February 21, 2017

Combat Alexa hacks, fight ransomware, other tech musts to best secure client data

Lawyer and blogger Chris Dale has written, “Lawyers are winning cases and business by demonstrating competence in the use of technology in the management of their own and their clients’ business; the corollary to that is that work is being lost by those who lack that ability.”

A program at the ABA Midyear Meeting in Miami, “What Does Ethical Competence Mean in the Digital Era?” sponsored by the Government and Public Sector Lawyers Division, discussed these issues.

It was presented by Sharon D. Nelson, president (attorney), and John Simek, vice president (technologist), of Sensei Enterprises in Fairfax, Va., who discussed a number of ways lawyers need to show technological competence in order to do their jobs well and ethically.

Nelson opened by saying that lawyers have a “duty to safeguard” their clients’ information, which is spelled out in the Model Rules of Professional Conduct, specifically Rule 1 (Rule 1.1 Competence, Rule 1.6 Confidentiality of Information and Rule 1.4 Communications) and Rules 5.1, 5.2 and 5.3, all dealing with supervision.

Alexa and other personal assistants

Lawyers use devices such as Amazon’s Alexa to turn on the office smart coffee pot while en route to the office, to order office supplies and to add meetings to the calendar, among other tasks. Personal assistants access a database of “pretty canned responses,” Simek said.

But are Alexa and the others secure?

The device is only listening for the “wake” word (usually the name of the device), and it captures only words spoken after the name is used and a fraction of a second before. It doesn’t store anything. It captures that stream and any ambient noise, which goes up to the cloud, Simek said.

The device cannot detect voice differences (male vs. female, adult vs. child) so a guest at your house could ask Alexa for your bank account info and it would respond if it knew it. Alexa’s default configuration is to order from Amazon (although you can configure it to opt out of that).

The data is tied to your account, so “You can go to your account and play back the sound,” Simek said.

Police investigating a murder in Arkansas requested Alexa data for evidence. Amazon refused, but did supply the pertinent account details and ordering history.

For law firms using Alexa, Simek recommends putting her in a private room where only authorized people have access. He advises muting the device, changing the default wake word and deleting specific recordings as needed (although then the device will no longer recognize your voice and will have to relearn it).

A hacker may be able to get into Alexa, but Simek said the greater danger is that a hacker will crack the password to your account and be able to place orders and see your ordering history.

Ransomware

“We can no longer stop the barbarians at the gate,” Nelson said. The new mantra for information security is to “detect, respond and recover,” which means being eternally vigilant.

She said to assume that any urgent email is a phishing request for information.

Incidents of ransomware have shot up quickly. Ransomware is malware that lands on your device, and a hacker holds your data hostage until you pay a ransom for the key to unlock it. You can either pay the ransom or give up the data. You usually need bitcoin to pay it, Simek said, and if you don’t pay, the ransom usually goes up.

Published accounts say law firms have paid as much as $2,500 to get their data back, said Nelson, but she said larger firms may have paid more and kept it quiet.

Simek advised making sure you have all your data on a back-up that is not connected to your hard drive, which will allow you to ignore any ransomware demand.

With cloud-based back-up, Simek said to make sure to ask if it is impervious to ransomware attacks.

Nelson said that 91 percent of hacking attacks begin with a phishing email.

A 2016 PhishMe study revealed that users click on phishing emails because of:

  • curiosity (such as the chance to see racy photos)
  • fear (message might say “bar complaint attached”)
  • urgency (“boss needs this today”)
  • recognition (you’ve gotten an award)

Other clues that it is a phishing email can be that one letter or number is off, the email is in poor English, you weren’t expecting the email and/or hovering over the link doesn’t tell you where it goes, Nelson said.

She advises thinking before clicking, especially if it involves money, and picking up the phone to check on a questionable request before clicking.

Nelson also recommends giving employees phishing tests to educate them on the signs and dangers.

According to the FBI, she said, from Oct. 2013 to Feb. 2016, there were 17,642 victims of phishing, resulting in $2.3 billion in losses.

In 2016, the FBI requested that the ABA share the FBI Private Industry Notification cybersecurity alerts with the legal community.

One alert was about a Russian cybercriminal seeking a hacker to assist in compromising nearly 50 law firms.

Nelson recommended joining InfraGard, a public-private partnership between the FBI, the financial sector and the legal sector; membership is free. It takes a few months, but you will receive a weekly newsletter sharing cyber alerts for law firms and educational events, she said.

Minimum technology competence

These days, Nelson said, “lawyers don’t know what they’re supposed to know.” Among the things they need to know are:

  • how to do legal research online
  • the fundamentals of using Word, including the table of authorities and how to scrub metadata
  • electronic filing in courts, including whitelisting court addresses
  • Adobe Acrobat
  • electronic accounting
  • e-discovery (in 2015, California became the first state to require competence in this)

Florida now requires technical competence CLEs, Nelson said, and other states may follow.

She told the story of Kia Motors, which tested the senior associates in nine firms on technical skills, and they all flunked. Some firms were then not hired, and some agreed to a 5 percent price reduction until they could pass the test.

Among the things the associates couldn’t do well were:

  • use the basic functions of Word and Excel
  • print to a PDF
  • use Excel’s sort filter
  • batch search PDFs

Nelson said the Legal Tech Assessment, available online, is a test that can be taken by anyone, and she said it can help with job placement if you can say you passed it.

Nelson and Simek recommended resources to improve technical competence:

Simply File v4 by Tech Hit (to help organize email)

The Lawyer’s Guide to Microsoft Word 2013 by Ben Schorr

The Lawyer’s Guide to Microsoft Outlook 2013 by Ben Schorr

The panelists also covered issues in legal marketing, including responding to negative reviews online, and organizing email efficiently.