Lawyers Can’t Be Luddites

By Bill Kammer

Published: November 19, 2014
American Bar Association

Many of us probably chose law school because we didn’t like math. That hasn’t changed. But the profession is changing, and the changes are rapid. Until the mid-nineties, you could only send email to others on the same network. AOL was then the largest network, but it did not connect its customers to the outside, the “Internet,” until 1995. Nothing would ever be the same. In 1997, two Stanford students registered the domain name “google.com.” Google grew in several directions, and in 2007, Gmail went public. Today there are about 450,000,000 Gmail accounts. Times have changed.

Cybersecurity should be a current concern for every lawyer. We owe our clients a duty to preserve their confidences, and we hold vast, untold amounts of client information on our systems and servers. We store some of it in the “cloud,” and we even have the confidential documents of litigation opponents within our domains. Yet, our profession has been identified as particularly vulnerable to hackers and intellectual-property thieves. Clients have worked to tighten up their defenses, and we must do the same.

The thief does not have to be the Chinese military to threaten our defenses. The special agent in charge of the FBI’s relevant office in New York recently allowed that hundreds of law firms are being increasingly targeted by hackers. Sometimes the invader will be an unethical competitor; sometimes it’s a bored teenager with a home computer.

The weakest link in any law office’s security may be us, its professionals and our employees. Short, simple passwords are always a concern. Any password of fewer than 12 varied characters represents unnecessary risk. Test the ones in use by visiting Stan Gibson’s Password Haystack site and quickly determining how vulnerable they may be. Add a few more characters and observe the increased difficulty a hacker might face. Does your office or firm have a password policy? When was it last reviewed?
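The exercise described above (add a few characters and watch the difficulty grow) can be reproduced offline with the short Python sketch below. It is an added example, not code from the article or from any password-testing site. The reading of “varied” as at least three character classes, the guess rate, and the sample passwords are all assumptions made for illustration.

```python
import string

# Character classes over printable ASCII (26 + 26 + 10 + 33 = 95 characters).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}
MIN_LENGTH = 12            # the article's threshold
MIN_CLASSES = 3            # assumption: what "varied" means here
GUESSES_PER_SECOND = 1e11  # assumption: a fast offline guessing rate


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return sorted(n for n, chars in CLASSES.items() if set(password) & chars)


def search_space(password):
    """Count every string of length 1..len(password) over the classes used."""
    alphabet = sum(len(CLASSES[n]) for n in classes_used(password))
    return sum(alphabet ** k for k in range(1, len(password) + 1))


def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case brute-force time in years at the given guess rate."""
    return search_space(password) / rate / (365 * 24 * 3600)


def policy_problems(password):
    """Reasons the password fails the length/variety policy (empty if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} < {MIN_LENGTH}")
    if len(classes_used(password)) < MIN_CLASSES:
        problems.append(f"only {len(classes_used(password))} character classes")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ["tiger", "Tiger2014", "Tiger2014!xq", "Tiger2014!xq#Rm"]:
        print(f"{pw!r:20} space={search_space(pw):.2e} "
              f"years={years_to_exhaust(pw):.2e} problems={policy_problems(pw)}")
```

The figure is a ceiling for blind brute force only: a password built from dictionary words, names, or dates falls far sooner than its length suggests, so a policy review should also screen against lists of common passwords.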

Another concern must be the propensity of some people to download documents, open files attached to suspect email, visit dangerous sites, or click on malicious links. Only education and training can minimize the risk that a single employee can compromise our servers and systems and our clients’ confidential information. If our staff uses computers, and those computers are connected to a network, we must train the staff to minimize risks and avoid malware, shark phishing, and hacking. A defense chain can be no stronger than its weakest link.

Recent reports highlight another risk that lawyers and law offices might confront. All of us have used USB or thumb drives for years to move files and data or to access them during travels. We plug them into the computers at our destinations or in our hotels. We will never know what malicious software might be on that computer, just waiting to transfer itself onto our thumb drive. When we get back to the office (or our home) and plug it into our computer, we face the risk that the malware has now deposited itself into the midst of confidential information and will now wreak its intended havoc.

We must also pay attention to the mobile devices used by attorneys and staff. Ninety percent of American adults have a mobile phone, and more than half of those are “smartphones.” Do they remotely connect to the office servers or computers or to the email accounts? Commonly, those devices, mobile phones and tablets, are the property of the individuals, and our offices are basically following a bring-your-own-device (BYOD) policy. The single most important thing is to make sure that everyone locks those devices with a four-digit passcode to protect the information and data on them. Also insist on the ability to track a phone using “Find my phone” applications and the right to “wipe” any lost or stolen device to protect confidential information.

Finally, many attorneys and their staff also use “cloud” storage such as Dropbox, OneDrive, and Google Drive to move documents from place to place or to provide remote access. If those stored documents are confidential, we must protect them with robust passwords and appropriate encryption. If we also use those storage locations to receive files and data from clients and opponents, we must take certain precautions before downloading and examining them. At a minimum, include virus scans as a necessary precaution and pay particular attention to “zip” files before harvesting their contents.

None of this rises to the level of rocket science, but all of it implicates the considerations of competency and confidentiality owed by all attorneys to their clients. See the comments to Rules 1.1 and 1.6 of the ABA’s Model Rules of Professional Conduct. Attorneys have no choice but to confront these realities and to modify their practices accordingly.