Computer-related security is vital not only to your business, but also to your obligation as a lawyer to protect client information. Law firms can be targets of cyberattacks for myriad reasons, including systems that contain a treasure trove of sensitive or confidential data, are abundant with financial information, and are frequently engaged in wire transfers of funds. The saying goes that these days “you’ve either been the victim of a cyberattack or you soon will be” (Robert S. Mueller III, “Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies,” Federal Bureau of Investigation website, March 1, 2012). Arm yourself with the general information we’ve compiled here to help you use technology to protect your technology and raise your awareness of how cybersecurity impacts the legal profession specifically. If you have the resources, hire an information technology company or cybersecurity expert with the technical know-how most suited to your firm’s needs, and use this basic primer to assist you in understanding best practices to keep you, your firm, and your clients’ information secure and to bolster your awareness of the professional ethics obligations associated with technology breaches and the disclosure of confidential client information.
Hackers are smart. If you, like most people, are using the same, easy-to-remember/easy-to-guess password(s), often across multiple online accounts, you are leaving yourself open to attack. A password vault, also called a password manager, offers a one-stop-shop service that will generate and save random passwords for your online accounts, often across multiple devices, all while limiting the number of passwords you have to remember to one: the password to access the vault.
Both hard drive and cloud-based options exist, each with its own pros and cons. Cloud-based versions can, as with everything in the cloud, be subject to hacking, but they also generally are easier to use and can more frequently generate new passwords that are also more complex compared to hard drive–based systems. There are many options available. Some of the more well-known include Dashlane (choice of cloud or hard drive), KeePass (hard drive), and LastPass (cloud). Some services are free, or free for a single device; others charge a monthly or annual fee (generally $25 to $60).
Protection from Hackers
Nothing is foolproof, but taking even small steps to protect your computers from being compromised with malware, viruses, or ransomware—to name but a few nightmare scenarios—will help set you on the right track. For example, be sure you have a firewall installed. A firewall is designed to block unauthorized access to your network while still allowing it to communicate outward. Most major computer operating systems have built-in firewalls, but additional protection can (and should) come from purchasing a separate system. Also consider installing antivirus software to protect your computer against viruses that can, among other things, slow your computer, shut it down, or delete files altogether. Be sure to run the program regularly to ensure your system is virus free. Another often ignored but simple step: Shut your computer down. If your computer is always on, it’s more of a target. Shutting down not only can prevent entry into your system, it may break a connection that was already established.
Another layer of protection comes with using multifactor authentication and encryption. With multifactor authentication, a computer user is granted access only after successfully presenting two or more pieces of evidence to an authentication system. For example, after the password is entered, the system asks for a one-time digital code that it texts to another device (e.g., a smartphone or tablet) belonging to the user; only after that code is entered correctly is the computer opened for use. With encryption, a user must have the password or key that unlocks the file or message before it can be read. No password or key, no access (Jackie Dove, “12 Ways to Secure Your Computer from Hackers,” Business News Daily, January 10, 2019).
In general, companies can legally monitor employees’ activities on company time and equipment, but best practices demand they have written policies stating that employees should not have an expectation of privacy at work. Employees are responsible for following company policies and guidelines with respect to technology, and companies are responsible for notifying employees about what type of usage is acceptable and the consequence for misuse.
The technology for monitoring employee computer use has evolved rapidly, to say the least. This technology can be used to measure productivity, ensure policy compliance, and improve security. Employee monitoring software can record keystrokes and passwords, track productivity, and provide screenshots and even full video surveillance. It can also alert employers to criminal or other suspect activity, track social media usage, and limit or block access to certain websites.
If you share space with other businesses, you have additional or at least different concerns. One major concern is WiFi security, and password protection alone is not enough. Network security basics include using a firewall and ensuring that all data that passes through the router is encrypted. At the very least, you should change passwords frequently, or require every user to update their login credentials each month. Because attackers can also gain entry from inside a shared network, even seemingly harmless activities by other tenants can give them a foothold. By changing the passwords frequently, you can go a long way toward protecting network security. In shared workplaces, blocking access to even potentially problematic websites is strongly encouraged (Junel Seet, “Protecting Network Security in Your Shared Workspace,” Coworking Resources, January 28, 2019).
In addition to your own awareness of the risks of cybercrime, it’s important that your employees understand the threats that are out there. Security awareness training is critical and can inform your staff about everything from their responsibility to protect company and client data to the perils of improper Internet, e-mail, and social media use and the importance of protecting computer security in general. Your employees should be particularly aware of the dangers of phishing—the fraudulent practice of sending e-mails that appear to be from reputable persons or businesses in order to obtain personal confidential information from the recipient, such as account numbers, credit card numbers, passwords, or Social Security numbers, or to install viruses or malware by opening an attachment.
Spotting these e-mails isn’t always easy, but look for these signs when deciding whether to open an e-mail or click on an attachment:
- You do not know the sender.
- The website or e-mail address from which the message comes looks suspicious.
- The e-mail has misspellings or is worded poorly.
- The message asks you to confirm or provide personal information and/or you are asked to open an attachment (Mike James, “5 Ways to Spot a Phishing Email,” StaySafeOnline, August 22, 2018).
Your employees should know enough to avoid opening these messages and attachments to save your system from viruses, shutdowns, or other data breaches.
Ethical Obligations of the Profession Associated with Technology
Technology is complicated, but the need for it is straightforward; the question of how to protect your online security and live up to your ethical obligations is more nuanced.
Every lawyer is aware of the ethical responsibilities inherent in protecting confidential client information; however, when it comes to cyberattacks such as hacking e-mails, changing wiring instructions, inserting viruses, or exposing client data during a border search, it can be complicated to determine whether you’ve done enough before or after the data breach. Lawyers’ ethical responsibilities come directly into play when a law firm experiences a data breach, whether by virtue of a hack or, as discussed below, by a law enforcement search at the border. The American Bar Association (ABA) has opinions and other written materials available to members to assist them in understanding their obligation to protect client data and practical advice on how to meet this obligation.
Rules pertinent to a data breach are, most generally: ABA Model Rules of Professional Conduct Rule 1.1: Competence (“keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology . . .”); Rule 1.4: Communication; Rule 1.6: Confidentiality of Information (and preventing the “inadvertent or unauthorized disclosure” of confidential information); Rule 5.1: Responsibilities of a Partner or Supervisory Lawyer; and Rule 5.3: Responsibilities Regarding Nonlawyer Assistance (a lawyer’s obligation to make sure staff comply with the Model Rules and, in this context, to use technology responsibly and with reasonable safeguards). In 2018 the ABA issued Formal Opinion 483: Lawyers’ Obligations after an Electronic Data Breach or Cyberattack, which speaks to the ethical responsibilities of an attorney after a data breach involving client information.
In general, lawyers have an obligation to keep abreast of the ongoing changes occurring in technology use and should oversee their technology so that a breach in the system exposing client data is discovered in a reasonably quick manner, taking into account the fact that hackers might make quick detection impossible. According to the ABA, the kind of breach this applies to is one where “material client confidential information is misappropriated, destroyed, or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly compromised by the event” (ABA Formal Opinion 483, at 4).
Although the kinds of hacks to which we are all exposed as technology users are too numerous to name, one not uncommon situation involving a breach of this sort occurs when hackers infiltrate computer systems, send e-mails that appear to be originating from the actual parties to the transaction, and instruct that wire transfers of funds be directed to a different bank using different wire instructions. Again, knowing that this scheme is a popular one with criminals, taking simple measures can help prevent a huge problem. Never accept a change in wire instructions at face value. Always call to confirm wire instructions. Ensure the person you are talking with is the person you think it is—ask them to answer a question about something unique to the transaction. Also important, double-check the e-mail address from which the e-mail is being sent. Any discrepancy between it and the ones you have been receiving throughout the transaction is a sign that the person behind the message is not who you think it is. Should this or any other breach exposing confidential client information happen to you, be sure you understand your ethical obligation to communicate about the issue with your client(s).
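The warning signs listed under phishing above and the e-mail address check recommended for wire instructions, as an added example that is not part of the original article: the script screens one incoming message against the addresses already seen in a transaction, flagging an unknown sender, a lookalike domain, requests for confidential data, an attachment, and changed wire instructions. The party addresses, trigger phrases, and sample message are constructed for illustration; the misspelling/poor-wording sign is not modelled.

```python
import email
from email import policy
from email.utils import parseaddr
from difflib import SequenceMatcher

# Constructed: addresses already seen in this transaction's e-mail thread.
KNOWN_PARTIES = {"closing@lender-example.com", "j.smith@titleco-example.com"}
# Constructed phrases for two of the article's signs: requests for confidential data, changed wire instructions.
CONFIDENTIAL_REQUESTS = ("account number", "password", "social security", "confirm your")
WIRE_CHANGE = ("new wire instructions", "updated wire instructions", "different bank")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def lookalike(addr, known):
    """Return a known address whose domain nearly matches addr's (e.g. '1' swapped for 'l')."""
    for k in known:
        d, kd = domain_of(addr), domain_of(k)
        if d != kd and SequenceMatcher(None, d, kd).ratio() >= 0.85:
            return k
    return None

def screen_message(raw, known=KNOWN_PARTIES):
    """Return the sender and the article's warning signs found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    findings = []
    if sender not in known:
        findings.append("unknown sender")
    if (k := lookalike(sender, known)):
        findings.append(f"lookalike domain of {k}")
    if any(p in text for p in CONFIDENTIAL_REQUESTS):
        findings.append("requests confidential information")
    if any(p in text for p in WIRE_CHANGE):
        findings.append("changes wire instructions")
    if any(True for _ in msg.iter_attachments()):
        findings.append("asks you to open an attachment")
    return {"sender": sender, "findings": findings}

# Constructed sample: a lookalike domain ('1' for 'l') changing the wire instructions.
SUSPICIOUS = """\
From: "J. Smith" <j.smith@titleco-examp1e.com>
To: closing@lawfirm-example.com
Subject: Updated wire instructions for Friday's closing

Please use the new wire instructions below and confirm your account number.
"""
```

Any non-empty `findings` list is the cue the article gives: pick up the phone and confirm with the party at a number you already have, not one in the message.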
Border Crossing and Electronic Device Searches
The U.S. Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) agencies currently maintain policies that permit them to search and review information stored on electronic devices at U.S. borders. Predicated on national security concerns, neither a warrant nor any probable cause that the owner of the device has done something wrong is required before the agencies are legally permitted to conduct such a search. Naturally, devices belonging to lawyers more often than not contain confidential client information. For this reason, when traveling outside the country, lawyers should carefully consider which devices to take with them and what information should be stored on them lest they find themselves in such a position. The ABA has been closely involved in seeking to address this issue.
The Model Rules generally considered applicable to the cross-border search situation are Rule 1.6: Confidentiality of Information; Rule 1.1: Competence; and Rule 1.4: Communication. Obviously, practitioners should consult the rules in effect in their jurisdiction(s) of practice. The New York City Bar Association Ethics Committee relatively recently issued Formal Opinion 2017-5: An Attorney’s Ethical Duties Regarding U.S. Border Searches of Electronic Devices Containing Clients’ Confidential Information. In it, the committee reviewed the ongoing concerns and concluded that taking into account the possibility of a search at the border, a lawyer should take reasonable steps to avoid the possibility of disclosure of confidential client information. Of course, what is “reasonable” is fluid, and no one particular measure will determine if an ethical violation occurred. In general, the committee suggested that to live up to best practices, lawyers seriously consider whether any/all devices they intend to bring across the border are necessary, and, if so, what information should be on them. If stopped at the border and ordered to submit to a device search, lawyers should inform the agent of their status as lawyers and assert attorney-client privilege (traveling with a bar card or other professional indicia is a good idea), and, in the event of disclosure, the attorneys should inform the affected clients.
In January 2018 the CBP (but not ICE) did make certain revisions to the policy, which represent at least some improvement. For example, CBP officers are now instructed, in basic situations, to avoid accessing remotely stored data (i.e., cloud-based storage); where a claim of attorney-client privilege is asserted, CBP officers are instructed to discuss the claim with CBP counsel; any privileged documents that are copied are to be destroyed at the end of the process (unless transferred to another agency); and a reasonable suspicion of criminal activity or a national security concern is required for an advanced search (one involving an officer connecting the device to external equipment to be reviewed), as compared to a basic search, which does not require any such suspicion. Regardless of these revisions, practitioners should remain cautious and seriously consider which devices should accompany them on international travel and, if they bring them, whether certain information should be removed from the device.
There is no silver bullet that will stop all cyber criminals if they have targeted you, but by using the commonsense approach outlined here, you will make any would-be attacks less likely—and certainly less likely to succeed. In addition, knowing that you have ethical obligations with regard to technology use, and having a basic understanding of some of the means you can employ to make breaches far less likely, can go a long way in helping to prevent them.
Published in GPSolo magazine, Volume 36, Number 6, November/December 2019. © 2019 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association or the Solo, Small Firm and General Practice Division.