
Locked Down

SHARON D. NELSON, DAVID G. RIES, AND JOHN W. SIMEK


Commitment to Quality: The Law Practice Management Section is committed to quality in our publications. Our authors are experienced practitioners in their fields. Prior to publication, the contents of all our books are rigorously reviewed by experts to ensure the highest quality product and presentation. Because we are committed to serving our readers’ needs, we welcome your feedback on how we can improve future editions of this book.

Cover design by RIPE Creative, Inc.

Nothing contained in this book is to be considered as the rendering of legal advice for specific cases, and readers are responsible for obtaining such advice from their own legal counsel. This book and any forms and agreements herein are intended for educational and informational purposes only.


The Law Practice Management Section of the American Bar Association offers an educational program for lawyers in practice. Books and other materials are published in furtherance of that program. Authors and editors of publications may express their own legal interpretations and opinions, which are not necessarily those of either the American Bar Association or the Law Practice Management Section unless adopted pursuant to the bylaws of the Association. The opinions expressed do not reflect in any way a position of the Section or the American Bar Association, nor do the positions of the Section or the American Bar Association necessarily reflect the opinions of the author.

© 2012 American Bar Association. All rights reserved.

Printed in the United States of America.

16 15 14 13 12 5 4 3 2 1

Library of Congress Cataloging-in-Publication Data

Nelson, Sharon D.

Locked down: information security for law firms / Sharon D. Nelson, David G. Ries and John W. Simek.

p. cm.


Includes index.

ISBN 978-1-61438-364-2

1. Law offices—Computer networks—Security measures—United States. I. Ries, David G., 1949- II. Simek, John W. III. American Bar Association. Section of Law Practice Management. IV. Title.

KF320.A9N45 2012 340.068’4—dc23

2012007683

Discounts are available for books ordered in bulk. Special consideration is given to state bars, CLE programs, and other bar-related organizations. Inquire at Book Publishing, American Bar Association, 321 North Clark Street, Chicago, Illinois 60654-7598.


Dedication

AUTHORS NELSON AND SIMEK dedicate this book to our ever-growing family, having enjoyed two weddings last year and the addition of two grandchildren to our family. With great love, we dedicate this book to Kelly and Jeff Ameen, JJ and Sarah Simek, Sara and Rob Singmaster, Jason and Natalia Simek, Kim and Chris Haught and Jamie Simek as well as grandchildren Samantha and Jordan.


About the Authors

Sharon D. Nelson, Esq.

Sharon D. Nelson is the President of Sensei Enterprises, Inc. Ms. Nelson graduated from Georgetown University Law Center in 1978 and has been in private practice ever since. She now focuses exclusively on electronic evidence and information security law.

Ms. Nelson and Mr. Simek are the coeditors of the Internet law and technology newsletter Bytes in Brief. Ms. Nelson, Mr. Simek and their Sensei colleague Maschke are the coauthors of the 2008, 2009, 2010, 2011 and 2012 editions of The Solo and Small Firm Legal Technology Guide: Critical Decisions Made Simple. Ms. Nelson and Mr. Simek are also coauthors of Information Security for Lawyers and Law Firms (American Bar Association 2006). Additionally, Ms. Nelson and Mr. Simek are coauthors of The Electronic Evidence and Discovery Handbook: Forms, Checklists, and Guidelines (ABA 2006). Ms. Nelson is a coauthor of How Good Lawyers Survive Bad Times (ABA 2009). Their articles have appeared in numerous national publications, and they frequently lecture throughout the country on electronic evidence and legal technology subjects.

Ms. Nelson and Mr. Simek are the hosts of the Legal Talk Network’s Digital Detectives podcast, and Ms. Nelson is a


Ms. Nelson will become the Vice President of the Virginia State Bar in June 2012 and its 75th President in June 2013. She is the past President of the Fairfax Bar Association, a Director of the Fairfax Law Foundation, past Chair of the ABA’s TECHSHOW Board and past Chair of the ABA’s Law Practice Management Publishing Board. She currently serves on the Governing Council of the ABA’s Law Practice Management Section and as the Chair of its Education Board. She serves as a member of the Sedona Conference and of EDRM. She is a graduate of Leadership Fairfax and serves on the Governing Council of the Virginia State Bar as well as on its Executive Committee. She is the Chair of the VSB’s Unauthorized Practice of Law Committee and serves on both its Technology Committee and its Standing Committee on Finance. She also serves on the Virginia Supreme Court’s Advisory Committee on Statewide E-filing. She is a member of the ABA, the Virginia Bar, the Virginia Bar Association, the Virginia Trial Lawyers Association, the Virginia Women Attorney Association, the Women’s Alliance for Financial Education and the Fairfax Bar Association.

David G. Ries, Esq.


He has represented clients in a variety of technology litigation matters, including major systems implementation cases, and has advised clients on a number of technology law issues such as information security and privacy compliance, hardware and software agreements, electronic payments, technology use policies, domain name disputes, electronic records management, response to computer intrusions and electronic contracting.

He is a member of the ABA Law Practice Management Section Council and a member of the ABA Section of Science and Technology’s Information Security Committee. He served on the ABA TECHSHOW Planning Board from 2005 through 2008.

Dave has frequently spoken on ethics, legal technology and technology law issues for legal, academic and professional groups, including the American Bar Association, the Association of Corporate Counsel, the Energy & Mineral Law Foundation, the Pennsylvania Bar Institute, the Information Systems Security Association and Carnegie Mellon University. He recently wrote “Safeguarding Client Data—Your Ethical and Legal Obligations,” Law Practice Magazine (July/August 2010). He is the editor of e-Discovery, 2nd ed. (PBI Press 2011) and is a contributing author to Information Security: A Legal, Business and Technical Handbook, 2nd ed. (American Bar Association 2011) and Information Security for Lawyers and Law Firms (American Bar Association 2006).

John W. Simek

John W. Simek is the Vice President of Sensei Enterprises, Inc. He is an EnCase Certified Examiner (EnCE) and a nationally known testifying expert in the area of computer forensics.

Mr. Simek holds a degree in engineering from the United States Merchant Marine Academy and an M.B.A. in finance from Saint Joseph’s University. After forming Sensei, he ended his more than 20-year affiliation with Mobil Oil Corporation, where he served as a Senior Technologist troubleshooting and designing Mobil’s networks throughout the Western Hemisphere.


Acknowledgments

WE THANK SENSEI’S PARALEGAL, Jason Foltin, for assistance with research for this book.

We express our appreciation to Chris Ries, an Information Security Engineer with Carnegie Mellon University. Chris has made a number of helpful suggestions for this book and shared his security insights with us over the years.

We are forever in debt to Tim Johnson, the former Executive Editor of LPM Publishing, for encouraging all of our authorship efforts over the years. Tim, your ability to encourage and apply the rod as deadlines slip a bit is unparalleled. At least this time, we were “close” to the deadline we set. We appreciate your support and constant good nature.

Thanks to our fantastic Production Manager, Denise Constantine, and our Editorial Assistant, Kimia Shelby. We are delighted to be working with LPM’s gifted new Marketing Director, Lindsay Dawson. As always, the Pub Board staff is a joy to work with and we thank our Project Manager Jeff Flax, an old friend and valued colleague, and Pub Board Chair Bill Henslee who has always given us his support and a great deal of encouragement.


Introduction

INEVITABLY, WHEN WE LECTURE on information security to lawyers, they describe themselves as being scared—usually because they had no concept that there were so many bogeymen to be afraid of. Sometimes, lawyers are frightened into absolute inertia and simply leave data security to whoever provides their information technology (IT) support.

We embarked upon this book hoping to make security a little more approachable. There need to be some technical explanations of course, but we’ve tried to keep the technical stuff to a minimum so that the average attorney can genuinely understand the security demons that are out there and how to defend against them. Forewarned really is forearmed.

This is not a DIY sort of project, especially if you’ve suffered a security breach. We make no attempt in this book to document the myriad steps that a professional information security expert would take. Our objective is to teach the data security basics in language that can be readily understood by lawyers. If you’re in over your head, you’ll hear us advise you again and again to seek professional help. Even among those who called themselves experts, there is often a shocking knowledge shortfall or a failure to keep up with current developments, which happen with dizzying speed!


vigilance” is absolutely required for those of us who deal with data security issues.

Still, there are guiding principles that remain largely the same. We have tried to break information security down into digestible segments, knowing that some attorneys will pick up this book with concrete questions about specific security areas. Common questions we hear include:

1. What constitutes a strong password today?

2. How do I secure my smartphone?

3. Do I need to encrypt my laptop?

4. Can I safely use my laptop at Starbucks?

If your interests are narrow, you should be able to find what you’re looking for by scanning the Contents. We would urge lawyers, however, to take a broad interest in the security of data because they have, unlike the general public, a professional and ethical requirement to safeguard client data.

Although lawyers are all aware of ABA Model Rule 1.6 (and we have an entire chapter on an attorney’s duties to safeguard confidential data), the trick is how to keep client data secure in the digital era. It isn’t easy. The paper world was much simpler to lock down. Computer security is expensive—and it takes time to understand it—and you will never finish learning because threats and technology morph constantly.

Are lawyers abiding by their ethical duty to preserve client confidences? Our opinion is that many are not. Here are a few reasons we hold that opinion.


• Security expert Matt Kesner, who is in charge of information security at a major law firm, reports that his firm has been breached twice—and that he is aware that other law firms have suffered security breaches—and failed to report them to clients.

• We have never performed a security assessment at a law firm (or for that matter, at any kind of business) without finding severe vulnerabilities that needed to be addressed.

Why do many otherwise competent lawyers fail so miserably in their duty to maintain the confidentiality of client data? Here are some of the reasons.

• Ignorance—they simply need education.

• The “it can’t happen here” mentality. This is flatly wrong. Even the FBI issued an advisory in 2009 that law firms were specifically being targeted by identity thieves and by those performing business espionage—much of it originating from China and state sponsored, though of course the Chinese government has vehemently denied involvement in such activities. Matt Kesner, mentioned earlier as an expert, reports that the Chinese don’t bother using their “A-level” hackers to infiltrate law firms; their security is so bad that the rookie “C-level” squads are able to penetrate law firms.

• According to press reports, lawyers and law firms are considered “soft targets”; they have high value information that’s well organized and frequently have weak security.

• It’s expensive. And it is. Protecting the security of client data


• The need for vigilance never stops. You cannot secure your data once and think you’re finished; the rules of information security change on close to a daily basis. Certainly, someone in the firm needs to keep up with changes on a regular basis or the firm needs to engage a security consultant to do periodic reviews. The standard advice is that security assessments need to be done twice a year. While that is desirable, it is in our judgment mandatory that assessments be conducted at least annually.

In the paper world, keeping client data confidential was easy and cheap. In the digital era, abiding by this particular ethical rule is often hard and expensive, but it must be done. We hope this book takes some of the “hard” away and also helps lawyers understand how many inexpensive steps exist to protect data without breaking the bank.

Often, this subject seems so dense and unapproachable that lawyers have the Ostrich Effect and simply bury their heads in the sand. Brian Ahern of Ahern Insurance Brokerage reported in 2011 that law firms are ranked ninth in terms of organizations with the highest risk of cyberexposure. As previously mentioned, even the Federal Bureau of Investigation warned law firms in November 2009 that they were increasingly becoming the target of hackers.

In the American Bar Association’s 2011 Technology Survey, 21.1% of large law firms reported that their firm had experienced some sort of security breach, and 15% of all firms reported that they had suffered a security breach (Appendix A).


yet that is clearly mandated in a world where technology rules us all. The crown jewels of law firms are their electronic files, and yet many law firms guard them sloppily.

For years, we’ve been warning lawyers that it’s not a question of whether law firms will become victims of successful hacking attacks; rather, it’s a matter of when. We pointed to incidents of dishonest insiders and lost or stolen laptops and portable media, but there were not disclosed incidents of successful hacking attacks. As the preceding examples show, we’ve now reached the “when,” and attorneys and law firms need to address it.


CHAPTER ONE

Data Breach Nightmares and How to Prevent Them

Can Your Law Firm Be Breached?

In the paper world, it was remarkable when a law firm installed glass-breakage sensors on the windows of its 43rd-floor conference room, where documents were compiled for big cases and deals. The firm wanted to ensure that no one could rappel from the skyscraper’s observation deck and break through the windows to steal the information. Boy oh boy, the times have really changed.

So now you’ve read in the introduction to this book that the FBI has warned law firms that they are targets for hackers and that security firm Mandiant has been spending 10% of its time investigating data breaches in law firms. In fact, Mandiant has confirmed that it has worked with more than 50 law firms dealing with confirmed or suspected data breaches. Clearly, it can happen to any firm.

Now consider the fact that most lawyers do not have cyberinsurance that will cover the expense of complying with data breach laws, which now exist in 46 states, the District of Columbia and the Virgin Islands. A single data breach could be a financial disaster for a small law firm.


them—particularly their belief that no one would be interested in their data. Most of us can understand why merger and acquisition firms would be magnets for hackers; clearly, there is a great deal of money to be made on Wall Street with insider information.

Fewer people think about the money to be made by having an insider’s knowledge of litigation, particularly in large suits involving a major corporation, where the result is likely to influence the stock market.

But what about small law firms? What attractive data do they hold? Many small firms practice family law, and their computers contain Social Security numbers, birth dates, and credit card and other detailed financial information. This is precisely the kind of data that identity thieves are looking for. They routinely scan for vulnerable systems seeking such data.

Business espionage is another motivation for breaking into law firms. Perhaps you represent a company and a competitor wishes to acquire business intelligence from you.

There is also the press. In 2011, the News of the World notoriously hacked into cell phones to feed the public’s insatiable appetite for gossip. Consider all the interest in a murder trial—is it conceivable that a reporter might seek private information to get a scoop? Of course.

Need More Convincing?

Take a look at the Privacy Rights Clearinghouse web site’s Chronology of Data Breaches from 2005 (when the first big breaches were disclosed) to the present. It may be found at http://www.privacyrights.org/data-breach and there are very sophisticated ways to sort the information.


breach notification. Business executives acknowledged in congressional hearings that there had been breaches in the past, but they were not disclosed because there was no requirement to do so and it was not in their business interest to make the breaches public. As of mid-December 2011, the Clearinghouse reported 535 breaches involving 30.4 million sensitive records.

The first thing you’ll note is that there are lots of data breaches each month. The second point you’ll note is that you don’t see a lot of law firms there. It is an open secret that law firms have played breaches very close to the vest and demand strict confidentiality agreements from information security vendors who investigate any compromise of their networks. This means, of course, that there probably are law firms out there that have chosen not to comply with state data breach notification laws, which frankly doesn’t surprise us.

The third thing you’ll notice is that there are a ton of health industry breaches here. Why? Because there is a federal law requiring that this industry report breaches, and the law has teeth. The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, contains several significant changes to the privacy rules in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HITECH requires that covered entities subject to the HIPAA privacy rule and their business associates must provide notice when unencrypted protected health information has been breached.

In spite of the law and the number of breaches you see reported, a study by the Healthcare Information and Management Systems Society found that only 17% of medical practices are likely to report an incident of medical identity theft—in spite of all the federal and state laws requiring a report.

If a federal law is passed that covers personal information generally and provides stiff penalties, you’ll be seeing a lot more industries in the Chronology of Data Breaches—and you’ll probably find that law firms, always seeking to keep embarrassing information private, may well be like the medical practices and take their chances with flouting the law if they think they can “keep the lid on.”

What’s New in the Data Breach World?

The Ponemon Institute’s 2011 “Cost of a Data Breach” study found that data breaches cost organizations $7.2 million on average in 2010. While this is a dreadfully high number, bear in mind that many of the data breaches that are reported are breaches that have gone public, some of them involuntarily, and they tend to involve very large corporations which are far more likely to report breaches than smaller entities.

With respect to smaller businesses, the National Small Business Cyber-security Study, published in 2011, reported that almost one-fifth of small businesses don’t have or use antivirus software. Three-fifths don’t use any encryption on their wireless networks, and two-thirds have no security plan whatever.


these businesses continue to believe, in spite of all the evidence to the contrary, that they are not targets for cybercriminals; therefore, they are not taking actions to secure their data.

Another 2011 Ponemon study showed that 90% of businesses of all sizes reported a security breach in the preceding year. The majority had multiple breaches. It was striking that the majority didn’t have much faith that they could stop breaches in the future; according to 77% of these businesses, the attacks were more sophisticated and severe.

IBM published its X-Force® 2011 Mid-year Trend and Risk Report in September 2011. Here are some of the more notable findings.

• Political hacktivism, first noted widely in 2010, is on the rise again in 2011, with hackers who have political objectives in mind. The hacker group Anonymous is a prime example.

• Attackers are becoming more sophisticated, developing better and better tools. They study their targets and wait for the right moment to try to enter high-value networks.

• America (no surprise) experienced an unprecedented number of high-profile data breaches in the first half of 2011, including Sony, Epsilon, HB Gary, Citigroup, Northrop Grumman, Booz Allen Hamilton and RSA.

• Mobile vulnerabilities and malware continue to soar and were predicted to double by the end of 2011. A Deloitte poll of 1,200 executives revealed that 28.4% believe they have unauthorized devices on their networks and almost 87% believe their companies are at risk for a cyberattack originating from a mobile device.


• Companies are beginning to ask themselves not “could it happen?” but “when it happens, how will we respond?”

• We are seeing a continuing rise in what are known as “advanced persistent threats” (APTs)—sometimes very complex—and after they compromise a network, they often go undiscovered for months.

• APTs (and this term is often too loosely used when the attack is conventional) typically cannot be defended by keeping patches current and running commercial security products. These attacks are specifically targeted as a rule and often exhibit careful long-term planning, also often using brand new vulnerabilities and obfuscation techniques.

• With APTs, it is sometimes advisable to let the attack continue while you document it and run counterintelligence on it. Forensic analysis is going to be a key activity, adding to the inevitable financial burden.

• In spite of the fact that we know a great deal about how to protect ourselves from things like SQL injections, we simply aren’t doing it. For those who were wondering, SQL injection is a code injection technique that exploits a security vulnerability in a web site’s software.
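The SQL injection just described, as an added example that is not code from the book: a constructed SQLite table of client records, a lookup that pastes the caller's input into the query text (the kind of flaw the bullet refers to), and the parameterized version that closes it. The table, the sample rows and the function names are assumptions made for illustration.

```python
import sqlite3

# Constructed in-memory "client file" table (sample data, not from the book).
SAMPLE_CLIENTS = [
    ("Alice Example", "000-00-0001"),
    ("Bob Example", "000-00-0002"),
]


def make_db():
    """Create a throwaway SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO clients (name, ssn) VALUES (?, ?)", SAMPLE_CLIENTS)
    return conn


def lookup_vulnerable(conn, name):
    """The flaw: the caller's input is pasted into the SQL text, so a quote
    character in the input changes the meaning of the statement instead of
    being matched as data."""
    sql = "SELECT name, ssn FROM clients WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a parameterized query. The driver binds the value separately
    from the statement, so the input is only ever compared against the column."""
    return conn.execute("SELECT name, ssn FROM clients WHERE name = ?", (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input; return the row counts (vulnerable, safe)."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, name)), len(lookup_safe(conn, name))
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed name behaves the same in both versions.
    print(compare("Alice Example"))                # (1, 1)
    # Input containing a quote turns the WHERE clause into a tautology in the
    # vulnerable version, returning every client's record; the safe version
    # simply finds no client with that literal name.
    print(compare("Alice Example' OR '1'='1"))      # (2, 0)
```

The parameterized form is the whole defense: it costs nothing at runtime and removes the class of bug, which is why the bullet's complaint that "we simply aren't doing it" is so pointed.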

A new development in 2011 was e-mails that appear to come from your printer, scanner or all-in-one device. They are a form of attack, using e-mails with false header information to get users to click on the link contained in the e-mail. Author Nelson got one as she was writing this chapter. Here’s what it looked like.

From: support@senseient.com [mailto:support@senseient.com]
Subject: Re: Fwd: Re: Scan from a Xerox W. Pro #6979530
A Document was scanned and sent to you using a Xerox Work-Centre OF986646.
Sent by: KARINA
Image(s): 3
Type: Image
View (this part was hyperlinked)
Device: XER077KD1S342079
3e12afb0-4d5c6789

This wasn’t a good scam because she knows her company doesn’t have this kind of device—and no KARINA works with her. But there are more sophisticated versions of these attacks, so beware of the new demon in town.
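To show how a spoofed-scanner message like the one above can be screened before anyone clicks, the following is an added example (not code from the book or from Sensei Enterprises). It parses a message rebuilt from the headers and fields quoted above and flags the same tells the author used by eye: a From address on the firm's own domain whose bounce address lies elsewhere, a link to a host the firm's scanners would never use, a device ID that is not in the firm's inventory, and a sender name that matches no staff member. The Return-Path, the link target, the device inventory and the staff list are constructed assumptions; the book shows none of them.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OWN_DOMAIN = "senseient.com"              # the firm's mail domain, as in the quoted e-mail
ALLOWED_LINK_HOSTS = {"senseient.com"}    # hosts a genuine scan notice may link to (assumption)
KNOWN_DEVICES = {"XER-CONSTRUCTED-0001"}  # hypothetical inventory of the firm's scanner IDs
KNOWN_STAFF = {"SHARON", "JOHN"}          # hypothetical list of people who send scans

# The suspicious message, rebuilt from the quoted headers and fields. The
# Return-Path and the link target are constructed; the book shows neither.
SUSPICIOUS_MESSAGE = """\
Return-Path: <bounce@mail.example.invalid>
From: support@senseient.com
To: snelson@senseient.com
Subject: Re: Fwd: Re: Scan from a Xerox W. Pro #6979530
Content-Type: text/html

<p>A Document was scanned and sent to you using a Xerox Work-Centre OF986646.</p>
<p>Sent by: KARINA Image(s): 3 Type: Image</p>
<p><a href="http://scan-download.example.invalid/view">View</a></p>
<p>Device: XER077KD1S342079</p>
"""

# A constructed notice from an in-house scanner, for contrast.
LEGITIMATE_MESSAGE = """\
Return-Path: <scanner@senseient.com>
From: scanner@senseient.com
To: snelson@senseient.com
Subject: Scan from the office copier
Content-Type: text/html

<p>Sent by: JOHN Image(s): 2 Type: Image</p>
<p><a href="https://senseient.com/scans/42">View</a></p>
<p>Device: XER-CONSTRUCTED-0001</p>
"""


class LinkCollector(HTMLParser):
    """Collects the href target of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if there is none)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def analyze(raw_message):
    """Return a list of (code, detail) findings; an empty list means nothing looked off."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Sender spoofing: From claims our domain, but bounces would go elsewhere.
    from_domain = domain_of(msg.get("From", ""))
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    if from_domain == OWN_DOMAIN and envelope_domain and envelope_domain != OWN_DOMAIN:
        findings.append(("sender-domain-mismatch",
                         f"From claims {from_domain} but bounces go to {envelope_domain}"))

    # 2. The "View" link points somewhere a scanner notice never should.
    body = msg.get_payload()
    collector = LinkCollector()
    collector.feed(body)
    for link in collector.links:
        host = (urlparse(link).hostname or "").lower()
        if host not in ALLOWED_LINK_HOSTS:
            findings.append(("external-link", f"link target host is {host!r}"))

    # 3. The named device is not one the firm owns.
    device = re.search(r"Device:\s*([A-Za-z0-9-]+)", body)
    if device and device.group(1) not in KNOWN_DEVICES:
        findings.append(("unknown-device", f"no scanner {device.group(1)} in inventory"))

    # 4. The named sender is not on staff.
    sender = re.search(r"Sent by:\s*([A-Za-z]+)", body)
    if sender and sender.group(1).upper() not in KNOWN_STAFF:
        findings.append(("unknown-sender-name", f"no staff member named {sender.group(1)}"))

    return findings


if __name__ == "__main__":
    for code, detail in analyze(SUSPICIOUS_MESSAGE):
        print(f"{code}: {detail}")
    print("legitimate message findings:", analyze(LEGITIMATE_MESSAGE))
```

The inventory and staff checks are the ones a firm can actually maintain; they are the same reasoning the author applied ("her company doesn't have this kind of device, and no KARINA works with her"), written down so that a mail gateway or help desk can apply it consistently instead of relying on each recipient's memory.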

Verizon’s 2011 Data Breach report noted that, in 2010, the Secret Service arrested more than 1,200 suspects for cybercrimes. The investigations involved more than $500 million in fraud losses.

Verizon also identified only 16% of the threats as coming from internal sources, with 92% coming from external sources and less than 1% coming from third parties who had a relationship with the breached entity.

Where do these external threats come from? Sixty-five percent come from Eastern Europe, which is notorious for cybercrime (and where many investigations “go to die”), 19% from North America, and 6% from South and Southeast Asia. Those are the top three culprits.

The leading three threat agents are hacking, malware and exploitation of physical security vulnerabilities, followed by the misuse of data to which someone had access, and social engineering.


information from the law firms he worked for during a 17-year period. At Wilson Sonsini, his most recent employer, he got the information from the firm’s document management system. As Law Technology News pointed out in a 2011 article, this underscored three law firm information security challenges:

• The need to balance security with the need to share information;

• The importance of having security policies, with people in place with enough authority to enforce and monitor the policies, updating them as needed;

• The clear message that law firms need to focus on threats from insiders, because the tendency is often to focus on external threats and ignore those in the office.

Finally, Information Week reported in 2011 that a recent survey of 300 IT professionals, two-thirds of them working in companies with more than 10,000 employees, showed that 25% of them knew at least one coworker who used privileged login credentials to inappropriately access confidential information. There were 42% who indicated that the IT staff freely shared passwords and access to multiple systems and applications.

There were also 25% who indicated that at least some of the superuser passwords granting God rights to the network were less complex than what was required of end-users. A whopping 48% reported that privileged account passwords had remained the same for at least 90 days.

While these are big firm statistics, we have no doubt that this sort of sharing, inappropriate access of data and poor password management are rife in small firms as well.


report in 2011 acknowledging that there has been a 650% increase in malware infections and other security incidents over the past five years.

The Bad Rap Law Firms Get on Information Security

Security consultants consistently report that law firms are “stingy” about spending money on data security and lag far behind their corporate counterparts. Only at the largest firms does one find security specialists.

Law firms in general, and small firms in particular, are not very likely to have vulnerability assessments done. If they do have an assessment done, they often don’t follow the best practice of repeating the assessments at regular intervals.

Firmwide encryption is almost unheard of. We forget how our mobility has opened up new vulnerabilities. Flash drives, tablets, smartphones— all are easily lost or stolen, yet most lawyers do not encrypt these mobile devices. Sadly, many do not even go to the trouble to have a password or PIN on their devices.

Social media sites have become wonderful places for criminals and business espionage experts to set up shop. Even developers for social media sites have been found with their hands in the cookie jar. And yet, we find very few firms with social media policies, training about the safe usage of social media or implementing technology which might intercept malware before it is installed on the network.


A Recent Law Firm Data Breach

On October 10, 2011, it was reported in the press that the Maryland law firm of Baxter, Baker, Sidle, Conn & Jones had lost the medical data of 161 patients in a malpractice suit.

This was especially significant because it is so rare to hear of law firm data breaches; understandably, law firms are loath to have such stories become public. So how did this one come to light? The Baltimore Sun obtained a copy of one of the notifications sent to the patients.

Here’s what happened: One of the law firm’s employees brought home a hard drive containing backup data, which was the firm’s method of ensuring that it had an offsite backup. She took the Baltimore light rail system home and—you guessed it—left the drive on the train. Though she returned just a few minutes later, the drive was gone. And yes, the drive was unencrypted.

In any event, it should be clear that traveling with unencrypted backup data is a very bad idea. The firm has begun encrypting its data and is looking into offsite data storage.

State Laws Protecting Personal Data


• Forty-six states had breach notification laws. Generally, these require that an entity which reasonably believes that there has been a breach involving unencrypted data acquired by an unauthorized person must provide notice to the affected persons.

• Forty-eight states have security freeze laws, allowing customers who have been or believe they will be victims of identity theft to request that a consumer reporting agency place a “freeze” on their credit report, blocking any unauthorized access to it.

• Thirty-five states have Social Security protection laws that dictate how Social Security numbers may be used or displayed.

• Twenty-four states now mandate the secure disposal of personal information. States that require secure destruction or disposal of personal information often require the following:

◦ When disposing of or destroying records that contain personal information, entities must take all reasonable measures necessary to protect against unauthorized access to or use of the records or the personal information contained in the records;

◦ Measures may include burning, pulverizing or shredding paper documents so that personal information cannot be read or reconstructed; and/or

◦ Contracts with a third party to perform the secure disposal or secure destruction must ensure that the third party is following the requirements of state security laws;


The Massachusetts law is particularly important for all states to understand because it applies extraterritorially to all Massachusetts residents whose information resides in the database of any state.

◦ Nevada, Massachusetts and Washington have encryption statutes which require businesses to protect customer data by encrypting it on mobile devices and whenever they are transmitted electronically.

Because the Massachusetts law is so strict and causes businesses (including attorneys) that do business with Massachusetts residents so many headaches, we have included the regulations under it at the end of this book as Appendix B. Attorneys’ legal duties are further discussed in the following chapter.

Spear Phishing—and a Data Breach Avoided


In a smaller firm, the e-mail’s subject line might well read “Referring a case to you”; that would certainly be appealing in these uncertain economic times.

In 2010, the Los Angeles-based firm Gipson Hoffman & Pancione survived an attempted spear phishing attack. The firm had filed a $2.2 billion copyright infringement suit on behalf of CYBERsitter LLC. Shortly thereafter, the firm noted a dramatic increase in suspicious e-mails.

The e-mails appeared to be sent from lawyers at the firm and included a message requesting the recipients to open an attachment. The firm’s internal investigation revealed that the attachment contained malware which appeared to come from China. We can never say enough about the value of training, and training saved the firm from making an error in this case.

Attorneys and support staff had been warned to be on the lookout for suspicious e-mails after the suit was filed because the suit accused the Chinese government and several companies of stealing code from CYBERsitter’s Internet filtering program. No one clicked on the attachments, so no malware bomb was detonated.

A new kind of spear phishing was dubbed “whaling” in the IBM report referenced earlier. Whaling specifically targets big fish or high-level personnel with access to critical data. The cybercriminals research the “whales” online—usually through social media—and construct messages that genuinely appear to come from, say, the target’s boss, duping them into clicking on a malicious link. It’s an effective harpoon and is gaining traction with the bad guys.

A Nasty Law Firm Data Breach


breached for more than a year after the law firm was tipped off to the breach by law enforcement. We don’t know how law enforcement knew, but more and more, we are seeing businesses warned by authorities, which is interesting.

The law firm could not be named due to Mandiant’s confidentiality agreement, but Mandiant stated that the firm was involved in litigation involving China, common in many breaches in spite of the Chinese government’s many protestations of innocence when the words “state-sponsored hacking” come up. The intruders at the law firm were able to obtain more than 30 sets of user credentials and harvested thousands of e-mails and attachments from mail servers; they also had full access to all servers and computers on the network for an extended time. The fact that this could happen to a law firm should give lawyers a serious case of the willies.

Okay, I’m Convinced: What’s Next?

First, understand how data breaches happen. Here are the most common ways:

• Devices with unencrypted data are stolen or lost.

• Security patches (software fixes issued by manufacturers) are not installed.

• Lawyers and staff are not trained about social engineering. One example is when someone pretends to be your IT provider and needs an employee’s ID and password to “fix something.”

• Malware comes in via an attachment or through social media (this would include the previously referenced spear phishing).

• Hackers, cybercriminals and even nations find vulnerability in

Since the old, innocent days of script kiddies, youngsters who copied malicious code easily available on the Internet, we now have more sinister types trying to get your information, and their skill set has vastly improved along with the tools available. Also, our networks are becoming more interconnected and complex all the time. As Philip Reitinger, the director of the National Cybersecurity Center in the Department of Homeland Security, has said, “Complexity is the enemy of security.” As he further pointed out, if someone really wants your data, they stand an excellent chance of getting it.

The Department of Defense reports that its computers are probed hundreds of thousands of times each day. Now, your law firm probably isn’t probed that often, but rest assured that it is being probed. Even the power of the cloud can be used by hackers to automate the probes.

Here’s another reason to be wary from Alan Paller, the director of research at the SANS Institute: “If I want to know about Boeing and I hack into Boeing, there are a billion files about Boeing. But if I go to Boeing’s international law firm, they’re perfect. They’re like gold. They have exactly what I’m looking for. You reduce your effort.”

Essential steps to take include:

• Have a security vulnerability assessment performed, at least annually.

• Remediate any vulnerabilities discovered.

• Use enterprise-class antimalware, not single-function products like an antivirus program (for small firms, we like Kaspersky, Sophos and Trend Micro).

• Have security policies and plans in place:

◦ Remote access policy;

◦ Disaster recovery plan;

◦ Acceptable Internet and electronic communications policy;

◦ Social media policy. More than 66% of small businesses do not have such a policy, and yet 18% of users have been hit by social media malware, according to a 2011 report by the Ponemon Institute;

◦ Employee termination checklist (Appendix C);

◦ Password policy;

◦ Mobile device (includes smartphones) policy (critical if you allow the use of personal devices);

◦ Background checks for employees;

◦ Employee monitoring policy. It is helpful to have a logon screen that specifically says that there is no right of privacy—that makes it hard for any employee to argue that they didn’t know the policy;

◦ Guest access policy. Guests are frequently allowed on law firm networks, but they should not be able to reach client data, firm financial information and so forth—and they should be given a password that expires quickly;

◦ Vendor access policy;

• Make sure critical security patches are promptly applied.

• Map your network to identify devices and applications running on the network (you can use a free tool such as Nmap). Regular scanning will show you what and who should and shouldn’t be on the network. Anything that looks suspicious can be investigated.

• Depending on the size of your firm, you may want to consider an intrusion detection system (IDS) or intrusion prevention system (IPS).


• Consider using content filtering, which keeps employees from visiting sites (notably pornographic sites) where evildoers are apt to plant drive-by malware.

• Examine the security policies of business partners.

• Verify that your firewall is properly configured.

• Encrypt sensitive data in transit and in storage. This is especially important for mobile devices which are so frequently lost or stolen. Make sure they can be remotely wiped and that they will wipe themselves after a certain number of incorrect passwords are typed in.

• Change all default passwords—these are plastered all over the Internet.

• If you have bent to the pleas of employees to connect their personal devices to your network, make sure you have a mobile device manager (more on that in the smartphones chapter) which can help manage security. The new trend is to have two instances of the phone, one for business and one for personal stuff, with the employer tightly managing the business instance of the phone. Since most small law firms are not using mobile device managers, allowing personal devices on the network is a Faustian bargain with a severe security risk. It is very important that data be encrypted, that passwords be required and that the devices can be remotely wiped.

• Verify that your wireless network is properly secured (more on how to do that in the wireless chapter).

• Log remote access and limit access to sensitive data.

• Make sure you know where all your data is actually located!

• Make sure you know which experts you would call in the event of a breach.

• If you accept credit cards, make sure you are following applicable parts of the PCI Data Security Standards (DSS) which may be found at https://www.pcisecuritystandards.org.

• Get IT and partners to work together. Firm culture is a big problem—it is often true that a partner can refuse an IT security recommendation by simply saying, “I don’t want to work that way.”

• Have a plan for damage control to the firm’s reputation.

• Train and keep on training both lawyers and staff. Employees continue to fall for even easy-to-spot social engineering and threats. Lance Spitzner, director of SANS Securing the Human Program (we love that name), tells of an employee who submitted his resignation immediately upon receiving a phony e-mail about winning a lottery. And each year, the IRS tests its employees with a social engineering drill in which a bogus system administrator calls and requests the employee’s ID and password. Each year, more than 25% of the employees obligingly give out this information in spite of their annual training.

When an incident is over, sit down and do some serious Monday morning quarterbacking. You may have policies or procedures to change. Whatever your incident response plan, it probably did not wholly survive first contact with the enemy.

Never think that you can handle a data breach without expert involvement. Only an information security specialist can truly do that, which is one reason that we haven’t included a complicated set of technical instructions here. For one thing, they’d be obsolete as soon as written—and for another, they would constitute a book in and of themselves.

Secure Passwords: The Rules Have Changed

Passwords might seem a tired subject to some, but the rules of the security game have changed, and it is high time to say goodbye to those wimpy, eight-character passwords. If you are using fewer than eight letters, shame on you! Even in 2011, PC Magazine reported that the top five passwords are 123456, password, qwerty (the top alphabet row on the keyboard, in case you’ve never noticed), abc123 and the oddly plaintive “letmein.” Not strong, not creative and an invitation to a breach.

Georgia Institute of Technology Report

The top five passwords listed above are dreadful of course, but even those who were using strong eight-character passwords received a shock when it turned out that those passwords are now insecure.

According to a report recently published by the Georgia Institute of Technology, it is time to move to 12-character passwords. In essence, Institute researchers were able to use clusters of graphic cards to crack eight-character passwords in less than 2 hours. And trust us, if researchers are doing this, so are the cybercriminals of the world.

The researchers discovered that, when they applied the same processing power to 12-character passwords, it would take 17,134 years to crack them. Cybercriminals, even when highly motivated, are going to bypass 12-character passwords; there are just too many folks out there asking for their security to be violated with less secure passwords.


facto standard we all use. It is simply too clear that the degree of your vulnerability is dictated in large part by the length of your password. Sad, but true.

The recommendation really strikes a balance between convenience and security, and it assumes that password-cracking capabilities will continue to increase, as has certainly been true since computers became an integral part of our lives.

Here’s how they came to their recommendation: They assumed a sophisticated hacker might be able to try 1 trillion password combinations per second. If that were the case, it would take 180 years to crack an 11-character password. If you add just one more character, it would now take 17,134 years to break the password. Given that the computing power of those with evil intent continues to accelerate, that added character gives (for the foreseeable future) a pretty good level of security. We are always asked, “When will the rules change again?” We sure wish we could tell you, but that’s a mystery even to the experts. It’s not just an increase in processing power that makes it hard to predict, but it is also harnessing the power of the cloud—something that the hackers are beginning to exploit.

Lawyers and Passwords


phone, which is a tremendously common experience. Now the person that finds your smartphone also has instant-on access to all your data. Not a terribly effective way to safeguard your confidential data.

Make no mistake about it, without a PIN, someone with evil intent will have access not only to data that you yourself could see on your phone but also to whatever deleted data may reside within its memory. This is precisely what we do in a computer forensics lab when phones come in as part of the discovery process, albeit without the evil intent!

Apart from smartphones, lawyers have generally gotten smarter about passwords over time and tend not to use the names of children, sports teams and so on as their passwords. We still find passwords on sticky notes on monitors or in desk drawers. That is an unending source of despair to all security experts, but apparently, most of us cannot remember our passwords—and indeed, we have a lot of sympathy for the fact that lawyers have so many passwords that it is hard to remember them all.

Passphrases as Passwords

In response, over the last few years, we have joined others who lecture on security and recommended the use of full sentences or passphrases as passwords. They are so much easier for all of us to recall.


even more difficulty for cybercriminals to break your password.

Some, including Microsoft, will argue that users should not use real words or logical combinations of letters because they may be guessed by a “dictionary attack” using a database of words and common character sequences. Maybe, but we think that is overkill unless you’re dealing with national security data or the formula for Coca-Cola®.

The research by Georgia Tech was a “brute force” attack, meaning that they tried all possible combinations of characters. The computer graphics cards they deployed are very cheap and easily programmed to perform these sorts of computations. We have software in our forensics lab that will natively use the graphics processing unit (GPU) to attack passwords so the tools are freely available. The processors in the cards all run simultaneously, working to crack the passwords. Amazingly, these processors, running together, now have the processing power of what we used to call “supercomputers.”
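The arithmetic behind the brute-force figures quoted earlier in this chapter (180 years for 11 characters, 17,134 years for 12, under two hours for 8), as an added worked example that is not from the book: an exhaustive attack must try the character-set size raised to the password length, divided by the guess rate. It assumes the pool was the 95 printable ASCII characters, because that value reproduces all three quoted figures at the stated 1 trillion guesses per second, and it goes beyond the text by varying the character set to show how much a 12-character password loses when it is drawn only from lowercase letters.

```python
# Added example: brute-force cost arithmetic behind the Georgia Tech figures.
# Assumption (not stated in the book): the pool is the 95 printable ASCII
# characters, because that size reproduces the quoted 180 and 17,134 years.

PRINTABLE_ASCII = 95      # letters, digits, punctuation and space
LETTERS_AND_DIGITS = 62   # a-z, A-Z, 0-9
LOWERCASE_ONLY = 26

GUESSES_PER_SECOND = 10**12            # the book's assumed attacker: 1 trillion/s
SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # a 365-day year reproduces the quoted numbers

CHARSETS = {
    "lowercase letters": LOWERCASE_ONLY,
    "letters and digits": LETTERS_AND_DIGITS,
    "printable ASCII": PRINTABLE_ASCII,
}


def search_space(charset_size, length):
    """Distinct passwords of exactly `length` characters drawn from the pool."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case time to try the entire space at the given guess rate.

    On average an attacker succeeds after about half this time; the worst
    case is the figure the text quotes.
    """
    return search_space(charset_size, length) / guesses_per_second


def years_to_exhaust(charset_size, length, guesses_per_second=GUESSES_PER_SECOND):
    """Same worst-case time expressed in years (fractional)."""
    return seconds_to_exhaust(charset_size, length, guesses_per_second) / SECONDS_PER_YEAR


def growth_per_extra_character(charset_size):
    """Factor by which one more character multiplies the search space."""
    return search_space(charset_size, 12) // search_space(charset_size, 11)


def crack_table(lengths=(8, 11, 12), guesses_per_second=GUESSES_PER_SECOND):
    """Years to exhaust each (charset name, length) pair, as a dict."""
    return {
        (name, length): years_to_exhaust(size, length, guesses_per_second)
        for name, size in CHARSETS.items()
        for length in lengths
    }


def describe(years):
    """Human-readable duration; whole years are truncated, as in the text."""
    if years >= 1:
        return f"{int(years):,} years"
    days = years * 365
    if days >= 1:
        return f"{days:.1f} days"
    hours = days * 24
    if hours >= 1:
        return f"{hours:.1f} hours"
    return f"{hours * 3600:.0f} seconds"


if __name__ == "__main__":
    print(f"Assuming {GUESSES_PER_SECOND:,} guesses per second (worst case):")
    for (name, length), years in crack_table().items():
        print(f"  {length:2d} characters from {name:<18}: {describe(years)}")
    print("Each extra printable-ASCII character multiplies the work by "
          f"{growth_per_extra_character(PRINTABLE_ASCII)}.")
```

The 12-character lowercase-only row lands at about a day, which is the point behind the dictionary-attack concern: length only buys time if the attacker cannot shrink the pool.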

Practical Password Problems

So let’s say you accept the need for 12-character passwords. Several issues arise. One is that your bank, your stock brokerage and others may not allow for 12-character passwords. There are a lot of web sites out there that still do not permit long passwords, though with each passing day, that is changing.


have not yet caught up with security requirements for the coming decade.

Remembering and Storing Your Passwords

Perhaps the greatest problem is remembering all these passwords. One solution is to use an encrypted flash drive such as the IronKey, which includes a password “vault” application that remembers all the characters for you. This has been our solution, which is great—until we forget the IronKey. We can only sigh remembering how many times that has happened; fortunately, we’ve always been in the same city as the IronKey. We haven’t managed to lose our IronKeys yet, but as small as they are, that would also be easy. There is an insurance policy: You can store your passwords (encrypted) on the IronKey site. But you can sense that there is a nuisance factor here.

There are web sites which will store your passwords for you, but then you must trust the security levels (and employees) of that web site.

Particularly dangerous are social media passwords, which are often used to log in all over the Web. Adding to the danger is the fact that third-party applications regularly require you to turn over your social media ID and password so that they can have interaction between, say, Facebook and the popular applications Mafia Wars and Farmville. This makes things easy for the user, but now a cybercriminal with a single set of credentials may be able to access multiple sources of information.

For $19.95, you can turn to a product like eWallet (http://www.iliumsoft.com/site/ew/ewallet.php), which will store your passwords in encrypted format and allow you to sync access to it from multiple devices, including smartphones (be sure to check that yours is supported). This may be the best solution currently available for busy lawyers. Author Simek uses eWallet as a backup (synced to the BlackBerry) to his IronKey. With a 30-day free trial, it’s hard to go wrong. There are similar products out there, but research them carefully before selecting one. Most have been tested by independent sources, which is your best way of screening software since all vendors will trumpet their products as “the” solution to your problems.

Is there a way to store passwords on your own system securely? Well, it will help considerably if you store your passwords in a Word document or Excel spreadsheet that is itself password protected. This means that the data will be stored in encrypted format if you have Office 2007 or later.

You still need to make sure that the password you use to protect the file is very strong and not the name of your pet cat. So what if you are asked, while browsing the Web, whether you’d like to store your ID and password on the computer being used? Don’t do it. If your machine is compromised, however that happens, or someone who has the keys to your network gets on your computer, you’ve given someone else the power to “be you” on any site where you’ve asked to have the ID and password stored.


Whatever you do, make sure you take passwords seriously. We know from experience that most lawyers are not going to buy a product like the IronKey or use a product like eWallet. This may change as the years go by, but for now, the majority will simply come up with passwords on the fly as required. If that sounds like you, at least take heed of the message conveyed by the Georgia Institute of Technology and make your passwords strong 12-character passwords. At least then you will have demonstrated that you took “reasonable measures” to protect client confidentiality. There’s more about passwords and authentication in the information security overview chapter.

A Conversation with a Law Firm Security Specialist

Can we ever get law firm data properly protected from breaches? To answer the question, authors Nelson and Simek interviewed their friend and colleague Matt Kesner, the CIO of Fenwick & West LLP, a West Coast law firm representing high-tech and bio-tech clients. Matt has “walked the walk” when it comes to security and protecting data.


As we’ve previously discussed, the press hasn’t really identified many data breaches that have involved law firms. Since law firms are very much reputation based, they are not all that willing to publicize any data breach that may have occurred. Current data breach laws have changed that practice, but we still don’t hear of many specifics concerning law firms. Matt acknowledged that there have been two breaches at his own firm. His advice for security is to learn lessons from breaches so you can avoid a recurrence—at least a recurrence of the same sort of attack. Fortunately for Matt’s firm, the security incidents did not involve access to their network. Both occurrences involved their web site, which was hosted externally.

We are aware of some other firms being compromised, primarily through mobile devices and unprotected laptops. At a minimum, you should have a lock code on your mobile device, and the drives on laptops should be fully encrypted. Matt’s excellent advice is, “When in doubt, encrypt it.”

Not to scare our readers (okay, maybe just a little), but Matt confirmed that law firms are seeing an increase in hacking attempts. Reviews of his own firm’s logs show repeated “door rattles” and attempted infiltration of the network. They are being probed a lot more often, tested with various scripts being used to determine vulnerabilities and have experienced a higher proportion of successful malware and phishing attacks against their users.


receiving even if it is encrypted in transit. Another concern is bringing laptops to China. Matt advised us to weigh the laptop before and after taking it to China, as many times hardware monitoring devices will be installed in the laptop itself. He also suggested taking a disposable cell phone when traveling to China. Many in the security field have stated that we are seeing activity from China’s “C-level” (rookie) hackers since law firm systems are fairly easy to penetrate. China isn’t wasting the efforts of their “B-level” or “A-level” teams when attacking U.S. systems. Essentially, China’s entry-level hackers are practicing on U.S. law firm networks before “graduating” to more advanced hacking activities. Matt told us that Chinese students actually take hacking classes and hack Western web sites as part of their homework. Pretty scary stuff.

Increased usage of the Internet, voluminous amounts of data and the sharing of that data for legitimate purposes have made the task of security even more difficult. There are many more attack points as the data grows and reaches out to many more parties as part of our normal business activities. Matt cautioned us to be wary of USB flash drives that we obtain at conferences because they may be infected with malware such as the Stuxnet virus.

We queried Matt if there really is a fix for the security state that we are currently observing. The answer, as you might have guessed, is that there is no silver bullet for security. His primary advice is to partner with a trusted security advisor and be prepared to budget some funds for security. Your firm needs to be constantly vigilant since the security risks of tomorrow will be different from those we see today.


podcast at http://legaltalknetwork.com/podcasts/digital-detectives/2011/07/is-it-possible-to-secure-law-firm-data.

This chapter has provided an overview of the substantial security threats that attorneys face today and the basics of how to avoid them. Additional details in specific areas are covered in the following chapters. Updates to this chapter may be found in Appendix N.


CHAPTER TWO

Lawyers’ Duty to Safeguard Information

Confidential data in computers and information systems, including those used by attorneys and law firms, faces greater security threats today than ever before. These threats are substantial and real. As discussed in our data breach nightmares chapter, they have taken a variety of forms, ranging from phishing scams and social engineering attacks (e.g., using e-mail to trick attorneys to visit a malicious web site or to be lured into fraudulent collection schemes for foreign “clients”) to sophisticated technical exploits that result in intrusions into a law firm’s network to steal information. Attorneys have ethical, common law and statutory obligations to protect information relating to clients. Many attorneys also have contractual obligations to protect data. In addition, protection of confidential information is sound business and professional practice. It is critical for attorneys to understand and address these obligations and to exercise constant vigilance to protect client data and other confidential information.

Ethical Duties Generally


confidentiality. The duty of competence (ABA Model Rule 1.1) requires attorneys to know what technology is necessary and how to use it. It also requires attorneys who lack the necessary technical competence (many, if not most attorneys) to consult with qualified people who have the requisite expertise. The duty of confidentiality (ABA Model Rule 1.6) is one of an attorney’s most important ethical responsibilities. Together, these rules (included in Appendix D) require attorneys using technology to take competent and reasonable measures to safeguard client data. It is a continuing obligation as technology, threats and security measures evolve. This duty extends to all use of technology, including computers, portable devices, networks, technology outsourcing and cloud computing. Effective information security is an ongoing process that requires constant vigilance.

Model Rule 1.1 covers the general duty of competence. It provides that “A lawyer shall provide competent representation to a client.” This “requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” It includes competence in selecting and using technology.

Model Rule 1.6 generally defines the duty of confidentiality. It begins as follows:

A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).


confidential communications and privileged information. Disclosure of covered information generally requires express or implied client consent (in the absence of special circumstances like misconduct by the client).

The Ethics 2000 revisions to the model rules added Comment 16 to Rule 1.6. This comment requires reasonable precautions to safeguard and preserve confidential information.

Acting Competently to Preserve Confidentiality

[16] A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3.

The comment references Model Rule 5.1 (Responsibilities of Partners, Managers, and Supervisory Lawyers) and Model Rule 5.3 (Responsibilities Regarding Nonlawyer Assistants), which are also important in attorneys’ use of technology. Partners and supervising attorneys are required to take reasonable actions to ensure that those under their supervision comply with these requirements.


95-398, “Access of Nonlawyers to a Lawyer’s Database” (October 27, 1995), it requires notice to a client of compromise of confidential information relating to the client if the release of information “could reasonably be viewed as a significant factor in the representation.”

Attorneys must also take reasonable precautions to protect confidential information to which third parties, like information systems consultants and litigation support service providers, are given access. ABA Formal Ethics Opinion 95-398, provides guidance in this area and concludes, “[a] lawyer who gives a computer maintenance company access to information in client files must make reasonable efforts to ensure that the company has in place, or will establish, reasonable procedures to protect the confidentiality of client information.”

In August 2008, the ABA issued an ethics opinion that comprehensively addresses outsourcing by attorneys of both legal services and nonlegal support services. ABA Formal Ethics Opinion 08-451, “Lawyer’s Obligations When Outsourcing Legal and Nonlegal Support Services” (August 2008). It includes requirements for protecting confidentiality.

A new Pennsylvania opinion (included in Appendix E) analyzes ethics requirements for attorneys’ use of cloud computing, a form of outsourcing. Formal Opinion 2011-200, “Ethical Obligations for Attorneys Using Cloud Computing/ Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property.” It concludes,


confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.

These requirements are further discussed in our chapter on cloud computing and outsourcing.

A number of state ethics opinions have addressed professional responsibility issues related to attorneys’ use of various technologies. Several examples are discussed in this chapter. It is important for attorneys to consult the rules, comments and ethics opinions in the relevant jurisdiction(s).

An early ethics opinion on this subject, State Bar of Arizona, Opinion No. 05-04, “Formal Opinion of the Committee on the Rules of Professional Conduct” (July 2005), provides a well-reasoned explanation of these duties for electronic files and communications. It notes that “an attorney or law firm is obligated to take competent and reasonable steps to assure that the client’s confidences are not disclosed to third parties through theft or inadvertence.” The opinion also calls for “competent and reasonable measures to assure that the client’s electronic information is not lost or destroyed.” It further notes that “an attorney must either have the competence to evaluate the nature of the potential threat to the client’s electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence.”

An April 2006 New Jersey ethics opinion takes a consistent approach in reviewing obligations in lawyers’ use of electronic storage and access of client files. New Jersey Advisory Committee on Professional Ethics, Opinion 701, “Electronic Storage and Access of Client Files” (April 2006). It observes:

The obligation to preserve client confidences extends beyond merely prohibiting an attorney from himself making disclosure of confidential information without client consent (except under such circumstances described in RPC 1.6). It also requires that the attorney take reasonable affirmative steps to guard against the risk of inadvertent disclosure. . . .

The critical requirement under RPC 1.6, therefore, is that the attorney “exercise reasonable care” against the possibility of unauthorized access to client information. A lawyer is required to exercise sound professional judgment on the steps necessary to secure client confidences against foreseeable attempts at unauthorized access. “Reasonable care,” however, does not mean that the lawyer absolutely and strictly guarantees that the information will be utterly invulnerable against all unauthorized access. Such a guarantee is impossible, and a lawyer can no more guarantee against unauthorized access to electronic information than he can guarantee that a burglar will not break into his file room or that someone will not illegally intercept his mail or steal a fax.


Lawyers providing an online file storage and retrieval system for client access of documents must take reasonable precautions to protect the security and confidentiality of client documents and information. Lawyers should be aware of limitations in their competence regarding online security measures and take appropriate actions to ensure that a competent review of the proposed security measures is conducted. As technology advances over time, a periodic review of the reasonability of security precautions may be necessary.

A recent California ethics opinion addresses the use of a laptop by an attorney, where the laptop may be monitored by the law firm, and use of the laptop in public and home wireless networks. The opinion concludes that such use may be proper under the ethics rules if an adequate evaluation is made and appropriate precautions are taken. State Bar of California, Formal Opinion No. 2010-179 (included in Appendix F).

The Digest to this opinion states:


of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client’s instructions and circumstances, such as access by others to the client’s devices and communications.

The opinion contains a detailed analysis of the ethics requirements for attorneys’ use of technology and their application to the technology covered in the opinion, including a detailed discussion of factors an attorney should consider before using a specific technology. Significantly, it includes the requirement of an evaluation before an attorney uses a particular technology.

A recent Florida ethics opinion discusses the duty to securely dispose of electronic data in storage devices. Professional Ethics of the Florida Bar, Opinion 10-2 (September 24, 2010). It concludes that “[a] lawyer who chooses to use Devices that contain Storage Media such as printers, copiers, scanners, and facsimile machines must take reasonable steps to ensure that client confidentiality is maintained and that the Device is sanitized before disposition.”

The key professional responsibility requirements from these opinions are competent and reasonable measures to safeguard client data, including an understanding of limitations in attorneys’ competence, obtaining appropriate assistance and ongoing review as technology, threats and available security change over time.


technology and confidentiality and has released draft amendments for comment. So far, it has proposed an addition to the comment to Model Rule 1.1 to expressly address the duty of competence in technology; an addition to Model Rule 1.6 requiring “reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client”; and additions to the comments to Model Rule 1.6 to further address the obligation to safeguard information relating to clients. The Commission’s work is still in progress. Its activities and proposals are available at www.americanbar.org/groups/professional_responsibility/aba_commission_on_ethics_20_20.html.

Ethical Duties: Electronic Communications

In addition to protecting computers and information systems, the duty of confidentiality requires attorneys to take reasonable precautions to safeguard confidential information transmitted in electronic form. Electronic modes of communication, including e-mail, have become routine for attorneys and other professionals. They are fast, convenient and inexpensive, but also present risks, particularly in the area of confidentiality.


because they contain qualifications that limit their general pronouncements.

The ABA accepted the approach taken by these opinions in amendments to the comments to Model Rule 1.6 that were part of the Ethics 2000 revisions. Comment 17, which requires reasonable precautions to safeguard information in electronic communications, was added to the rule.

[17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.


have for years warned about the lack of confidentiality of e-mail.1 For example, Bruce Schneier, a highly respected information security expert, has explained it this way: “The common metaphor for Internet e-mail is postcards: Anyone—letter carriers, mail sorters, nosy delivery truck drivers—who can touch the postcard can read what’s on the back.” Larry Rogers, a security specialist with the CERT Coordination Center, has compared e-mail to “a postcard written in pencil,” pointing out its lack of confidentiality as well as its potential for alteration.

The comment to Rule 1.6 also includes a caveat for “special circumstances.” What constitutes special circumstances is not entirely clear, but the test is likely to be one of reasonableness, which will often be judged from hindsight. A client whose information has been compromised is likely to contend that there were special circumstances.

Two ethics opinions vary from the position that encryption is not generally required. New Jersey Opinion 701, discussed earlier, notes at the end: “where a document is transmitted to [an attorney] by email over the Internet, the lawyer should password a confidential document (as is now possible in all common electronic formats, including PDF), since it is not possible to secure the Internet itself against third party access.”

File password protection in some software, like current versions of Microsoft Office, Adobe Acrobat and WinZip, uses encryption to protect the contents of the file, so that the password is needed to read it. It is generally easier to use than encryption of e-mail and attachments. However, the protection is only as strong as the password: an attacker who has the file can try candidate passwords at leisure, so weak passwords are easy to break or “crack.” This is discussed in our data breach chapter.
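The following is an added illustration of that point, written for this discussion; it is not code from Microsoft, Adobe, WinZip or any of the ethics opinions. Each of those products uses its own password-based encryption format, so this example uses the same building blocks (a salted PBKDF2 key derived from the password, a keyed cipher and an authentication tag) in a simplified form that runs with only the Python standard library. The HMAC-in-counter-mode keystream is a stand-in for AES so that no third-party library is needed, the iteration count is an assumed modest work factor, and the wordlist and document are constructed sample data. What it shows is that a “protected” file guarded by a password on a common wordlist is opened after a handful of guesses, while the same file protected by a long passphrase is not.

```python
"""Why a password-protected file is only as strong as its password.

Added example, not from the book or any vendor. A stand-in for the
password-based encryption used by Office, PDF and ZIP formats.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Assumption: a modest PBKDF2 work factor so the demo runs in seconds.
PBKDF2_ITERATIONS = 20_000


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode, a stand-in for AES-CTR so the
    example needs no third-party library. Not for production use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def protect(plaintext: bytes, password: str) -> bytes:
    """Return salt || ciphertext || tag, the shape of a password-protected file."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, salt + ciphertext, "sha256").digest()
    return salt + ciphertext + tag


def unprotect(blob: bytes, password: str) -> Optional[bytes]:
    """Return the plaintext if the password is right, otherwise None."""
    salt, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    key = derive_key(password, salt)
    expected = hmac.new(key, salt + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(key, len(ciphertext))))


def dictionary_attack(blob: bytes, candidates: Iterable[str]) -> Optional[Tuple[str, int]]:
    """Try each candidate password; return (password, attempts) on success.

    This is what a cracking tool does: the attacker already holds the file,
    so all that protects the document is how guessable the password is
    multiplied by the cost of each key derivation."""
    for attempts, guess in enumerate(candidates, start=1):
        if unprotect(blob, guess) is not None:
            return guess, attempts
    return None


# Constructed sample data: a tiny wordlist standing in for the multi-million
# entry lists that cracking tools ship with, and a short privileged document.
WORDLIST = ["123456", "password", "letmein", "Password1", "qwerty", "welcome1"]
DOCUMENT = b"Privileged & confidential: settlement authority is $250,000."
STRONG_PASSPHRASE = "correct-horse-battery-staple-2012"


def demo() -> dict:
    """Protect the same document with a weak and a strong password and
    run the same dictionary attack against both."""
    weak = protect(DOCUMENT, "Password1")
    strong = protect(DOCUMENT, STRONG_PASSPHRASE)
    return {
        "weak_cracked": dictionary_attack(weak, WORDLIST),
        "strong_cracked": dictionary_attack(strong, WORDLIST),
        "right_password_recovers": unprotect(strong, STRONG_PASSPHRASE) == DOCUMENT,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the demo reports the weak file opened on the fourth guess and the strong file not opened at all. Real cracking tools work the same way against real Office, PDF and ZIP files, only with far larger wordlists and hardware acceleration, which is why the length and unpredictability of the password matter more than the fact that the format is encrypted.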


attorney in an effort to ensure the confidentiality of such communications remain so when circumstances call for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.” State Bar of California, Formal Opinion No. 2010-179.

In addition to these opinions, Pennsylvania Formal Opinion 2011-200 (included in Appendix E) calls for additional precautions. After observing that the use of unencrypted electronic mail is not, by itself, a violation of Rule 1.6, it notes in its conclusion, “attorneys may use email but must, under appropriate circumstances, take additional precautions to assure client confidentiality.”

As discussed below, encryption is increasingly required in areas like banking and health care, and by new laws such as the ones in Nevada and Massachusetts that require certain personal information to be encrypted when it is electronically transmitted. These laws apply to attorneys if they have covered information. As encryption continues to grow as a standard information security measure, it will become increasingly difficult to justify attorneys’ failure to encrypt confidential client information.
