We’ve had a great response to an Above the Law op-ed here that outlined the kinds of skills lawyers will need as artificial intelligence increases its foothold in law firms.

The piece makes clear that without the right kinds of skills, many of the benefits of AI will be lost on law firms because you still need an engaged human brain to ask the computer the right questions and to analyze the results.

But too much passivity in the use of AI is not only inefficient; it also carries the risk of ethical violations. Once you deploy anything in aid of a client, New York legal ethics authority Roy Simon says, you need to ask:

“Has your firm designated a person (whether lawyer or nonlawyer) to vet, test or evaluate the AI products (and technology products generally) before using them to serve clients?”

We’ve written before about ABA Model Rule 5.3 that requires lawyers to supervise the investigators they hire (and “supervise” means more than saying “don’t break any rules” and then waiting for the results to roll in). See The Weinstein Saga: Now Featuring Lying Investigators, Duplicitous Journalists, Sloppy Lawyers.

But Rule 5.3 also pertains to supervising your IT department. It's not enough to let a salesperson convince you to buy new software (AI gets called software once we start using it). The lawyer or firm paying for it should do more than rely on the vendor's claims.

Simon told a recent conference that you don’t have to understand the code or algorithms behind the product (just as you don’t have to know every feature of Word or Excel), but you do need to know what the limits of the product are and what can go wrong (especially how to protect confidential information).

Beyond leaking information it shouldn't, what else about how a program works could affect the quality of the work you do with it?

  • AI can be biased: Software reflects the assumptions of the people who build it. You cannot tell in advance what a program's biases will do to its output; you find out by using it. This is a more advanced version of the old saying "garbage in, garbage out," but a related concept: a program makes thousands of decisions based on definitions a person supplied, either before the product came out of the box or during the machine-learning process, where people refine results with new, corrective inputs.
  • Competing AI programs do some things better than others. Which programs are best for Task X and which for Task Y? No salesperson will give you the complete answer. You learn by trying.
  • Control group testing can be very valuable. Ask someone at your firm to run a search for which you already know the correct results and see how easily they come up with what you know should be there. If their results are wrong, you may have a problem with the person, with the program, or both.

The person who should not be leading this portion of the training is the software vendor's sales representative. Someone competent at the law firm needs to do it, and if that person is not a lawyer, a lawyer needs to stay on top of what's happening.

[For more on our thoughts on AI, see the draft of my paper for the Savannah Law Review, Legal Jobs in the Age of Artificial Intelligence: Moving from Today’s Limited Universe of Data Toward the Great Beyond, available here: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3085263].

 

Well, another day, another email hacking story. This one involves the Bush clan, with reports that a hacker who goes by the name Guccifer accessed private emails and photographs, telephone numbers and addresses sent between members of the Bush family, including both former presidents. Among the data released are catty emails about Bill Clinton, photographs of the ailing senior Bush in the hospital, and a security code to one of the Bush homes. The Secret Service is investigating the matter.

We know that despite stories such as these, many of our clients and colleagues are unwilling to take more sophisticated measures to secure their email, some of which are detailed in our article on the General Petraeus scandal, "Lessons Learned." For example, they are still unwilling to encrypt their messages (see our entry "Why You Should Encrypt Your Data Now" for a primer on encryption). They fear that a service like 10 Minute Mail, which sets a self-destruct timer for messages and email addresses 10 minutes after a message is opened, is too extreme and impractical. Some even refuse to get off Gmail, even though Google admits that it scans email content for marketing purposes, a point Microsoft is happy to exploit in a new campaign to get people to switch to Outlook.

Short of deleting your Gmail account, what is the bare minimum you can do to make your Gmail communications more secure? A few simple adjustments would provide some peace of mind:

  • Google offers two-step verification at sign-in, which is a lot more secure than a password alone. First you enter your password, which should be long and unique, and then you enter a code delivered by text message, voice call or the Google mobile app. You can require the second step at every login, which we think is best, or at least whenever you sign in from a different computer. That way, if someone who has your password tries to sign in from another machine, the attempt stalls at the code prompt, and the code arriving on your phone tells you someone is trying to get into your account. Prefer the app-generated code where you can: a text message can be redirected if an attacker takes over your phone number. You can activate this feature under Accounts and then Security.
  • Google provides a list of your Last Account Activity that shows where and when your account was most recently accessed, including the IP addresses that most recently signed in. Look up the addresses of the connections you normally use (home, office) so you can recognize them in the list, and remember that your smartphone also accesses your account and that its address changes as it moves between Wi-Fi and the carrier network. The entry to worry about is one from a place or time you cannot account for. The Details link for this list is below your list of messages.

We have written before about the dangers of weak passwords on devices and online accounts, and we are strong proponents of fighting hackers with encryption. None of this should come as a surprise to knowledgeable online users. Yet, as the press enjoys pointing out, sometimes even self-professed tech geeks rely on easy-to-crack passwords, use the same password for multiple accounts, or never bother to change the default passwords their devices and accounts came with. Whenever one of these articles is published, you can virtually hear the echo of hands smacking foreheads as people realize they are guilty of the lazy practices hackers exploit. It stings to realize you are the low-hanging fruit identity thieves love to target.

What gets less coverage, however, is how often small business owners are the weakest link in an identity theft chain. Certainly big businesses have been called out for serious data breaches, including misrepresenting whether or not their data was encrypted. But, as it turns out, personally taking pains to protect against hackers and identity thieves can all be for naught if thieves are accessing your data through the smaller businesses you frequent: your favorite local restaurant, or the neighborhood Mom and Pop bookstore or boutique you proudly support. Take credit card terminals, for example: small businesses are especially vulnerable to the many ways hackers collect cardholder data from the terminals used to process sales.

Here are some ways small businesses can protect their clients' data from credit card terminal breaches:

  • Some credit card terminals ship with a default password and a default programming code that the merchant is supposed to change so that customers' card information stays secure. Needless to say, many never make the effort, or choose an easy-to-guess password, leaving themselves open to attack. Insert hand-smacking-forehead sound here.
  • Some businesses scrimp, buying bargain terminals instead of equipment from reliable vendors with more sophisticated security measures. This isn't to say trusted vendors never make bad equipment, but in security, as in almost everything else, you get what you pay for. Better to pay for equipment from a vendor with a solid reputation and track record, and reduce the likelihood of getting hit with the legal costs of a data breach.
  • Brazen hackers will walk into a store pretending to be a service technician sent to update or replace card terminals, and get handed access to the terminals. The devices are then doctored to leak cardholder data. This is akin to a phishing email that appears to be from your bank with a link to change the password on your online checking account. The takeaway: no bank or processor sends out a service person without notifying the business first. If a technician claims otherwise, show them the door, and confirm any scheduled visit by calling your processor at the number on your contract, not at a number the visitor gives you.
  • Sometimes a breach leaves clues. For instance, card data may be stolen by linking a terminal to an external network or device and funneling cardholder data over that link. Any sign of this kind of external activity is a massive red flag that cardholder data is being leaked. Vigilant business owners monitor their connections so they can see the traffic their devices generate, including whether any data is being sent to terminals or devices outside their network. If a leak is suspected, disconnect the affected terminals at once, preserve the equipment and logs for investigators rather than wiping them, and notify your payment processor and the local FBI office.
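The last point above, monitoring where the terminals send data, comes down to a simple rule: a payment terminal has exactly one legitimate place to talk to, the processor, so any other destination is worth an alarm. Below is an added example written for this page, not code from the original post or from any terminal vendor, that applies that rule to a connection summary of the kind a small-office firewall or router exports. The store layout (terminal subnet, processor range, back-office server) and the sample flows are constructed for the example; the 198.51.100.0/24 and 203.0.113.0/24 ranges are documentation addresses standing in for the processor and for an attacker's collection host.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection summary as a firewall or router would export it."""
    src: str        # source IP address
    dst: str        # destination IP address
    dst_port: int
    bytes_out: int  # bytes sent from src to dst


# Assumed store network (constructed for this example, not taken from any real deployment):
# the terminals sit on their own subnet and should only ever talk to the processor's
# gateway range and the single back-office server that collects end-of-day batches.
TERMINAL_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_DESTINATIONS = [
    ipaddress.ip_network("198.51.100.0/24"),  # stands in for the payment processor's gateway range
    ipaddress.ip_network("10.20.40.10/32"),   # back-office server
]


def is_terminal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in TERMINAL_NET


def is_allowed_destination(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_DESTINATIONS)


def suspicious_flows(flows):
    """Every flow in which a terminal sends data anywhere other than an allowed destination.
    The allowlist is deliberately strict: an unknown box on the terminals' own LAN is as
    suspicious as an unknown host on the internet, since a skimming device can sit in either place."""
    return [f for f in flows if is_terminal(f.src) and not is_allowed_destination(f.dst)]


def bytes_by_destination(flows):
    """Total suspicious volume per destination, so a slow and steady leak stands out."""
    totals = defaultdict(int)
    for f in suspicious_flows(flows):
        totals[f.dst] += f.bytes_out
    return dict(totals)


# Constructed sample export: normal authorizations and a batch upload, one terminal talking to
# an internet host outside the processor range, and one terminal talking to an unknown device
# that has appeared on its own LAN.
SAMPLE_FLOWS = [
    Flow("10.20.30.11", "198.51.100.7", 443, 2400),
    Flow("10.20.30.12", "198.51.100.7", 443, 2200),
    Flow("10.20.30.13", "10.20.40.10", 445, 18000),
    Flow("10.20.30.11", "203.0.113.45", 8080, 51200),
    Flow("10.20.30.11", "203.0.113.45", 8080, 49800),
    Flow("10.20.30.12", "10.20.30.250", 9001, 7300),
    Flow("10.20.40.5", "203.0.113.45", 443, 900),  # back-office PC browsing; not a terminal, so ignored here
]

if __name__ == "__main__":
    for f in suspicious_flows(SAMPLE_FLOWS):
        print(f"ALERT terminal {f.src} -> {f.dst}:{f.dst_port} ({f.bytes_out} bytes)")
    print(bytes_by_destination(SAMPLE_FLOWS))
```

The design choice is an allowlist rather than a blocklist: the owner does not need to know what attackers' servers look like, only what the processor's address range is, which the processor will supply. Anything else is an alert to act on, following the disconnect-and-notify steps above.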

Attorneys know that one of their primary obligations to their clients is to protect client confidences. Therefore great pains are taken to make sure that clients' highly personal information stays in safe hands. But what happens when attorneys are the ones passing along their own personal information? Unfortunately, lawyers are far less careful with their own confidential information than they are with their clients'.

For example, we recently attended a legal conference where a legal recruiter summarized how scrupulously she protects her attorney clients' information. She explained that in some instances she collects highly private financial data from attorneys she's trying to place, including tax returns. What amazes her, and us, is that these attorneys rarely ask for any assurance that their information will remain confidential.

For instance, these attorneys don't know that although the recruiter takes pains to protect their personal information by encrypting her computer, she eventually turns that data over to law firms and corporations without any assurance they will be as careful.

There are scores of instances where it’s necessary to turn over personal information to receive a service. But to do so without any effort to learn how that data will be used and protected is to relinquish responsibility for it. In this day and age that’s akin to just crossing your fingers and hoping for the best.

In other words, it’s just unacceptable.

Before you hand over personal information to a service provider, ask:

  • Access: Who will have access to that information?
  • Security: How will that information be protected?
  • Storage: Where will that information be stored?
  • Sharing: Will that information be shared with anyone?
  • Transit: How is that information transferred—Via mail? Email? A shared lockbox? Cloud computing?
  • Reasonable Efforts: What efforts are taken to protect the data in storage? And in transit?
  • Breach: What is the notification procedure in the case of a security breach?
  • Disposal: How is the information destroyed once it is no longer needed?

And the professionals who receive this information may need to consider how to protect themselves from liability for the misuse or loss of data. This can be done through contract terms with both clients and collaborators. For instance, the legal recruiter described above could require the following:

  • Consent: That clients consent to her sending their personal information to other parties.
  • No Liability: That clients agree not to hold her responsible if a party with whom she collaborates fails to take adequate measures to protect the data.
  • Reasonable Efforts: That her collaborators take reasonable efforts to protect the data.

When it comes to your personal information, don’t assume that because you’re a trained professional who mindfully protects your clients’ data, that others will do the same with yours. Ask questions, demand answers, and don’t turn over anything until you’re satisfied that you’re in safe hands.

Attorneys have a professional obligation to protect client confidences and communications, but technology has made this increasingly difficult. As a recent article in the Wall Street Journal, "Lawyers Vigilant on Cybersecurity," explains, lawyers face serious cybersecurity threats precisely because their clients entrust them with highly sensitive information. Criminal and state-sponsored hackers target law firms to gain access to confidential matters, especially those involving corporate mergers or acquisitions. Inside information of that kind can sell for millions, so tech-savvy criminals go after the weakest link: the lawyers with access to it.

There are no statistics on how many firms have been hacked: the FBI doesn't keep records on which types of businesses have been attacked, and law firms have been less than forthcoming about whether they've had security breaches, since admitting client information leaks would be far too damaging to a firm's reputation. Law-enforcement officials suggest, however, that law firms are increasingly the targets of cyberattacks, and as the Wall Street Journal article notes, the FBI has evidence of confidential business documents exfiltrated from law firms via such attacks.

Recently proposed changes to attorney ethical rules by the American Bar Association (ABA) also suggest that the profession sees security breaches as an industry-wide problem. Earlier this week the ABA Commission on Ethics announced that its proposed changes to the Model Rules include requiring lawyers to take proactive measures to protect their clients' information when using new technologies. The proposed edits say lawyers must guard against both "inadvertent and unauthorized" disclosures, in other words leaks from inside and hacks from outside a firm. They warn technophobes to abandon their Luddite ways, because lawyers now have a duty to "keep abreast of changes in the law,… including the benefits and risks associated with relevant technology." Claiming ignorance is simply not an excuse.

By putting the onus on lawyers, the ABA is acknowledging what those of us who study and track security breaches have been shouting from the rooftops for years: preventing security breaches is not just about technology; it’s about changing human behavior.  As the Wall Street Journal article makes clear, “the weakest link at law firms of any size are often their own employees.”

Other industries face similar problems. For example, a recent article on data breaches in the health care industry suggests that the epidemic of breaches of confidential health care information has more to do with human error than with IT shortcomings. As Larry Clinton, president and CEO of the trade association Internet Security Alliance, succinctly puts it, when it comes to data breaches, "[p]eople are the biggest problem." Consequently, Clinton predicts that breaches in hospitals and health care systems will only be prevented if these organizations treat them as a "human-resource management issue and not an IT issue."

In other words, phones don’t just go around leaking information. Email accounts don’t shoot off confidential messages at random.  Computers are not really out to get us.  These technologies become weapons in the hands of adversaries because users didn’t take the necessary precautions to protect their data.   

Moreover, despite what people usually assume, taking these precautions doesn't require a master's degree in computer science. In many instances, all that's called for is simple behavior modification coupled with a healthy dose of common sense:

  • Password protect your cell phone, tablet and laptop, and turn on the device's built-in encryption where it is offered.
  • Use a different password for every device and account, and make them long and random. No password is truly hack-proof, but a program like Kaspersky Password Manager can generate long random passwords and keep a running list of them so you never have to reuse one.
  • Don't use free Wi-Fi connections, since hackers use open Wi-Fi to eavesdrop on users' traffic. If you must, connect through a VPN and stick to sites that use HTTPS.
  • Don't click on links in text messages; doing so can install malware that logs keystrokes or even records phone calls.
  • Be suspicious of any email from an unknown sender that asks you to open an attachment or click a link; these so-called Trojan emails deliver software that retrieves data from your computer.
  • Invest in good computer security software, and for heaven's sake keep it updated and run scans on a regular basis. Otherwise it's like investing in an expensive home alarm system and refusing to set it before you go out.

The real key to security for cell phone communications, internet browsing and emailing is human behavior. Peace of mind will only come once people change how they act. For lawyers, that time may be sooner, rather than later.