THE CYBER-ASSET INVENTORY
Every lawyer should make an inventory of each device used by the lawyers and their support staff. (Free templates are available for this purpose from several sources online, but you can easily create your own.) The list should include each computer and laptop, its owner, its user, and the make and model. If your firm uses mobile devices or tablets (e.g., iPads), those assets belong in the inventory too. Also record the internet service provider (ISP), the network hardware, and how it is configured. Do you have a separate guest Wi-Fi network? Who has Wi-Fi access? Is each network password protected? How often do you change those passwords?

The first purpose of this inventory is to see who has access to which devices, and whether all of those people actually need that access. Limiting access, and changing and hardening passwords, is a direct way to keep a disgruntled employee from copying files for others. For example, few employees should have access to accounting information or bank accounts. Wherever possible, limit access to the individuals who have a proven need to know.

The second purpose is to ensure you are backing up the information on all of those devices in case of a breach or malware infection. Seeing every device on one page gives you a checklist for confirming that each one has some means of regular backup, and it forces you to decide where those backups are kept and who has access to them. The overall goal is to harden every asset in your office, remove employee access where it is not necessary, and make sure the backups are actually running.
Weak passwords are the easiest way for an attacker to get at private information. This includes networks, Wi-Fi, email, and all the other accounts we are forced to use every day. The experts recommend using a password manager, which can generate a unique, very strong password for every account, so that the only one you need to remember is the very strong master password that unlocks the manager. As a general rule, when making passwords we are told to avoid dictionary words, foreign words, slang, IT jargon, and names associated with you. Use 12 or more characters, mixing upper- and lowercase letters, numbers, and symbols, and never reuse the same password on more than one account.
In our office, we are required to have 12-character passwords changed every 90 days. Further, we have dual authentication if we're logging in from another computer, which means every attempt to log in sends a multi-digit code to our cell phones to ensure we are the person logging in. It only takes another 20 seconds, but it gives us a great sense of security. Gmail and most providers will enable dual (two-factor) authentication for added security.
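The following PowerShell script is an added example, not part of the article: it shows both halves of the advice above, generating a password from the operating system's cryptographic random number generator the way a password manager does, and checking any candidate against the rules just listed (12 or more characters, all four character classes, and no dictionary words or names associated with the user). The forbidden-word list and the two weak sample passwords are constructed for illustration; in practice the list would hold a real dictionary plus the lawyer's, firm's, and family names.

```powershell
# Added example: password policy check plus a password-manager-style generator.
# The wordlist and sample passwords below are constructed, not real.

function Test-PasswordPolicy {
    param([string]$Password, [string[]]$Forbidden = @())
    $problems = @()
    if ($Password.Length -lt 12)            { $problems += 'fewer than 12 characters' }
    if ($Password -cnotmatch '[a-z]')       { $problems += 'no lowercase letter' }
    if ($Password -cnotmatch '[A-Z]')       { $problems += 'no uppercase letter' }
    if ($Password -notmatch '[0-9]')        { $problems += 'no digit' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $problems += 'no symbol' }
    foreach ($word in $Forbidden) {
        # Case-insensitive substring search, so 'Smith' is caught inside 'Smith2018!'
        if ($Password.IndexOf($word, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $problems += "contains '$word'"
        }
    }
    return $problems
}

function New-StrongPassword {
    param([int]$Length = 16, [string[]]$Forbidden = @())
    $alphabet = [char[]]('abcdefghijklmnopqrstuvwxyz' + 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
                         '0123456789' + '!@#$%^&*()-_=+[]{};:,.?')
    # Cryptographic RNG, not Get-Random, which is seeded predictably
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    # Rejection sampling: discard bytes >= $limit so every symbol is equally likely
    $limit = 256 - (256 % $alphabet.Length)
    do {
        $chars = New-Object System.Collections.Generic.List[char]
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) { $chars.Add($alphabet[$byte[0] % $alphabet.Length]) }
        }
        $password = -join $chars
        # Regenerate on the rare draw that lacks a character class or hits a forbidden word
    } until (@(Test-PasswordPolicy -Password $password -Forbidden $Forbidden).Count -eq 0)
    return $password
}

# Constructed list: a few dictionary words plus the user's surname and firm name
$forbidden  = @('password', 'welcome', 'summer', 'attorney', 'smith', 'smithlaw')
$candidates = @('Smith2018!', 'Welcome123456', (New-StrongPassword -Length 16 -Forbidden $forbidden))

foreach ($candidate in $candidates) {
    $issues = @(Test-PasswordPolicy -Password $candidate -Forbidden $forbidden)
    if ($issues.Count -eq 0) { "ACCEPT  $candidate" }
    else                     { "REJECT  $candidate  ($($issues -join '; '))" }
}
```

Run as-is, the script rejects the first sample for being too short and containing the surname, rejects the second for having no symbol and containing a dictionary word, and accepts the generated one. The point of the generator is that nothing about it is memorable, which is exactly why a password manager, unlocked by one strong master password, is the practical way to use such passwords.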
FORTIFY YOUR OFFICE NETWORK
In my CLE lectures, I humorously advise, "Don't let your 1-year-old set up your Wi-Fi." Sure, they'll do a better job than you will, but they won't apply the standards needed or change the manufacturer's default password. Always remember that the same rules apply to your Wi-Fi as to your email: generate a very strong password, restrict who and which devices may join, and select Wi-Fi Protected Access 2 (WPA2, or WPA3 where your equipment supports it) with AES encryption, never the older WEP or original WPA settings. Change the router's administrative password as well as the Wi-Fi password, and keep the router's firmware updated. Most importantly, make sure you have a guest network that is separate from your office network, so a visitor's device cannot reach your file server and printers. Most routers support one or more guest networks. Don't use a router that does not have separate guest network capability.
SIMPLE UPDATES TO YOUR COMPUTERS
Your office computers are a treasure trove for an attacker, and there are multiple routes in, from open network connectivity to targeted malware. (A recent report revealed that cybercriminals hacked an unnamed casino through an internet-connected thermometer in an aquarium in the casino's lobby.) Fortunately, there are a few key tools at your disposal to counter these threats, and you should enable them: automatic updates, antivirus/anti-malware software, and a firewall. Don't assume these easy protections have already been enabled. On Windows systems you can usually find them under "Control Panel > System and Security" (on Windows 10, also under Settings > Update & Security). Most newer computers also support "whole-drive" encryption (BitLocker on Windows, FileVault on macOS), which keeps a lost or stolen laptop from exposing client files. Check whether you have an encryption setting and that it is turned on, or ask your manufacturer.
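The checks in this section, and the inventory fields from the first section, can be gathered by a script rather than by clicking through Control Panel on every machine. The following PowerShell script is an added example and not from the article. It assumes Windows 10 or 11 with Windows PowerShell 5.1, run from an administrator prompt; the BitLocker cmdlet exists only on Pro and Enterprise editions, and Get-MpComputerStatus reports Microsoft Defender only, so a third-party antivirus product has to be checked in its own console. The backup column cannot be read from the machine and is left for you to fill in from your backup system.

```powershell
# Added example: one inventory-and-protection row per Windows machine.
# Run in an elevated Windows PowerShell 5.1 window on each computer.

$cs  = Get-CimInstance Win32_ComputerSystem
$os  = Get-CimInstance Win32_OperatingSystem
$row = [ordered]@{
    Hostname     = $env:COMPUTERNAME
    Make         = $cs.Manufacturer
    Model        = $cs.Model
    OS           = "$($os.Caption) $($os.Version)"
    LoggedOnUser = $cs.UserName
    # Local administrators can disable every protection below; the inventory should show who they are
    LocalAdmins  = (Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name) -join ';'
}

# Automatic updates: NotificationLevel 4 = download and install on a schedule
$au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
$row.AutoUpdates = if ($au.NotificationLevel -eq 4) { 'On' } else { "Off (level $($au.NotificationLevel))" }

# Antivirus: Microsoft Defender status; a third-party product shows as Off here and must be checked separately
$mp = Get-MpComputerStatus
$row.Antivirus    = if ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) { 'On' } else { 'Off' }
$row.AVSignatures = $mp.AntivirusSignatureLastUpdated

# Firewall: every profile (Domain, Private, Public) should be enabled
$fwOff = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }).Name
$row.Firewall = if ($fwOff.Count -eq 0) { 'On' } else { 'Off on: ' + ($fwOff -join ',') }

# Whole-drive encryption: BitLocker on the system drive (cmdlet missing on Home edition)
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $row.DriveEncryption = "$($bl.ProtectionStatus) ($($bl.VolumeStatus))"
} catch {
    $row.DriveEncryption = 'Unknown (BitLocker cmdlet unavailable on this edition)'
}

# Backup cannot be inferred from the machine; fill in from the backup system by hand
$row.BackupMethod = 'TODO'

$record = [pscustomobject]$row
$record | Format-List
$record | Export-Csv -Path "$env:COMPUTERNAME-inventory.csv" -NoTypeInformation -Append
```

Collect the CSV files from each machine into one spreadsheet and you have the inventory the first section asks for, with a column that immediately shows which computers have updates, antivirus, firewall, or encryption turned off. Re-run it periodically; a protection that was on last quarter may have been switched off since.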
BE WARY OF WEBSITES YOU VISIT
Always check that the address of the website you're visiting starts with "https", as that final "s" means the connection is encrypted, so no one on the network between you and the site can read or alter what you send. It does not mean the site itself is trustworthy: criminals obtain certificates for phishing sites too, so also confirm that the domain name is the one you expect before you enter a password or upload a document.
DEALING WITH CLIENTS
Most lawyers overlook this easy step during the client interview: always ask whether the client has special security needs. Will you be handling intellectual property or other specific information that requires enhanced cybersecurity? If so, how does the client want that handled? It is reasonable to tell the client that you will use special encryption software, but that they must either provide it or reimburse you for installing it. This important but overlooked step was discussed in depth in American Bar Association Formal Opinion 477R, published in 2017.
ABA FORMAL OPINION 477R
As technology advances, lawyers must determine whether it continues to be safe to send confidential information over the internet or whether additional security methods should be implemented.
The ABA restates the factors outlined in Comment [18] to Model Rule 1.6:
* The sensitivity of the information;
* The likelihood of disclosure if additional safeguards are not employed;
* The cost of employing additional safeguards;
* The difficulty of implementing safeguards; and
* The adverse effect of the safeguards to the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Upon consideration of these factors, lawyers are directed to consider using these seven steps to help guard against disclosure:
- Understand the nature of the threat. Consider the sensitivity of the client's information and the risk of cyber theft. If there is a higher risk, greater protections may be warranted.
- Understand how client confidential information is transmitted and where it is stored. Understand how your firm manages and accesses client data. Be aware that the use of multiple devices means multiple access points.
- Understand and use reasonable electronic security measures. Use reasonable protections for client data. This may include security procedures such as using secure Wi-Fi, firewalls, and anti-spyware/antivirus software and encryption.
- Determine how electronic communications about clients' matters should be protected. Discuss with the client the level of security that is appropriate when communicating electronically. If the information is sensitive or warrants extra security, consider safeguards such as encryption or password protection for attachments. Take into account the client's level of sophistication.
- Label client confidential information. Mark communications as privileged and confidential to put an unintended lawyer recipient on notice that the information is privileged and confidential. Once on notice, under Rule 4.4(b) (Respect for Rights of Third Persons), the inadvertent recipient must promptly notify the sender.
- Train lawyers and non-lawyer assistants in technology and information security. Take steps to ensure that lawyers and support personnel in the firm are trained to use reasonably secure methods of communication with clients. Also, periodically reassess and update security procedures.
- Conduct due diligence on vendors providing communication technology. Take steps to ensure that any outside vendor’s conduct conforms with the professional obligations of the lawyer.
At the very minimum, every law firm employee should be instructed on the nature of private information and admonished that the law requires that no such information leave the office in any form without the approval of the supervising attorney. In my own office, my longtime legal assistant knows that no matter how well she knows the opposing counsel, she must check with me before any private, sensitive information is transmitted or delivered from our client file.
THE STATE BAR OF TEXAS PDP-CLE JOINT RESOLUTION
The State Bar of Texas recognizes the critical nature of cybersecurity and the increasing importance of lawyers' duty to acquire knowledge and technical skills in these areas. On April 18, 2018, at the joint meeting of the State Bar of Texas Committee on Legal Education and the Professional Development Committee, the members in attendance jointly adopted a resolution acknowledging that:
WHEREAS, the practice of law is so inextricably intertwined with technology for the delivery of services, the docketing of legal processes, communications, and the storage and transfer of client information, including sensitive private and confidential information and other protected data, and further relating that "the continued competency of Texas lawyers to deliver services, communicate, and protect such information is dependent on technology skills and competency;" that the mission of CLE should include:
“… information on technology, technical skills, and the implementation required to operate in a manner which enhances the ethical and competent delivery of legal services, and the security of client information”
The Joint resolution further explains:
"… lawyers should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject,"
BE IT FURTHER RESOLVED: The above committees recommend that Texas Disciplinary Rule of Professional Conduct 1.01, comment 8, be revised as follows:
- Because of the vital role of lawyers in the legal process, each lawyer should strive to become and remain proficient and competent in the practice of law, including the benefits and risks associated with relevant technology. To maintain the requisite knowledge and skill of a competent practitioner, a lawyer should engage in continuing study and education. If a system of peer review has been established, the lawyer should consider making use of it in appropriate circumstances. Isolated instances of faulty conduct or decision should be identified for purposes of additional study.
RESOLVED and unanimously adopted this 18th day of April, 2018.
/s/ Xavier Rodriguez, Chair, SBOT CLE Committee
/s/ Cary L. Nickelson, SBOT PDP Committee
The resolution was considered by the State Bar Board of Directors and submitted to the Texas Supreme Court for consideration. On September 10, 2018, the court requested that the Committee on Disciplinary Rules and Referenda study the proposed amendment and make recommendations to the court.
The need to review and enhance your firm's cybersecurity is real. A healthy respect for the cleverness of hackers, together with the continuing fiduciary duty you have to protect client information, should result in good habits, good processes, and the relatively easy improvements to your office security described above.
Page 696 Texas Bar Journal October 2018