Cybersecurity for Lawyers: Your Ethical Obligations

The world is changing rapidly. As trusted advisors to businesses, it is incumbent upon us as lawyers to understand technology. This means that we need to be informed about cybersecurity and how to protect our communications with our clients.

In May of 2017, the ABA released Formal Opinion 477R, which addresses a lawyer’s obligations to protect confidential client information when transmitting information relating to the representation over the internet. Formal Opinion 477R replaced ABA Formal Opinion 99-413, Protecting the Confidentiality of Unencrypted Email (1999). At the time, that opinion stated that all communications, including unsecured, unencrypted email, were generally considered “secured.” However, we have transitioned to a time in which legal services are provided to clients mostly electronically, and unsecured, unencrypted email is not “secure.” Accordingly, after Opinion 477R, the ABA issued Formal Opinion 483. This opinion formalizes that there are two types of law firms: (1) law firms that have been hacked, and (2) law firms that will be hacked. Law firms tend to be excellent targets for hackers for two general reasons: (1) they possess highly sensitive information about their clients, and (2) the information in their possession is likely to be of interest to a hacker and less voluminous than that held by the client.

Unfortunately, data is not always protected by law firms. As lawyers, we weren’t taught in law schools to have a conversation about technology and how that technology might affect our representation of clients. However, cybersecurity and technology proficiency are vital foundations for competent representation (the latter of which I will write about in my next contribution). The ABA Model Rules of Professional Conduct have also undergone several changes, particularly those focusing on a lawyer’s technology proficiency and cybersecurity knowledge.

A lawyer must keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology. There is no ethical violation if a firm is hacked. The ethical breach occurs when no reasonable efforts are implemented to protect data. However, the term “reasonable efforts” is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors.

Below is a series of reasonable efforts you should consider to protect your client’s data and avoid a breach of your ethical duties as an attorney.

  1. Comprehend the infrastructure. To implement appropriate security controls and safeguards, you should understand the physical infrastructure (hardware), including professional and personal networks, computers, tablets, smartphones, other portable devices, IP-enabled video, cloud services, software programs, and backup services. If you need help, speak with someone on your firm’s IT team.
  2. Identify the type of data you are using. As a general practice, it is a good idea not to accept or request sensitive data that is not needed for one’s work and not to share data with anyone who does not similarly have a need for it.
  3. Consider industry standards. Feel free to use and adopt comprehensive technical measures for cybersecurity practices and policies used in the legal tech or technology industry. For example, the United States National Institute of Standards and Technology (“NIST”) suggests that passwords should be based on unique passphrases, at least eight characters long.
  4. Implement access control policies. Law firms should establish rules for how their lawyers create strong passwords, how to store them securely, how often they must be changed, restrictions on sharing passwords, what should be password-protected, and what should additionally require multi-factor authentication. Personally, I use a password manager (1Password) with a strong “master password” and two-factor authentication for every login.
  5. Encrypt data in transit. Most email and cloud services protect messages and documents with a basic security layer (i.e., passwords). However, this is not full end-to-end encryption[1]. To minimize risk, consider using a reputable, commercial virtual private network and using only websites that employ HTTPS. Furthermore, depending on the sensitivity of the data, specific documents or folders should be encrypted before they are transmitted.
  6. Consider encrypting data in the cloud. Consider encrypting data before it is uploaded to a file-sharing or cloud storage service. This provides the significant advantage that even if the service itself suffers a security breach, the user’s data should remain inaccessible to the intruder.
  7. Use encrypted messaging applications. Text messaging has been around since the dawn of cellular technology. However, text messages are not encrypted, meaning the contents of each message are viewable by mobile carriers and governments and can even be intercepted by hackers. You should consider using end-to-end encrypted applications such as Signal, WhatsApp, Wire, and Telegram, which make sent messages near-impossible for anyone other than the recipient to read.
  8. Avoid public networks. Avoid unprotected use of public internet networks in hotels, airports, or offices. Public Wi-Fi networks may provide hackers with access to unsecured devices on the same network, allow them to intercept password credentials, or to distribute malware. Instead of public networks, it may be preferable to use personal cellular hotspots or a reliable virtual private network (VPN) service.
  9. Use professional, commercial products and tools. Avoid free or consumer versions of products and tools. Business and professional (or “enterprise”) versions of the same tools are frequently available at minimal cost and generally include more robust security protection. For example, the iOS Mail app has exhibited security flaws in the past that made it vulnerable to hackers. Thus, you should consider encrypting all emails, or use apps like ZERØ.
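Item 3 points to NIST guidance on passphrases and item 4 to firm-wide password rules. The following is an added example, not code from this article or from NIST, showing how a firm’s IT team might turn that guidance into an automated check. It goes slightly beyond the eight-character minimum quoted above and follows the rest of NIST SP 800-63B’s advice for user-chosen secrets: accept long passphrases, impose no “must contain a digit or symbol” composition rules, normalize Unicode before measuring length, reject entries found on a blocklist of common or compromised passwords, and reject repetitive or sequential strings and context-specific words (the firm’s or lawyer’s name). The blocklist and the passphrases shown are constructed samples; a real deployment would use a large list of known-compromised passwords.

```python
"""Passphrase acceptance check modelled on NIST SP 800-63B (added example)."""
import re
import unicodedata
from typing import Iterable, List

MIN_LENGTH = 8    # NIST SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64   # verifiers must accept at least 64 characters

# Constructed sample blocklist. A real one is far larger (breach corpora,
# dictionary words, firm-specific terms) and is compared case-insensitively.
COMMON_PASSWORDS = {
    "password", "password1", "123456789", "qwertyuiop",
    "letmein123", "welcome1", "iloveyou", "lawfirm2020",
}


def normalize(passphrase: str) -> str:
    """Apply NFKC normalization so look-alike characters (e.g. full-width
    letters) are measured and compared in their canonical form."""
    return unicodedata.normalize("NFKC", passphrase)


def is_repetitive_or_sequential(s: str) -> bool:
    """True for strings such as 'aaaaaaaa' or '12345678' / 'hgfedcba'."""
    lowered = s.lower()
    if len(lowered) > 1 and len(set(lowered)) == 1:
        return True
    # Ascending or descending runs of consecutive code points.
    steps = {ord(b) - ord(a) for a, b in zip(lowered, lowered[1:])}
    return steps in ({1}, {-1})


def check_passphrase(passphrase: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons a passphrase is rejected; an empty list means it
    is acceptable. No composition rules are applied: length and the
    blocklist carry the weight, as NIST SP 800-63B recommends."""
    reasons: List[str] = []
    p = normalize(passphrase)
    if len(p) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(p) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = p.lower()
    # Also compare with spaces and punctuation removed, so "pass word" is caught.
    stripped = re.sub(r"[\s\W_]+", "", lowered)
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        reasons.append("appears on the blocklist of common passwords")
    if is_repetitive_or_sequential(p):
        reasons.append("repetitive or sequential characters")
    for word in context_words:
        if word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


def is_acceptable(passphrase: str, context_words: Iterable[str] = ()) -> bool:
    return not check_passphrase(passphrase, context_words)


if __name__ == "__main__":
    # Constructed sample inputs; the firm name is a hypothetical context word.
    for candidate in ["correct horse battery staple", "Password1", "12345678",
                      "Duarte Law Firm 2024", "short"]:
        verdict = check_passphrase(candidate, context_words=("Duarte",))
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The check rejects on length, blocklist membership, trivial patterns and context words only; it deliberately does not demand mixed case or symbols, because NIST found such rules push users toward predictable substitutions without adding strength. Pair it with a password manager and multi-factor authentication, as item 4 describes, rather than with forced periodic rotation.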

Times have changed, especially in the realm of technology and its many evolving manifestations that have become widespread in the legal profession. Laptop computers, smartphones, social media, cloud storage, and video conference calls have become prevalent.

Lawyers should take steps to understand how to use reasonably secure communication methods with clients. In a digital world with ever-increasing cybersecurity threats, lawyers will continue to have an ethical duty to protect clients’ data and to maintain technological proficiency.


Mauricio Duarte

Mauricio Duarte is an International Associate at A2J Tech Store with a J.D. from Universidad Francisco Marroquin (Guatemala) and an LL.M. in U.S. Law from the University of St. Thomas (Minnesota).