Ruminations on the Ethics of Law Firm Information Security
Lest anyone have forgotten Rule 1.6 of the ABA Model Rules, here it is – and similar rules apply everywhere:
Rule 1.6 Confidentiality Of Information
(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).
(b) A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary:
(1) to prevent reasonably certain death or substantial bodily harm;
(2) to prevent the client from committing a crime or fraud that is reasonably certain to result in substantial injury to the financial interests or property of another and in furtherance of which the client has used or is using the lawyer’s services;
(3) to prevent, mitigate or rectify substantial injury to the financial interests or property of another that is reasonably certain to result or has resulted from the client’s commission of a crime or fraud in furtherance of which the client has used the lawyer’s services;
(4) to secure legal advice about the lawyer’s compliance with these Rules;
(5) to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client, to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved, or to respond to allegations in any proceeding concerning the lawyer’s representation of the client; or
(6) to comply with other law or a court order.
The trick, of course is how to keep client data secure in the digital era. It isn’t easy. Computer security is expensive – and it takes time to understand it – and you will never be done learning because technology morphs constantly.
Are lawyers abiding by their ethical duty to preserve client confidences? Our opinion is that they are not. Here are a few reasons why we have that opinion:
- Security expert Rob Lee, a noted lecturer from the security firm Mandiant has reported to us that Mandiant spent approximately 10% of its time in 2010 investigating data breaches at law firms.
- Security expert Matt Kesner, who is in charge of information security at a major law firm, reports that his firm has been breached twice – and that he is aware that other law firms have suffered security breaches – and failed to report them to clients.
- Our own company, Sensei Enterprises, Inc., has never performed a security assessment at a law firm (or for that matter, at any kind of business) without finding severe vulnerabilities that needed to be addressed.
Why do otherwise competent lawyers fail so miserably in their ethical duty to maintain the confidentiality of client data? Here are some of the reasons.
- Ignorance – they simply need education.
- The “it can’t happen here” mentality. This is flatly wrong – even the FBI issued an advisory in 2009 that law firms were specifically being targeted by identity thieves and by those performing business espionage – much of it originating in China and state-sponsored, though of course the Chinese government has vehemently denied involvement in such activities. Matt Kesner, mentioned above as an expert, reports that the Chinese don’t bother using their “A” squad hackers to infiltrate law firms – their security is so bad that the rookie “C” squads are able to penetrate law firms.
- It’s expensive. And it is. Protecting the security of client data can present a big burden for solos and small law firms. This does not take away a lawyer’s ethical duty, however – and it is one reason why the authors lecture so often on computer security. Once a lawyer sees the most common vulnerabilities, he or she can take remedial steps – or engage their IT consultant to do those things that are beyond the skill of the lawyer.
- Vigilance never stops. You cannot secure your data once and think you’re done – the rules of information security change on darn near a daily basis – certainly someone in the firm needs to keep up with changes on a regular basis or the firm needs to engage an security consultant to do periodic reviews – the standard advice is that security assessments need to be done twice a year. While that is desirable, it is in our judgment mandatory that assessments be done at least annually.
In the paper world, keeping client data confidential was easy and cheap. In the digital era, abiding by this particular ethical rule is hard and expensive – but it must be done.
“In the digital era, abiding by this particular ethical rule is hard and expensive…”
That’s the problem with security in the digital age: statements like this which are patently false and lead people to believe that taking precautions to secure client data is something beyond their ability. The fact is that there are many relatively inexpensive steps small firms and solos can take, ranging from better passwords to full-disk encryption for laptops, which are not only inexpensive and easy–they are often free.
Yes, computer security is a moving target, so it does take diligence to stay on top of securing your client data. But that’s the role of a lawyer: to exercise caution and point out potential issues to clients. The same is well within the grasp of attorneys when it comes to their own data security, provided they choose to make it a priority and not just bury their heads in the sand.
Thank you for this appropriately blunt reminder. As a security professional, I tend to agree. I would also add that new exploitable vulnerabilities are being published daily and new holes will continue to appear in the IT infrastructure of even the most secure organizations. While these holes should certainly be found and patched, it is ultimately users and the policies, controls and security awareness that govern their behavior which determine how easily an organization will be breached from day to day.
If a firm has never had a security assessment, they should get one and act on the assessor’s recommendations to remove themselves from the category of low-hanging fruit by addressing basic technical issues like obsolete/unpatched software and default admin passwords (both of which are an all-too-common occurrence on first-time engagements). However, developing resilience against real attacks requires a balanced, persistent approach which includes sound policy, technical controls and security awareness training for those pesky users.
Once a firm has done some work to bring their information security practices up to a reasonable level of maturity, a penetration test can provide useful performance metrics by testing people, processes and technology against realistic attack scenarios. This can include actual non-destructive penetration of the network using a combination of technical and social engineering tactics.
In British Columbia, LSBC 3-68 would be the applicable rule pertaining to information security. Information security was also touched on lightly in LSBC’s recent report of the cloud computing working group.
Though he could have been a bit more gracious in framing the comment, I have to agree with Dave’s implicit point that most security breaches derive from simple vulnerabilities that should not have existed and which could have been eliminated easily and cheaply.
Whenever a company gets “hacked,”–and they always call it hacked even when no true hacking was involved–they always claim they were the victim of a sophisticated attack. In truth, the exploits prove to be pretty simple, but who wants to publicly admit their system were so vulnerable that a six year old with a Speak ‘n Spell could have gotten in?
Of the last 100 corporate laptops I’ve acquired, almost all supported biometric authentication and full disk encryption. But you know how many of them were protected? Yup, NONE. Not even a threshold BIOS password was enabled.
Perhaps we should have amplified our words a bit. We think lawyers, who are very busy people and generally not technically inclined, find keeping up with information security darn near impossible. They tend to characterize the attempt to stay educated in this area as “hard.”
Craig, while we certainly agree that there are many easy, inexpensive steps that will aid in securing data, most law firms really need to have, as Ryan points out, an information security assessment (on a regular basis) and then take the remedial steps that are recommended. This does tend to be expensive – and it is not an expense that law firms have traditionally had in their budgets.
Sharon,
I couldn’t post a comment on your blog (http://ridethelightning.senseient.com/2011/11/is-information-security-hard-and-expensive.html) so I am posting it here. As you know (and I make no pretenses), I am a practicing lawyer who uses technology, but not a technologist. I also tend to believe that lawyers — and consultants — exaggerate the risks of technology and I do believe that some do it for their own self-interest (I do not put your company in this category since you have been educating lawyers on technology risk for years).
I do not make the claim that some consultants exaggerate the risks of technology lightly – though granted, it is based on my own observation and experience as opposed to a systematic study. However, lawyers have always faced some risk when safeguarding data. I remember that one of the first blog posts I wrote at MyShingle back in 2002 had to do with an AmLaw 100 law firm that hacked into the opposing side’s expert witness’ account on a local machine. Likewise, I recall what happened to the solo lawyers whose data was destroyed in catastrophic events like 9/11 or Katrina. It is hard to say that the cloud poses greater risks. In addition, you have to keep in mind that for all talk of privilege, much of the information that the majority of lawyers retain would cause very little harm if inadvertently disclosed to the general public (yes, there could be harm if disclosed to the other side, but again, those types of targeted break ins were always a risk). The sole exception is personally identifiable data – SS#s and credit cards and those should be safeguarded in accordance with applicable state and federal law.
Second, I have witnessed first hand how over-regulation can kill an industry. As you may know, my “day job” involves working with emerging renewable developers of marine and hydrokinetic technology. Not only do they confront a crippling regulatory regime that precludes them from placing small demonstration projects into the water, but the difficulty is further exacerbated by some (but not all) unscrupulous environmental consultants who recommend every study under the sun to generate more work for themselves. I see this trend happening with the approach that the bars are taking towards cloud computing – the independent audits and contract negotiation will only make more work for lawyers and consultants.
Third – and what I find most unusual – is that my husband is in fact a technologist – a computer scientist who has worked for some of the largest tech companies in the world as well as for banks and the defense industry. He also tends to our family’s home machine, and we have had firewalls and other safeguards for at least two decades. However, he is perfectly comfortable using gmail or putting our tax filings on the free version of Google docs (something I would not even do with client files). His feeling is that these companies invest heavily in security and are expert at combating threats – and in addition, have a strong interest in averting breaches for PR reasons. The level of security that these companies provide for free is far greater than what an individual solo could procure independently.
Until I start seeing pervasive concerns raised by bonafide technologists at Google or Microsoft or even defense contractors on security breaches, I feel perfectly comfortable making my technology choices by educating myself through blogs and articles by folks such as yourself and my own experience using these technologies.