Lawyers and Cybersecurity: Preventing Breaches of Confidential Information
Attorneys have a professional obligation to protect client confidences and communications, but technology has made this increasingly difficult. As a recent article in the Wall Street Journal, “Lawyers Vigilant on Cybersecurity,” explains, lawyers face serious cybersecurity threats precisely because their clients entrust them with highly sensitive and classified information. Criminal and state-sponsored hackers target law firms to gain access to these confidential cases, especially if the information involves corporate mergers or acquisitions. In some instances, insider information could be sold for millions, and so tech-savvy criminals go after the weakest link—the lawyers with access to this sensitive data.
There are no statistics on how many firms have been hacked: The FBI doesn’t keep records on which types of businesses have been the subject of attacks, and law firms have been less than forthcoming about whether they’ve had security breaches. Admitting client information leaks would be far too damaging to a firm’s reputation. Law-enforcement officials suggest, however, that more and more often, law firms find themselves the targets of cyberattacks. As the Wall Street Journal article notes, the FBI has evidence of confidential business documents exfiltrated from law firms via cyberattacks.
Recently proposed changes to attorney ethical rules by the American Bar Association (ABA) also suggest that the profession sees technical breaches as an industry-wide problem. Earlier this week, the ABA Commission on Ethics announced that its proposed changes to the Model Rules include requiring lawyers to take proactive measures to protect their clients’ information when using new technologies. The proposed edits suggest that lawyers have to be more aware of both “inadvertent and unauthorized” disclosures—in other words, leaks from inside and hacks from outside a firm. These changes warn technophobes that they need to abandon their Luddite ways, because lawyers now have a duty to "keep abreast of changes in the law,... including the benefits and risks associated with relevant technology." In other words, claiming ignorance is simply not an excuse.
By putting the onus on lawyers, the ABA is acknowledging what those of us who study and track security breaches have been shouting from the rooftops for years: preventing security breaches is not just about technology; it’s about changing human behavior. As the Wall Street Journal article makes clear, “the weakest link at law firms of any size are often their own employees.”
Other industries face similar problems. For example, a recent article on data breaches in the health care industry suggests that the epidemic of breaches of confidential health care information has more to do with human error than it does with IT shortcomings. As Larry Clinton, president and CEO of the trade association Internet Security Alliance, succinctly points out, when it comes to data breaches, “[p]eople are the biggest problem.” Consequently, Clinton predicts that breaches in hospitals and health care systems will only be prevented if these organizations approach these breaches as a “human-resource management issue and not an IT issue.”
In other words, phones don’t just go around leaking information. Email accounts don’t shoot off confidential messages at random. Computers are not really out to get us. These technologies become weapons in the hands of adversaries because users didn’t take the necessary precautions to protect their data.
Moreover, despite what people usually assume, taking these precautions doesn’t require having a master’s degree in computer science. In many instances, all that’s called for is simple behavior modification coupled with a healthy dose of common sense:
- Password-protect your cell phone, tablet and laptop.
- Use different passwords for different devices and accounts, and make sure they are hack-proof. Programs like Kaspersky Password Manager can generate virtually hack-proof passwords and keep a running list of all your different passwords.
- Don’t use free Wi-Fi connections, since hackers rely on free Wi-Fi to eavesdrop on users’ conversations.
- Don’t click on links in text messages because doing so might activate malware that could log keystrokes or even record phone calls.
- Be suspicious of any emails from unknown senders that ask you to open attachments or click on links—these so-called Trojan emails will retrieve data from your computer.
- Invest in good computer security software, and for heaven’s sake, keep its settings updated and make sure to run checks on it on a regular basis. Otherwise, it’s like investing in an expensive alarm system for your home but refusing to set it before you go out.
The real key to security for cell phone communications, internet browsing and emailing is human behavior. Peace of mind will only come once people change how they act. For lawyers, that time may be sooner, rather than later.