[BreachExchange] Cybersecurity Steps Every Lawyer Should Consider
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Jun 29 19:45:43 EDT 2017
http://www.jdsupra.com/legalnews/cybersecurity-steps-every-lawyer-should-52461/
All lawyers face technology threats, ranging from the inconvenient to
practice-threatening disasters. From unauthorized access, lawyers risk
having confidential information stolen, destroyed or made inaccessible.
Hackers might be thrill seekers, criminals seeking to monetize information
or denials of access, or state-sponsored attackers seeking intellectual
property. Cybersecurity, which includes computer system security, describes
the many steps that can be taken to protect computer users, including
lawyers, from these threats.
Legal ethics require lawyers to know enough about cybersecurity to protect
clients’ confidentiality and to practice law competently. In light of new
technology and evolving security concerns, and to guide lawyers regarding
the use of technology, the American Bar Association amended the Model Rules
of Professional Conduct. These technology amendments primarily changed
Model Rules 1.6 (Confidentiality of Information) and 1.1 (Competence). In a
state-by-state chart updated March 21, 2017, the ABA reports that 34 states
have adopted all or most of the model rules technology amendments and
another nine states are “studying” the amendments. Even for lawyers in a
state that has not adopted these amendments, ethics require enough
technological competence to protect clients’ confidentiality and require
basic legal competence.
So what are today’s cybertechnology risks for lawyers? Every lawyer should
consider password fundamentals, mobile security, avoiding scams and
computer system security. In the past, I have written about password
fundamentals and mobile security, and will address avoiding scams in
another soon-to-be-published article. This article focuses on computer
system security.
Cybersecurity Steps Every Lawyer Should Consider
To be competent, lawyers should plan ahead for technology risks. A lawyer
would make a mistake to assume that the risks of being hacked cannot be
significantly reduced. Hackers typically use bots to scan random computer
systems, looking for vulnerabilities to exploit. Hackers often go after the
low-hanging fruit — those who do not take steps and do not have a plan to
stop them.
A lawyer’s cybersecurity plan should include steps to avoid problems from
known vulnerabilities. But a plan should also include what to do if a
hacker is successful or other problems are not avoided. And that plan
should be periodically updated.
Foremost, a lawyer probably should hire a good computer security consultant
for the specifics on safeguards to protect entire computer systems. For
example, a lawyer should make sure that his or her computer system has
updated antivirus software and other security software, including a
firewall. Unless one is the rare lawyer with the technical skills and
background, finding someone with the expertise to help is advisable.
For interested lawyers, the ABA cybersecurity legal task force’s website
gathers numerous resources, including descriptions and links for
cybersecurity events, legislation and news. For example, the task force
webpage describes a two-day CLE event, the Second Internet of Things
National Institute, to be held May 10-11, 2017, in Washington, D.C., and
announces “Cyber Risk Management: How Lawyers, Corporations and Governments
Deal with Risks,” an Aug. 12, 2017, presentation at the ABA annual meeting
in New York.
For any lawyer, his or her cybersecurity plan should include reasonable
steps to make computer systems more secure and to limit vulnerabilities.
When identifying parts of a computer system to safeguard, a lawyer should
consider not only the vulnerabilities of servers, desktops and laptops, but
also tablets, smart phones, copiers, scanners or any other device that can
connect to a computer system. A hacker can gain computer access by taking
advantage of the vulnerabilities of any part of a computer system.
A lawyer should consider regularly updating software and replacing software
that can no longer be updated. For example, 10 percent of the lawyers
responding to the ABA’s 2015 legal technology survey report responded that
they still use Windows XP. Because Microsoft no longer supports Windows XP,
it no longer receives security updates. Windows XP still operates, but it
becomes more and more vulnerable to security risks and malware infections
as time passes.
For all electronic data (i.e., information), a lawyer should consider
whether the data should be encrypted. Encryption is the process of encoding
data so hackers cannot read it, but authorized parties can. Encryption
turns words into scrambled gibberish. Without the encryption key,
deciphering encrypted data is very difficult if not impossible.
A lawyer should also consider what data might need to be encrypted. A
lawyer should use an email program that automatically encrypts data when
sent. Another issue is whether to encrypt data at rest. Such encryption
complicates the user experience; encrypting all electronic information
interferes with using the information efficiently. Data taken out of the
office creates additional risks. When data relating to the representation
of a client is on a portable hard drive, a thumb drive, a mobile device, or
attached to an email, whether it should be encrypted requires thought and
depends on a number of factors. Many free encryption tools are available.
Another consideration is whether safeguards comply with the Health
Insurance Portability and Accountability Act and Gramm-Leach-Bliley Act.
Even if a lawyer does not represent healthcare providers or financial
institutions, he or she is likely to have medical and financial information
that raises similar confidentiality issues. One might also argue that all
confidential information, including attorney-client communications, should
be protected with the same or similar safeguards.
A lawyer should consider complying with regulations applicable to clients’
industries, as well as complying with concepts from industry-specific
regulations even if not practicing in that industry. For example, the New
York State Department of Financial Services (NYDFS) recently issued
cybersecurity regulations, effective March 1, 2017, for banks, insurance
companies and certain other financial service providers. These regulations
require, with varying dates, covered entities to take a number of steps,
including encrypting nonpublic information or using alternative
compensating controls, having a cybersecurity program, a cybersecurity
policy, and a chief information security officer, maintaining and retaining
for five years certain documents for an audit trail, and having written
policies or guidelines for third-party vendors.
Regular automatic backups of computer systems, kept separate from the main
computer systems, are another consideration. If hacked, a lawyer may need
clean backups to continue representing his or her clients. In anticipation
of natural disasters, a lawyer should also consider having such backups in
more than one location or at least geographically remote from the main
computer systems.
Another issue is whether lawyers should use the cloud. First, this cloud
has nothing to do with weather. Referring to “the cloud” means a computer
accessible through the Internet. A lawyer using the cloud stores data on a
computer owned by a third party. Because cloud computing places client data
on remote servers not in a lawyer’s direct control, the issue becomes
whether lawyers should store client information on the cloud.
According to an ABA webpage[2] that summarizes cloud ethics opinions, 20
states have considered whether a lawyer can use cloud computing and they
all advised yes, if reasonable care is used. Often, using a cloud vendor is
more secure than the lawyer’s own computer systems. A cloud vendor is also
likely to have better backup capability. If considering a cloud vendor, a
lawyer might ask or investigate the following questions:
How does the vendor safeguard data?
Are the vendor’s safeguards HIPAA and GLB compliant?
After data is deleted, can the vendor certify that it is destroyed?
How often does the vendor back up data?
Does the vendor back up data in multiple locations?
How stable is the vendor as a business entity?
Does accessing the lawyer’s data require proprietary software?
If the relationship ends, how is the data accessed and returned?
What confidentiality provisions are in the vendor’s standard contract?
Will the vendor agree to other confidentiality provisions?
In summary, when choosing a cloud vendor, a lawyer should consider whether
the data will be secure and backed up and whether he or she will have any
problems if and when the relationship with the vendor ends. When choosing
any other technology-related vendor, a lawyer should consider these same
concerns and many of the same questions discussed for a cloud vendor. The
ABA cybersecurity legal task force in October 2016 published a 27-page,
single-spaced “Vendor Contracting Project: Cybersecurity Checklist” to
assist lawyers in addressing information security requirements in their
transactions with vendors. The checklist addresses vendor selection, but
also risk assessment, due diligence and contract provisions. An appendix
also gives examples of the key areas the National Institute of Standards
and Technology has identified as ones that must be addressed in a
cybersecurity program.
Examples of cloud storage and sharing services include Dropbox, Google
Drive, Box, and Microsoft OneDrive for Business. According to a Legal IT
Insider April 2016 article urging network security administrators to block
Dropbox from corporate computer networks,[1] Dropbox is the most popular
cloud file storage and sharing service, with more than 300 million users,
including many lawyers. Whether Dropbox — even Dropbox for Business — is
secure enough for businesses has been questioned. It has been annually
reported[2] that Dropbox is the app that companies ban more than any
other. In 2016, Dropbox apparently responded to these concerns by
publishing “Dropbox Business security: A Dropbox whitepaper.”
Another computer system consideration might be what to do with computers
when they are no longer being used. Lawyers should be careful when
discarding computers, copiers and any other devices storing data. A
possible risk that might be overlooked is data on leased computers and
copiers. For example, the U.S. Department of Health and Human Services
reported[3] that Affinity Health Plan Inc. paid a fine of $1,215,780 for
alleged HIPAA violations after it returned multiple copiers to a leasing
agent without erasing the data on the copiers’ hard drives.
Finally, a lawyer should consider cyberliability insurance. Policies vary
widely with exclusions and riders that may or may not suit a particular
legal practice. Buyer beware. According to a February 2017 press release,
the American Bar Association has expanded its insurance offerings to
include cyberinsurance underwritten by Chubb Limited, and the policy
“includes cyber coverage for a firm’s own expenses, such as network
extortion, income loss and forensics, associated with a cyber-incident as
well as for liability protection and defense costs. The coverage can be
tailored to meet a law firm’s unique needs and also includes Chubb’s loss
mitigation services both before an incident and following an incident.”
Conclusion
As emphasized by the model rules’ 2012 technology amendments, an ethical
lawyer should have reasonable technological competence. A lawyer should use
good judgment, taking reasonable steps to have cybersecurity to protect his
or her computer system.