Cybersecurity: Lawyers need a backup plan for their backup plan
Criminals are growing more sophisticated, and backing up data, while a good idea, is not always successful
A May 2021 ransomware attack that temporarily shut down the Colonial Pipeline — and ignited a gas panic on the East Coast — was a wakeup call for then Ninth Circuit Chief Judge Donald A. Myers, Jr.
Concerned, Myers worked with the court clerk to conduct a cybersecurity review.
“We began to learn about many municipalities and court systems being attacked as well,” he said. “We went through a process internally with our IT folks.”
Myers, who recently retired, joined Sterlington PLLC Cybersecurity Practice Head Steven Teppler and Samsung Semiconductor Security Director Eric Hibbard as presenters for a legal technology segment of the 2022 Masters Seminar on Ethics at the Bar’s Annual Convention in Orlando.
Florida lawyers have an ethical responsibility to protect client confidentiality, and they would be wise to follow Myers’ example, Teppler said.
“This is what I counsel both law firms and my corporate clients to do,” Teppler said.
Myers’ cybersecurity review was thorough.
“We developed a written information security plan,” he said. “There was already one in place, but we found it a good opportunity to update it, ensuring that it covers all of the data and the inventory of data that we were managing, and then put into place a regular review period.”
Regular reviews make cybersecurity part of the “institutional culture” and ensure the plan doesn’t “just get shelved and dusty,” Myers said.
Myers also developed a data breach response plan.
“We needed to know who was responsible for doing what, how it would be done, and who needed to be contacted, how it would work as a process,” Myers said.
To make sure the response plan worked, Myers conducted drills.
“We actually role-played different scenarios that we had seen playing out, to ensure that we were prepared to respond to those things and more,” he said.
Finally, Myers developed a cybersecurity education plan.
“This was probably the most important thing for us because so many attacks to governmental entities came through phishing emails, for example,” he said. “Please don’t open these emails, please don’t click on that attachment — that was so critical for us to be pro-active, because it helped us avoid these data breaches.”
Experts warn that because lawyers handle sensitive client data, they are prime targets for ransomware attacks, in which a cybercriminal infects an IT system with “ransomware” and demands payment for a key to restore access.
“Our point here in bringing this session is to underscore what has become a very, very recent, very, very serious problem for practicing attorneys, myself included,” Teppler said. “What is our obligation to maintain our clients’ confidences?”
Criminals are growing more sophisticated, and backing up data, while a good idea, is not always successful, said Hibbard, the Samsung expert.
“It turns out, in many cases, especially with larger firms, a backup isn’t going to help you, because the attacker has been doing reconnaissance in your environment for a while, and the first thing they hit is your backup,” he said. “In many cases, you have to do backups on your backups.”
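One defensive practice behind Hibbard’s “backups on your backups” remark is to keep more than one independent copy and to verify each copy against an integrity manifest stored apart from the backups themselves, so a copy an intruder has altered or partially deleted is detected before it is relied on for recovery. The following is an added illustration, not code from the article or from any of the panelists; the directory layout, the sample client files and the idea of storing the manifest as a separate JSON file are all assumptions made for the example.

```python
"""Integrity check for independent backup copies (added example, not from the article).

A manifest of SHA-256 digests is written when the primary backup is taken and is
kept outside every backup copy (for instance on offline media). Each copy can
later be checked against that manifest; a copy that has been tampered with is
rejected and a clean second copy is chosen for recovery instead.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every file under backup_dir (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare one backup copy against a manifest that is stored outside that copy.

    Returns the missing, modified and unexpected files; the copy is only
    trustworthy when all three lists are empty.
    """
    current = build_manifest(backup_dir)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(
        name for name in set(manifest) & set(current) if manifest[name] != current[name]
    )
    return {
        "ok": not (missing or modified or unexpected),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def usable_copies(copies: list, manifest: dict) -> list:
    """Return only the backup copies that still match the manifest exactly."""
    return [c for c in copies if verify_backup(c, manifest)["ok"]]


def demo() -> dict:
    """Constructed scenario: two copies; the primary copy is damaged after the backup."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    primary = root / "primary"
    (primary / "matters").mkdir(parents=True)
    # Constructed sample client files; the contents are placeholders.
    (primary / "matters" / "case-0001.txt").write_text("retainer agreement\n")
    (primary / "matters" / "case-0002.txt").write_text("discovery index\n")

    # Second, independent copy, plus a manifest kept apart from both copies.
    replica = root / "replica"
    shutil.copytree(primary, replica)
    (root / "manifest.json").write_text(json.dumps(build_manifest(primary), indent=2))

    # Simulate an intruder damaging the primary copy: one file altered, one removed.
    (primary / "matters" / "case-0001.txt").write_text("garbage\n")
    (primary / "matters" / "case-0002.txt").unlink()

    stored = json.loads((root / "manifest.json").read_text())
    report = {
        "primary": verify_backup(primary, stored),
        "replica": verify_backup(replica, stored),
        "usable": [c.name for c in usable_copies([primary, replica], stored)],
    }
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as good as the separation of the manifest from the copies it describes: if the manifest sits on the same storage the intruder reached, they can rewrite it to match the damaged files, which is why the example treats it as a third, independently held artifact.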
Cybercriminals may also demand a second ransom in exchange for not selling the client data on the dark web, Teppler said.
Lawyers should do everything to prevent an attack, and anticipate that their security will fail, the experts said.
“Is it possible to 100% protect yourself?” Teppler said. “The answer is no.”
Lawyers who turn to cloud storage should investigate the vendor’s security, Teppler said.
“If your cloud provider has a problem, and your client’s information gets sent out into the wild, are you responsible for that?” Teppler said.
Depending on the nature of a data breach — generally one affecting 500 or more people — the Florida Information Protection Act (F.S. §501.171) requires “a covered entity” to provide notice to the Department of Legal Affairs and the individual victims, Teppler said.
And depending on the nature of the breach, lawyers may also be required to notify The Florida Bar, Teppler said.
“Why?” he said. “Because our client’s confidences have just been exposed.”
The Board of Governors in 2015 added language to the comment to Rule of Professional Conduct 4-1.1 (Competence).
“Competent representation may also involve the association or retention of a non-lawyer advisor of established technological competence in the field in question. Competent representation also involves safeguarding confidential information relating to the representation, including, but not limited to, electronic transmissions and communications.”
The comment also added language that lawyers should have “an understanding of the benefits and risks associated with the use of technology.”
In a 2016 Florida Bar Journal article, former Executive Director John F. Harkness, Jr., acknowledged that determining what constitutes “competent and reasonable” measures can be difficult.
“The ethics requirements should be seen as the bare minimum,” Harkness wrote. “Anything less is a violation of an attorney’s professional duties.”
Panelists suggested that lawyers employ common security devices, such as data encryption and multi-factor authentication, and consider obtaining cyber insurance.
“What it comes down to is what is reasonable, from a firm basis, from a practice basis — have you addressed these sufficiently?” Hibbard said. “If you encounter a problem, can you look in the mirror and say, yes, we actually took some steps in advance?”
Teppler said an emerging standard is “commercially reasonable security.”
“It’s an objective standard,” he said. “What would a reasonably situated attorney in your position objectively do to protect information.”
There are many factors to weigh, Myers said, such as the “sensitivity” of the information that is being safeguarded.
“If you are in a practice that deals with highly sensitive [data,] then that adds a burden under that commercially reasonable expectation,” he said.
Another consideration is the likelihood of disclosure if someone doesn’t deploy the safeguard, Myers said.
“That can include simply the number of people, for example, that have access to that data,” he said.
The cost of deploying a security device and the difficulty are other factors, Myers said.
“Finally, is the extent to which the safeguards adversely affect the lawyer’s ability to represent clients,” Myers said. “There are circumstances where a device, or important piece of software, just makes it too difficult for us to carry out our responsibilities.”
But lawyers should also remember that every convenience, such as working from home on a laptop, comes with a risk, Myers said.
“Every time that we take advantage of a convenience, particularly in technology, we sacrifice some security,” he said.
When it comes to cybersecurity, half measures don’t work, Teppler said.
“If you build a house with 11 doorways, and you install 10 doors, you’re not almost secure,” he said.