology for the delivery of services, the docketing of legal processes, communications, and the storage and transfer of client information, including sensitive private and confidential information and other protected data;
and further relating that:
“the continued competency of Texas lawyers to deliver services, communicate, and protect such information is dependent on technology skills and competency;”
That the mission of CLE should include:
“… information on technology, technical skills, and the implementation required to operate in a manner which enhances the ethical and competent delivery of legal services, and the security of client information.”
The joint resolution further explains:
“… lawyers should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
BE IT FURTHER RESOLVED: The above committees recommend that Texas Disciplinary Rule of Professional Conduct 1.01, comment 8 be revised as follows:
Maintaining Competence
8. Because of the vital role of lawyers in the legal process, each lawyer should strive to become and remain proficient and competent in the practice of law, including the benefits and risks associated with relevant technology. To maintain the requisite knowledge and skill of a competent practitioner, a lawyer should engage in continuing study and education. If a system of peer review has been established, the lawyer should consider making use of it in appropriate circumstances. Isolated instances of faulty conduct or decision should be identified for purposes of additional study or instruction.
RESOLVED and unanimously adopted this 18th day of April, 2018.
/s/Xavier Rodriguez, Chair, SBOT CLE Committee
/s/Gary L. Nickelson, SBOT PDP Committee
The resolution was considered by the State Bar Board of Directors and submitted to the Texas Supreme Court for consideration. On September 10, 2018, the court requested that the Committee on Disciplinary Rules and Referenda study the proposed amendment and make recommendations to the court.
Conclusion
The need to review and enhance your firm’s cybersecurity is real. But
a respect for the cleverness of hackers and the continuing fiduciary
duty you have to protect client information should result in good
habits, good processes, and implementing some relatively easy
improvements to your office security. Remember the old joke: “You’re not
paranoid if people really are out to get you.” Having been a victim of a
ransomware attack myself, I treat every incoming email with care and
delete all suspicious messages immediately. If you do believe it is a
real email, call the sender first when in doubt.
CLAUDE DUCLOUX
is certified in
civil trial and civil appellate law by the Texas Board of Legal
Specialization. He serves on the Texas Supreme Court Committee on
Disciplinary Rules and Referenda and is the national director of
education and ethics for LawPay in Austin.