♫ What makes you think that you are invincible
I can see it in your eyes that you’re so sure
please don’t tell me that I am the only one that’s vulnerable
Lyrics and music by John Vesely, recorded under the pseudonym Secondhand Serenade.
The State Bar of Arizona has issued one of the first Ethics Opinions on preserving client confidentiality when placing client documents for access over the Internet. Arizona stated:
“Lawyers providing an online file storage and retrieval system for client access of documents must take reasonable precautions to protect the security and confidentiality of client documents and information.”
What is interesting in the Opinion is not that electronic storage of client files was permitted as long as lawyers and law firms “take competent and reasonable steps to assure that the client’s confidences are not disclosed to third parties through theft or inadvertence,” nor that ‘reasonable precautions’ was the standard set forth, but rather that the ethics opinion specifically approved the manner in which the remote access could occur:
“First, the client files would be accessible only through a Secure Socket Layer (SSL) server, which encodes documents, making it difficult for third parties to intercept or read them. Second, the lawyer would assign unique randomly generated alpha-numeric names and passwords to each online client folder. The folder names contain no information that could identify the client to which it belongs. The password would not be the same as the client folder name. Third, all online client files would be converted to Adobe PDF (Portable Document Format) files and protected with another randomly generated unique alpha-numeric password.”
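The three measures quoted above read like a short specification, and the second one (unique, randomly generated alpha-numeric folder names and passwords, with the name carrying no client information and differing from the password) is easy to get subtly wrong. The Python below is an added illustration, not code from the Arizona opinion or from any vendor's portal: it draws the tokens from the operating system's cryptographic generator, regenerates a name until it is unique, rejects a password that equals its folder name, and adds a check the opinion does not spell out, a scan for client identifiers in a folder name. The token lengths and the helper names are assumptions.

```python
import math
import secrets
import string

# Alpha-numeric alphabet, matching the "alpha-numeric names and passwords"
# the opinion describes. Token lengths below are assumed values, not the opinion's.
ALPHABET = string.ascii_letters + string.digits


def random_token(length):
    """Alpha-numeric token from the OS CSPRNG via `secrets`.
    random.random() is seeded predictably and must not be used for credentials."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def token_entropy_bits(length):
    """Entropy of a token of this length: length * log2(|alphabet|)."""
    return length * math.log2(len(ALPHABET))


def make_client_folder(existing_names, name_len=16, password_len=24):
    """Mint a (folder_name, password) pair for one client.

    - the name is regenerated until it is unique among existing folders;
    - it carries no client information because it is pure random output;
    - the password is drawn independently and is regenerated if it ever
      equals the folder name, as the opinion requires."""
    folder_name = random_token(name_len)
    while folder_name in existing_names:
        folder_name = random_token(name_len)
    password = random_token(password_len)
    while password == folder_name:
        password = random_token(password_len)
    existing_names.add(folder_name)
    return folder_name, password


def leaks_identity(folder_name, client_identifiers):
    """Flag a folder name that embeds a client identifier (surname, matter
    number). Random names pass; a hand-picked "smith-divorce" name does not."""
    lowered = folder_name.lower()
    return any(ident.lower() in lowered for ident in client_identifiers if ident)
```

With a 62-character alphabet each character contributes about 5.95 bits, so a 16-character name holds roughly 95 bits of entropy and cannot be guessed by enumeration; the identity check exists for the case where staff override the generator and pick a name by hand.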
The ethics opinion goes further in terms of how to determine if you have ‘reasonable precautions’ in place:
“It is also important that lawyers recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult available experts in the field. The competence requirements of ER 1.1 apply not only to a lawyer’s legal skills, but also generally to “those matters reasonably necessary for the representation.” Therefore, as a necessary prerequisite to making a determination regarding the reasonableness of online file security precautions, the lawyer must have, or consult someone with, competence in the field of online computer security.”
I concur with the need to consult with someone competent in the area of online computer security. In fact, I passed this ethics opinion by John Simek, a legal computer forensic expert and Vice-President of Sensei Enterprises, Inc., a computer forensics and information technology firm.
“I would have liked to see additional requirements, which is where a security professional would come in. I don’t see any mention of a logging system to alert if there are “door rattle” attempts. That means somebody could keep trying to attack the system and nobody would know it.
As you know, having a password on a PDF is not very secure (see: Securing PDF Documents), especially if they use only the edit password and not an open password as well. They don’t specify, but I would guess that they are accepting that the edit password makes the document secure. Wrong.
The other thing that bothers me about web-based applications is the potential for SQL injection attacks. Given the complexity of the described system, I would think that there is some sort of SQL code in the application and perhaps a back-end database too. SQL injection attacks are very common these days and it’s criminal how many applications are vulnerable. I would have liked Arizona to at least mention that a security professional should periodically “attack” the application and identify vulnerabilities.”
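Two of John's points, a query that binds its input instead of splicing it into SQL text, and a log that raises an alert when someone keeps "rattling the door", fit in a few lines. The Python below is an added example, not code from the opinion or from Sensei Enterprises; the table layout, the demo folder name and password, the PBKDF2 iteration count and the alert threshold are all assumed values. The string-built variant is kept only so the contrast with the parameterized form is concrete.

```python
import hashlib
import hmac
import secrets
import sqlite3
from collections import defaultdict

# Constructed demo credentials (assumption: one client folder in the portal).
DEMO_FOLDER = "k3Jx9QpL2mVn7RsT"
DEMO_PASSWORD = "Wq8zN4rT1vB6yH9s"


def _hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 so the database never stores the password itself.
    The iteration count is illustrative, not a recommendation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_portal_db():
    """In-memory table of online client folders, seeded with the demo folder."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE folders (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    salt = secrets.token_bytes(16)
    conn.execute(
        "INSERT INTO folders VALUES (?, ?, ?)",
        (DEMO_FOLDER, salt, _hash_password(DEMO_PASSWORD, salt)),
    )
    conn.commit()
    return conn


def folder_exists_unsafe(conn, name):
    """The vulnerable pattern: the submitted folder name becomes part of the
    SQL text, so the input can change the query's logic (or break the query
    with a stray quote). Present only to contrast with the safe version."""
    row = conn.execute(
        f"SELECT name FROM folders WHERE name = '{name}'"
    ).fetchone()
    return row is not None


def folder_exists_safe(conn, name):
    """Hardened form: a bound parameter is always treated as data."""
    row = conn.execute(
        "SELECT name FROM folders WHERE name = ?", (name,)
    ).fetchone()
    return row is not None


class DoorRattleMonitor:
    """Counts consecutive failed logins per source address and records an
    alert when a threshold is reached, so repeated attempts are not silent."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.alerts = []

    def record(self, source_ip, succeeded):
        if succeeded:
            self.failures[source_ip] = 0
            return
        self.failures[source_ip] += 1
        if self.failures[source_ip] == self.threshold:
            self.alerts.append(
                f"ALERT {source_ip}: {self.threshold} consecutive failed logins"
            )


def authenticate(conn, name, password, monitor, source_ip):
    """Look up the folder with a bound parameter, compare the PBKDF2 hash in
    constant time, and report the outcome to the monitor."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM folders WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        ok = False
    else:
        salt, stored = row
        ok = hmac.compare_digest(_hash_password(password, salt), stored)
    monitor.record(source_ip, ok)
    return ok
```

In the parameterized lookup the submitted name is matched literally against the `name` column, so input that would alter the string-built query simply finds no row; the monitor turns the silent failures John describes into a recorded alert that a reviewer, or an alerting pipeline, can act on.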
John does agree that a lawyer should work with a security professional to meet his/her ethical requirements, particularly so if they do not feel competent to deal with the issues involved; the last thing you want is thinking that you might be invincible…