January 01, 2014

Cybersecurity: Practical realities for environmental, energy, and natural resources lawyers

Claudia Rast

It may be a hot topic in domestic and international media, and it’s the stuff of thriller movies and international intrigue, but are the risks presented by cyber espionage and cyber theft true concerns for an environmental lawyer? Or an energy or natural resources lawyer? Well, unless you work in a cave with candles and a typewriter and communicate via smoke signals and the Pony Express, the answer is yes.

Let me explain why. The economic consequences are high, there are target industries squarely in a corporate lawyer’s wheelhouse, and as a trusted counselor with close and constant access to these industry clients, any lawyer can represent a real risk to the very clients we seek to protect. As recently quoted in the September 2013 issue of the ABA Journal, Shane M. McGee, general counsel and vice president of legal affairs at Mandiant Corp. (the security firm that published the detailed report on the People’s Liberation Army of China and its involvement in cyber espionage), noted: “Law firms need to understand that they’re being targeted by the best, most advanced attackers out there. These attackers will use every resource at their disposal to compromise law firms because they can, if successful, steal the intellectual property and corporate secrets of not just a single company but of the hundreds or thousands of companies that the targeted law firm represents. Law firms are, in that sense, ‘one-stop shops’ for attackers.”

Think about it: What better way to gain access to a high-value industry target than through its lawyer-representative who happens to be working on a mobile device, using open guest-access Wi-Fi at the hotel or nearby coffee shop where industry representatives are meeting?

Companies—and their legal counsel—are vulnerable to cyber attacks, particularly those in critical infrastructure areas

Companies face huge exposure and vulnerability from cyber threats, and these companies hire legal counsel. In this instance, we’re not talking about the theft of credit card information for pure economic gain, but the loss of valuable business information and malevolent injection of code meant either to gather information or cause mayhem. These threats present themselves in two major categories: (1) the general loss of confidential information, ranging from trade secrets and other intellectual property to pre-public deal information and (2) the loss of operational integrity and availability caused by malicious interference, resulting in the malfunctioning of systems or the inability to access the systems, or both. A year ago, National Security Administration Director Keith Alexander estimated the annual economic losses stemming from cybersecurity breaches at $250 billion. That’s just based upon what we think we know.

Many companies comprise the “critical infrastructure” of this country, and they hire legal counsel. The Department of Homeland Security defines critical infrastructure as “the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof,” and such critical infrastructure companies are possible high-value targets precisely because the companies’ operations are so essential. Examples of such companies include petroleum refineries, water treatment plants, nuclear power plants, natural gas pipelines, chemical manufacturers, pharmaceutical labs, hydroelectric plants, and others. A debilitating malfunction, or the inability to access the industrial control systems to correct a malfunction, at one of these facilities could lead to devastating economic, health, and environmental losses.

As legal counsel to such companies, we have a special responsibility to understand the potential security threats and to take proactive steps to guard against vulnerabilities.

The lawyer’s ethical obligations to critical infrastructure companies

We have been trusted counselors for critical infrastructure companies for many decades. We understand the environmental aspects of effective remediation; we know the compliance requirements for constituents that are released into the air, water, and soil; and we are effective and efficient counselors when unexpected events have the potential to adversely impact the environment and human health and safety.

But here’s the rub: Does the average lawyer practicing environmental, energy, or natural resources law have the technological proficiency to understand the ways and means of today’s cyber threat agents? And do we realize that it is our ethical obligation to our clients to have this proficiency? This is not to suggest that we must become information technology (IT) experts, but it does mean that we must be cautious and risk aware about using unprotected public Wi-Fi on our mobile business devices, that we don’t upload client documents to public cloud apps, and that we know enough about our firm’s or company’s IT infrastructure to keep high-value, high-risk information and documents in carefully segmented and secure locations.

The best way to understand the requirement that we have some basic level of technological competency about cybersecurity is to examine the recent changes to the rules governing our ethical obligations. But let’s go back to a fundamental premise: The care we take to protect client confidences and communications is second nature. If the care you take to protect client confidences is the same “care” that you’ve taken for the past three or more years, then you most likely are in violation of Rules 1.1 (competency) and 1.6 (confidentiality) of the ABA Model Rules of Professional Conduct, which were updated in 2012. There is a reason that law firms have become “one-stop shops” for cyber attackers. In the context of cybersecurity, one focus of the 2012 amendments to the Model Rules was on protecting client information from inadvertent disclosure by ensuring competent representation. But what does “competent representation” mean in your everyday practice?

Comment [1] to Model Rule 1.1 identifies the relevant factors when determining whether a lawyer has the requisite skill set to represent a client on a particular matter—focused on the particular field of law in question. The critical change to Rule 1.1 arises from the modification to Comment [8], noted in bold below:

[8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. (emphasis added).

To illustrate the point, let’s use an example of a new client which is a company that has developed a game-changing solar energy technology. The client seeks help to sort through applicable federal and state environmental and energy regulations. Would you think twice about accepting that representation, assuming, of course, that you were versed in this subject matter? If this client asked you to describe the IT security protections that your firm had in place to protect the company’s sensitive trade-secret information, could you? Would you have a colleague that could help? Would your IT manager’s answer satisfy the client?

These questions may sound obscure, far-fetched, or paranoid, but they are becoming increasingly relevant and critical to all lawyers and corporate counsel in particular. Companies that have experienced security breaches at the hands of their unknowing, vulnerable suppliers—their lawyers—are beginning to demand confirmation of security compliance at the outset of the representation. Cybersecurity questionnaires are gaining traction among companies when they seek new legal representation or have security concerns about a particular matter, and an environmental, energy, or natural resources lawyer who hasn’t seen or responded to such a questionnaire should be prepared to do so in the near future.

Separately, Model Rule 1.6 (c), which was adopted in August 2012, states in part that: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The operative phrases here are “reasonable efforts” and “information relating to the representation of a client.” Where a lawyer once could rely on locked doors, mechanical shredding of sensitive paper documents, and discreet and professional colleagues and staff, the challenges posed in a digital world of increasingly mobile devices require constant diligence and continued education. Should you know that public Wi-Fi is inherently insecure and that conducting client business in such an environment may not be a “reasonable” effort to prevent unauthorized disclosure?

Recommendations for the lawyer

What to do in the face of these risks? A great resource is The ABA Cybersecurity Handbook published in July 2013 and available both in paperback and eBook versions. This handbook is continually updated on the Cybersecurity Task Force’s website and its “resources” webpage. Immediate Past President Laurel Bellows created this task force last year, and their work led the ABA in 2013 to formally adopt of Resolution 118, condemning “unauthorized, illegal governmental, organizational and individual intrusions into the computer networks utilized by lawyers and law firm.”

There are, of course, some basic precautions you should take on your own:

  • If you have an IT department, pay attention to its policies—they’re intended to protect client information, not to thwart you.
  • Keep your mobile devices up to date with patches and upgrades (assuming your IT department is handling computers, tablets, smartphones, servers, and other network hardware).
  • Avoid accessing your secure firm/company network with your unsecured, personal device—that goes for USB devices from any third party (you don’t know where it’s been or what might be on it).
  • Encrypt the data on your devices.

A last recommendation for you and your client or company is the new National Institute of Standards and Technology (NIST) Preliminary Cybersecurity Framework due to be released in its final form by February 2014. The Framework’s focus is on critical infrastructure companies, and it provides a detailed process to assess cyber risks. Many lawyers may not think NIST has much to do with their practice, but you would be mistaken not to give this Framework serious attention. 

Claudia Rast

Claudia Rast is a shareholder in the Ann Arbor, Michigan, office of Butzel Long, where she counsels clients across practice areas on privacy, IP protection, technology, and cybersecurity issues. She is a former chair of the ABA Section of Environment, Energy, and Resources and is serving a second term on the ABA Cybersecurity Legal Task Force.