GPSOLO June 2008
Cyber-Security: You Owe It to Your Clients
It used to be that most legal malpractice actions concerned “simple” missed deadlines or statutes of limitations. Today, however, many more malpractice claims emerge from conflicts of interest or other aspects of unethical conduct.
Every lawyer is bound by professional duties to keep clients’ confidences secret and records private. Securing files and client information used to be easy: We would simply lock up our file cabinets when we weren’t around. That elementary measure was sufficient against most of those without authorized access.
But nowadays, files are likely to be electronic, not paper. And we e-mail everything. We e-mail our clients. We e-mail about our clients. We send attachments with our e-mails. We send electronic documents, protecting some against tampering, intending others to be edited by the recipient.
And then there’s wireless. Hook, line, and sinker, we’re all buying in to wireless. We’ve got wireless keyboards, wireless mice, wireless alarms and lighting controls, wireless entertainment systems. Lawyers use wireless connections to link laptops and cell phones to the Internet. With wireless systems and devices proliferating everywhere, how do you know when someone is “listening in” or intercepting your communications?
“Wardriving,” the practice of driving around and looking for open, unsecured wireless networks, has become obsolete in some areas because of the proliferation of such networks. (The term “wardriving” derives from “wardialing”: using a computer to dial phone numbers, looking for computer modems—remember Matthew Broderick in the movie WarGames, whose character programmed his computer to dial up other computers looking for games to play?)
If you open a wireless-equipped laptop at a coffee shop and look at the wireless networks that appear, it is often nearly impossible to distinguish among those that are intended to be shared and those that are open solely because their owners were ignorant of proper security configurations. Wireless security is so complicated that even many large companies fail to use sufficient security protocols.
So, how do you protect electronic records not stored in physical file cabinets? How do you guard against snooping and tampering when you can’t see electronic information nor know when it’s being manipulated?
Nothing is foolproof. Some people use encryption software to keep their wireless communications private. With a good encryption system, even if the data is intercepted, it will be useless to anyone who doesn’t have the password key. But encryption only protects information generated by your computer. You still need to worry about what’s coming into your computer.
It used to be that only anti-virus software was needed and that most viruses were delivered by e-mail. Today, 83 percent of the viruses, worms, Trojans, and other forms of malware out there come from completely legitimate websites. According to a recent report from the computer security company Sophos ( www.sophos.com), one newly infected web page is discovered every 14 seconds. That is one reason why anti-virus software is not effective against all the threats out there, and why it should be used only in combination with spyware scanners and firewalls, all of which operate differently. With a combination of such safeguards, you can visit any website and be fairly well protected in case the criminals have hidden malware traps there.
The more you understand, the better you can protect yourself. Consider, for instance, that your e-mail to someone just across town might still have been sent through e-mail servers in Germany, India, or Guam. Copies may have been left on servers around the world. Oh, and there’s “Echelon,” the name given at one time to the National Security Agency’s system for mass eavesdropping on communications around the world. (President Bush again expanded the National Security Agency’s role in cyber-security on January 8, 2008, by signing the “National Security Presidential Directive 54/Homeland Security Presidential Directive 23.”)
You might also want to leave your laptop at home the next time you travel near a U.S. border. As it stands now, U.S. authorities may inspect your laptop if you attempt to cross a border; if your hard drive is encrypted, the Fifth Amendment still protects you from being compelled to disclose your password, but you might not get the laptop back.
You do not have to act unethically in order for the government to suck up your e-mail or read through your hard drive. That information will likely be stored somewhere for some length of time, and it could become embarrassing or costly if it gets out, even given your perfect ethics.
Wariness pays. New cyber-hazards are being discovered all the time. Internet-connected network printers have been found infected with the Blaster and Sasser worms, and now even refrigerators are connecting to the Internet. Instant messaging involves all kinds of security challenges. People wrongly think of web mail as being as safe as regular mail, but faster. Portable storage devices, sometimes called “thumb drives,” are so easy to hide and hold so much data that some companies have begun super-gluing USB ports shut so data cannot be downloaded at all. Camera phones are being banned in many places thanks to YouTube. Skype and other Internet phone services were created for consumers and do not have the security that is built into business applications.
Should you discover the technology you use presents a potential security breach, you owe a duty to do something about it. One day, long after having e-mailed someone a PDF file I had created, I found my document posted on the Internet, listed along with the complete path on my computer hard drive where the document had been when I originally e-mailed it. Now, my hard drive’s hierarchy wasn’t particularly confidential, but I sure hadn’t planned on broadcasting it to the world. So, I reorganized my hard drive, and now, before I e-mail anything to anyone, I move my intended attachment to an innocuously named “temp” folder, and send it from there.
The less we know about the technology we use, the greater the potential for inadvertently compromising ourselves. Yet, as we learn more, our standard of care changes. One day, for instance, the majority of lawyers, whether they use Word or WordPerfect, will know how to separate the files containing document edits from the documents themselves, so that if they e-mail a document, the recipient can’t open it and then just click “undo” to reveal its prior incarnations.
Ethics lawyers sometimes argue that the breach of an ethics rule is not malpractice, that standard-of-care issues are outside the purview of ethical codes. Technology does implicate the relevant standard of care, but advances in technology affect ethics too. Besides, though a simple breach of ethics is not malpractice, a breach of ethics that causes damage to the client is malpractice.
A little knowledge is not necessarily a bad thing. Plato thought ethics is knowledge.
James Ellis Arden practices law in the Los Angeles, California, metropolitan area and specializes in litigation, attorney ethics, and client relations. He may be reached at email@example.com.