Cybersecurity: A Lawyer’s Ethical Duty to Read the News

Episode Notes

Transcript

[Music]

Sharon D. Nelson: Before we get started, I’d like to thank our sponsors Clio, CaseFleet, and PInow.com.

Intro: Welcome to Digital Detectives. Reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches, not theory but practical information that you can use in your law practice right here on the Legal Talk Network.

Sharon D. Nelson: Welcome to the 135th edition of Digital Detectives. We’re glad to have you with us. I’m Sharon Nelson, President of Sensei Enterprises, a digital forensics, managed cybersecurity and managed information technology firm in Fairfax, Virginia.

John W. Simek: And I’m John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives, our topic is Cybersecurity: A Lawyer’s Ethical Duty to Read the News. Lucien Pera is a Memphis Partner in the law firm of Adams Reese, LLP. He has wide-ranging national practice in lawyer ethics and professional responsibility and he handles everything from defending lawyers and discipline matters to expert witness work to prospective business advice for lawyers and law firms, their clients and businesses that do business with lawyers and law firms.

He’s been very active in the ethics world chairing the ABA Center for Professional Responsibility and serving as President of the Association of Professional Responsibility Lawyers. He’s also a past ABA Treasurer and a past Tennessee Bar Association President. It’s great to have you with us again, Lucian.

Lucian Pera: John and Sharon, it’s great to be with you guys. It’s so much fun talking to you guys.

Sharon D. Nelson: Let’s have some fun with it and start with the fundamentals. Lucian. What are the ethics rules that I don’t think anybody thinks ethic rules are fun, but we’ll give it a go. What ethics rules govern the duty of lawyers to keep data confidential?

Lucian Pera: Well, the people who find ethics rule is fun are us ethics nerds. And yes, I was going to say that’s the first time. I’m the only person who would answer a what is fun question with an ethics rule, but let me go on that. The ethics rules have, in the last decade, been tuned up in almost every jurisdiction to more closely more directly address our duty to keep client data confidential.

This happened in the model rules, which are the basis for the rules in every jurisdiction now in 2012 and there are two key places in those rules that this happened. And by the way, these amendments I’m about to talk about are the law I think in every jurisdiction actually, even the ones that haven’t adopted this precise language. First is rule 1.1, which is the rule on competence. It’s really simple. It’s the one under which a lot of lawyers get disciplined if they screw up a case or screw up of matter somehow. It’s that a lawyer shall provide competent representation to a client. It says also that competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary in the representation.

Well, that didn’t change, but what changed is the ABA added a comment and said that to maintain the required level of knowledge and skill, you got to “keep abreast of changes in the law in its practice.” And here’s the new part, “including the benefits and risks associated with relevant technology,” by which it means, relevant technology, technology relevant to your practice, how you represent folks. And so, okay, to be confident, we have to know how to use the tech. If you’re a bankruptcy lawyer, you can’t do that without knowing how to use PACER to file stuff.

The other rule that really is almost more important, really with respect to our duty to keep data confidential is rule 1.6. It’s the main confidentiality rule. It’s the one that in most jurisdictions says that we’ve got to keep confidential all information relating to the representations, broader than privilege and work product, and that rule now has a new section in most jurisdictions and I believe it’s section C. And it says a lawyer shall make reasonable efforts, those are the key words, to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to information relating to the representation of a client.

The touchstone is reasonable efforts. That’s what we have to do. And then, we can talk about this a bit, but the comments and ethics opinions talk, we’ve got some guidance on what reasonable efforts means, but that’s the first word we all learned in law school is reasonable. And that same word is part of the standard for our duty to keep our client’s information safe.

John W. Simek: What about the ABA’s opinions? They published a couple of them 477R and 483. Talk to our listeners and tell us what do those opinions tell lawyers about cybersecurity and their ethical duties.

Lucian Pera: That’s part of what I was just talking about. The rule that says you got to use reasonable efforts to keep your client confidential information private, it then refers to the comments in the model rule. The comments go on, there are probably two or three paragraphs, but those were new in 2012, and they talked about a bunch of factors, a bunch of things we have to do as far as client confidentiality, what reasonable efforts looks like.

(00:05:10)

And then 477R, that’s ABA formal opinion, 477R. And by the way, I think it’s still up on the ABA website for free essentially, but it took those paragraphs and riffed on that for about 10 or 12 pages. That is what amounts to a reasonable effort. And specifically, they talked about a number of factors, some of them mentioned in the rule. For example, the factors that — well, actually, before I get to the factors, one interesting thing is that the opinion says it adopts the language in the ABA cybersecurity handbook, which is a wonderful publication of the ABA. It talks about the reasonable effort standard, and it says that it rejects requirements for specific security measures.

In other words, for years people have asked me, well, what do the ethics rules say about whether I need to use encrypted email or our fax is secure or whatever, whatever the question is. Well, they’ll say anything except I gave you a general rule and then you have to apply it. And so, the factors on that include things that are sort of obvious when you hear them, but they include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing those safeguards, the difficulty of implementing the safeguards and the extent to which those safeguards adversely affect the lawyer’s ability to represent a client. Do they make it impossible to use the information?

The opinion then uses then goes on and walks through sort of, not quite a checklist, but a series of about seven considerations to use that are related to the list I just mentioned that you have to understand the threat environment. You guys would probably talk about the threat to the confidential information. You got to understand where it is, where your client confidential information. You got to understand security measures that are available and that are in use. Things like that.

And then also obviously, it includes, let’s see, I’m flipping through it here a bit. Let’s see. Label client confidential information. That’s actually kind of important to keep it in a place where you know that’s what’s there, and training. It mentions training. It also talks for a bit about due diligence on vendors. You can’t just hire Joe’s Garage Cloud Company to do your security, to store your client confidential information knowing that it’s not run by a guy named Joe and his garage or at least that it’s not secure. Maybe Joe has a very secure garage. I don’t know.

But in any event, that’s what 477 does and it is a lovely primer. 483 is the one about protecting against and responding to data breaches or data incidents and the headlines there are pretty simple, although execution — you got a duty under the ethics rules to monitor for breaches. You’ve got a duty to respond to not just breaches, but things that might be breaches, something weird in your system. You got to respond. You got a duty to figure out what it is and if it is a breach, how bad is it? What got destroyed, attacked, removed, exfiltrated is that word that people use. I love that word. It’s a great word. And then a duty to notify clients if their information is hacked, I guess is one way to look at it and then the fact that other law controls, it’s like data breach notification law.

what I like about those two opinions, and by the way, actually, there’s another one which is 482, which is about ethical obligations related to disasters, and I sure think a breach is a disaster, but so is if you’re in a flood or a tornado. Those three opinions I think are a lovely tool to get you oriented towards your duties and I think they’re actually a lovely basis on which to sit down with your tech guru and say, “Okay, let’s do a refresher. Here are my duties. Read these three opinions, they’re not heavy reading. Read them and then let’s talk.” They’re a good basis to communicate in close to English with a tech person to let them in case they’re not fully aware of what your obligations are.

Sharon D. Nelson: Speaking of talking to somebody in a way they understand, we have learned that we can’t just use the word exfiltration because too many words, don’t know what it means. We have to say, when your data is taken from you.

Lucian Pera: I understand but it’s still a cool word.

Sharon D. Nelson: And then we say, “That’s called exfiltration.”

John W. Simek: A Wikipedia.

Sharon D. Nelson: Exactly. We agree with you completely Lucian that lawyers should keep up with the cybersecurity news, but do you actually envision a scenario where failure to keep up might result in a lawyer being disciplined, because they don’t think so?

Lucian Pera: This all stems from a column I wrote as you know last year I guess and I probably should have put a question mark at the end of the title and it was something like our ethics duty to read the news. But the notion was a thought experiment, which is, if we got a duty to be competent, that includes knowing how to use our tech, we’ve also got a duty to keep our wits about us, to have some situational awareness, to know what’s going on in the world.

(00:10:00)

And it ranges from things like don’t use equipment past the end of their life when nobody is supporting it, but one of the things that caused me to think about this was the Microsoft, the big Microsoft email hack, where you would have to be, well, maybe not in a cave, I suppose, but if many, many people who were not techie saw the news about that or saw the news, I guess it was before that about was it North Korea that hacked some studio’s email? I forget.

John W. Simek: The Sony Pictures.

Lucian Pera: Sony, right.

John W. Simek: Never heard of it.

Lucian Pera: My point, I guess, is there is something all of us, every user in my law firm can be aware of and learn if they keep their wits about them just a little more than they normally do. I guess we can talk about the Microsoft hack, but if they learn about something that they think, wait a minute, we use Microsoft email. Is that a problem? That’s what I’m thinking.

It’s not that everybody should be calling The Wall Street Journal’s tech section for the latest development. Actually, that’s not a good place to look for this but I don’t want them to be cybersecurity nerds like you are in the way that I’m an ethics nerd, but they ought to know some cybersecurity nerds and maybe read their stuff occasionally. Anyway, that’s my point and will lawyers get disciplined? Yes, eventually.

Here’s an example. I’ve got on my desk right now, and fortunately, neither one of them has led to discipline. I’ve got on my desk right now one matter for a client, both of them are settlement hacks. They were lawsuit settlement hacks. Bad guy comes in and commandeers one side’s email account, learns settlement payout is upcoming and redirects by email sent from one of the lawyers to the other lawyers, redirects the wire transfer. And the wire-transferred money is gone.

Within the space of two or three months last year, our firm had a client who had this happen to them where they wired the money. I now have a piece of litigation that I’m working on where that happened. Now, this is litigation. This is not discipline, but to put it politely, it’s just a very short step from there to having to pay out a claim as a law firm or to discipline and what would it be for? It would be for that in each of these cases, there is some significant concern that the lawyers didn’t protect their systems well enough.

The facts vary a lot, but if it’s because you didn’t protect your system in a sort of obvious way, that’s a problem. That’s a problem. And I think it’s going to be a discipline problem. It’s going to be a malpractice problem. Do we have many cases like this yet? No, we do not. Maybe I can keep on talking about that for just a second. This last summer, we were part of a big mutual malpractice company. They did a review for us of their claims and I’ve heard similar things from other people.

They have claims that are arising from this sort of thing, some kind of hack, some kind of breach, some kind of incident that number in the single digits, which really shocked everybody. But on the other hand, it was a decent verdict on are keeping our security up collectively as members of the mutual, but they’re starting to hit. Maybe we can stay ahead of the game with good cybersecurity, but there’s no question that along the path here, law firms are going to hit for claims and that lawyers are going to get disciplined for not keeping their security up to date and if part of that is they’re using tech so old that all they have to do was read their State Bar journal and realize this was a problem, so there’s the duty to read the news, isn’t it?

Sharon D. Nelson: I think, yes. Before we move on to our next segment. Let’s take a quick commercial break.

[Music]

Sharon D. Nelson: What could be more important than knowing the facts of your case inside and out? CaseFleet’s Powerful Software makes it easy to create a chronology of each case and to track the evidence for each fact. With an intuitive interface, full text search and built-in document review, CaseFleet makes fact management easy. Sign up for a 14-day free trial at casefleet.com/DigitalDetectives and get 10% off your first subscription.

[Music]

Male Speaker: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one-of-a-kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation are up-to-date on the latest technology and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a pre-screened private investigator today. Visit www.PInow.com.

[Music]

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is Cybersecurity: A Lawyer’s Ethical Duty to Read the News. Our guest is Lucian Pera, a Memphis Partner in the law firm of Adams and Reese, LLP.

(00:15:00)

John W. Simek: Lucian, I know you’re a big proponent of a tech guru who’s available around the clock. My editorial comment is don’t call me round the clock, but if you have that, that can be kind of expensive proposition. Especially for solo and small firm lawyers, what’s your advice for those folks?

Lucian Pera: I’m less concerned. You’re right. You’re right in my concern. I think, first of all, it’s having a tech guru, somebody you can trust, who speaks English, who knows about the risks out there to help design your system and set it up and do regular maintenance because frankly, some system design, that’s what I’m calling and issues can resolve some of these.

For example, on security, our firm big firm, but we crossed the Rubicon a few years ago from the view that we had needed to own all our servers to the point of view today that we need to use the cloud and outsource our security, because the cloud providers we use do security better than we do. I think we live in a sort of golden age for solos and small firms because at least in my view and I’m not the expert you guys are, but think of Microsoft 365, or whatever it’s called now, the online product tuned up right with the help of a tech person, I think it’s better security than any individual lawyer could probably afford or manage.

And so, and other providers, you can find other providers that do the same thing with cybersecurity. And so, if you have it picked, designed, tuned up right in the first instance, the likelihood of needing a 7 PM call on a Saturday night to your tech guru is dramatically decreased. On the other hand, you still got to have some understanding what you got to do at 7:00 on Saturday night when you come out from the restaurant and your car window’s smashed and your laptop or your iPhone is gone. And that may require that you actually know who to call and you may require a tech guru to have an after-hours number that they can call for advice, but I think a lot of that can be reduced dramatically with good systems, frankly. And I’d be interested in y’all’s view on this because you’re in this business.

Sharon D. Nelson: We’re a boutique small firm, but there is always someone accessible 24/7. I mean, that’s just the way it has to be these days, but you’re right. You don’t get those calls as often as you use to because of the amount of security that’s already in place, which is true. And I noted in that article which was wonderful. You said that there are two questions you should always ask your IT provider after learning about a big security disaster. What are those two questions?

Lucian Pera: Well, they’re really common sense and they are, am I safe? Is this particular danger? I read about? Is it going to affect me? Am I safe? Do we use this software that’s now dangerous? And the second is, is there anything I can learn from what I just read about. With the Microsoft email hack, for example, the first question was, well, if you’re using Microsoft 365, we’re golden. Don’t worry about it.

If it’s yes because you have your own server, but I patched it last week as soon as the patches came down and updated and we’re fine. You’re fine. And then the next question might well be, okay, so why do we still have a server that you have to patch every week or whatever? Then what can we learn from this that may be the value of the cloud. It may be the value of outsourcing security.

That’s an example where it’s really not rocket science to be the owner of the system that has a good trusted tech guru who they can ask. But the point is, you got to know enough to ask. You don’t have to be the tech guru yourself, but you got to have your wits about you.

John W. Simek: What does that attorney do, Lucian, if the person they’re asking has no flipping idea what the answer is?

Lucian Pera: Well, the flip answer is to get a new tech guru. Two things on that. One, likely our scenario in my experience is the tech guru may know what’s happening, but they have trouble conveying it English. There’s no excuse for that frankly. I realize some of us are not as savvy as others in dealing with tech people, but you got to have a tech person who can communicate effectively to you and some of these things are difficult.

Number one, you need to make sure that they understand what you’re asking. Yes, I saw this article about Sony. Does that have anything to do with me? They got understand the question you’re asking, but you might be time to get a new tech guru if they don’t have that kind of awareness themselves of the marketplace, because after all, they are your first line of advice as far as security even if you’re outsourcing it. They’ve got to be in a position to help you judge whether moving your stuff to Microsoft 365 is a good move or not, whether a big vendor of case management software is secure or not. They ought to at least be able to go look.

And by the way, there’s no shame for a lawyer or a tech person in getting a question like that and saying, “I’m not sure. Let me check. I will get back to you. I’m not weirded out by that answer.”

Sharon D. Nelson: No, I agree with you and sometimes you have to because I mean, there’s too much information out there. No one can keep up with all of it.

John W. Simek: Well before we move on to our next segment, let’s take a quick commercial break.

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is Cybersecurity: A Lawyer’s Ethical Duty to Read the News. Our guest is Lucian Pera, a Memphis Partner in the Law Firm of Adams and Reese, LLP. Lucian, why do you think some lawyers are so deeply resistant to learning about cyber security and how can we change that?

(00:20:20)

Lucian Pera: I’m reminded, I think it was supposedly Max Planck, the physicist who was asked about how change occurred and thinking about science, quantum mechanics, all that stuff, and his answer apocryphally was one funeral at a time. Not to be morbid, but the truth is it is a generational thing. It’s not only that though and that’s unfair. I know lots of lawyers that’s old and older than me, who are perfectly savvy enough to use the tools they need. And we’re, again, in a good era in that respect because the tools are better for not tech savvy users if that’s the right way to put it. You don’t have to know what’s under the hood. You just — usability is much more dramatic.

I think what can be done to change it is, exhorting people to learn about tech it’s difficult. But the more you can get your lawyers to learn how to do new stuff. They use Word, fine. Help them figure out how to do footnotes better, or to do a table of authorities, if they’re a trial lawyer, for example, something. Because my experience is that when you actually explain new stuff on a regular basis and get users to increase their actual tech competence, maybe it’s using PACER, maybe it’s having a lawyer learn how to use PACER rather than have their paralegal do it all the time, because actually, of course, they can use PACER in a way they don’t need their paralegals do like by looking up documents and things like that.

My experience is that tech competence increases lead to people being more understanding about security. I got no data on that, but I mean, that’s my experience. I don’t know if it’s verified. Y’all deal with a lot of users by your experience.

Sharon D. Nelson: What do you think, John?

John W. Simek: I agree with Lucian. I think that as they get more comfortable, I guess, more knowledgeable about things, certainly they become more efficient.

Sharon D. Nelson: As we found today, I mean, one lady said, “You have terrified me for an entire hour.” And we were trying to educate not terrify, but it is terrifying to a lot of folks.

Lucian Pera: It is a real problem because you need to be a little scared, but you can’t be immobilized by it. There’s so many things in life that way and certainly in the law that way. I will say the training piece is I think frankly the most difficult piece in lawyer use of tech, period, full stop. And we use all, and our firm, we’re not great and we’re certainly not perfect, but we use all kinds of stuff. We send out fake phishing emails to our lawyers, which I find to be cool and interesting and a little scary, and people do learn from that.

And by the way, it sometimes engages their competitive Instinct. We also send out videos that we require people to watch with examples, particularly on phishing. Again, it’s a big risk these days. We do video training on Word, Excel, whatever. Again, on that theory, that we can make them both more efficient and more comfortable with tech, I’m a believer in the walking around training thing, which we don’t do quite as much as I’d like us to do.

I’ve learned more about Word and most of our software from my secretary than I have from anybody else and that goes back 20 years. Having a tech person wander around once in a while and poke their head in and say, “Hey, how you doing? Anything going on?” Because if they can spot a problem, if they’re lucky enough to come on a user with a problem and they can walk them through fixing it, that’s great from so many different perspectives. Training, I think, is the big challenge. And I think the more training not just on cybersecurity, but on tech generally, I think the better off our cybersecurity posture is. That’s my view.

John W. Simek: I want to go down a little bit different path and talking about cybersecurity awareness training, which is similar in that and the whole phishing thing and the simulations you were referencing and I agree, I think Sharon and I find that when we do cybersecurity awareness training, whether it’s webinar with us live or whatever, it’s more effective than someone watching a movie on TV.  The training video things, I think that stuff is much, more effective but we’re seeing so much more interest, certainly among lawyers today and doing cybersecurity awareness training, and they’re looking for CLEs in those kinds of things, but do you have any thoughts about how often they should be doing that awareness training?

Lucian Pera: I don’t know. I don’t think anybody has solved that particular puzzle. Multiple attacks, multiple angles of attack. CLEs are fine. CLEs are fine. The short videos we send out I think monthly, they’re fine. The phishing attacks, the fake phishing attacks, we send out, not monthly, but those are fine. Those are useful. I like mixing it up a little bit.

The other thing I will say, in the ethics world, I’ve been inside a law firm doing the ethics thing for the firm, loss prevention and such since about since before 1990, so a long time. And one of the things I think better people in ethics and loss prevention do is they’re always looking for what we call teachable moments. I’m sure a lot of people do, where whether it’s the Microsoft hacks or it’s something outside the firm, or maybe it’s something inside, my point being I think we should do this for tech as well.

(00:25:15)

If it’s the Microsoft hack and you can send something about that to your users or it’s the latest phishing attempt that they’re starting to see at our help desk that when we get three or four, and it starts growing, we send out a note saying, “Watch for this, just coming.” The immediacy of that and also, sometimes when you can find a mistake that somebody has made or almost made and use it as a way to teach people, that’s really effective.

I mean, frankly, in the ethics world, we often use those teachable moments and sometimes expressly so that we can tell people, “We want you to learn from somebody else’s misfortune, to me! You just got to have a complete awareness if you’re running an office’s security operation. And I don’t mean the tech side. I mean, the lawyer side, whether it’s a 3-lawyer firm, or a 300-lawyer firm that you got to keep poking people to be aware of this stuff because it’s so constantly changing and it comes from so many different directions.

The latest I heard in trying to remember how this works, but it’s some malevolent piece of software that will go sit in Outlook and look for email threads with familiar-looking Word documents and then inject some kind of malware into the email thread. Oh, the other thing I heard about lately is hidden rules in Microsoft Outlook. Didn’t even know they existed. Our tech people didn’t know they existed until we got one inserted. There’s no way around. It’s not like you could do a monthly course on this. People wouldn’t put up with it, but things are changing so much that the more little bits of training you can give people in the more different directions you can give them from, I think the better off we are.

Sharon D. Nelson: I think you’re right and we certainly, as always, we’ve enjoyed the laughter and the conversation. It’s really wonderful to talk to you, always is, and we’re so glad you came back to be a guest with us. I know that people learned a lot today from listening to the podcast and I know your time is very valuable and you’re always generous with it. Thank you very much.

Lucian Pera: Thank you for having me. It’s been a blast.

John W. Simek: That does it for this edition of Digital Detectives. Remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or in Apple Podcast. If you enjoyed our podcast, please rate us on Apple Podcast.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology and cybersecurity services at senseient.com. We’ll see you next time on Digital Detectives.

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.

The views expressed by the participants of this program are their own and do not represent the views of nor are they endorsed by Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.