Ignoring cybersecurity puts you and your clients at risk
Lawyers don’t need to be IT professionals to meet competency and confidentiality standards, but ignoring cybersecurity could risk serious consequences.
That’s just some of the advice experts offered June 9 at the Annual Technology Symposium Powered by LegalFuel: The Practice Resource Center of The Florida Bar. Also sponsored by the Standing Committee on Technology and the Continuing Legal Education Committee, the daylong seminar comprises 7 hours of CLE-eligible programming.
Florida Bar Rules of Professional Conduct 4-1.1 (Competence) and 4-1.6 (Confidentiality of Information) require lawyers to be familiar enough with technology to take reasonable precautions to protect client data, said Halley J. Peters, a lawyer and consultant.
“We now have the requirement that you need to understand the relevant technology,” she said. “We do not need to have hacker-level status by any means, but we need to understand what’s out there.”
The threats are more acute now that the COVID-19 pandemic has forced lawyers to work remotely, Peters said. Personal computers can be less secure than company equipment, especially if they’re shared with other household members.
“There are unprecedented cyberattacks by non-state actors,” she said. “A lawyer’s files, clients’ files, they are protected by the confidentiality rule — make sure it’s protected with reasonable efforts.”
A member of the Standing Committee on Technology who maintains her own practice, Halley J. Peters, PLLC, Peters is also a client executive with Esquire Deposition Solutions, where she offers technology-based solutions to more than 300 law firms.
She was joined as a presenter by fellow Standing Committee on Technology member Carlos A. Baradat. A founding member of the Law Office of Carlos A. Baradat, P.A., Baradat is also an adjunct professor at Hodges University where he teaches eDiscovery, Social Media & Privacy Law, Intellectual Property and Mediation.
In an hour-long presentation, “Embracing Technology & Protecting Client Data From Your Office to Your Home,” Peters and Baradat stressed that in addition to protecting client data, proper use of technology can make a firm more efficient and resilient to natural disasters.
“It’s hard to see a situation today in which we can adequately represent clients without some foundational understanding of technology,” Baradat said. “For me, it’s about business continuity, to make sure that you have an office that can tackle just about anything that comes your way.”
A law office can be considered a “virtual firm” if it has a means to securely communicate with clients, the courts, and other lawyers, and uses common collaborative tools such as Office 365 and Google Drive, Baradat said.
“The foundation for a virtual office was probably there all along,” he said. “You may be closer than you think.”
To protect client data and maintain business continuity, all law firms should be backing up data in an off-site location and consider using such common security measures as multi-step authentication and email encryption, the experts recommended.
A common Outlook feature that delays the transmission of emails can help lawyers avoid a potentially devastating “reply all” mistake, they said.
Cybersecurity also implicates Florida Bar Rule of Professional Conduct 4-5.3 (Responsibilities Regarding Non-Lawyer Assistants), the experts stressed.
Lawyers should know how vendors who supply cloud storage or scanning services protect and archive data, they said.
Most ransomware attacks begin with a socially engineered email designed to entice the reader to click on an infected link, Baradat said. The criminals have grown more sophisticated, he said: Where they once simply froze a victim’s data, they now harvest it and threaten to publicly release it unless the ransom is paid.
For that reason, establishing written policies, procedures, and training programs for data security can be more effective than the most expensive anti-virus software, Baradat said.
“We can really throw all the money we want at firewalls, but at the end of the day, the biggest weakness that I see is training,” he said.
Peters said she knows of one law firm that tests the effectiveness of its data security training by issuing officewide emails that instruct readers to click on a link for free Marlins tickets. People who fall for the ruse are required to take additional training, she said.
Baradat says he has randomly scattered unlabeled thumb drives in law offices. Employees who insert them in a computer are also sentenced to additional training.
It’s not a bad idea before a deposition to ask all parties to turn off digital helpers like “Alexa,” Peters said. The devices are always listening for certain cues, and often record conversations.
Lawyers should also make sure that a digital document or spreadsheet doesn’t contain hidden metadata before transmitting it, Baradat said.
“You would be surprised how much information is in a Word document,” he said.