Technology—Probate provides information on current technology and microcomputer software of interest in the probate area. The editors of Probate & Property welcome information and suggestions from readers.
Digital Protection and Privacy
Lightning-paced advancements in technology are responsible for many wonderful accomplishments that span across most industries and have contributed to making day-to-day life and work easier and more streamlined. Despite such modern-day developments, technology can still cause major problems, and unexpected issues can occur in ways that were unfathomable less than 20 years ago. The breadth of general knowledge, regardless of specialty, that attorneys must possess to represent their clients is constantly expanding. One key area is how cybersecurity affects their practices and their clients’ information. Attorneys need to be prepared for phone calls from their clients on what to do if they are victims of a cybersecurity attack and how to take preventive measures to minimize their risk of being attacked. Attorneys also should be able to address questions from clients on what measures their firms are taking to ensure protection of their clients’ information. Trusts and estates attorneys need to be especially proactive in addressing cybersecurity measures with their clients, in both estate planning and estate administration. Identity theft is one key issue, and more and more people have digitized assets in need of tracking and protection from nefarious criminals.
We recently sat down with Leeza Garber, a cybersecurity and privacy attorney and an adjunct professor at the Drexel University Thomas R. Kline School of Law. Readers can learn more about Leeza at www.leezagarber.com.
Probate and Property (P&P): To start, can you tell us why the average estate planning attorney who doesn’t have expertise or experience or possibly even interest should care about the topic of cybersecurity?
Leeza Garber (LG): Yes, there are two primary components. First, attorneys should care because they need to be vigilant about the client data they have collected and stored, such as planning documents, tax returns, social security numbers, and asset identifications. Every attorney has an obligation to protect client information. Unless you understand the nature of the threats to the security of this data, it is difficult to defend against them.
Second, cybersecurity affects a majority of our personal and working lives because today so many activities we engage in have some type of online component. This means that most clients an attorney works with could benefit from a trusted advisor who can help them proactively minimize security risks and be a resource for them should they fall victim to a cybersecurity attack, a hacking or phishing scam, or any other type of online misconduct.
P&P: Regarding your first point, that attorneys need to be vigilant with the data they’ve collected from clients, I imagine this problem gets larger as the size of the attorney’s firm gets smaller because at larger firms they may have entire departments devoted to thwarting cyber threats, and that job usually gets outsourced or unfortunately ignored at smaller shops. Can you offer a checklist that attorneys can use to start to organize a cybersecurity plan?
LG: I hate to generalize, but cybersecurity is an additional line item on the budget, so for smaller offices that are on tighter budgets, it’s unfortunately going to be ignored until there is a problem. As for developing a plan, when I work with clients to prepare a cybersecurity plan, I will often start by asking the following questions:
- What type of data encryption do you use?
- What anti-virus and malware software do you use?
- Do you have a local server on the premises or is data stored in the cloud?
- What type of cloud program are you using?
- Have you vetted all third-party vendors you use as to their cybersecurity practices? [P&P Commentary: Many businesses rely on multiple vendors to support their business functions. Third-party vendors, including law firms, may have authorization and access to data and other sensitive information. If a vendor has access to such sensitive information for a business and has a cybersecurity breach, the information they have access to is at risk.]
- Have you performed a penetration test recently to determine what types of vulnerabilities your office is exposed to on a daily basis?
All of these things are just part of developing an effective plan. Having an audit done by a cybersecurity expert is also important. If your clients have not already started asking you for this type of information, they soon will. Especially considering the implementation of the General Data Protection Regulation (GDPR), it is becoming something people can no longer ignore.
[P&P Commentary: The GDPR, which became effective on May 25, 2018, sets guidelines for the collection, processing, and privacy of personal information of individuals in the European Union (EU). The law sets forth a global precedent for consumer protection, reaching far beyond EU borders. Companies that are not located in the EU, but who have websites available in the EU or conduct business with people or companies in the EU, are subject to the new regulations. Violations of the new regulations can have crippling effects, such as a penalty of 4 percent of a company’s revenue for serious violations. Since its adoption, there has been a trickle-down effect on operations and a raised awareness that additional data protection and privacy laws will eventually be instituted in the United States. Ultimately, there will also be more specific protections and privacy laws geared toward a decedent’s digitized information and assets. A majority of states have adopted a version of the Uniform Law Commission’s Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA), which governs when and how a fiduciary can access a decedent’s digital assets. However, this is only the beginning of laws aimed toward protecting and controlling access to this type of information.]
P&P: What would you say is the most frequent type of cyberattack?
LG: There are many different types of cyberattacks, so it really depends on the industry. Health care, finance, and the legal industries frequently face ransomware attacks. But generally, when you’re talking about high net worth individuals and businesses, the primary threat is phishing emails. Phishing emails are how certain hackers got into government databases. Phishing emails are very effective at disrupting businesses, and many sophisticated professionals fall victim to this type of attack. Phishing can lead to the installation of a lot of different kinds of malware, ransomware, and other kinds of viruses, and it is a very common way that cyberattacks succeed.
P&P: That’s a good segue to focus on how attorneys can help their clients. You mentioned both a proactive and a reactive approach. Let’s start with the former; most estate planning attorneys do not have the appropriate background to perform a deep analysis of a client’s cybersecurity plan (or lack thereof), so what advice can they offer to their clients to help them start this process?
LG: I always recommend being proactive, and attorneys are in a good position to help their clients do that. Especially for high net worth individuals, it’s not if you’re going to be attacked but when you will be attacked. To minimize the threat of an attack you can start with the little things. For example, in home security you want to make your house one of the safest houses on the block because if you make it a little harder for a burglar to break in, they’re more likely to move on to the next house. The same analogy works well for cybersecurity too—you want to make your accounts harder to access.
Some proactive steps to take include:
- Regularly change passwords.
- Use dual factor authentication for most bank accounts, webmail, and email accounts. [P&P Commentary: Also known as multi-factor authentication, dual factor authentication requires a user to enter a username, password, and some other type of information that only the user can verify, such as a text with a code sent to the user’s last registered mobile number or the requirement to verify additional personal information of the user.]
- Actively monitor your credit. Know what is going on in your accounts.
- Check your online persona as frequently as possible, especially if you have a large social media presence—not just what you find on Google, but all public-facing social media. And when I say public-facing, I’m including the friends you have because they could be linked to people that are nefarious. Generally, when someone posts to social media, information is being given about a person’s activities and assets. For example, if someone posts pictures of her or his cars, jewelry, or other belongings, such pictures might be geo-tagged so people can see where and when they were taken.
- Finally, it may be worthwhile to perform what’s called a dark net search, so you can see what information of yours may be for sale on the dark net.
P&P: How often would you suggest performing those types of searches?
LG: At least monthly; it’s important. There are a few services, including several credit bureaus, that will search the dark net for you. There are also ways individuals can access the dark net as well to perform these searches, but special software is needed. Searching what’s publicly available and then locking down your account is a good start. The basic strategy still applies—strong passwords, dual authentication, anti-virus, and anti-malware software.
And it may seem obvious, but some people don’t realize that your phone is a mini-computer and equally as vulnerable; however, you can still protect it with anti-virus software and by updating your operating system as frequently as possible.
P&P: As the estate planning world adopts digital tools to help individuals plan and administer estates, more and more beneficiary and estate disputes will rely on digital evidence. Can you describe what steps a forensic investigator takes to help determine the authenticity of a digital file?
LG: When a forensic investigator is looking at a digitized file, whether it’s a Word document, an Excel document, or any kind of digitized piece of information, there is metadata, which is like the fingerprint on that digitized file—it’s information about the information. For example, on a Word file it might be the last modified date, last accessed date, and last printed date. Depending on the type of document or file, different information can be pulled. Additionally, a forensic investigator will be able to tell the movement of files on whatever device they are stored. If the data is stored in the cloud, there are other types of information available, including which users logged in to access it and what types of changes were made and when.
P&P: Is there a role for forensic investigators to play when dealing with assets other than digitized files?
LG: Yes, when an estate is concerned about the authenticity of an object, such as a piece of art, an artifact, or another type of valuable collectible, a forensic investigator can help by looking at the digital files related to the object. This typical forensic investigation process starts by looking at the certificate of authenticity, examining the email chain between the buyer and seller, and studying all digital records surrounding the asset. For a high net worth individual who purchased a piece of art more than ten years ago, this may be one of the easiest ways you could attempt to prove ownership and authenticity of an asset and disprove that it was stolen from a country that is known for a high level of nefarious transactions.
P&P: Apart from looking at digitized files, how can a forensic investigator aid executors and administrators in the administration of a decedent’s estate?
LG: When looking for digital assets, accounts, and other information relevant to the administration of a decedent’s estate, an executor may be able to find some information on the decedent’s laptop or phone (assuming the executor has both physical and electronic access), but it is always better to have a third-party expert review because there is a danger that an individual who is not in the forensic field could damage certain digitized files, information, and data due to its fragile nature. [P&P Commentary: This article does not consider whether an executor or other fiduciary has the legal authority to access a decedent’s digitized assets under a decedent’s testamentary documents or the state’s adoption of a version of RUFADAA. Advisors should be aware that additional measures may need to be taken by their clients to ensure that their fiduciaries will have the requisite legal authority to access their digitized information.]
But it may still be useful to hire a third party to help beyond the basics. Forensic investigators could look at someone’s computer and figure out everywhere the decedent has gone online and where the decedent has cloud-based online accounts or an online presence, which can help to locate additional and less obvious assets.
P&P: What are your thoughts on cyber insurance?
LG: Cyber insurance is a must for businesses. Policies can cover a wide range of issues, such as data breaches, hacking, ransom, and malware, and types of business disruption, such as those related to information technology, infrastructure, and activities. Generally, it’s not terribly expensive, and in the event of an issue it can help in a number of ways, including covering costs such as public relations, legal, notifying customers about a data breach, restoring identities of affected customers, recovering compromised data, and repairing damaged computer systems.
Cyber insurance is also an extremely complicated field that is growing and frequently changing. You really need to vet your insurance company to make sure it is the right provider. For example, some providers have committed to pursue audits of their clients’ tech requirements. Advisors need to consider what type of cybersecurity issues their clients could likely face and the value of cyber insurance coverage. Otherwise, like any other insurance policy, you might be purchasing something that won’t be of much use.
P&P: Other than to contact a cybersecurity expert, what is the best immediate advice attorneys can give to their clients if they are experiencing a data breach?
LG: As a natural consequence of high-speed technological innovations, new issues and new crimes will continue to emerge. Practitioners need to be able to assist their clients in protecting their digitized assets and information and online presence and advise their clients on what to do or whom to contact if they experience a cybersecurity breach. Estates and trusts attorneys need to be aware of the additional steps to take during the estate planning process to ensure a fiduciary has legal access to a decedent’s digitized information. Further, during an estate administration, fiduciaries also need to be conscious of protecting a decedent’s digitized assets, online presence, and identity. We are in the beginning stages of the enactment of new global laws to address privacy, accessibility, and protection issues surrounding a user’s digitized assets and information during life and after death. It is essential that attorneys stay on top of these changes to ensure they are providing timely, accurate, and informative counsel to their clients.