Ethics and the On-Line Storage of Client Documents

♫ What makes you think that you are invincible
I can see it in your eyes that you’re so sure
please don’t tell me that I am the only one that’s vulnerable
impossible…♫

Lyrics and music by John Vesely, recorded under the pseudonym Secondhand Serenade.

The State Bar of Arizona has issued one of the first Ethics Opinions on preserving client confidentiality when placing client documents for access over the Internet. Arizona stated:

“Lawyers providing an online file storage and retrieval system for client access of documents must take reasonable precautions to protect the security and confidentiality of client documents and information.”

What is interesting in the Opinion is not that the electronic storage of client files was permitted as long as lawyers and law firms “take competent and reasonable steps to assure that the client’s confidences are not disclosed to third parties through theft or inadvertence,” or that ‘reasonable precautions’ was the standard set forth, but rather that the ethics opinion specifically approved the manner in which the remote access could occur:

“First, the client files would be accessible only through a Secure Socket Layer (SSL) server, which encodes documents, making it difficult for third parties to intercept or read them. Second, the lawyer would assign unique randomly generated alpha-numeric names and passwords to each online client folder. The folder names contain no information that could identify the client to which it belongs. The password would not be the same as the client folder name. Third, all online client files would be converted to Adobe PDF (Portable Document Format) files and protected with another randomly generated unique alpha-numeric password.”
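The second precaution the opinion approves (random alphanumeric folder names and passwords, with the password never equal to the folder name) is easy to get wrong by using an ordinary pseudo-random generator or by storing the issued passwords in clear text. The following is an added illustration written for this page, not code from the Arizona opinion or from any portal vendor; the 16-character folder name, the 20-character password, the PBKDF2 parameters and the record layout are all assumptions chosen here. It draws every character from a cryptographic generator, enforces the "password differs from folder name" rule, reports how much entropy each identifier carries, and keeps only a salted hash of the password on the server side.

```python
import hashlib
import hmac
import math
import secrets
import string

# The opinion says "alpha-numeric"; this is the alphabet assumed here (62 symbols).
ALPHABET = string.ascii_letters + string.digits
PBKDF2_ROUNDS = 200_000  # assumed work factor for the stored password hash


def random_token(length: int) -> str:
    """Uniformly random alphanumeric string from the OS CSPRNG (never random.choice)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def token_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random token: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def new_client_folder(folder_len: int = 16, password_len: int = 20) -> tuple[dict, str]:
    """Create one online client folder following the opinion's rules.

    - the folder name is random and carries no client information;
    - the password is random and is never the same as the folder name;
    - (added caveat) the server keeps only a salted PBKDF2-SHA256 hash, so a
      leaked folder table does not hand out working passwords.
    Returns the stored record and, once, the clear-text password to give the client.
    """
    folder = random_token(folder_len)
    password = random_token(password_len)
    while password == folder:  # vanishingly unlikely, but the rule is explicit
        password = random_token(password_len)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    record = {"folder": folder, "salt": salt, "hash": digest}
    return record, password


def verify_password(record: dict, candidate: str) -> bool:
    """Constant-time comparison of the candidate's hash against the stored one."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    rec, pw = new_client_folder()
    print("folder:", rec["folder"], f"({token_entropy_bits(len(rec['folder'])):.0f} bits)")
    print("password entropy:", f"{token_entropy_bits(len(pw)):.0f} bits")
    print("verify:", verify_password(rec, pw))
```

A 16-character token over this alphabet carries about 95 bits of entropy, far beyond what a dictionary or brute-force attack against the URL can cover, which is the property the opinion is relying on when it treats unguessable folder names as a control; the hashing step is the part the opinion leaves unstated.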

The ethics opinion goes further in terms of how to determine if you have ‘reasonable precautions’ in place:

“It is also important that lawyers recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult available experts in the field. The competence requirements of ER 1.1 apply not only to a lawyer’s legal skills, but also generally to “those matters reasonably necessary for the representation.” Therefore, as a necessary prerequisite to making a determination regarding the reasonableness of online file security precautions, the lawyer must have, or consult someone with, competence in the field of online computer security.”

I concur with the need to consult with someone competent in the area of online computer security. In fact, I passed this ethics opinion by John Simek, a legal computer forensic expert and Vice-President of Sensei Enterprises, Inc., a computer forensics and information technology firm.

He stated:

“I would have liked to see additional requirements, which is where a security professional would come in. I don’t see any mention of a logging system to alert if there are “door rattle” attempts. That means somebody could keep trying to attack the system and nobody would know it.

As you know, having a password on a PDF is not very secure (see: Securing PDF Documents), especially if they use only the edit password and not an open password as well. They don’t specify, but I would guess that they are accepting that the edit password makes the document secure. Wrong.

The other thing that bothers me about web-based applications is the potential for SQL injection attacks. Given the complexity of the described system, I would think that there is some sort of SQL code in the application and perhaps a back-end database too. SQL injection attacks are very common these days and it’s criminal how many applications are vulnerable. I would have liked Arizona to at least mention that a security professional should periodically “attack” the application and identify vulnerabilities.”

John does agree that a lawyer should work with a security professional to meet his or her ethical requirements, particularly if the lawyer does not feel competent to deal with the issues involved; the last thing you want is to think that you might be invincible…
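John’s first criticism above is that the approved design says nothing about logging “door rattle” attempts, so repeated failed attempts to open client folders would go unnoticed. The following is an added example written for this page, not part of the opinion, of Sensei Enterprises’ work, or of any real portal: it assumes a hypothetical access-log format (timestamp, source address, folder name, result) and raises an alert when one source address accumulates a threshold of failures inside a sliding time window. The log lines are constructed for the example, using documentation-reserved addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in the assumed format: "<ISO time> <source ip> folder=<name> result=OK|FAIL".
# 198.51.100.4 mistypes once and then succeeds; 203.0.113.7 fails six times in ten seconds
# against six different folder names; 192.0.2.9 fails five times spread over an hour.
SAMPLE_LOG = """\
2009-03-02T10:00:01 198.51.100.4 folder=aB3kT9xQ7mL2pZ4r result=FAIL
2009-03-02T10:00:20 198.51.100.4 folder=aB3kT9xQ7mL2pZ4r result=OK
2009-03-02T10:05:00 203.0.113.7 folder=Qk3x9LmP2vT8wR1s result=FAIL
2009-03-02T10:05:02 203.0.113.7 folder=Zt7yH4nB6cV2xK9d result=FAIL
2009-03-02T10:05:04 203.0.113.7 folder=Mw2eR8uI5oP1aS3f result=FAIL
2009-03-02T10:05:06 203.0.113.7 folder=Gh6jK1lZ9xC4vB7n result=FAIL
2009-03-02T10:05:08 203.0.113.7 folder=Yu4iO7pA2sD9fG1h result=FAIL
2009-03-02T10:05:10 203.0.113.7 folder=Jk8lZ3xC6vB1nM5q result=FAIL
2009-03-02T11:00:00 192.0.2.9 folder=Wq1eR4tY7uI0oP3a result=FAIL
2009-03-02T11:15:00 192.0.2.9 folder=Wq1eR4tY7uI0oP3a result=FAIL
2009-03-02T11:30:00 192.0.2.9 folder=Wq1eR4tY7uI0oP3a result=FAIL
2009-03-02T11:45:00 192.0.2.9 folder=Wq1eR4tY7uI0oP3a result=FAIL
2009-03-02T12:00:00 192.0.2.9 folder=Wq1eR4tY7uI0oP3a result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) folder=(?P<folder>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "folder": m["folder"],
        "result": m["result"],
    }


def detect_door_rattling(lines, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Return one alert per source address that reaches `threshold` failures within `window`.

    Failures are kept in a per-address deque; timestamps older than the window are
    dropped as each new failure arrives, so the count is always for the trailing window.
    The alert record keeps being updated while the burst continues, so it reports the
    full size of the burst, not just the moment the threshold was crossed.
    """
    recent = defaultdict(deque)      # ip -> timestamps of failures inside the window
    folders = defaultdict(set)       # ip -> distinct folder names tried (name-guessing signal)
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        folders[ev["ip"]].add(ev["folder"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["ip"]] = {
                "ip": ev["ip"],
                "failures": len(q),
                "distinct_folders": len(folders[ev["ip"]]),
                "first": q[0],
                "last": ev["ts"],
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_door_rattling(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['ip']}: {alert['failures']} failures against "
              f"{alert['distinct_folders']} folders between {alert['first']} and {alert['last']}")
```

On the sample log only 203.0.113.7 is reported (six failures against six different folders inside the window); the single mistake from 198.51.100.4 and the slow, spread-out failures from 192.0.2.9 stay below the threshold. The distinct-folder count is worth carrying into the alert because, with random folder names as in the approved design, many failures against different names from one address is a different event from one client forgetting a password.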

Comments

  1. I am glad this topic for law firms is being discussed. It needs to be. In consulting in the past, I was amazed at the lack of security that law firms deploy. Don’t get me wrong, they are no worse than other companies, but I was surprised when I first started. I expected them to be more concerned about it than the average business given the sensitive nature some of the information holds.

    Hope this discussion keeps up.
    -mike.

  2. I see the need for these guidelines – however, as presented above, they are dangerous and will create liabilities:

    Second, the lawyer would assign unique randomly generated alpha-numeric names and passwords to each online client folder. The folder names contain no information that could identify the client to which it belongs. The password would not be the same as the client folder name.

    Great – random-character filenames. Either people won’t use them, or they’ll start creating tiny urls. I worked on a medical project where the guidelines were similar. Long, complex urls to prevent dictionary attacks. Within 10 hours of alpha testing, the userbase switched to tiny-urls, which amplified the attack and created a bigger problem. The project was hastily withdrawn and implemented after careful thought to security.

    Security was built into the DNA of the application, not bolted on afterwards.

    Secondly, this is even more dangerous:

    Third, all online client files would be converted to Adobe PDF (Portable Document Format) files and protected with another randomly generated unique alpha-numeric password.

    A) Making any security recommendation vendor-specific is dangerous. Vendors go out of business, get bought out, let products die.

    B) For most people PDF == Adobe Acrobat readers, which in itself has severe security problems. There’s (still) an unpatched JavaScript flaw in the reader that malware writers are using to infect Windows PCs.

    B1) Recommending PDF as a standard is fine – FoxitPro, SumatraPDF, etc are all good readers, without the security issues inherent in Acrobat.

    C) The password-protection mechanisms built into most commercial software (Microsoft Office, Adobe, etc.) are easily crackable. Either the underlying cryptographic mechanism is weak, or the passwords are crackable via dictionary attacks.

    There’s a commercial MS Office, Zip, etc. password recovery tool where the vendor inserted a time-delay (10-30 seconds) just so the customers wouldn’t panic at how fast the passwords were recovered/cracked.

    Simply put, the guideline reinvents the wheel for information security, without referring to existing mechanisms and makes layman’s mistakes when dealing with infosecurity.

    HIPAA has great guidelines for storing and sharing information securely.

    PCI-DSS has specific guidelines and methodology for implementing a security architecture.

    NIST has standards and guidelines for implementing good infosec programs.

    In all cases, the reader can cobble something together on their own, download templates off the web or hire an expert.

    Strangely enough, the same thing happens in law.
    – Read Nolo press
    – Buy or download forms and templates (wills maker, anyone?)
    – Hire an attorney.

    Same rules apply here — if your practice is small, and the revenues at stake are small, you can apply one-size-fits-all guidelines. (e.g. download a wills template off the net, fill it out, give it to your heirs. Never mind that your template was from California, you live in New York and the inheritance laws are just a wee bit different).

    If your practice is larger, then retaining an expert to advise/vet your approach is recommended. (e.g. write your own contract, or borrow someone else’s, read it carefully, and have a good attorney review it for you).

    If the revenues at stake are large enough (and only you can define what large enough means to you – though $3M is a good place to start at), then it’s strongly recommended that you retain a security professional to understand the business requirements, and implement a solution that is cost-effective and scalable.

    For example, the guidelines above do not address State Privacy Breach laws, which vary from state to state, or address intra-state clients. The FTC has taken a lead on consumer privacy issues and for firms with clients in multiple states, paying attention to FTC guidelines is a good idea.

  3. Philip L. Franckel, Esq.

    This is typical of lawyers at bar associations without knowledge of the subject for which they create rules, whether it be computer security or advertising. When you create rules about computer security without knowing anything about computer security or about advertising without knowing anything about advertising, you end up with bad rules, ineffective rules, and unconstitutional rules.

    I wonder what the purpose is of changing the names of the client folders when the PDF documents within the folder will reveal the names. Also, I agree with Raj Goel that a requirement of using a PDF document is basically a requirement of using Adobe. I have spent many hours searching for another application, but this is one area where I have not found a suitable open-source alternative or even a suitable private alternative to Adobe Acrobat.