Cyber (in) Security
“Cyber (in) Security: Client Confidentiality in the Digital Age” by Ed Finkel was originally published in the May edition of the Illinois Bar Journal. It is republished here with permission.
The pathways for breaching client confidentiality — whether due to simple carelessness or inadequate security — continue to multiply as technology advances.
One Illinois attorney responded to a bad review on Avvo in a way that the ARDC said violated client confidentiality. Another uploaded to YouTube a video recording of his client involved in a drug transaction. A third disclosed to the state’s attorney that his client had (privately) changed his story in a case to say that he had, in fact, engaged in conduct that resulted in a felony murder charge.
“There are many recent cases where lawyers have found themselves in trouble because of their use of client confidential information in settings that might surprise people,” says Mary K. Foster, counsel to the Attorney Registration and Disciplinary Commission (ARDC) review board and lecturer on legal ethics at Northwestern University School of Law. “They can send unencrypted e-mail. They can use client information gained through conversations with the client, in ways that the client might not anticipate.”
Regarding these types of cases and other confidentiality-related matters — which can be related to the set-up of physical office space, in-office computer networks, and external services like the cloud — attorneys and their firms need to review Rule 1.6 of the Rules of Professional Conduct that covers confidentiality, says Nerino Petro, chief information officer with Holmstrom & Kennedy, P.C. in Rockford and before that a lawyer-technologist with the State Bar of Wisconsin.
“That’s kind of the foundation for where we need to begin,” he says. “Rule 1.6 applies to conversations we have in public, at the office, in electronic communication, with our data. There are certain levels of protection you can obtain, but then there’s another layer of complexity if you’re dealing with anything that may be covered by HIPAA or HITECH, or federal regulations like FERPA, which may have higher standards than what we may think is necessary based on the Rules of Professional Conduct.”
Allison Wood, a former ARDC litigator who’s now principal with Legal Ethics Consulting, P.C., sees two main concerns around confidentiality. “Attorneys must be mindful in taking the requisite steps to ensure the protection of client information when they utilize social media, and when they engage in advancing technologies to deliver legal services,” she says.
“Breaches most often occur when an attorney sends an e-mail communication to the wrong party; when they post client information on social media without the client’s consent; when they leave a laptop unattended and someone steals it or hacks into it; or when office mates leave copies of client documents on the shared copying machine,” Wood adds. “There just needs to be a mindfulness in the way the attorney manages his or her practice. They have to think before they post [and] consider their surroundings when they meet clients, or where they will work on client matters.”
Errors of Commission
Attorneys don’t adequately monitor their e-mail and social media behavior in part because they don’t understand that electronic communication leaves behind a footprint, Foster says. “I teach my students that e-mail equals ‘electronic eternal evidence,’” she says. “What you do online, there’s a record of it, just as if you were writing a letter to someone or stating it in a court transcript. We’ve become so accustomed to using the Internet and using these [online] tools; we sometimes use them in situations that violate our client confidences.”
In the example involving the bad Avvo review, the client had complained that the services provided in an employment discrimination case had been inadequate. In her response, the attorney “stated that the client had lost his case because he had engaged in a physical altercation with someone, which wasn’t in his initial [Avvo] review,” Foster says.
The ARDC reprimanded the attorney for violating client confidentiality in that response, which “might surprise lawyers, that they can’t respond that way,” she says. While an attorney can certainly mount a defense if sued for malpractice, “they can’t respond in a more informal setting,” even if the information they disclose is accurate.
In the YouTube case, the defense attorney had received the video recording from the prosecutor and uploaded it with the title, “Cops and Task Force Planting Drugs.” “He claimed he was trying to get a sense of whether the video actually showed the cops planting drugs,” Foster says. “He realized later that it showed the client purchasing drugs.” The client lived in a small town, and when the clip went viral around the town, “she wasn’t happy, understandably.”
In the felony murder case, the defense attorney initially said his client had an alibi and then disclosed the client’s change of story to the prosecutor, which he did not have permission to disclose, yet “argued that he was doing it on behalf of his client,” Foster says. The state’s attorney then charged the client with felony murder, and the attorney was found to have violated confidentiality rules. “In all of these cases…the lawyers didn’t necessarily have bad intent…,” she adds. But they were disciplined nonetheless.
Creating Secure Physical Space
Aside from cases in which attorneys take an active role in breaching confidentiality, Foster presents a second set of concerns revolving around errors of omission, starting with both physical and cyber security in-house and extending outward to the cloud.
Regarding physical office space and related firm policies, Foster poses a couple questions that she says attorneys and firms should be asking themselves. “Are hard copy documents secured properly?” she says. “Can client conversations be overheard from the waiting room?”
For Petro, concerns about physical office space boil down to “the little things,” such as “putting files away in your cabinets, not putting your server in open areas — I’ve seen break rooms where a firm has put their server — and not leaving [computer] passwords lying around.”
Lawyers and their firms are vulnerable to cyber attacks precisely because they think they’re invulnerable, Foster says. “To most lawyers, this sounds like the stuff of science fiction,” she says. “But it’s becoming a real concern. It should concern most lawyers, not only lawyers in large firms representing corporations in mega-deals but also small firm lawyers because increasingly, these lawyers are becoming targets for hackers.
“In that situation, it’s not the lawyer making a judgment error, but being a luddite and not understanding new technology,” Foster adds. “They can’t put their heads in the sand and think they’re safe from attack because they’re not.”
Attorneys and law firms have become targets for hackers because they maintain a lot of confidential client information in their records, such as financial details and Social Security numbers, often in electronic form, Foster says. “Just like anyone else, just like any other agency that keeps information on behalf of a client, you need to make sure you’re securing it properly,” she says. “It isn’t so much a disciplinary concern as it is a risk management concern for lawyers.”
Few cybersecurity-related cases have reached disciplinary boards like the ARDC, Foster says, but their potential to cause other kinds of trouble is rampant. “We’ve all heard about the possibility that the [National Security Agency] listened in on confidential lawyer communications,” she says. “The ABA wrote a letter last year to the NSA about concerns about NSA’s use of confidential attorney-client communications, that they might be spying.”
More broadly, “What we’re hearing is that it’s not uncommon these days for law firms to be targeted by hackers for private information, just like anyone is, just like citizens are,” Foster adds. “While you can never alleviate all possibilities of a breach, you can reasonably protect yourself with some planning.”
External and Internal Hackers
While intellectual property lawyers and those who handle corporate secrets probably understand the need for strict security measures, “the average lawyer probably spends far less time thinking about data and confidentiality risks,” Foster says. “All lawyers, however, should consider whether their client information is secure, whether it be from a cyber attack, an e-mail scam, or from an errant employee.”
To protect themselves and their firms, attorneys need to ask themselves another series of critical questions, Foster says. Regarding their own computer systems, “Should they encrypt their e-mail? Should they scrub their documents? Should they install [security] systems in their office to protect client matters?” she says. “Should they rely on outside [security] services? And how do they protect themselves from their own employees? How do they protect their employee information?”
There have been cases where employees have taken confidential information and misused it, Foster adds, and in some of those cases it’s been disgruntled or otherwise malevolent departing employees. “They take the laptop,” she says. “What if confidential client information is contained on those laptops?”
That leads to a set of policy questions, Foster says. “Do you allow employees to take home laptops, tablets, or firm cellphones?” she says. “What is your firm policy on the use of cellphones? Do you allow guests and clients to gain access through Wi-Fi while in the office? If so, is it secure? Are your clients’ identities protected?”
Attorneys who value their mobility away from the office have to be doubly careful, Wood says. “Generally speaking, the truly mobile attorney has to recognize that meeting with a client in an open public place does not lend itself to a secure confidential exchange,” she says. “Working on a laptop in a coffee shop could create a risk when you tap into the Wi-Fi of the coffee shop, which could mean anyone can see your files.”
Petro mentions some practical steps attorneys and their firms can take to secure their systems against hackers. For one thing, out-of-date hardware and software that’s no longer manufacturer-supported makes you vulnerable. “This is where a lot of lawyers fall down,” he says. “This is not a secure operating system. You’re going to have to keep your technology up to date.”
Attorneys and firms also need anti-virus, anti-malware, and firewall programming, as well as individual, secure log-ins and passwords, Petro says. “It’s all of these kinds of basic, due-diligence things that people overlook,” he says. “Everybody has to have their own user log-in, not ‘Worker 1’ and ‘Worker 2’ and everybody shares it. They need passwords. Systems need to lock down when they’re not at their desk. If a client comes in late, and their kids are running around, and the secretary’s work station isn’t locked, the next thing you know it has a virus because they’re playing on it.”
Passwords need to be changed on a “semi-regular” basis, at least annually, and ideally they should be no fewer than 12 characters, with upper and lower case letters, numbers, and special characters, Petro says. “The problem is, not every website supports that [length],” he says. “But the longer, the better.”
Password manager apps like LastPass generate random passwords and assign them to various sites, so that all you need to do is remember your password for LastPass itself. “Otherwise, you can’t keep track of everything,” Petro adds.
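As an added illustration of what a generator like the one Petro describes actually does, here is example code (written for this page, not LastPass’s own) that draws a password uniformly from a mixed character set with a cryptographic random source, enforces the 12-character, four-class rule quoted above, and reports the resulting brute-force search space. The character set and policy thresholds are assumptions taken from the article, not from any product.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
	"unicode"
)

// The four character classes the article's policy asks for (assumed set).
const (
	upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	lower   = "abcdefghijklmnopqrstuvwxyz"
	digits  = "0123456789"
	special = "!@#$%^&*()-_=+[]{};:,.<>?"
	charset = upper + lower + digits + special // 87 symbols
)

// MeetsPolicy checks the composition rule quoted in the article:
// at least 12 characters with upper case, lower case, digits and specials all present.
func MeetsPolicy(pw string) bool {
	if len(pw) < 12 {
		return false
	}
	var hasUpper, hasLower, hasDigit, hasSpecial bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsDigit(r):
			hasDigit = true
		case strings.ContainsRune(special, r):
			hasSpecial = true
		}
	}
	return hasUpper && hasLower && hasDigit && hasSpecial
}

// GeneratePassword draws n symbols uniformly from charset with crypto/rand.
// rand.Int rejects out-of-range draws internally, so there is no modulo bias;
// a naive "randomByte % len(charset)" would favour the first symbols of the set.
func GeneratePassword(n int) (string, error) {
	if n < 12 {
		return "", errors.New("policy requires at least 12 characters")
	}
	limit := big.NewInt(int64(len(charset)))
	for {
		var b strings.Builder
		for i := 0; i < n; i++ {
			idx, err := rand.Int(rand.Reader, limit)
			if err != nil {
				return "", err
			}
			b.WriteByte(charset[idx.Int64()])
		}
		// If a draw happens to miss a class, discard the whole password and redraw:
		// the result stays uniform over the policy-compliant set. Forcing a missing
		// class into a fixed position would make the output more predictable.
		if pw := b.String(); MeetsPolicy(pw) {
			return pw, nil
		}
	}
}

// EntropyBits is log2(len(charset)^n): the brute-force search space for a
// uniformly random password of length n. The class requirement trims it only slightly.
func EntropyBits(n int) float64 {
	return float64(n) * math.Log2(float64(len(charset)))
}

func main() {
	pw, err := GeneratePassword(16)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s  (%.1f bits, policy ok: %v)\n", pw, EntropyBits(len(pw)), MeetsPolicy(pw))
}
```

Twelve symbols from this 87-character set give roughly 77 bits; sixteen give about 103. The length matters far more than the composition rule, which is why Petro’s “the longer, the better” is the right emphasis, and why a site that caps length is the weak link rather than the generator.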
For those using outside contractors to manage their cloud services, Foster has another series of questions: “Have you chosen that contractor carefully? Does the contractor work with other lawyers? Do you know where data is stored? Have you completed an assessment of your risks within the last year? Do you have a system in place to detect a breach of security or a cyber threat? Do you have a plan in the event of a breach to remediate the damage? Do you regularly communicate your policies to all firm employees? To clients?”
Illinois does not yet have a governing ethics opinion on using cloud technology, which means that “it comes down to due diligence,” Petro says. He echoes Foster in suggesting that attorneys and firms check out the reputation of possible service providers, find out how they secure data and what steps they take.
But don’t be afraid of the cloud, Petro says. “Everybody’s like, ‘I can’t use the cloud, it’s too insecure,’” he says. “I don’t agree with that. You have to take reasonable precautions to ensure the confidentiality and security of your data. You can’t guarantee there’s never going to be a breach.”
A growing number of attorneys and firms are using cloud-based services, Petro says. “As a profession, we can continue to say, this is what our rules require [and stay away from the cloud],” he says. “The reality is that the rest of the world is passing us by and saying this is acceptable. We’re going to have to find some way to live in that world. That’s going to be the key.”
To keep data in the cloud safe, Petro suggests not using free cloud software like Dropbox, or at least using services like Sookasa or Boxcryptor that encrypt the data you upload into accounts like Google Drive. “Everybody uses Dropbox because it’s drop-dead easy to use. I understand that,” he says. “I use Sookasa, which is a paid product, with Dropbox. It’s HIPAA and FERPA compliant.”
“You’ve got to be encrypting your data if you put it out on the cloud, unless your service encrypts the data and you control the key,” Petro adds. “That’s the ideal situation,” and SpiderOak is among the services that do so. “At a minimum, you need to do due diligence, for folks providing the encryption of data, that keys are kept separately from the data and not stored on the same server. [Separate storage] decreases the likelihood that hackers will be able to get at everything.”
Aaron Brooks, partner at Holmstrom & Kennedy, says that encryption is perhaps the most useful single security measure one can take and suggests encrypting data at all phases of its existence: at rest, in transit, or at the end of its useful life.
“Encryption at rest refers to protecting the electronic storage medium upon which a unit of information resides. In other words, any place that electronic client information is stored should be properly encrypted,” he says. “Thus, laptop computers, tablets, phones, USB drives, and other places that can be used to store client information should be encrypted in a manner that complies with NIST and federal standards for encryption.”
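The arrangement Petro and Brooks describe, encrypting before upload so that the storage service holds only ciphertext while the key stays with the firm, looks like this in practice. The following is an added example written for this page in Go, not code from Sookasa, Boxcryptor, SpiderOak or any other product mentioned above; the object names and the sample memo are constructed. It uses AES-256-GCM, an authenticated cipher, so a downloaded object that was tampered with, renamed, or decrypted with the wrong key is rejected rather than silently returning garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Blob is the only thing that leaves the firm: a random nonce plus the AES-GCM
// ciphertext and tag. Nothing in it can decrypt itself; the key is stored elsewhere.
type Blob struct {
	Name       string // object name in the cloud store, bound into the tag as associated data
	Nonce      []byte
	Ciphertext []byte // ciphertext followed by the 16-byte authentication tag
}

// NewKey returns a fresh 256-bit key. The point of the exercise is that this
// byte slice lives in the firm's own key store (OS keychain, HSM, password
// manager vault), never on the server that holds the Blobs.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key before upload. A fresh random 96-bit nonce
// per object is required: reusing a nonce under the same key breaks both GCM's
// confidentiality and its authentication.
func Seal(key []byte, name string, plaintext []byte) (*Blob, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name))
	return &Blob{Name: name, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a downloaded Blob. It fails closed on a wrong key, a single
// flipped ciphertext byte, or an object that was renamed in the store.
func Open(key []byte, b *Blob) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(b.Name))
	if err != nil {
		return nil, errors.New("authentication failed: wrong key, tampered ciphertext, or renamed object")
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document; the matter number is hypothetical.
	memo := []byte("Privileged: client instructs counsel to reject the settlement offer.")
	blob, err := Seal(key, "matter-1234/memo.txt", memo)
	if err != nil {
		panic(err)
	}
	// What the provider, or anyone with read access to the bucket, sees:
	fmt.Println("stored:", base64.StdEncoding.EncodeToString(blob.Ciphertext))
	fmt.Println("plaintext words visible:", bytes.Contains(blob.Ciphertext, []byte("Privileged")))

	pt, err := Open(key, blob)
	fmt.Printf("decrypted with firm key: %q (err=%v)\n", pt, err)

	blob.Ciphertext[0] ^= 0x01 // simulate a tampered object
	_, err = Open(key, blob)
	fmt.Println("tampered object:", err)
}
```

Binding the object name into the tag is a design choice beyond what the article states: it stops an attacker with write access to the store from swapping two clients’ encrypted files for each other. The due-diligence question Petro raises maps directly onto this code: a provider that “encrypts for you” but holds `key` on the same server as the Blobs has only moved the problem, whereas a compromise of the bucket alone yields nothing but the base64 noise printed above.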
Encryption in transit refers to the movement of electronic data from one device to another, Brooks says. “For example, when transmitting data to and from a cloud-based storage service such as Dropbox, one should be able to observe that the browser is connecting via the standard ‘HTTPS’ secure communications protocol,” he says. “Alternatively, when transmitting sensitive information between private networks…a comparable secure mechanism, such as a VPN connection, should be used.”
Finally, at the end of a document’s or device’s useful life the device used to store electronic client information should be destroyed, Brooks says. “Attorneys can use reputable shredding services to destroy old devices such as hard drives and USB drives, and often these services will provide a certificate of destruction for the file,” he says.