November 23, 2020

Cyber Security 101 for Paralegals

Ceaser Espinoza, JD, Program Director and Faculty member, El Centro College, Paralegal Studies Program

Our reliance on technology to improve our daily lives and our profession comes at a price. With all the information and data that we store and send electronically, we are more susceptible than ever to intrusions and breaches. In this new millennium, we’ve experienced personal data breaches at several large companies, including Equifax, Facebook, Marriott, and Twitter.[i] Unfortunately, the legal profession has not been immune. As hackers realize the vast amount of personal and corporate information housed by law firms, firms have become a lucrative target for data theft.[ii] Adding to the dilemma is the legal profession’s slow acceptance of, and adaptation to, technology and cyber security. Most recently, in 2020, high-profile law firms have reported data breaches or had their data held for ransom.[iii] This is only a fraction of what is to come.

Compliance

Regulations are nothing new to the legal profession. However, complying with technology-related regulations has not been the legal profession’s strong suit. Although legal professionals understand that data protections must be enacted as a course of business, they may not be fully aware of all the applicable federally mandated cyber security measures. Take, for example, the following federal regulations that apply to law firms:

  • The Health Insurance Portability and Accountability Act (HIPAA) treats law firms as “business associates” when they receive protected health information (PHI), for example as part of personal injury claims
  • The Gramm-Leach-Bliley Act (GLBA) reaches law firms, albeit indirectly, as service providers to the extent that they maintain a client’s financial information
  • The Payment Card Industry Data Security Standard (PCI DSS) applies to law firms that accept, store, or transmit cardholder data (CHD), which at a minimum is the primary account number (PAN), alone or together with the cardholder name, expiration date, or service code
  • The Federal Reserve considers law firms service providers because they manage financial information for clients and connect to banks
  • The Federal Deposit Insurance Corporation (FDIC) also considers law firms service providers when they maintain and distribute funds[iv]

Similarly, the American Bar Association (ABA), state bar associations, and national paralegal associations have established ethical guidelines regarding cyber security and technological proficiency. For example, ABA Formal Opinion 483[v] describes obligations in the event of a data breach or cyber-attack, while ABA Formal Opinion 477R[vi] and the National Federation of Paralegal Associations (NFPA) Informal Opinion 96-1[vii] both focus on securing confidential client e-communication. One thing is clear: attorneys and paralegals both have a duty and a responsibility to ensure client data is secure and protected. Are you thinking, “what can I do? I don’t own the firm, I’m not IT,” etc.?

Now, just because we don’t control or implement most, if any, of the cybersecurity policies at a law firm or in-house legal department doesn’t mean we don’t play a significant role in securing client data. In fact, many of the breaches at the law firms mentioned above happened when front-line employees made mistakes that jeopardized the firm’s data. Whether it was negligence, a mistake, or lack of training is not important to us now. What is important is that we learn from those events and ensure that we are educated in the nuances of this challenging new world of e-security. Although we can’t control every aspect, we can learn some basics so that we minimize human error.

The legal profession is not immune from cyber security attacks.

Securing Passwords

Let’s start by saying that “Password1234” is not a good password; it, and millions of variations like it, sit in every password-cracking wordlist. You may be thinking, “what does a good password look like?” How about XKr567%$2345@1? If a random generator produced it and you use it for one account only, it is genuinely hard to guess: fourteen characters drawn from letters, digits, and symbols leave an attacker no shortcut other than trying every combination. The real weakness is that nobody can remember a string like that, so in practice it gets written on a sticky note, reused across accounts, or quietly replaced with something simpler, and that is where the strength is lost.[viii]

We need to move away from passwords and embrace passphrases.[ix] A personalized passphrase is long and unpredictable to an attacker, yet easy for you to remember.[x] Here’s how to create an effective one. First, think of a personalized phrase such as “I like to watch Soccer.” Second, manipulate it by replacing some letters with numbers and special characters, such as “1like2watch$occer.”[xi] This new passphrase contains letters, numbers, and special characters, is unique, and is easy to remember—win, win![xii] One caveat: swapping “s” for “$” or “to” for “2” is a well-known pattern, and cracking tools apply exactly those substitutions in reverse, so the real strength of a passphrase comes from its length and the number of words in it, not from the substitutions. Prefer four or more words, and never reuse a passphrase across accounts.
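To make the caveat concrete, the following Python script (an added example, not code from the original article) estimates how much guessing work an attacker faces for the two sample secrets above. It shows that a cracker does not brute-force “1like2watch$occer” character by character; it first reverses the substitutions and then guesses dictionary words. The substitution table, the tiny dictionary, and the 100,000-word list size are assumptions made for the example.

```python
"""Password vs. passphrase: what a cracker can and cannot shortcut.

Added example, not from the original article. The substitution table and
wordlist size are assumptions; real rule sets and wordlists vary.
"""
import math
import string

# Sample secrets, constructed for this example (never use them for real).
RANDOM_PASSWORD = "XKr567%$2345@1"
LEET_PHRASE = "1like2watch$occer"

# Substitutions that cracking rule sets routinely try in reverse.
LEET = {"$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
        "5": "s", "7": "t", "!": "i", "2": "to", "4": "for"}

# Tiny constructed dictionary; a real attack uses a list of ~10^5 words.
WORDS = {"i", "like", "to", "watch", "soccer", "for", "the", "password"}
WORDLIST_SIZE = 100_000  # assumption


def charset_size(pw):
    """Size of the smallest standard character set covering pw."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, len(string.punctuation))]
    return sum(n for chars, n in classes if any(c in chars for c in pw))


def brute_force_bits(pw):
    """Work, in bits, to guess pw as a random string over its charset."""
    return len(pw) * math.log2(charset_size(pw))


def de_leet(pw):
    """Undo common substitutions, as a cracker's rule set would."""
    return "".join(LEET.get(c, c) for c in pw.lower())


def segment(text, words=WORDS):
    """Split text into dictionary words; None if that is impossible."""
    best = {0: []}
    for end in range(1, len(text) + 1):
        for start in range(end):
            if start in best and text[start:end] in words:
                best[end] = best[start] + [text[start:end]]
                break
    return best.get(len(text))


def dictionary_bits(n_words, wordlist_size=WORDLIST_SIZE):
    """Work, in bits, to guess an n-word phrase drawn from a wordlist."""
    return n_words * math.log2(wordlist_size)


def estimate(secret):
    """Both attack costs; the attacker takes whichever is cheaper."""
    words = segment(de_leet(secret))
    dict_attack = dictionary_bits(len(words)) if words else float("inf")
    return {"brute_force_bits": brute_force_bits(secret),
            "words": words,
            "dictionary_bits": dict_attack}


if __name__ == "__main__":
    for s in (RANDOM_PASSWORD, LEET_PHRASE):
        print(s, estimate(s))
```

Under these assumptions the random 14-character password has no dictionary shortcut (about 92 bits of brute force), while the substituted phrase looks like about 103 bits to brute force but reduces to the five words “i like to watch soccer”, roughly 83 bits against a 100,000-word list and far less if the attacker uses a smaller list of everyday words. Each additional word adds about 17 bits; the “$” and “2” add nothing once the rule set reverses them.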

Email Encryption

One of the primary benefits of email is the ease with which we can share documents. It’s also highly vulnerable for that very same reason. Client retainers, questionnaires, and scanned personal documents (birth certificates, marriage licenses, affidavits, etc.) are routinely shared via email. Although you can’t control how you receive information, you can control how you share it. As an aspiring legal professional, I recommend that you start encrypting all documents that contain personal or sensitive information. And not just work documents; you should consider encryption when sharing your personal documents, too. Encryption provides an extra layer of protection in the event your email account or your provider’s servers are compromised, but only if the password travels separately: give it to the recipient by phone or text, never in the same email as the file. Plus, encryption is not really that difficult.

Word has this built in: under File > Info > Protect Document, choose Encrypt with Password (in Microsoft 365 and recent desktop versions). The same menu lets you restrict editing and apply other protections. Just search “Protect Document” in your version of Word and it should take you to the right place. Modern versions of Word encrypt the file contents with AES, so the protection is only as good as the password you choose; use a passphrase. Unfortunately, if you’re a fan of Google Docs, there is no built-in encryption function, but there are add-ons in the Google Workspace Marketplace that fill the gap. On that note, a password-protected Word file stays encrypted when you store it in Google Drive, but Google Docs cannot open it for editing; you will need to open it in Word (or remove the password, edit, and re-encrypt). As for PDFs, the free Acrobat Reader cannot add a password; that requires Acrobat Pro or Standard. Two alternatives: Word on Windows can export a password-protected PDF directly (File > Save As > PDF > Options > Encrypt the document with a password), or you can install third-party software that supports PDF encryption.
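A practical habit is to verify that a file is actually protected before it leaves your outbox. The following Python script is an added example (not from the original article) that inspects the raw bytes of an attachment: an unprotected Office Open XML file (.docx/.xlsx/.pptx) is a plain ZIP archive, whereas a password-protected one is rewritten as an OLE compound file containing an “EncryptedPackage” stream, and an encrypted PDF carries an /Encrypt entry in its trailer. The sample files are constructed inline, and the OLE stand-in is only a minimal byte pattern, not a real document; legacy .doc files are not covered because they are always OLE containers.

```python
"""Pre-send check: is this attachment really password-protected?

Added example, not from the original article. Byte-level heuristics only;
covers Office 2007+ formats and PDF, not legacy .doc/.xls.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                                   # unencrypted Office Open XML
ENCRYPTED_STREAM = "EncryptedPackage".encode("utf-16-le")   # OLE directory entry name


def office_is_encrypted(data: bytes) -> bool:
    """Password-protected Office Open XML files are stored as an OLE container
    holding an 'EncryptedPackage' stream; unprotected ones are ZIP archives."""
    if data.startswith(ZIP_MAGIC):
        return False
    return data.startswith(OLE_MAGIC) and ENCRYPTED_STREAM in data


def pdf_is_encrypted(data: bytes) -> bool:
    """An encrypted PDF has an /Encrypt entry in its trailer. Heuristic: the
    token could in principle also appear inside an uncompressed stream."""
    return data.startswith(b"%PDF") and b"/Encrypt" in data


def attachment_is_encrypted(filename: str, data: bytes):
    """True/False for supported types, None when the type is not recognised."""
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext in ("docx", "xlsx", "pptx"):
        return office_is_encrypted(data)
    if ext == "pdf":
        return pdf_is_encrypted(data)
    return None


# --- constructed sample files (not real client documents) ---
def sample_plain_docx() -> bytes:
    """Minimal ZIP with the layout of an unprotected .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def sample_encrypted_docx() -> bytes:
    """Stand-in for a protected .docx: OLE header plus the stream name."""
    return OLE_MAGIC + b"\x00" * 504 + ENCRYPTED_STREAM + b"\x00" * 32


SAMPLE_PLAIN_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
                    b"trailer << /Root 1 0 R >>\n%%EOF\n")
SAMPLE_ENCRYPTED_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
                        b"trailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    samples = [("retainer.docx", sample_plain_docx()),
               ("retainer-protected.docx", sample_encrypted_docx()),
               ("affidavit.pdf", SAMPLE_PLAIN_PDF),
               ("affidavit-protected.pdf", SAMPLE_ENCRYPTED_PDF),
               ("notes.txt", b"plain text")]
    for name, data in samples:
        print(f"{name}: encrypted={attachment_is_encrypted(name, data)}")
```

Run it over the files in a folder before attaching them; a False for a client document means the password step was skipped, and a None means the file type is one this check does not understand.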

Email Phishing

Most breaches trace back to a moment of impulsive behavior rather than a sophisticated exploit. Human error generally occurs when an employee unintentionally gives hackers access through a trojan horse or other malware delivered by email phishing.[xiii] Email phishing is the use of a fraudulent email that appears to come from a familiar company or person in order to gain access to a firm’s or individual’s systems or secured data.

In practice, that means an employee clicked on a link or opened an attachment, bypassing all the security measures above and giving the attacker access to firm and client data. Fortunately, there are some simple steps we can follow to prevent most of these infiltrations.

First, trust your spam filter. It will catch most of the emails that have irregularities. Even if you see an email from someone you know in the spam folder, that account could have been compromised. If you’re unsure, contact the person through another channel (a phone call, not a reply) and confirm. Second, be wary if the email asks you to click on a link to enter data or access additional information. Hover over the link without clicking to see where it really goes; if the address does not match the company the email claims to be from, do not click on the link.

For example, suppose you receive an email from “Netflix” that says, “you need to update your account, please click here.” Even though there are Netflix images and logos in the email and it looks legitimate, “click here” could be sending you to a malicious site. Instead of clicking on the link, I recommend that you open a browser and visit the company site yourself to check your account. One final note: when checking emails, ask yourself, “does this seem odd?” Even a slight hesitation on your part is enough reason to question the legitimacy of the email. Trust your instincts.
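The “click here” trick usually leaves a visible tell: the link text shows one address while the link itself goes somewhere else. The following Python script is an added example (not from the original article) that parses a message, pulls every link out of the HTML body, and flags links whose visible text names a different domain than their real destination, or whose destination is a bare IP address. The sample message is constructed for this example, using documentation placeholder addresses; the “last two labels” domain comparison is a simplification that ignores the public suffix list.

```python
"""Flag the classic phishing tell: visible link text vs. real destination.

Added example, not from the original article. The sample email below is
constructed; sender and IP are documentation-range placeholders.
"""
import email
import ipaddress
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EML = """\
From: "Netflix" <billing@netflix-account-services.example>
To: paralegal@lawfirm.example
Subject: Action required: update your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account is on hold. Please update your payment details.</p>
<p><a href="http://198.51.100.23/login">https://www.netflix.com/YourAccount</a></p>
<p><a href="https://www.netflix.com/help">Help Center</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL, or of bare text that looks like one; else None."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        if " " in candidate or "." not in candidate:
            return None
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower() or None


def base_domain(host):
    """Crude registrable domain: last two labels (assumption, no PSL lookup)."""
    return ".".join(host.split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(raw_eml):
    """Return the real sender domain and every link with a reason to distrust it."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    flagged = []
    for href, text in collector.links:
        href_host, text_host = host_of(href), host_of(text)
        reasons = []
        if href_host and is_ip_literal(href_host):
            reasons.append("link points at a bare IP address")
        if href_host and text_host and base_domain(href_host) != base_domain(text_host):
            reasons.append(f"text shows {text_host} but link goes to {href_host}")
        if reasons:
            flagged.append({"href": href, "text": text, "reasons": reasons})
    return {"sender_name": name, "sender_domain": sender_domain,
            "flagged_links": flagged}


if __name__ == "__main__":
    print(analyze(SAMPLE_EML))
```

On the sample message the first link is flagged twice over (the text claims netflix.com, the destination is a bare IP), while the “Help Center” link, which really goes to netflix.com, passes. The report also separates the display name “Netflix” from the actual sending domain, which is the other thing worth reading before you click.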

Technology has provided us many tools and enhancements that will forever change the legal profession. We need not fear change; instead, we should embrace it and accept the numerous new obstacles we will encounter as we strive to secure legal data. To that end, the American Bar Association (ABA) has established a Cybersecurity Legal Task Force to provide guidance and resources to help in this brave new digital world.

[i] https://www.cnbc.com/2019/07/30/five-of-the-biggest-data-breaches-ever.html

[ii] https://www.law.com/2019/10/15/more-than-100-law-firms-have-reported-data-breaches-and-the-picture-is-getting-worse/?slreturn=20200231190206

[iii] https://www.abajournal.com/news/article/hacking-group-publishes-full-dump-of-law-firms-data-another-responds-to-cybersecurity-incident

[iv] https://zeguro.com/blog/law-firm-cybersecurity-protecting-attorney-client-privilege-in-a-digital-age

[v] https://www.americanbar.org/groups/cybersecurity/

[vi] https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_opinion_477.pdf

[vii] https://www.paralegals.org/files/Ethics_Opinion_96_01_cyberspace.pdf

[viii] https://zeguro.com/blog/five-tips-for-better-cyber-hygiene

[ix] https://zeguro.com/blog/five-tips-for-better-cyber-hygiene

[x] https://zeguro.com/blog/five-tips-for-better-cyber-hygiene

[xi] https://zeguro.com/blog/five-tips-for-better-cyber-hygiene

[xii] https://zeguro.com/blog/five-tips-for-better-cyber-hygiene

[xiii] https://us.norton.com/internetsecurity-online-scams-how-to-protect-against-phishing-scams.html