There is no one-size-fits-all solution to technology risk mitigation. Each lawyer must assess specifically the risks technology may pose to that lawyer’s practice and develop redundancies and safeguards applicable to the situation.
Use off-site data storage and backup. Losing access to electronic data on any device or system should not cripple a practice if it is properly prepared. Computers and other mobile devices are frequently stolen or lost. Hurricanes, tornadoes, wildfires, and other natural disasters can also cause us to lose access to our electronic information.
Regardless of the way in which access to data is lost, there is a simple way to ensure that we can keep working through these uncomfortable occurrences. Back up the data in another location off-site or in cloud programs that are accessible from any computer that has online access.
Undertake education and training for technological competence. We as lawyers must know how to use the tools we have to accomplish our work. Lawyers use countless programs and devices daily in their practice, and they make just as many mistakes in using them because they fail to educate themselves on how these tools actually work.
The potential for missed deadlines looms large when one is fumbling with unfamiliar programs. Disclosure of privileged and confidential information is another significant risk. Other prominent gaffes resulting in the disclosure of confidential information have occurred because lawyers were unfamiliar with redaction technology. Resources available to help us get redaction right include the National Security Agency’s primer on secure redaction. A redaction can be tested by copying and pasting the redacted content into another document: if the document was properly redacted, no text should be transferred.
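The copy-and-paste test above can be automated. The following is an added example, not part of the original article: it takes the text that a paste from the "redacted" document produced (here a constructed sample, since the page has no real document) and reports any sensitive terms or patterns that survived. The term list and regular expressions are assumptions chosen for illustration; a firm would substitute its own.

```python
import re

# Constructed sample: the text that copying a "redacted" PDF page and
# pasting it into a blank document produced. The black boxes hid the
# values on screen, but the underlying text layer was never removed.
PASTED_TEXT = """
Client: [REDACTED] resides at [REDACTED].
Account ending 4471. SSN 123-45-6789. DOB 04/17/1982.
"""

# Specific values the redaction was supposed to remove (assumed list).
TERMS_TO_REDACT = ["123-45-6789", "Jane Roe", "4471"]

# Generic shapes of sensitive data that should never survive, even if a
# specific value was left off the term list (assumed patterns).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date": re.compile(r"\b\d{2}/\d{2}/\d{4}\b"),
}


def check_redaction(pasted_text, terms, patterns=PATTERNS):
    """Return (kind, value, offset) for every sensitive item that survived.

    An empty list means the paste contained none of the listed terms and
    nothing matching the generic patterns, which is what a correct
    redaction should produce.
    """
    findings = []
    for term in terms:
        for m in re.finditer(re.escape(term), pasted_text):
            findings.append(("term", term, m.start()))
    for kind, rx in patterns.items():
        for m in rx.finditer(pasted_text):
            findings.append((kind, m.group(), m.start()))
    # Order by position in the document so the report reads top to bottom.
    return sorted(findings, key=lambda f: f[2])


if __name__ == "__main__":
    for kind, value, offset in check_redaction(PASTED_TEXT, TERMS_TO_REDACT):
        print(f"{kind:5s} at offset {offset:4d}: {value}")
```

Run against the constructed sample, the script reports the account fragment, the SSN (twice, once as a listed term and once by pattern) and the date of birth, which is exactly what a visual check of the black boxes would have missed.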
Any lawyer unfamiliar with new technology must seek out education and training opportunities. Most software has accompanying user manuals. Free and paid instruction can be found from sources such as bar associations, private vendors, and educational institutions.
Implement reasonable security measures to safeguard data. As lawyers, we retain voluminous treasure troves of confidential client information on our IT devices. It is our ethical responsibility to protect this information from disclosure. In addition, we store sensitive information about our own practices on our devices. While electronic storage is convenient, it also carries significant risks. The following is a non-exhaustive list of security tools readily available and accessible to lessen the risk of a data breach.
Laptop locks assist in thwarting theft and are relatively inexpensive. Software that permits the remote wiping of a device is invaluable if the device is lost or stolen. Encryption software is another tool readily available to protect mobile data.
All devices that store sensitive and confidential information, including smartphones, tablets, and laptops, should be protected with a strong password. Instead of a single word, passwords should ideally be pass-phrases that also include symbols, numbers, and letters. Once a password has been selected, it is necessary to protect its secrecy. Use different passwords for different accounts.
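As an added example (not from the article), the following builds pass-phrases of the kind described, several words plus a number and a symbol, using Python's `secrets` module, which draws from the operating system's cryptographic random source. The short word list is a constructed stand-in; a real generator would load a dictionary of several thousand words, and the entropy function shows why that matters.

```python
import math
import secrets

# Constructed sample word list. A production generator should use a list of
# several thousand words so each word contributes more entropy.
SAMPLE_WORDS = [
    "harbor", "velvet", "granite", "lantern", "meadow", "copper", "falcon",
    "orbit", "saddle", "thistle", "quartz", "ember", "willow", "canyon",
    "pebble", "tundra",
]
SYMBOLS = "!@#$%^&*-_+=?"


def generate_passphrase(words=SAMPLE_WORDS, n_words=4, sep="-", rng=secrets):
    """Join n_words random words, one capitalised, plus a 2-digit number and a symbol.

    `rng` must offer choice() and randbelow(); the default is the `secrets`
    module, a CSPRNG. Never substitute the `random` module for this purpose.
    """
    chosen = [rng.choice(words) for _ in range(n_words)]
    chosen[rng.randbelow(n_words)] = chosen[rng.randbelow(n_words)].capitalize() \
        if False else chosen[0]  # placeholder replaced below
    # Capitalise exactly one word at a random position to mix letter cases.
    chosen = [rng.choice(words) for _ in range(n_words)]
    i = rng.randbelow(n_words)
    chosen[i] = chosen[i].capitalize()
    number = f"{rng.randbelow(100):02d}"
    symbol = rng.choice(SYMBOLS)
    return sep.join(chosen) + sep + number + symbol


def passphrase_entropy_bits(n_words, wordlist_size, n_digits=2, n_symbols=len(SYMBOLS)):
    """Bits of entropy in the generator's choices, assuming the attacker knows
    the scheme and the word list: word picks, capital position, digits, symbol."""
    return (n_words * math.log2(wordlist_size)
            + math.log2(n_words)
            + n_digits * math.log2(10)
            + math.log2(n_symbols))


def is_strong_enough(phrase, min_len=16):
    """Check a candidate has the article's shape: letters, a digit, a symbol,
    and at least min_len characters."""
    has_letter = any(c.isalpha() for c in phrase)
    has_digit = any(c.isdigit() for c in phrase)
    has_symbol = any(c in SYMBOLS for c in phrase)
    return len(phrase) >= min_len and has_letter and has_digit and has_symbol


if __name__ == "__main__":
    p = generate_passphrase()
    print(p, "strong" if is_strong_enough(p) else "weak")
    print(f"16-word list, 4 words: {passphrase_entropy_bits(4, 16):.1f} bits")
    print(f"7776-word list, 4 words: {passphrase_entropy_bits(4, 7776):.1f} bits")
```

The entropy comparison makes the design point concrete: four words from the 16-word sample give well under 30 bits, while the same four words from a 7776-word list give over 50 bits before the number and symbol are counted, so the size of the word list, not the separator or symbol, is what makes a pass-phrase hard to guess.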
Develop policies, protocols, and training to thwart social engineering attacks. “Social engineering” refers to the efforts by a stranger to gain another person’s unwarranted trust. In the context of electronic data, that trust is then exploited to obtain access to computer networks, where sensitive information can be stolen, destroyed, or held hostage.
One common social engineering tactic is to drop infected USB devices in locations where curious employees will pick them up and plug them into their computers. All the firewalls in the world won’t protect against a data breach that occurs from inside the network when, for instance, an employee plugs an infected USB device into an office computer. Most USB devices, given their small size, have no labels indicating their content. Unless employees have been trained and tested on the risks inherent in plugging unknown devices into computers, it is highly likely that curiosity will cause them to plug the device in simply to determine what, if anything, is on it.
Another common social engineering tactic is the phishing e-mail. Phishing is an attempt to obtain personal or sensitive information through e-mail or text by disguising the identity of the sender as a trustworthy person or entity. The tactic may require the e-mail recipients to click on a link that goes to a fake website that appears to be legitimate. Upon reaching the website, the recipient is then asked to input private information that could give the criminal access to otherwise protected accounts. In other cases, the tactic calls for the e-mail recipient to open an attachment to the e-mail, which then serves as the delivery method for ransomware or other malware.
Remember, all it takes is one click on a compromised attachment or link by any employee, up to and including the chief executive officer, to endanger data. To avoid these attacks, don’t open e-mails or click on attachments in e-mails from unfamiliar or familiar but unverified sources. Also, don’t click on links that lead you to enter sensitive information into an unverified website.
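The "link that goes to a fake website that appears to be legitimate" usually shows one address as visible text while the underlying `href` points somewhere else. The following added example (not from the article) parses an HTML e-mail body with Python's standard library and flags links whose real destination is outside the firm's trusted domains or whose visible text names a different domain than the destination. The sample e-mail, the trusted domain and the hostnames in it are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body imitating an e-filing notice. The first and
# third links display a trustworthy-looking address but point elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Your e-filing notice is ready. Review it at
<a href="http://ecf-login.example-court.co/verify">https://ecf.courts.example</a>
or update your account at <a href="https://ecf.courts.example/account">the court site</a>.</p>
<a href="https://ecf.courts.example.login-verify.net/x">ecf.courts.example</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    p = _LinkCollector()
    p.feed(html)
    return p.links


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    (No public-suffix list, so hosts under e.g. .co.uk would be misjudged.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html, trusted_domains):
    """Return a finding per link that is off the trusted domains or whose
    visible text looks like an address on a different domain than the href."""
    findings = []
    for href, text in extract_links(html):
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: etc. are out of scope for this check
        host = parsed.hostname or ""
        dest = registrable_domain(host)
        reasons = []
        if dest not in trusted_domains:
            reasons.append(f"destination {host!r} is not a trusted domain")
        # Treat visible text as an address if it contains a dotted host.
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        if "." in shown_host and registrable_domain(shown_host) != dest:
            reasons.append(f"visible text {text!r} names a different domain than {host!r}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL_HTML, {"courts.example"}):
        print(f["href"])
        for r in f["reasons"]:
            print("   ", r)
```

The third sample link illustrates a common trick: the trusted name appears as a subdomain of an unrelated registrable domain, so the hostname has to be judged from its right-hand end, which is what `registrable_domain` does.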
Other examples of social engineering tactics include pretexting—where an attacker creates a fabricated scenario to gain unauthorized access. Pretexting might involve an attacker impersonating an external IT services auditor to manipulate a company’s staff into providing access into the building. Or the attacker may impersonate company IT personnel over the phone, promising to remotely install software updates that call for the end user to disable anti-virus software.
Use checks and balances. Missed deadlines can lead to claims of malpractice. Technology gives us wonderful tools to lessen the risk of missed deadlines. We can use electronic calendars and reminders to keep track of these deadlines. Our ability to maintain and meet these deadlines, however, is only as good as the information we receive, input, and protect.
To calendar a deadline, one must know the deadline exists. With the increasing prevalence of electronic filing, it is quite common for these deadlines to be communicated in court notices sent via e-mail. Deadlines can be missed because e-mails containing them are accidentally deleted or misdirected to a spam folder.
To avoid a deadline being missed by one set of eyes due to a wrongly deleted e-mail, have more than one person be the recipient of electronic filing notices. Protect calendared deadlines by ensuring that access to modify the calendar is limited to certain authorized personnel. Consider implementing a backup calendar so that deadlines are accessible and saved in more than one location. In addition, input the date on more than one person’s calendar.
ABA Section of Litigation
This article is an abridged and edited version of one that originally appeared on page 38 of Litigation, Summer 2018 (44:4).
For more information or to obtain a copy of the periodical in which the full article appears, please call the ABA Service Center at 800/285-2221.
Published in GPSolo magazine, Volume 36, Number 6, November/December 2019. © 2019 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association or the Solo, Small Firm and General Practice Division.