Clients trust their lawyers with secrets. Depending on what kind of law you practice, those client confidences may be benign. Or they may be your clients’ darkest secrets that could land them in jail.
OPSEC stands for “operations security.” It’s the practice of identifying important information and taking thorough measures to protect it.
In the past, secrets usually stayed in lawyers’ heads or in paper files in a locked office. With the digitization of much of our lives, they’ve moved into our computers, our pockets, and the cloud. This is tremendously convenient, of course, but it also has risks. This series of posts aims to help protect your clients’ secrets—first by thinking through the threats, and then by securing your information with some of the best tools available today.
What’s Your Threat Model?
Before you rush to change your behavior, you first need to understand who your potential adversaries are, and then evaluate how much of a threat they each pose. Security professionals call this your threat model.
What Are You Protecting?
While thinking about your threat model, think first about what you are protecting. For lawyers, that’s client secrets and work product. This encompasses many things, including:
- Your email (copies of which are probably in the cloud, on your PC, and on your phone).
- Your client files, including those on your server or in your practice management software, and the papers strewn across your desk.
- Any other recorded communications with your clients.
Yes, opsec includes more than just digital security. You still need to lock the door to your office to prevent thieves from getting to your secrets the old-fashioned way.
Start by making a list of all the accounts and locations that might contain client secrets or work product.
Who Are You Protecting Against?
Depending on your practice area and clients—and now, your evaluation of smoke signals coming from the Trump transition team—your opponents could include opposing counsel, opposing parties, random hackers, the Chinese government, Russian organized cybercrime gangs, foreign intelligence agencies, or the federal government.
How Likely Is Each Threat?
Not all of these represent the same magnitude of threat, of course. Most US lawyers wouldn’t hack their opposing counsel (although a few astoundingly unethical ones will). This means that simpler measures will likely suffice. But if you’re suing a Russian state-owned gas company, or if you represent a high-level politician, you’ll want to worry more about advanced adversaries, and you should take different precautions.
The Ethics Angle
Of course, legal ethics rules require lawyers to keep client secrets confidential. The ABA Model Rules specifically mention the duty to prevent unauthorized access. Model Rule 1.6(c) says:
A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Despite some efforts toward giving this requirement more teeth, what’s “reasonable” has never been very clear. No matter what your rules say, what’s very clear is that if your client gets screwed because you got hacked, you’re going to have a bad time.
If you think through your threat model and use the tools in the next few posts, you’ll be doing way better than most lawyers. And if you need some help getting started on setting up a threat model, here is a free template to help you assess your risks.
Read the next post in this series: "Baseline Computer Security for Lawyers."