Even if you’re not a lawyer, you should understand cybersecurity best practices.
I rarely appear in court anymore and I no longer do any family law work (not that I did much to begin with). But last fall, an old case resurrected itself when opposing counsel filed a motion to reopen child custody and support issues. My former client and I agreed that I would withdraw to make way for substitute counsel.
I drew up the motion and order and called the clerk.
“Yes”, she said, “You can email it to me.”
So I emailed it and waited. Two weeks later . . . no reply, and the case was developing quickly. I called the clerk back and learned that because I encrypt all email, she followed the court’s policy and destroyed my email without opening it.
The clerk found a threat in encrypted email. That boggles my mind.
The real hazards lie in unencrypted email that we open without thinking twice.
Rule 1.6 of Virginia’s ethics rules requires attorneys to act reasonably to safeguard protected client information. Attorneys who fail to take reasonable steps to protect client data against unauthorized access by third parties, inadvertent release, or unauthorized disclosure may find themselves sideways not just to their client, their firm, their insurer, and the law. You might also have violated 1.6.
But, in our age of rampant cybersecurity breaches, what is “reasonable”? The answer depends on:
- The sensitivity of the information in question
- The likelihood of disclosure if additional safeguards are not employed
- Whether you employed or consulted with competent IT/ IS professionals
- The cost of additional safeguards
- The difficulty of implementing additional safeguards
- The extent to which the safeguards limited your ability to represent your clients by making a device or system so cumbersome that it impaired your ability to work.
- The size of the firm.
No internet-connected system is perfect, but data breaches are ubiquitous and lawyers have an ethical obligation to employ data protection measures.
Here are a few basic measures you should take:
- Make sure all devices are encrypted. Don’t know how? Google it (just ensure you use a good source for instruction).
- Set up remote-wipe capability for your mobile devices and know how to implement it, if necessary.
- Ensure that every device is protected by a firewall and a virus scanner set to run on a regular basis. NEVER use free public wi-fi.
- Never, ever attach sensitive documents to email. In 2017, another attorney sent me an email with three years of her client’s unredacted tax returns attached. Did your hair just stand up on the back of your neck? It should have. Best practice: stop attaching documents to email. Use the file sharing ability in your data management software instead.
- Have a data management software system… You need one that logs activity, encrypts files as they enter or leave the system, and allows secure sharing or uploading of files.
- Train your staff and yourself. Then train again. The vast majority of data breaches are caused by human error. Did you hear about the law firm partner who fell for a spear phishing email and wired $580,000 from the firm’s trust account where client funds are held?
- Adopt standard practices for managing departing employees’ access to confidential firm data after they leave and ensure their return of confidential data.
- Back up your data routinely. I use an external hard drive that is not connected to the internet.
- Redact sensitive data from documents and adopt a “need to know” policy – never share more information than someone needs to know.
- Use a password vault service that enables you to create elaborate and random passwords. Also, adopt dual-factor authentication for every log-in.
- Do NOT use your law firm email address as a username for any personal controlled-access websites.
- Don’t forget that physical security also matters: Keep sensitive documents in locked cabinets and put documents away before leaving your office. Always control access to your office.
If you’re not freaked out after reading this list because all these things are familiar to you, then you’re in pretty good shape. Just remember, this is an “evergreen” duty. As technology evolves, so must you.
And, those of you who aren’t familiar with much of this list? You have homework. Call me if you need to “phone a friend.”
Dunlap Law is a SWaM-certified law firm in Richmond, Virginia and the only B Corp certified law firm in Virginia or DC. Tricia Dunlap holds the Certified Information Privacy Professional (CIPP/US) credential from the International Association of Privacy Professionals. She is also 2020-2021 co-chair of the IAPP’s KnowledgeNet, Richmond Chapter.