How to Think Better About Technology Risk in Four Simple Steps

1. Is it real?
2. What does it cost if it happens?
3. How does it compare to the status quo?
4. Are there other risks that are important, too?

Whether we have overcome our storied risk aversion, or we have merely been given a more important risk to avoid, the legal profession in Canada is now struggling to adopt technology at a very fast pace.

And as might be expected, success is not evenly distributed. The difference between the people who take this opportunity for change and those who miss it will be how they think about risk.

Here’s how to think better about technology risk, and make sure you don’t miss valuable opportunities to improve your practice. In four easy steps.

1. Is it real?

Let’s say someone tells you that there is a risk (e.g. Zoom meetings can be “bombed” by random uninvited attendees), how do you deal with that information? First, determine if the risk is real. As it happens, Zoom has removed meeting IDs from the normal interface and has implemented waiting rooms by default. Zoom bombing was always possible to completely avoid by using passwords and waiting rooms. If it is something that it is easy to mitigate entirely, and that mitigation costs almost nothing, it isn’t a real risk.

On the other hand, people have complained that Zoom does not, as it previously advertised, use end-to-end encryption. That’s true. And the result of that fact is that Zoom could conceivably overhear your conversations with your clients. And there is no way to use Zoom and completely eliminate that risk. That risk is real.

2. What does it cost if it happens?

Just because a risk is real doesn’t mean it is important. The cost of a risk is a combination of two factors: how likely is this risk to materialize, and if it does, how bad will it be, and why? Cost = likelihood x severity.

For Zoom Bombing, the likelihood is basically zero, as long as you communicate the ID for the meeting to your client privately, and enable the waiting room feature. And the cost is also low. At worst, it is an unwelcome distraction from what you are trying to accomplish. But no one is going to accidentally continue an online consultation with a stranger in the room. So there is no substantive risk to the client’s confidentiality.

What about the absence of end-to-end encryption? How can that risk manifest? In basically one of two ways: targeted and opportunistic spying. Either your client is someone that someone else wants information on, and is willing to try and hack their Zoom meetings to get that information, or your meeting is just one of a large number of meetings that are being hacked in an attempt to get random, but still valuable information, such as credit card numbers or other information useful in identity fraud.

In order for that to be a problem, because Zoom’s servers are the only place where the data is not encrypted, either Zoom, some nefarious actor who has infiltrated Zoom’s servers undetected, or a government agency with the authority to spy would need to be doing the spying. The likelihood that opportunistic hackers are going to infiltrate Zoom’s infrastructure is not zero, but it’s close. The likelihood that Zoom itself is going to spy on its customers in a targeted or opportunistic way is again, not zero, but close to zero. The likelihood that national security agencies are going to spy on your meetings with your client likely depends on who your client is. But for most people, it’s going to be very close to zero.

So the likelihood that the lack of end-to-end encryption is going to cause a problem at all is very, very low. But that’s only half the equation.

How bad is it if that risk materializes? For the lawyer, there is a risk that you will be deemed liable for having allowed your client’s confidential information to be disclosed. But considering that Zoom is being used by courthouses, parliaments, law offices and everyone in between, the idea that using Zoom would fall below the standard of a reasonable lawyer is pretty low. That, or there are a lot of unreasonable lawyers out there. That risk can also be mitigated by having your clients provide informed consent to it when they sign your retainer agreement.

For the client, there is the risk of the disclosure of confidential information. How important using Zoom is to protecting that confidential information depends on what the information is, and who you are trying to protect it from. If it is your bargaining position on a matrimonial support claim, the likelihood that an interested party will get that information from Zoom’s servers is nearly zero.

If it is a defense strategy on terrorism charges? Probably don’t use Zoom.

3. How does it compare to the status quo?

This is the one thing that most people in the legal profession get wrong when thinking about technology. I can almost guarantee that you have committed this error, because I still find myself committing it all the time.

You must consider the risks of the status quo. And when you consider those risks, you must consider the same risks, not only the obvious risks of the status quo.

For example, let’s assume the status quo for meeting your client is an office.

What are the obvious risks of the status quo? Well right now, they include getting sick and dying, and causing an outbreak of a deadly virus. Those risks have a disturbingly high likelihood and a very high severity, and so have a very high cost, which is why our risk aversion has now motivated us to adopt technology instead of avoiding it.

So we know the office is a place we can catch Covid-19, and Zoom isn’t. We have compared the same risk across the two options. But we were also talking about the risks to client confidentiality with regard to the new option. So what are the risks to client confidentiality from an office?

That is the step most people forget to go through. Compare the risks of the new thing to the same risk in the status quo.

So what are the risks to confidentiality from an office? They are still opportunistic or targeted spying. How likely are those things in your law firm office? Not high. Opportunistic data thieves are going to go where there is a larger collection of data, probably places online. Targeted spying is actually probably more likely, though, because a person who is interested in data about your client may actually know that you are their lawyer, particularly if the interested person is the other side in a court case. So in terms of the ability of motivated targeted spying to find the location that needs to be infiltrated, your office is probably worse.

If opportunistic or targeted spying was going to happen, it would need to be done by someone who had infiltrated the building your office is in, or by someone who owns the building, or by a public authority that had the opportunity to require access. Your landlord is probably not going to spy on your office, because it’s not in their interests to get that reputation.

Are you seeing a pattern, here?

For all the attention that we give to the security policies of people like Zoom, do we know how our landlords vet the staff at the cleaning company to whom they give the keys to our offices?

4. Are there other risks that are important, too?

So often, technology conversations get reduced to the question of confidentiality. And confidentiality should be a focus, but it should not be the only focus.

Confidentiality is an ethical and professional duty. But we are also ethically and professionally duty-bound to make efficient legal services available to the public.

Adopting a smaller amount of risk with regard to confidentiality, particularly when the client provides informed consent to that risk, can be justified by reducing the risk that the public cannot access the legal services they need. Which we know happens not occasionally, but in the vast majority of circumstances.

That risk is a risk of the status quo. It is real. It is certain to manifest, and it is very costly for the people who suffer the detriment.

When we are deciding whether or not to adopt a technology that might make legal services considerably more affordable, that risk that people will go without help must be front and center in the analysis.

If we serve only those ethical duties that are enforced by discipline and liability, we are serving only ourselves. And if we are serving only ourselves, we do not deserve to call ourselves professionals.

Think Better, Do Better

Zoom may or may not be a good idea for your work. I’ve just discussed a couple of concerns people have with it, and there are more to consider. This is not a defense of Zoom, though in the interests of full disclosure, I use it in my practice.

The point is that if you avoid a technology with major benefits because of risks that aren’t real, that aren’t important, or that are no worse on balance than the risks you readily adopt now, including the risks of not helping as many people as you can, you are doing it wrong.

The current climate, where we have been forced to focus so intently on what sort of risks really matter, is the perfect opportunity to think differently about risk, and get better at choosing them.

Start the discussion!

Leave a Reply

(Your email address will not be published or distributed)