The standards for data security are continually evolving. Many lawyers still struggle to fully understand and implement steps to ensure they are engaging in good cyber hygiene because cyber threats and cybersecurity are always changing. Typically, ethics rules and opinions lag to some degree behind the latest wrinkle, innovation or change. Generally, the ethics rules require lawyers to take reasonable measures to protect data and client confidentiality. This includes guarding against disclosures by using reasonable electronic security measures commensurate with the sensitivity of the client’s information.
Before using any technology in your practice, you should vet the product. You will want to familiarize yourself with the security measures included with the solution you choose. One foundational inquiry is whether the solution secures data in transit (to and from the platform) and/or at rest (while in the platform or device). Many consumer products do one but not the other. Given that lawyers routinely receive, handle and store confidential data, it is surprising how many don’t know, and don’t ask, whether the technology they will be using protects their own and their clients’ data. When we talk about securing data we typically talk about encryption, but we may also consider whether any single user’s data is partitioned from any other user’s. Think, if you will, about the difference between storing a client’s documents in a large group folder compared to creating a folder for each client’s documents.
Encryption is the primary way to protect data. You can encrypt files locally before storing them, or you can encrypt entire storage drives or devices. Major cloud service providers, such as Google Cloud, Microsoft Azure or Amazon Web Services, all offer degrees of advanced encryption. For encryption-in-transit, the security standard is Advanced Encryption Standard (AES), and AES-256 is currently the gold standard.
When choosing technology, distinguish between solutions that provide document storage—whether a file-sharing solution or a more comprehensive practice management solution that offers storage and client portals—by asking questions such as: Does the product scan documents that are uploaded to be sure they are free from malware, viruses, etc.? Can you password-protect files or documents? Can you add encryption by use of an independent product?
The better products are usually business-grade technology. They will scan all incoming documents to be sure they are “safe.” Without the ability to scan for malware, you may pass on malware when sharing documents and may find your own system or network infected.
You will also want to consider firewalls. As the name implies, firewalls protect to some degree against infiltration of malicious data. A newer type is the cloud-based firewall, such as tools classified as firewall as a service. These include many advanced security features that can protect data at rest both in the cloud and on-premises, which suits hybrid cloud architectures.
Additionally, consider endpoint detection and response tools, which continuously monitor end-user devices to detect and respond to cyber threats like ransomware and malware. SentinelOne is an example of a cloud-based security endpoint system geared for solos and small to midsize firms. Finally, enable built-in features on end-user devices. If you have a Mac, turn on FileVault. If you have Windows 10 Pro or 11 Pro, turn on BitLocker.
Are You Doing What You Can?
Given the foundational considerations above, are you taking reasonable measures to secure protected client information? ABA Formal Opinion 477R provides helpful guidance. Taking reasonable measures is far from an objective standard; what is reasonable will vary by practice and even by client. More sensitive data, such as medical records and financial documents, requires greater measures for protection. The bottom line is that you don’t have to overspend, but you must take reasonable measures that limit the cyber risk of inadvertent disclosure.
What kind of due diligence have you done before choosing technology? This may include product demos; consulting with your IT person, consultant or trusted colleagues; and reading through the product’s terms of service. Consider factors such as the product’s reputation, where the data is stored, who has control/ownership of the data, disclosures of warranties and liability. Don’t hesitate to ask the provider for a white paper on its security measures. Do shop around and compare with the help of review sites. If you aren’t tech-savvy, employ the services of an IT pro to help make a wise choice and to be sure your system is set up appropriately.
We can’t discuss cybersecurity without addressing the LastPass data breach. LastPass was long a favorite in the legal tech space, so the breach was shocking. Equally disturbing was the lackluster response from the company that included delays, limited transparency and what many feel was an inadequate advisory of the seriousness of the risk to which users were subject as a result of the breach.
Because hackers were able to access customer information, exposed personally identifiable information is potentially at risk. If you were only using basic levels of authentication—such as letting users reset their account passwords by sending a recovery email or SMS text to their mobile—and if your email addresses and phone numbers were compromised, you need to move to stronger measures to verify who can get into your accounts. Because notices of the scope of the breach were delivered in drip-fashion, you may have missed the extent of the breach and the resulting risk. It was belatedly discovered that hackers had gained access to a backup of customer vault data. Hackers were able to access unencrypted information such as company names, end-user names, phone numbers, billing addresses, payment card details, email addresses and the IP addresses that LastPass customers used to access the service. Because the attackers made a copy of the customer vault data, they also gained access to the URLs for the websites that correspond with each encrypted username and password.
First and foremost, if you were a LastPass user, you should have already changed every password that was stored—and never use those old passwords or any variation of them again. Adding a few numbers or special characters to the end of old passwords that were compromised does not make them suddenly secure. You want to change to passwords that are long, strong and unique.
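The point about appended characters, shown as an added example that is not part of the original article: a check that reduces a proposed password to its base word and rejects it when that base matches a compromised one. The function names, the sample passwords and the 16-character minimum are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Character swaps people commonly make when "changing" a password.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample of passwords that sat in the breached vault.
COMPROMISED = ["Summer2022", "Tr1alLawyer!"]


def core(password: str) -> str:
    """Strip digits/symbols padded on either end, lowercase, undo swaps."""
    trimmed = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return (trimmed or password).lower().translate(LEET)


def is_variation(candidate: str, old: str, threshold: float = 0.8) -> bool:
    """True when candidate is the old password with cosmetic changes."""
    a, b = core(candidate), core(old)
    if a == b or (len(b) >= 4 and b in a) or (len(a) >= 4 and a in b):
        return True
    return SequenceMatcher(None, a, b).ratio() >= threshold


def check_new_password(candidate, compromised=COMPROMISED, min_len=16):
    """Return reasons to reject the candidate; an empty list means accept."""
    problems = []
    if len(candidate) < min_len:  # 16 is an assumed policy value
        problems.append("too short")
    reused = [old for old in compromised if is_variation(candidate, old)]
    if reused:
        problems.append(f"variation of {len(reused)} compromised password(s)")
    return problems


if __name__ == "__main__":
    for pw in ["Summer2022!!", "$ummer2023#", "correct-horse-battery-staple"]:
        print(pw, "->", check_new_password(pw) or "ok")
```

The substring test is deliberately conservative: any new password that still contains the base of an old one is rejected, even when it is long.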
It’s also time to revisit your multifactor authentication (MFA) options and look for more secure methods such as a dedicated authenticator app or physical security key. Our colleagues have routinely recommended a third-party authenticator like Google Authenticator, Microsoft Authenticator or Duo Mobile. Or, if you’re looking for the top-rated physical security keys, sites such as TechRadar and PCMag have annual lists with recommendations.
If you’ve been a LastPass user, decide whether you want to stay with LastPass. Wired and other similar publications routinely publish lists ranking the available options for reputable password managers if you seek alternatives. And if you decide to leave, you’ll need to export your data, cancel your subscription so you won’t be auto-renewed and delete your account.
Thanks go to our Practice Management Advisor of North America colleague, Catherine Sanders Reach, who has offered an excellent list of suggestions for those impacted in her blog for the North Carolina Bar Association’s Center for Practice Management. Some are measures you will wish to take immediately—like keeping a close eye on your bank statements, credit card activity and credit report; and keeping track of all devices logged into your accounts and removing those that you don’t recognize. Watch out for a dramatic increase in phishing emails. If you or your firm have not yet explored a robust cybersecurity insurance policy, now is the time. Keep in mind that not all insurance policies are the same, and do your research on how much insurance you may need.
Cyber hygiene is necessary in today’s world, and lawyers are required by the ethical rules in most states to have a basic understanding of the risks of technology. Reasonable practices include understanding how the systems you’re using are securing/encrypting your data, using unique passwords and using strong MFA tools. Notwithstanding the LastPass breach, password managers are still critical tools in your cyber hygiene toolkit.