Practicing Law Securely — No More Attachments
How should lawyers be securely storing, transmitting, and sharing information? Here are some law information security best practices from Bob Blacksberg.
4 February 2015
There are too many dangers, too many traps. Nearly every day, a news feed searching for “cyber risks at law firms” brings another article (or two or three) to light. Phishing messages continue to show up in our email inbox (if they escaped the spam and antivirus filter). And Sony Pictures demonstrated all too well how much confidential and damaging information could leak in a security breach. Less publicized: more than two months later, the lost files and shut-down servers at Sony Pictures remain inaccessible while their tech team rebuilds and restores their systems.
The Law Society of British Columbia on December 31, 2014, warned of ransomware damage to a law firm’s files.
How can we lawyers respond? One way could be to stop attaching documents to unsecure email messages. Instead, include a link in the email to secured documents in secure places. When email messages link to secured documents in secure places, we gain protection for confidential and sensitive information.
If our clients do it, why can’t we? Our clients, especially those in health care and financial services, already work in this way. Shouldn’t their lawyers do the same? And if those lawyers do, why not all?
The Bad Guys are Not Reasonable
We lawyers craft standards for liability and professional responsibility based on reasonableness. Rule 1.6(c) of the American Bar Association’s Model Rules of Professional Conduct states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” (Emphasis added.)
Cyber criminals — reasonable? Hardly. Data destruction, extortion, exposure — all occurred during the Sony Pictures cyber-attack. Wired Magazine included these examples in The Biggest Security Threats We’ll Face in 2015. Safety for the documents and information of law practice may require radical thinking.
Email transmits documents and information outside the firewall, the protective wall of a law practice’s technology. Inside law practices, we protect documents, in secured systems, often restricting access in document management and other systems to those authorized to work on particular matters. Once sent outside the firewall, email messages and their attachments lose these protections, leaving their safety to the care and responsibility of sender and recipient, and the systems that transmit and receive the messages.
Outside our protected environments, email messages may be copied, redistributed and exposed through malicious software and other code. Cyber criminals can and have infected the chain of transmission of emails and other data by hijacking wireless access points and home routers. However, document-level protection, such as information rights management, could help protect content no matter where it travels — more on this later.
We need tools that capture outgoing email messages with attachments, encrypt and deposit the attachments in a secure, sharable storage location (call it a repository) and convert the attachment into a link. The recipient must either already have credentials to the repository (User ID and password) or the link can enable the recipient to have access to the repository, with access only to the linked document. Within the repository, the documents themselves should be encrypted. The repository should also offer information rights management, so access to the documents, whether inside or outside of the repository, can be terminated at any point.
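The flow described above, sketched as an added example that is not part of the original post: an outgoing message's attachments are moved into a repository, replaced by per-document links, released only to the addressed recipients, and revocable afterwards. The `store` dictionary, `BASE_URL`, and the function names are hypothetical stand-ins for a real repository, and encryption at rest is assumed to be done by that repository rather than shown here.

```python
import hashlib
import secrets
from email.message import EmailMessage
from email.utils import getaddresses

BASE_URL = "https://repository.example/d/"  # hypothetical repository address

def detach_attachments(msg, store):
    """Move attachments into store and return a message carrying links instead."""
    to = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    recipients = {addr.lower() for _, addr in to if addr}
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    links = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        token = secrets.token_urlsafe(32)  # unguessable, one per document
        name = part.get_filename() or "unnamed"
        store[token] = {"filename": name, "data": data,  # encrypted at rest in a real repository
                        "sha256": hashlib.sha256(data).hexdigest(),
                        "allowed": set(recipients), "revoked": False}
        links.append(f"{name}: {BASE_URL}{token}")
    if not links:
        return msg
    out = EmailMessage()
    for header in ("From", "To", "Cc", "Subject"):
        if msg[header]:
            out[header] = str(msg[header])
    out.set_content(text.rstrip() + "\n\nSecure documents:\n" + "\n".join(links) + "\n")
    return out

def fetch(store, token, user):
    """Release one linked document to a listed recipient until access is revoked."""
    entry = store.get(token)
    if entry is None or entry["revoked"] or user.lower() not in entry["allowed"]:
        raise PermissionError("access denied")
    return entry["data"]

def sample_message():
    """Constructed sample: a plain-text body with one small attachment."""
    msg = EmailMessage()
    msg["From"] = "lawyer@firm.example"
    msg["To"] = "Client <client@corp.example>"
    msg["Subject"] = "Draft agreement"
    msg.set_content("Please review the attached draft.")
    msg.add_attachment(b"constructed sample bytes", maintype="application",
                       subtype="octet-stream", filename="draft.pdf")
    return msg
```

Setting `store[token]["revoked"] = True` is the point at which access is terminated: the link in the delivered email stays the same, but `fetch` refuses it.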
Too Difficult? Perhaps Too Easy
Perhaps we have become addicted to “easy.” Many programs make attaching documents to email messages simple. Our writing, editing, storage, and email systems all invite us to attach files to email. What will make us (and our colleagues) change how we work? The headlines (and perhaps even these blog posts) raise the fear level. New work procedures should be motivated by positive goals (professionalism, client service) as much as fear and risk (exposure, malpractice liability). Recognize that changing work habits, like health habits, can be very difficult. We can learn from the guidance of health experts, “…any effort you make in the right direction is worthwhile, even if you encounter setbacks or find yourself backsliding from time to time.”
And Yet, Our Clients Already Live By These Rules
“No more attachments” is a rule that governs the work of our clients in the financial services and health care industries. For those in financial services, compliance with the disclosure limitations in FINRA has been enabled through secure email systems, in which documents reside on their servers and email only contains links. Clients must establish and confirm their online accounts, and then can open the linked documents only within the secure system. Their access, use, and download of the documents is tracked. The same discipline applies to documents shared by the medical world and governed by HIPAA.
We Already Know How to Do It
When our clients require it, we learn how to use links to documents instead of attachments to emails. We work in controlled document environments when we conduct due diligence investigations in deal rooms. Some of us send links to documents instead of the documents themselves within our practices to maintain the integrity of versions of a document stored and controlled by a document management system.
We Should be Ahead Instead of Behind the Security Curve
Some of our colleagues devote their practice to the protection of their clients’ data security. Others help defend clients from the consequences and liabilities for breach. The articles that appear about cybersecurity and law practice often tout the expanded, or even new cybersecurity practices at law firms. If we were to measure our practices by the standards we advise for our clients, would we pass? We can use their lessons to protect the security of our work and the information of our clients throughout our law practices.
Questions for Next Time: Balancing Risks, Untangling Confusion
Must we convert every email attachment to a link? If not, how do we choose? If our law practice uses an internal document management system, when do we use that and when do we use an external secure repository? Will there be too much confusion managing both?
More than enough to consider for the next post.
This blog and its contents are not intended to be legal advice. You should consult a legal professional for individual advice regarding your own situation. The information on this blog is not a substitute for legal advice.
Robert L. Blacksberg Esq.
Bob’s experience spans more than two decades of technology leadership for lawyers, following a law practice that included partnerships at two Philadelphia law firms. Bob is principal of Blacksberg Associates, LLC and leads engagements with law firms in strategic technology planning and implementation, creates and delivers CLE training programs, and works with leading technology vendors to explain, promote and train leading-edge technology products for lawyers. An author and speaker, Bob has appeared at the International Legal Technology Association (ILTA) conference and on ILTA Roadshows.