4-Step Computer Security Upgrade
Learn to encrypt your files, secure your computer when using public Wi-Fi, enable two-factor authentication, and use good passwords.
“Tool or Trap?” by James W. Gayton & Greg Tolbert was originally published in the July/August edition of NW Lawyer. It is republished here with permission.
When it comes to using technology, it appears that common sense is a lot like Bigfoot. You hear people talk about it, but you don’t invest your own money looking for proof.
The legal profession and the practice of law — like many other professions and businesses — are undergoing profound transformative changes driven, in large measure, by rapid technology changes. Most lawyers will be impacted, including large multi-office firms who face greater competition for their services, small firms and sole practitioners who lack in-house IT staff but must file electronically and connect with clients, in-house counsel who face increasing cost pressures to rationalize their legal spending, and litigators who must address age-old disputes with the rules of civil practice and the modern realities of stored electronic information.
Before identifying some of the myriad ways in which lawyers can get into trouble with technology (as well as offering a few practical suggestions), let’s first scope the opportunity.
- As of 2012, every day, people create 2.5 quintillion (yes, that’s a word — just add 18 zeroes) bytes of data;1
- It is estimated that 90 percent of the data in the world today has been created in the last two years;
- Collectively, each day, people send approximately 145 billion email messages; and
- A great deal of this data either is stored on a mobile device or may be accessed remotely.
In short, there is a lot of electronic information out there that lawyers, along with almost everyone else on the planet, store, access, and use. Of course, that also means there is no shortage of opportunities for things to go horribly wrong. For example:
- Companies’ IT systems are attacked an average of two million times . . . per week;2
- Annually, travelers lose thousands of mobile devices at U.S. airports, including laptops, mobile phones, and portable data drives;3 and
- According to a recent study by a mobile security company, every 3.5 seconds, someone in America loses a cellphone.4 Usually, it occurs in a coffee shop. And if you live in Seattle, well, it stands to reason that it’s the number-two city for lost cellphones.
What to Do?
What is a lawyer to do? Well, according to the ABA Commission on Ethics 20/20 report in 2012, there are a couple of things.5
First, lawyers who wish to be considered competent (presumably, that’s most of us) should “stay abreast of changes in the law and its practice, [which] includes understanding relevant technology’s benefits and risk.” This doesn’t mean that lawyers must have a computer science degree. It does, however, mean that you cannot turn a blind eye to the technology-driven global economy; rather, lawyers must “remain competent in a digital age.”
Second, lawyers who wish to be considered ethical (again, presumably that’s most of us) should “take reasonable measures to protect a client’s confidential information from inadvertent disclosure, unauthorized disclosure, and unauthorized access, regardless of the medium used.” Lawyers, of course, are not required to guarantee digital security, but should take into consideration whether their information technology provides protection appropriate to the risk and the data entrusted to (or created by) them.
Today, in the 21st century (and more than half a decade past the introduction of the iPhone), attorneys must address the obvious tension between safeguarding client data and confidentiality on the one hand, and the business realities of data mobility and security on the other. For example, while technology is ever more ubiquitous and enables mobility, carries the potential for easier client communication, and places enormous resources into the palm of an attorney’s hand, it also escalates the risk that data (including client confidences) can be compromised — e.g., theft (hacking; stolen devices); loss (lost smartphone or tablet); and carelessness (unsecure connections; free email accounts where data is mined; corrupted via virus).
How to Get Into Trouble with Technology
Like anyone else, lawyers have a variety of ways to create trouble with technology. Space limitations preclude an exhaustive list, but the following examples are illustrative.
Email. Perhaps because of its easy availability, immediacy, and casualness, email continues to provide a target-rich environment for trouble. In the recent criminal action against certain leaders of the Dewey & LeBoeuf LLP law firm, the 106-count indictment references email messages alleged to provide evidence of concocting a scheme to cover a financial shortfall. One email bragged, “We kicked ass! Time to get paid.”6 Little wonder why the prosecutors included that. What is a mystery, however, is why anyone would write and send such an email.
Altering Documents. The advice that many parents use with their toddlers — i.e., “just because you can, doesn’t mean you should” — is also useful for attorneys. It should go without saying that altering documents and email messages — used in court — should have mental alarm bells going off. Not always. In King County Superior Court, a case had to be stayed while a party sought new counsel after their attorney acknowledged that he falsified a memo and emails before turning them over to plaintiffs in a nationwide class-action lawsuit.7 Similarly, this spring, U.S. District Court Judge Lewis Kaplan, in a 500-page opinion, blasted a legal team (who previously had “won” a $19 billion judgment in an Ecuadorean court) for their “egregious fraud” which included ghostwriting “independent reports.”8
Cellphones. It’s not 1990. We know you have a cellphone — it’s probably even a smartphone — with a quirky ringtone. But do you really need to take it to court to field your calls? Before mobile phones, would you ever have considered dragging a landline around with you and plugging it in regardless of where you happened to be? Increasingly, judges are getting fed up with cellphones in the courtroom and are sanctioning attorneys when their phones ring.
Zombie Counsel. Clients — just so you know — don’t like to be represented by zombie counsel. Quite the contrary. Clients expect their counsel to be present . . . in the moment. That means, quite often, that you should resist the temptation to mentally check out of meetings or court hearings to check your email, text messages, stock portfolio, or social media posts. While some may think that such behavior makes you seem busy or important, more seasoned clients (and counsel) will recognize you as a zombie counsel — there only physically and, during meetings, having an undue fascination for staring at your lap and making faces . . . er, checking your email on the sly. Some leaders now insist that meetings be device-free simply to ward off the zombies and actually get things accomplished efficiently.
Identity Theft. It does not matter if you are a lawyer. Lying (er, “pretexting” for those with professional degrees) to obtain records is not only poor form, it increasingly is illegal. For example, a pretexting scandal at Hewlett-Packard in 2006 (which was designed to obtain telephone records of HP board members) implicated the highest levels of the corporation, including its chairwoman and its general counsel, both of whom resigned.
Gadgets. There are many differences between super-spy James Bond and lawyers. While he has a license to kill, you have a license to practice law. Which you can lose. As counsel — subject to the Rules of Professional Conduct — you will want to remain mindful of these differences. Just because you have the ability to use technology and deceive people doesn’t mean it is prudent. Washington’s Court of Appeals recently ruled that Washington’s anti-SLAPP act does not protect a law firm and its attorneys who transcribed telephone calls with an opponent’s former employee without his knowledge from possible liability for invasion of privacy.9
Social Media. Hopefully, this is not news: People (including opposing counsel) read your Internet postings. That seems obvious, but counsel and their clients need to be mindful of that reality. Recently, a single Facebook post cost a family $80,000 when, following the post (which evidenced breach of a confidentiality agreement), a Florida court tossed out a settlement agreement. In that case, the daughter of the plaintiff took time to post that her parents “won the case against Gulliver. Gulliver is now officially paying for my vacation to Europe this summer. SUCK IT.”10
Data Theft. The conventional wisdom is that bank robbers rob banks because that’s where the money is. For at least a generation, however, some criminals have figured out that law firm data also is where the money can be found in the form of deal data. In one case, it appears that the Chinese government may have targeted several Canadian law firms in an apparent effort to derail a $40 billion acquisition.11 In another, a firm’s managing clerk is alleged to have accessed inside information about the firm’s clients as part of an insider-trading scheme.12 Also, it recently was revealed that hackers working for the Chinese military targeted one company for information useful in ongoing litigation.13 Failure to secure such data from malicious employees, cyber-attacks, or carelessness can cause drastic reputational damage as well as liability.
Practical Suggestions to Reduce the Opportunity for Trouble
Notwithstanding the large number of opportunities for trouble with technology, there are practical ways to reduce your risk. Again, these examples are not meant to be exhaustive. We’ve divided these tips into four categories.
Lawyers and their staff — on a daily basis — often deal with vast amounts of confidential or sensitive information. It used to be that the physical form of the data imposed obvious transaction costs that tended to minimize the potential for loss, theft, or corruption. However, digital data — which is now the vast majority of client data —is mobile and readily recordable at astonishingly low costs. Accordingly, the risk for loss, theft, or corruption is substantially greater and continues to grow. Client data and firm data, need to be safeguarded from loss, theft, and corruption. There are practices to address these risks:
Minimize. Obviously, you have no obligations for data you do not have. But because lawyers tend to squirrel away data, and online data tends to stay online forever, this strategy has limited application. But for those who wish to reduce risk and minimize security costs, it’s an option. Your records management practice should be disciplined and cognizant of changing technology.
Protect. Okay, you’re not going to minimize. We get it. Fortunately, there are strategies to reduce risk to the data that you retain:
- Use firewalls, current antivirus software, strong passwords, and other security measures.
- Practice safe data disposal — e.g., remove hard drives and memory devices from scrapped, sold, or swapped devices.
- For off-site data (e.g., cloud computing), use reputable providers, with robust data security and redundancy practices (and insurance).
- Back up your data — including the easy stuff such as networked computers as well as your mobile devices.
- Password protect sensitive documents and encrypt confidential information.
Keep Current. Technology evolves quickly. Although it is sensible to avoid the bleeding edge, it is important to stay abreast of changing technology (e.g., Boeing, for example, recently announced a high-security smartphone). Simply said, you shouldn’t just buy a Palm Pilot and fax machine and call it done.
Mobile devices (e.g., laptops, tablets, smartphones, data drives) and data mobility are inextricably connected. These devices, which enhance productivity, also present obvious risks. Accordingly, you will want to use security measures and data protection strategies:
Security Measures. Password-protect all mobile devices. Use encryption tools for sensitive communications.
Data Protection Strategies. You should minimize data storage on mobile devices and:
- Install and utilize data wiping technology to help manage risks pertaining to lost/stolen devices.
- Consider partitioning smartphones to segregate business and personal data and apps.
- Use tracking software to locate the device once it is connected to the Internet.
- Preclude installation of applications that may create security issues.
- Regardless of the temptation, don’t use your laptop (and its sensitive client information) as payment collateral with an alleged prostitute.14
- Use a firewall to reduce unauthorized access.
Data Breach Response Plan
As the number of cyber attacks increase overall, there is nothing to indicate law firms are immune, in fact, some consultants now see professional firms as likely targets for cyber attacks. While reducing vulnerabilities is important, law firms — like other businesses — also need to figure out how to respond to a breach.
Start (and End) at the Top. Make sure your organization’s leaders are aware of the risks associated with potential breaches. Educate them about best practices, your response plan, and provide periodic updates.
Know What Information You Have. Learn what is stored (personal information, health information, client trade secrets), where it’s stored (on premises, cloud), how it’s stored (encrypted or not), and who has access to it (internal IT, subcontractors, service providers). Answers to these questions will help inform the details of your plan.
Identify Response Team Members and Roles. Establish a team leader and specific members from different teams within your organization (executive, IT, HR, communications) and outline their responsibilities beforehand. For smaller organizations, consider selecting, after appropriate due diligence, an outside consultant in advance to perform tasks that can’t be staffed in-house.
Practice, Practice, Practice. Having a plan is a good first step. Making sure everyone with a role to play knows what to do and how to do it is the next. Regularly test your plan and consider, if you have the resources, inviting third parties to conduct an audit.
Technology consultants will tell you that users don’t properly evaluate technology risks (e.g., hard drive failure) until an event occurs, at which point they over-value the risk. Which is to say that individual behavior is difficult to manage and, quite often, is your biggest risk.
Educate. Those same technology consultants will tell you there is no firewall for stupid. Stated more kindly, you don’t know what you don’t know. The same is true for the people around you as well as your clients. You should make it a priority for you and your clients to appreciate the advantages as well as the risks of utilizing various technologies in your practice. Accordingly, you should consider:
- Regularly educating your staff and clients. A little bit of knowledge goes a long way — e.g., email guidelines, and data security best practices. As with data breach plan testing, this training should be an ongoing activity.
- Regularly update computer operating systems with the latest security protection or risk leaving a vulnerability in place for hackers to exploit, as was recently revealed at the Oregon Secretary of State.15
- Alert clients to the risk that forwarding your legal advice or updating their blog postings with it may waive the attorney-client privilege.
- Remind clients that — even though convenient — communicating with you on someone else’s equipment (e.g., the employer they may be asking you to sue) entails risk.
Use Common Sense. Unless you are a reality television star, data leaks don’t create value. Therefore, you will want to exercise common sense.
- Use private networks. Although handy (and free), public Wi-Fi lacks security for your mobile data.
- Avoid communicating with “free” email services and use encryption for sensitive information.
- Avoid third-party computers that may have key logging or viruses (e.g., the hotel business center).
- Use caution — e.g., thumb drives (even new ones) may come with pre-loaded malware. Don’t connect them to a device that does not have current anti-virus software.
- Scrub metadata before distributing documents.
Shift the Risk. As with any transaction, deal terms involving firm or client data should not be limited to price and a service description.
Try to avoid click-through agreements. Not surprisingly, these are not pro-consumer terms. Look for cloud service providers or third-party resellers who are willing to accept some risk for storing sensitive data.
Obtain cyber liability insurance (generally speaking, your comprehensive, umbrella, and E&O insurance likely will not cover cyber liability issues).
Today, we’re half a generation removed from the chatter about whether communication by cellphone or email-waived attorney-client privilege and what, precisely, needed to be included in sometimes shockingly long facsimile and email notices and disclaimers. The technology scolds notwithstanding, we’ve long left the days when one of the biggest risks to client confidentiality was leaving the file cabinet unlocked or leaving behind a deal sheet on a photocopier. Today’s technology enables users to have orders of magnitude greater data in their pocket . . . or left behind on a coffee counter. Accordingly, the need for common sense — and keeping abreast of technology — is even more urgent.
James W. Gayton is an experienced private and public sector attorney with extensive information technology experience. He can be reached at firstname.lastname@example.org.
Greg Tolbert is a member of the WSBA Editorial Advisory Committee and has helped build small and large e-commerce businesses. He can be reached at email@example.com.
Featured image: “Primary Japanese girl playing dodge ball” from Shutterstock.
See, e.g., “Data on Big Data” (July 18, 2013), www.marciaconner.com/blog/data-on-big-data. ↩
“Airport Lost & Found: Over 8,000 Laptops and Cell Phones Left at Major Airports,” Travelers Today (July 6, 2012). ↩
See ABA Commission on Ethics 20/20, www.americanbar.org/content/dam/aba/administrative/ethics_2020/20120508_ethics_20_20_final_hod_introdution_and_overview_report.authcheckdam.pdf. ↩
“Fallen Law Firm’s Leaders Are Indicted,” Wall Street Journal, B1 (March 7, 2014). ↩
See “Lawyer Altered Documents in Best Buy Case” (June 5, 2007), www.nbcnews.com/id/19056379, www.fuerstlaw.com/wp/index.php/07/lawyers-fired-bank-recants-testimony-after-it-is-discovered-that-bank-altered-document-used-at-federal-trial. ↩
Chevron Corp. v. Donziger (S.D.N.Y. 2014) [11-cv-00691 LAK]. See opinion at www.online.wsj.com/public/resources/documents/chevronruling.pdf. ↩
Dillon v. Seattle Deposition Reporters, LLC & Davis Wright Tremaine, LLP, and James Grant, Wn. App., No. 69300-0-1 (Div. 1, January 21, 2014). ↩
Gulliver Schools, Inc. v. Snay, 2014 WL 769030 (Fla Dist. Ct. App. Feb. 26, 2014). ↩
See “Prostitute Takes Laptop, Psychologist Loses License,” Seattle Times (Oct. 14, 2013), www.seattletimes.com/html/localnews/2022044490_lostlaptop