Securing Your Skills

Posted by kvinson on

By: Dyane O’Leary

Every lawyer wants their work product to be excellent, complete, and accurate. But what about it also being secure?

Lawyers of past generations thought of security as lock-and-key file cabinets and careful out-of-sight placement of legal pads with confidential work product around a conference table. Tomorrow’s lawyers may still think about those things, but probably not as much as they’re thinking about a private Wi-Fi connection, vetted cloud storage third-party vendor for document storage, and a videoconference session free from “Zoombombing” interruptions.

Security for every lawyer has become cybersecurity. Society has more data, more ways to create it, more types, more online places to store it, more devices from which to access it, and more people wanting it than ever before. Consider the most private and confidential data in your life:  bank account numbers and transaction history, online dating communications, snaps from Snapchat, your school transcripts. Chances are most—if not all—of this data is electronic. And it’s not stored in hard copy in a box under your bed. It’s on (and in) your laptop, desktop, tablet, smart home assistant device, phone, thumb drive, email inbox, and cloud and social media accounts. Do you know who has access to it all? Or who could have access to it? Or who could have downloaded it during the 10 minutes you joined a Starbucks public Wi-Fi last week?

According to a 2022 Innovation Trends Report by the American Bar Association, data creation is “gathering speed exponentially, allowing 2.5 billion gigabytes of new data to be generated every day.”[i] New data—plus all the old “stuff.” All this data, new and old, is the “stuff” that makes up daily law practice:  the data lawyers locate, accept, collect, process, read, review, screenshare, hyperlink, use, send, share, attach, file, redact, and discuss.

Who wants all this data? Security threats and breaches come in all shapes and sizes, from nefarious criminal ransomware efforts asking for millions to the everyday inadvertent (and innocent) “oops I shouldn’t have clicked on that!” network exposure to malware from a phishing email that looks suspicious, seems suspicious, and, more likely, is suspicious. Lawyers often host a treasure trove of non-public information about clients and others, whether it’s a plan to acquire a corporate competitor or schematics for a patented cutting-edge smartphone invention. Lawyers must practice not by assuming the data with which they work is boring and of little interest, but by assuming that it’s valuable—and everyone may be trying for a sneak peek.

The bottom line is that 21st century lawyers have a lot more to worry about today for keeping all this electronically stored information (known as ESI) secure. And keep it secure they must. Model Rule of Professional Conduct 1.6 Confidentiality of Information imposes an ethical obligation not to “reveal information relating to the representation of a client” and requires “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”[ii] In 2022, New York became the first state to require lawyers to complete coursework in cybersecurity, data privacy, or data protection as part of that state bar’s continuing legal education (CLE) training.

So what does security look like in everyday practice? That varies just as much as the different practice environments lawyers experience and the different skills they do. One blog post won’t cover a fraction of considerations, but it can spark a starting line. From ensuring proper redactions of a PDF file e-filed with a court to using a password-protected virtual meeting room for a deal negotiation, what is a “reasonable effort” at security depends upon factors such as the context, sensitivity (or not) of the information, and the availability or expense and burden (or not) of possible risk-mitigation tools. Security today is not a one-stop-shop, set-it-and-forget it concept. New data sources will emerge. So too will new threats and techniques. A lawyer’s mitigation of those threats must keep pace. No lawyer would shout confidential information in a public coffee shop or leave hard-copy work product on a seat in a crowded airplane. Just because lawyers can’t hold in their hands the mounds of ESI with which they now work, it doesn’t mean they shouldn’t cling to it just as carefully.

Here are three broad categories to consider when thinking about reasonable efforts at security (and a few small tips to get started):

Hardware:

  • Keep a “clean desk” and “clean screen” policy for work and home computers, ensuring hard-copy materials are put away and access to a computer is shut down.
  • Ensure a computer’s operating system is up to date with anti-malware software updated regularly.
  • Use basic measures to encrypt a computer (set up a PIN, use facial recognition) and practice good password hygiene.
  • Only print when necessary and be cautious with common group or public printers where others could unintentionally or intentionally pick up a document.
  • Turn off smart recording devices such as an Amazon Echo or Google Home when speaking about work-related matters.

Software:

  • Use up-to-date versions of reputable videoconferencing tools with encryption enabled.
  • Screenshare individual files only—not an entire desktop—and close out of email and work product related to other matters before a videoconference.
  • Familiarize yourself with word-processing tools relevant to security, such as Microsoft® Word’s Document Inspector tool to check metadata or the Protect Document feature, which offers file access restriction options such as password-protection.

Mobile Devices:

  • Set devices used for work to go to an automatic lock screen after five minutes of nonuse.
  • Use secure encrypted messaging apps and portals for confidential client communication instead of SMS cell phone texting.
  • Disable message previews on a phone to avoid confidential content appearing on the “home” lock screen immediately upon receipt.
  • When on-the-go, use a personal phone data plan hotspot from a personal device (known as “tethering”) instead of a public unsecured network.

A lawyer’s choices about what to do, how to do it, where to store work, and how to handle and keep secure all the ESI involved in daily practice will keep skyrocketing in the next few years—whether it’s terabytes of picture files from facial recognition software reviewed for a criminal indictment, data from a microchip implanted in an employee’s arm relevant to a worker’s compensation claim, or a corporate merger deal in the metaverse with virtual reality avatars negotiating details before executing via a smart contract stored on a blockchain. Lawyers must respect security today, not fear it. By staying abreast of new risks and protection measures, consulting third-party experts, and educating those with whom a lawyer works, legal work product can be excellent, complete, accurate, . . .

and secure.

 

 

[i] American Bar Ass’n, Innovation Trends Report 2022 (2022) https://www.americanbar.org/content/dam/aba/administrative/center-for-innovation/aba-cfi-innovation-trends-report2022.pdf [https://perma.cc/M4NA-6U6S].

[ii] Model Rules of Pro. Conduct r. 1.6 (Am. Bar Ass’n 2020).