By Jill Schumacher, 14th Court of Appeals, and Adam Schumacher, CISSP, IT Operations & Security at FlightAware, LLC
The Internet is always on, always present, and lawyers almost always have access. The modern lawyer uses the Internet to communicate, research, and store massive amounts of data. Without the Internet, most law practices would grind to a halt. At the same time, cybersecurity threats have become increasingly prevalent, and lawyers of every breed know that cybersecurity matters to their practice. Translating that fuzzy background awareness into action can be hard, particularly for lawyers who do not have a background in Information Technology (IT). How should lawyers respond to the growing awareness that cybersecurity is important?
Lawyers can take some guidance from the rapidly changing ethical obligations relating to technology and cybersecurity. In the American Bar Association’s assessment, a lawyer’s knowledge of the skills and risks of various technologies reflects on the lawyer’s competence as a practitioner. Model Rule of Professional Responsibility 1.1 requires a lawyer to provide competent representation to a client. Comment 8 recently was revised to state:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
To date, Texas has not adopted a similar requirement that lawyers continually keep abreast of the benefits and risks associated with relevant technology. Texas ethics opinions have focused on whether a lawyer reasonably may use different technologies. For example, Ethics Opinion No. 648, published in April 2015, addressed whether the Texas Disciplinary Rules of Professional Conduct permit lawyers to communicate confidential information by email. In concluding that a lawyer ethically may communicate confidential information by email, Ethics Opinion No. 648 analyzes the technology, the concern that unauthorized individuals may gain access to the communication, the risks inherent in other forms of communication, and the expectation of privacy present in email based on laws making it a crime to intercept emails.
Though the ethics rules and opinions in Texas do not explicitly place the onus on lawyers to assess the risks inherent in different technologies, many states are moving to adopt broader requirements that more closely mirror the position of the American Bar Association. Similarly, many clients subject to security regulations and interested in the security of their data mandate that the lawyers they retain meet a higher standard than required by the rules governing professional responsibility.
Law firms of every size — from the biggest firms to solo practitioners — work with and store many kinds of confidential records of their own and their clients. Increasingly, individuals seeking unauthorized access to data have targeted a third party, such as a contractor or a law firm rather than the party that originated the data. Third parties are often the weakest link in the data security chain and often store the data in a concentrated form — in short, lawyers already have done a lot of the “doc review” for the individual seeking unauthorized access.
The 2015 breach of Mossack Fonseca has become a famous example of how even relatively small and obscure firms are targets for cyberattack. The breach resulted in millions of client documents, emails, database records, and other data colloquially known as the “Panama Papers” being leaked publicly. An analysis of the breach indicated that an unpatched webserver was the most likely entry point.
One response to learning that unauthorized individuals accessed law firm data by breaching an unpatched webserver might be to label the breach as an IT problem. A law firm with an IT security department should be able to expect that department to manage software patching and systems maintenance. (A solo practitioner relying on third parties to maintain and manage systems should ensure she is using third parties who reliably are patching and maintaining those systems.) Although lawyers should expect IT professionals to properly manage systems, cybersecurity is not simply an IT problem. In the case of Mossack Fonseca, the fact that so much data was so easily accessed from an internet-facing server suggests the firm as a whole was not adequately assessing the risks it faced and protecting the data with which it had been entrusted.
While IT professionals can provide access to technology, lawyers are in the best position to ensure their confidential information is stored securely. Lawyers can minimize risk by working with their IT professionals to locate where this information is stored, enumerate the risks to the data, and identify the necessary controls to protect it.
Many security threats that practicing lawyers face may bypass the IT department entirely. Although social engineering is one of the oldest security threats, it remains one of the most effective. The ubiquity of technology, like email, that removes or masks a person’s true identity has enabled sophisticated scammers to operate on an unprecedented scale. By default, there is no mechanism for validating or verifying the authenticity of a sender’s email address or name. Just as one could put any return address on an envelope and sign any name in the body of the letter sent through the postal service, so too could an attacker with an email they send.
Lawyers must be cognizant of the fact that an individual seeking unauthorized access might send an email that mirrors some of the most routine emails lawyers regularly receive without thought or question. While Ethics Opinion No. 648 might shield lawyers in Texas from ethical responsibility, awareness of these types of attacks is the best way to help prevent them. Lawyers should be involved in discussions with clients and other individuals in their law practice about ways to verify the authenticity of emails and provide alternate means for an email recipient to follow up on any communication that seems questionable.
Lawyers can implement many types of safeguards without becoming cybersecurity experts. Lawyers are not required to have degrees in IT fields. (Lawyers interested in learning more about cybersecurity can learn the basics by reading publications geared towards lawyers, such as The ABA Cybersecurity Handbook by Jill D. Rhodes and Robert S. Litt.) While lawyers may not have IT backgrounds, lawyers are incisive thinkers who often are required to work with experts in other fields. Lawyers can and should think critically about cybersecurity and engage with IT professionals. Lawyers need not become cybersecurity experts to safeguard client data. But, lawyers can go a long way toward improving the safety of their clients’ confidences simply by thinking about the data they possess and the ways they might minimize the risk of unauthorized access.