In recent days, remote work has become the norm in the legal community. Teleconferencing, email, and myriad digital communication methods are even more important now than they were before the covid-19 pandemic. This abrupt shift requires consideration of ethical obligations when sending and receiving client data and personal information electronically. It’s especially critical now, since many organizations had to rush to get proper remote work infrastructure in place, emphasizing convenience and operationality over security protocols. The legal community is held to a particularly high standard when it comes to protecting client information, and is therefore required to stay apprised of best practices in cybersecurity. Referring to the CIA triad—a security model that focuses on the confidentiality, integrity, and availability of data—is helpful as we work to optimize security and efficiency in our remote work environments.
According to the ABA Standing Committee on Ethics and Professional Responsibility’s Formal Opinion 477R:
A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.
This requirement acknowledges that using technology is imperative for efficiency and ease of communication with clients. But it also maintains that lawyers must have a degree of technical proficiency and knowledge of cybersecurity best practices. Lawyers must do everything in their power to protect the confidentiality of client data, and to make sure that in the event of a compromise, data would still be accessible. The confidentiality, integrity, and accessibility of client data is paramount as the legal community continues to work at offsite locations.
Though the situation is challenging, now is not the time to shrug off poor security practices. Relying on email disclaimers such as “If you are not the intended recipient of this email, please delete” is not enough to ensure the confidentiality of client data. Shifting blame from the sender to the unintended recipient is not an acceptable security strategy. Instead, standard email encryption policies protect client data by making data unreadable until it is “unlocked” via a decryption key. Use of VPNs, strong passwords and multi-factor authentication, avoiding public wifi, and securing endpoints are all a few ways that remotely working attorneys can protect their clients. Other important steps in securing remote work environments: avoiding suspicious websites or links, updating software when necessary, and making sure to only use approved technologies (such as known USB devices or hard drives). Each remote device in your network is essentially another gateway, another potential access point for an attacker; the covid-19 pandemic has brought about a number of nasty attack campaigns for which we should all be on the lookout.
Training on phishing scams and social engineering attacks helps to mitigate some of the threat, as these attacks are regularly conducted through email. As cyberattackers continue to take advantage of covid-19, staying apprised of potential cyber threats is an element of cybersecurity awareness that is required of attorneys. Slowing down can make all the difference when it comes to becoming a victim or spotting an attack. If an email seems strange, unexpected, or urges you to act quickly in a way that violates standard procedures, think twice. Communicating any suspicious activity while working remotely helps to prevent breaches; it also helps to inform clients of when they can expect communications and what they will contain.
Just as client data must remain confidential, ensuring its integrity and availability are top priorities. Managing access controls in-house lessens the risk that client data will be inadvertently (or purposefully) altered or destroyed. Make sure that the IT department is performing regular backups in a sound manner, and that system upgrades are being conducted when necessary. This pandemic has brought about a high number of cyberattacks, especially against those organizations that were underprepared for remote work and are now even more vulnerable. Denial-of-service and ransomware attacks can leave an organization unable to operate for an extended period of time. Having a backup plan protects against the financial, reputational, legal, and operational risks that come with a cyber event.
In many ways, cybersecurity is now more important than ever. Given their reliance on digital devices and communication, attorneys should take special note of their ethical obligations in dealing with client data. Remote work security strategies should be communicated to clients, as well as how they should expect to be contacted during covid-19 (establishing, for example, what types of information will be transmitted via email). Moving out of our physical work spaces does not mean that we can ignore the security protocols governing how we use technology in the office. If anything, additional layers of diligence and information-sharing should be added to account for the complex threats we now face.
Going above and beyond those “reasonable efforts” is necessitated by the extraordinary working situation in which many of us find ourselves. Maintaining a strong personal cybersecurity posture may help to ease some of the risks that a reliance on remote work introduces; it may also ease the minds of clients during a time when many things seem uncertain.
MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.