The 'Soft Underbelly' of Cybersecurity Meets Legal Ethics

The Model Rules, despite their antiquated style, present a coherent structure for analyzing plans for marketing and performing legal services. Lawyers and law firms can use this foundation in constructing self-protection plans and, more important, in advising clients along the lines indicated in the legal ethics rules and associated comments. Many of the legal ethics rules have been substantially copied in federal and state laws, industry standards, and regulations.

Preserving records for benefit of inspection by regulatory agencies and for information exchange in litigation discovery figures prominently in legal ethics rules. The duty to preserve is triggered when a party reasonably foresees that records may be relevant to issues in present or anticipated litigation. All evidence in a party's “possession, custody, or control,” including the custody of the party's lawyers, is subject to the duty to preserve. Failure to preserve can lead to severe sanctions for the client and the lawyer.

Yet, the lawyer has high duties of protecting confidentiality but doing so within the law. Conflicting lawyer obligations are resolved by courts and in ethics opinions. Rule 3.4 provides that a lawyer shall not “unlawfully obstruct another party's access to evidence or unlawful alter, destroy or conceal a document or other material having potential evidentiary value.” Similarly, a lawyer may not “counsel or assist another person to do any such act.”

Lawyers owe their duties of confidentiality to prospective clients, current clients and former clients. A lawyer is also obligated to be truthful in communications with others including opposing parties, witnesses and individuals. Familiarity with data protection, with technology and with vulnerability to hacking or theft or even inadvertent loss of content is a necessity.

While much of the attention given to cybersecurity focuses on personal information (PHI and PPI), a substantial portion of the attention relates to strategic/financial business information (e.g., an intended IPO or merger) and technology trade secrets. Reform legislation such as the federal Defend Trade Secrets Act (DTSA) amended the Economic Espionage Act of 1996 and related statutes to provide a federal right of civil action against trade secret misappropriation, increase sanctions and provide for ex parte seizure of contraband and/or evidence. Cybersecurity that is designed to prevent misappropriation of trade secrets in the first instance can also be used as part of forensic (audit trail) tools for helping to detect such misappropriation that does occur.

The Securities and Exchange Commission (SEC) directs public companies and the financial industry to assess collected data, where it is stored, how it is stored, and the technology used in its storage and retrieval. The SEC also urges assessment of vulnerabilities of stored data, security controls and processes in place; potential fallout and liability of a breach; and management of the risks posed by the system.

Federal and state statutes and executive agency and court rules protect personal privacy information (PPI) and personal health information (PHI) by setting minimum standards (and high aspirational standards) for holders of PPI/PHI. The standards include encrypting information if the information is sensitive enough. With encryption is increasingly common and cheap, the State Bar of Texas issued an opinion in 2015 listing the six circumstances where it would be prudent to consider when “encrypted email or another form of communication [should be used].” Business clients are getting their cybersecurity systems compliant with and audited under ISO/IEC standards including the 27001 set of security standards, and the recently-added 27018 standard covering cloud service usage. These clients expect their in-house lawyers and outside law firms to follow suit.

As information is moving increasingly to the cloud, so too is law firm data storage. Law firms should take a good look at where their data is being stored. Third-party data storage providers like Dropbox often encrypt data on the storage server, but not all servers for all data storage companies are housed in the U.S., exposing the stored data to different privacy laws. Further, data is often unencrypted when it is moved, exposing it to other vulnerabilities. For example, Dropbox files are encrypted using 256 AES when not in use. But files don't remain encrypted when downloaded to handheld devices where Dropbox isn't installed.

Software that encrypts the data on a device is not only a reasonable step, but it may potentially be malpractice to not encrypt sensitive files if they are stored on a laptop or mobile device. Indeed, there are some states, such as Massachusetts and Nevada, that already require encryption of personal data. Forty-seven states, along with the District of Columbia and several U.S. territories, have enacted legislation regarding notification of individuals when their personal identifiable information has been stolen, and notifications requirements vary from state to state, along with special federal rules for certain industries, such as financial or medical institutions.

This can result in embarrassment and the potential loss of clients. It is also an ethical lapse under Model Rule 1.6, which requires attorneys to exercise reasonable efforts in making sure a client's confidential information (i.e., trade secrets as well as PPI/PHI in client or law firm custody) is disclosed or made vulnerable to theft or corruption.

Cybersecurity assessment is incomplete unless it is appreciated that losses of confidentiality/privacy occur through human error as well as technology vulnerabilities. As some examples:

• The most used password is “password” and many others are equally weak;
• Passwords are written on sticky notes attached to or near a computer;
• Gullibility of users enables “spear phishing attacks;”
• Dual factor access is still a minority of protection artifacts; and
• People travel abroad with laptops, mobiles and storage media (e.g., USB drives) loaded with sensitive data.

Lawyers and court employees sometimes fail to redact or impound sensitive parts of court filings. Balancing protection with economics leads to evolving legal discovery standards of proportionality including claw-back provisions — a lawyer who cuts corners to save time and money (as encouraged in the rules) may inadvertently produce privileged information to opposing counsel, and seek to retrieve it (claw-it-back). This is cold comfort to lawyers and clients. However, benefits of proportionality include reduction of cost and delay and enablement of a focused due-care to protect confidentiality.

Laptops, mobiles and storage media are easily stolen. Even if they're not stolen, phone calls and data can be intercepted if transmitted over an unsecure connection, such as one in a coffee shop or in an airport. When using wireless technology, a lawyer should always take precautions to make sure they have a secure connection through something like Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access 2 (WPA 2), which are standard on most devices. FBI-recommended practices for travel abroad include use of “naked” computing devices. In traveling abroad there is a danger of government seizure of devices apart from risk of theft or interception.

Lawyers and law firms can add value to client services in the evolving area of cyber-breach insurance with user assessments for themselves and clients, adoption of best practices and modification from time to time to stay ahead of threats.

*****
Jerry Cohen is an attorney with JAMS. A long time intellectual property practitioner, he has served as a patent examiner, in a corporate legal department environment and in private practice. He can be reached at [email protected]. This article also appeared in our ALM sibling, Legaltech News.

Legal departments for business organizations rate cybersecurity, regulation and ethics compliance among their chief concerns, and they are well aware of surveys showing law firms to be the “soft underbelly” of business security due to weakness of their cybersecurity. Lawyers and law firms are often behind trends but very good at playing catch-up. In the area of cybersecurity, the American Bar Association's Model Rules of Professional Conduct can help serve as a guide.

The Model Rules are drafted by and for lawyers and, yes, they include lots of flexibility (read, wiggle room) with expressions of “reasonableness.” But these rules express a commitment to improve awareness and competence in technology usage.

Technology awareness includes such issues as encryption and other safeguards of various Internet services and many more. Lawyers and law firms must ask and answer several questions for their own operations and for effectively advising clients. What does a candidate service provider do by way of capturing and using metadata and content it acquires through the service? Guard it securely? Sell it to others? With filtered privacy information? Mine it to create more profits? What are its duties under its Terms of Service and governing law to notify subscribers of data usage, breach, or loss of stored data? How does the provider accept new instructions to delete or correct data relating to the subscriber? What are its encryption, anti-hacking, anti-theft measures? How and when does it give access to federal and state government officials?

The Model Rules, despite their antiquated style, present a coherent structure for analyzing plans for marketing and performing legal services. Lawyers and law firms can use this foundation in constructing self-protection plans and, more important, in advising clients along the lines indicated in the legal ethics rules and associated comments. Many of the legal ethics rules have been substantially copied in federal and state laws, industry standards, and regulations.

Preserving records for benefit of inspection by regulatory agencies and for information exchange in litigation discovery figures prominently in legal ethics rules. The duty to preserve is triggered when a party reasonably foresees that records may be relevant to issues in present or anticipated litigation. All evidence in a party's “possession, custody, or control,” including the custody of the party's lawyers, is subject to the duty to preserve. Failure to preserve can lead to severe sanctions for the client and the lawyer.

Yet, the lawyer has high duties of protecting confidentiality but doing so within the law. Conflicting lawyer obligations are resolved by courts and in ethics opinions. Rule 3.4 provides that a lawyer shall not “unlawfully obstruct another party's access to evidence or unlawful alter, destroy or conceal a document or other material having potential evidentiary value.” Similarly, a lawyer may not “counsel or assist another person to do any such act.”

Lawyers owe their duties of confidentiality to prospective clients, current clients and former clients. A lawyer is also obligated to be truthful in communications with others including opposing parties, witnesses and individuals. Familiarity with data protection, with technology and with vulnerability to hacking or theft or even inadvertent loss of content is a necessity.

While much of the attention given to cybersecurity focuses on personal information (PHI and PPI), a substantial portion of the attention relates to strategic/financial business information (e.g., an intended IPO or merger) and technology trade secrets. Reform legislation such as the federal Defend Trade Secrets Act (DTSA) amended the Economic Espionage Act of 1996 and related statutes to provide a federal right of civil action against trade secret misappropriation, increase sanctions and provide for ex parte seizure of contraband and/or evidence. Cybersecurity that is designed to prevent misappropriation of trade secrets in the first instance can also be used as part of forensic (audit trail) tools for helping to detect such misappropriation that does occur.

The Securities and Exchange Commission (SEC) directs public companies and the financial industry to assess collected data, where it is stored, how it is stored, and the technology used in its storage and retrieval. The SEC also urges assessment of vulnerabilities of stored data, security controls and processes in place; potential fallout and liability of a breach; and management of the risks posed by the system.

Federal and state statutes and executive agency and court rules protect personal privacy information (PPI) and personal health information (PHI) by setting minimum standards (and high aspirational standards) for holders of PPI/PHI. The standards include encrypting information if the information is sensitive enough. With encryption is increasingly common and cheap, the State Bar of Texas issued an opinion in 2015 listing the six circumstances where it would be prudent to consider when “encrypted email or another form of communication [should be used].” Business clients are getting their cybersecurity systems compliant with and audited under ISO/IEC standards including the 27001 set of security standards, and the recently-added 27018 standard covering cloud service usage. These clients expect their in-house lawyers and outside law firms to follow suit.

As information is moving increasingly to the cloud, so too is law firm data storage. Law firms should take a good look at where their data is being stored. Third-party data storage providers like Dropbox often encrypt data on the storage server, but not all servers for all data storage companies are housed in the U.S., exposing the stored data to different privacy laws. Further, data is often unencrypted when it is moved, exposing it to other vulnerabilities. For example, Dropbox files are encrypted using 256 AES when not in use. But files don't remain encrypted when downloaded to handheld devices where Dropbox isn't installed.

Software that encrypts the data on a device is not only a reasonable step, but it may potentially be malpractice to not encrypt sensitive files if they are stored on a laptop or mobile device. Indeed, there are some states, such as Massachusetts and Nevada, that already require encryption of personal data. Forty-seven states, along with the District of Columbia and several U.S. territories, have enacted legislation regarding notification of individuals when their personal identifiable information has been stolen, and notifications requirements vary from state to state, along with special federal rules for certain industries, such as financial or medical institutions.

This can result in embarrassment and the potential loss of clients. It is also an ethical lapse under Model Rule 1.6, which requires attorneys to exercise reasonable efforts in making sure a client's confidential information (i.e., trade secrets as well as PPI/PHI in client or law firm custody) is disclosed or made vulnerable to theft or corruption.

Cybersecurity assessment is incomplete unless it is appreciated that losses of confidentiality/privacy occur through human error as well as technology vulnerabilities. As some examples:

• The most used password is “password” and many others are equally weak;
• Passwords are written on sticky notes attached to or near a computer;
• Gullibility of users enables “spear phishing attacks;”
• Dual factor access is still a minority of protection artifacts; and
• People travel abroad with laptops, mobiles and storage media (e.g., USB drives) loaded with sensitive data.

Lawyers and court employees sometimes fail to redact or impound sensitive parts of court filings. Balancing protection with economics leads to evolving legal discovery standards of proportionality including claw-back provisions — a lawyer who cuts corners to save time and money (as encouraged in the rules) may inadvertently produce privileged information to opposing counsel, and seek to retrieve it (claw-it-back). This is cold comfort to lawyers and clients. However, benefits of proportionality include reduction of cost and delay and enablement of a focused due-care to protect confidentiality.

Laptops, mobiles and storage media are easily stolen. Even if they're not stolen, phone calls and data can be intercepted if transmitted over an unsecure connection, such as one in a coffee shop or in an airport. When using wireless technology, a lawyer should always take precautions to make sure they have a secure connection through something like Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access 2 (WPA 2), which are standard on most devices. FBI-recommended practices for travel abroad include use of “naked” computing devices. In traveling abroad there is a danger of government seizure of devices apart from risk of theft or interception.

Lawyers and law firms can add value to client services in the evolving area of cyber-breach insurance with user assessments for themselves and clients, adoption of best practices and modification from time to time to stay ahead of threats.

*****
Jerry Cohen is an attorney with JAMS. A long time intellectual property practitioner, he has served as a patent examiner, in a corporate legal department environment and in private practice. He can be reached at [email protected]. This article also appeared in our ALM sibling, Legaltech News.