In my previous column, I discussed how cyber liability is a serious risk management issue for lawyers, given our Rule 1.6 duty to maintain the confidentiality of client information. Given the high-profile cyber attacks against Target, Sony Pictures Entertainment, the United States Government, and the Ashley Madison website, many law firms may believe they are not big enough to be a target, or that they don’t have data that cyber criminals would find attractive. These law firms would be wrong on both counts.
Even though they don’t make headlines, law firms are increasingly becoming victims of cyber attacks because cyber criminals recognize that law firms are mostly unwilling or unable to take affirmative steps to protect the data they have. This data would include things like: client communications; client credit card transactions; client mailing and email lists; patient health or medical records; employee payroll records; business and personal financial records; marketing plans; and of course, privileged legal, tax, and financial communications.
One step a firm can take to protect client data would be to read the end user agreements for every vendor that has access to firm data. Firms that fail to read end user agreements increase their risk of professional liability. For example, you may be aware that Microsoft is updating to Windows 10. They are generously allowing users to update for free for a limited time. How many of you reading this column updated to Windows 10 after reading the lengthy user agreement? If you didn’t read it, you missed a very important term that impacts your duty of confidentiality. In a thoughtful and well-written LinkedIn post entitled “Windows 10 v. Rule 1.6,” Ryan Johnson, Co-Owner of Torus Fiduciary IT, a management services provider in Arizona whose primary focus is law firms (http://www.torusengineers.com), had this to say about the update:
Apparently, Microsoft is following in the footsteps of other “Big Data” mining companies and has gotten creative in their user terms and conditions. How creative, you ask? Well, apparently creative enough to give Microsoft ingress to virtually any and all data you may have or had access to while using their operating system! This ingress gives Microsoft permission to track your location, activities, browser history, and more importantly, READ YOUR EMAILS! Further, there does not appear to be a way for less sophisticated users to disable these settings. This is why it’s so important to be aware of what’s in that End User License Agreement.
The terms of the Microsoft agreement eliminate any expectation of privacy or confidentiality of client communications. Comment 17 to Rule 1.6 requires lawyers to “take reasonable precautions to prevent” the transmission of client communications to unintended recipients. If you are unable to disable the settings as Mr. Johnson suggests can be done, you have willingly compromised the confidentiality of your client communications.
Another way law firms can protect themselves is to be aware of the kinds of data breaches that can and do occur. Michael S. Flanagan is the Co-Founder and CEO of Big Data Insure (http://www.safelawsolutions.com), a company located in Chicago, Illinois, that provides cyber insurance, solutions & services exclusively to law firms. He explained that data breaches can occur when (1) a lawyer loses a laptop or smartphone that contains confidential client information; (2) the accounting department is tricked into sending funds to an unknown bank account; or (3) an email is opened that introduces malware into the system, which is then used to corrupt files or to extort ransom for the return of your files.
If you want to gain some insight into the damage that can be caused by a data breach or a cyber attack, look no further than the most recent cyber attack on the Ashley Madison website, a dating website for married people. First, the hackers threatened to expose all of the compromised data of some 37 million users unless the site was shut down. When the site was not shut down, the hackers dumped all of the data on the internet. While the embarrassment and humiliation of having your infidelity exposed would be damaging enough, the release of the contact and credit card information exposed users to identity theft and blackmail schemes.
Just because we have yet to find a way to stop cyber criminals doesn’t mean law firms should hold their hands up in resignation or defeat. There are at least 4 steps law firms can take to be more intentional in protecting firm data. The importance of reading all end user agreements with all vendors who have access to client and firm data was discussed above. Law firms should also conduct a risk assessment of their firms, and create and implement a cyber security policy. All firms should review their insurance policies to see if coverage is included for a data breach. It may be necessary to obtain cyber liability coverage because data is not considered tangible property and it may be excluded from a general insurance policy.
And finally, the next time you receive a suspicious email, please delete it.
This is a frustrating topic. First, I encourage everyone to make backups of their data and store them “off-network”. Typically, storing to an external hard drive and rotating those drives will work. This combats the ransomware attacks where a Trojan program starts encrypting all of your documents on the network and demands money to give you the key. This is happening, unlike a lot of the scare scenarios you hear about. These programs can compromise your backup disk if it is attached to the network.
The other things to be concerned about are laptops and mobile devices. It’s pretty simple and cheap (free) to encrypt a laptop. Consider VeraCrypt. I believe iPhones are encrypted by default, but it does no good if you don’t require passwords be used on the phones, and not the default 4-digit simple ones. Thankfully, newer phones have fingerprint authentication, which allows for having a complex password that you don’t have to key in because you use your fingerprint in its place. Also, encrypt and protect the computer that backs up the phones and click the box to encrypt the backup.
While I doubt most law firms really have that much data that is worth stealing, it still can be costly in dollars and reputation if your firm were to have a breach.