As originally published by the DC Bar, April 3, 2020
The Most Vulnerable Part of Technology in Your Office Is You
by Jeremy Conrad
You’ve got a VPN, end-to-end encryption, multifactor authentication, and top-of-the-line antivirus protection for all your devices, but none of these precautions will protect your clients unless you stay consistently vigilant about protecting your data.
Choosing the right tools to secure your data is still vitally important to your overall security, but even those who are rigorous about their use have discovered the hard way that however many locks you install on your metaphorical door, they provide precious little safety if, in a lapse of judgment, you open it indiscriminately.
Be More Suspicious
Heinan Landa, CEO of the Maryland-based Optimal Networks and author of the upcoming book The Modern Law Firm: How to Thrive in an Era of Rapid Technological Change, says that the biggest security pitfall is the failure to take it seriously. He points out that 95 percent of security breaches begin with a phishing attack, a communication in which a hacker attempts to fool their target into giving up valuable information and access. “It’s the people that fall victim to the breach, not a failure in tech security,” he says.
The rapid shift from working within a secured environment to home following the coronavirus outbreak has posed more than just technical security risks. Crisis, Landa says, results in heightened fear and fast movement, which can cause people to act without first considering potential risks.
Diligence can be maintained with relatively little expense or effort. Landa recommends an annual hour-long training session and an ongoing diet of monthly tips. Major events, such as the COVID-19 crisis, typically merit additional training to address emergent risks. However, training is only effective if you continue to stay on the lookout.
What’s on the Line Online
Attorneys have a three-pronged responsibility associated with data breaches. A security breach implicates their ethical, contractual, and regulatory duties. The costs of a lapse in security can be staggering. Saul Jay Singer, senior legal ethics counsel for the D.C. Bar, recently authored an article pointing to two sections of the D.C. Rules of Professional Conduct relating to technology and the maintenance of security. D.C. Rule 1.6 on the confidentiality of information creates an ethical duty to maintain a client’s confidences and secrets. This duty is, he says, extremely broad. Ethics Opinion 371 on the use of social media in providing legal services connects the dots between the duty to maintain a client’s confidences and D.C. Rule 1.1’s requirement that practitioners be competent with the use of technology.
“It is a lawyer’s duty to be sufficiently technologically proficient to protect a client’s confidences and secrets. If a lawyer lacks such knowledge, then he or she could retain a competent technological expert to advise them regarding their security,” Singer says. Where lapses occur, an attorney has an ethical obligation to notify his or her client.
In addition to potential ethical repercussions, the failure to disclose a hacking event can result in costly breach-of-contract litigation. A Missouri law firm was sued in March of this year for failing to disclose a 2016 data breach that exposed a client insurer’s data.
Hiscox Insurance Company Inc. v. Warden Grier, LLP alleges that an international hacker organization called “The Dark Overlord” gained unauthorized access to Warden Grier’s systems and that the firm paid a ransom to prevent the data’s disclosure.
Hiscox says that Warden Grier did not notify them of the breach and that they only came to know about it when an employee happened to read on social media that the company’s information was being leaked on the “dark web.” The insurer says these lapses are a violation of the retainer agreement, which included a contractual duty to protect their information. The failure to disclose the breach was a violation of the fiduciary duty created by the contract, they say, and they’re seeking more than $1.5 million in damages.
Finally, there is a regulatory responsibility to disclose data breaches to clients. D.C. Code § 28-3851 requires that consumers receive prompt notification of any breach of security of a system that includes the personal information of consumers. D.C. Code § 28-3852 goes on to require the notification of law enforcement and, where the breach impacts more than 1,000 people, of consumer reporting agencies. Failure to notify can result in a civil penalty of up to $100 for each violation, the costs of the action, and reasonable attorney’s fees.
Return on Investment
The dangers may be daunting, but technology is a functional necessity for the modern practice of law and a pathway to new opportunities to meet your clients’ needs. Attentiveness to security can help you net the benefits while avoiding the most significant risks. Just remember to lock the door on your way out.