Practicing Law Securely — To Be Aware: Look Both Ways (Before Clicking)
People are not nearly as careful as they should be when accessing, sharing, recording, transmitting, and receiving confidential information and documents.
12 December 2014
Crossing the Street
I grew up learning to be a safe and secure pedestrian by looking both ways before crossing the street. As this now charmingly antiquated New York City Public Service Announcement from 1968 warned me, “Cross at the Green, Not In Between.” Without hesitation, we lock and alarm homes, cars, and bicycles. In our law offices, we have locked doors, cabinets, and safes to protect confidential documents and records, and we work in secured and monitored buildings.
I fear we are not nearly as careful when we access, share, record, transmit and receive confidential information and documents. We lawyers may not meet the standards of care exercised by our clients and colleagues when we handle information protected by law, including personal information, financial, transaction, and health information. The urgency of this risk has the eye of the Treasury Department, as reported in The New York Times on October 21, 2014.
The difficulties are real. Crossing the street, we can at least see and hear oncoming traffic. Our computer data and documents can be stolen or destroyed with barely a sight or sound. Just read the TribLive News article about the dangers of hacking.
Data security “accidents” can hurt much more than their immediate pain.
I lost my (smartphone / tablet / laptop)! Again! Laptops, tablets, and smartphones serve as a portal into the wider firm network and can carry rich collections of confidential client documents, email, messages, contact information, and even personal identity information (such as health and financial records).
Reports by HHS, required by the HITECH Act (42 U.S.C. §§300jj et seq.; §§17901 et seq.), compile data security breaches of health care information. In 2014 alone, lost or stolen laptops resulted in reported data breaches affecting up to hundreds of thousands of people.
Mobile devices also contain the identities, passwords, and locations of the systems and servers that support our practice. If a device is lost, unknown parties may be able to open the secure lock we thought protected our confidential client data and documents. We must use passwords far stronger than “123456” or “password” (the number one and two Worst Passwords of 2013, respectively) to protect our information. Fingerprint security or other multifactor authentication methods on newer devices offer safety and reassurance. Mobile devices must also be configured so their data and documents can be wiped remotely when lost or stolen. The newest capabilities of Information Rights Management, to be explored in a future post, can allow for remote wiping of individual documents.
Look before you click. We are flooded by email messages and websites from evildoers masquerading as legitimate. Watch Consumer Reports’ tuneful “Gone Phishing” as a reminder to be careful, vigilant, and thoughtful when viewing email and websites. Do you know the sender of the message? Did you go to the website yourself or follow a link?
Hover over a hyperlink and look carefully at the name of the linked site. If it is not completely familiar to you, or if you have any doubt at all, don’t click!
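The “hover and look” check above can also be done mechanically over the links in a message. This added example (not from the original post) parses a constructed email body and flags any anchor whose visible text names one site while its href actually points somewhere else; the domains in the sample are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample email body (hypothetical domains): the first and third
# links show one site name but lead to a different host.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="http://login.example-bank.test.evil.example/verify">https://www.example-bank.test/login</a>
<a href="https://www.example-bank.test/help">Help center</a>
<a href="https://192.0.2.10/update">www.example-bank.test</a>
"""

# Finds a domain-looking string (optionally with scheme) inside visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in the HTML."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def site_name(host):
    """Crude 'name of the linked site': the last two labels (an approximation,
    no public-suffix list). A raw IP address never matches a named site."""
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html):
    """Return hrefs whose visible text names a different site than the link's real host.
    Links with plain-word text (e.g. 'Help center') have nothing to compare and are skipped."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = DOMAIN_RE.search(text)
        if shown and site_name(shown.group(1)) != site_name(urlparse(href).hostname or ""):
            flagged.append(href)
    return flagged
```

Links whose text is ordinary words are not judged here; for those, the hover check on the actual href host is still the rule.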
“It’s a Trap.” As Admiral Ackbar famously warned in Star Wars, evildoers may entrap you before you have a chance to escape. Phishers’ spoofed email messages and websites have become better and better at imitating the real thing. Spear phishing targets individuals, with messages that appear to be addressed specifically to the reader — some may also appear to come from a trusted source. The massive data security breaches such as Target, Home Depot, and JP Morgan Chase have given the wrongdoers critical personal information with which more similar attacks can be perpetrated. The Target attack has been reported to trace back to malware-laced phishing at a vendor whose computers connected to those of Target.
Once someone clicks on the apparently valuable or valid link, the attacks begin. While phishers most often seek to capture personal information from their prey, for lawyers, I worry that phishers may seek to take or damage the lawyers’ data and documents. In “Practicing Law Securely — Be Aware,” I described the ransomware Cryptolocker. Though the original Cryptolocker ransomware was stopped, copycat attacks continue to appear, and they get even harder to prevent — such as Cryptowall and CryptoDefense. Encrypting documents for ransom, as Cryptolocker and its spawn do, can interfere with lawyers’ duty to represent their clients. Attacks that capture and transmit other data from their prey may compromise the confidentiality of the information that lawyers have a duty to protect.
On the Attack. 2014 should be called “The Year of the Data Breach.” Nearly every day brings news of another compromise of significant public data systems, with the evildoers harvesting identities and passwords. Tens of millions of accounts are hacked. It might appear that law practices are too small as targets compared to large retailers and financial institutions, and less fruitful for monetary theft. Yet the connection between law practice technologies and those of their clients creates a channel that may be exploited. Law firms are targets.
Attacks directed at law practices for their own documents and data have also been reported. Hackers have sought to undermine deals, steal from trust accounts, and steal business intelligence. The attacks are growing in sophistication, and techniques that may have started as state sponsored could spread. In 2011, Wiley Rein LLP was reported to be the subject of a hacking attack thought to be linked to the Chinese military. A December 1, 2014 New York Times article, based on a report from FireEye, describes an attack from a group called FIN4 focused on M&A information from biotech companies and their legal counsel.
Data breaches have a significant financial impact. A 2014 Ponemon Institute study estimated the costs of remediating data breaches to be in the range of $160 to $230 per record exposed.
Next Time: Safe Paths; Safe Havens
Understanding these risks can make us want to practice law with technologies and habits that follow safer paths, where we can work in safe havens.
My next blog posts will look to see whether that safety exists, and if so, where we can find it. We may need to focus on how data and documents can wear their own protective armor to keep information safe.
Robert L. Blacksberg Esq.
Bob’s experience spans more than two decades of technology leadership for lawyers, following a law practice that included partnerships at two Philadelphia law firms. Bob is principal of Blacksberg Associates, LLC and leads engagements with law firms in strategic technology planning and implementation, creates and delivers CLE training programs, and works with leading technology vendors to explain, promote and train leading-edge technology products for lawyers. An author and speaker, Bob has appeared at the International Legal Technology Association (ILTA) conference and on ILTA Roadshows.