Attorneys are ethically bound to protect their firms from cybersecurity threats, but many feel out of their depth when choosing security options and fear the involved expense. While cybersecurity is truly a necessary cost of doing business for lawyers, there are options out there that won’t break the bank! On Balance podcast hosts JoAnn Hathaway and Tish Vincent talk with cybersecurity expert David Ries about current threats lawyers and law firms face and some common-sense, lower-cost options they can employ to protect their firm’s sensitive data.
David Ries is of counsel in the Pittsburgh, PA office of Clark Hill PLC, where he practices in the areas of environmental, technology, and data protection law and litigation.
State Bar of Michigan – Cybersecurity Practices That Won’t Bust Your Budget – Security Basics
A Discussion with David Ries
Intro: Welcome to State Bar of Michigan’s On Balance Podcast where we talk about practice management and lawyer wellness for a thriving law practice. With your hosts JoAnn Hathaway and Tish Vincent here on Legal Talk Network. Take it away, ladies.
Tish Vincent: Hello, and welcome to another edition of the State Bar of Michigan’s On Balance Podcast on Legal Talk Network. I am Tish Vincent.
JoAnn Hathaway: And I am JoAnn Hathaway. We are very pleased to have Dave Ries, of counsel attorney with the law firm of Clark Hill in Pittsburgh, Pennsylvania, join us today as our podcast guest to talk about Cybersecurity Practices That Won’t Bust Your Budget: Security Basics. Dave will also be our podcast guest next month for the second part of this two-part series to talk about Cybersecurity Practices That Won’t Bust Your Budget: Practical Tips. So, we invite you to stay tuned for that upcoming podcast. So, Dave, would you share some information about yourself with our listeners, including your background in cybersecurity?
David Ries: Sure. I practiced with Clark Hill’s Cybersecurity and Privacy Practice Group. I got my first computer in the early 1980s the first year that PCs were available, so, I got in on the ground floor. Over the years, I’ve tried to strongly encourage attorneys to use technology and to use it in appropriate and secure ways. So, since the mid-1990s, I’ve been increasingly focusing my practice on cybersecurity and privacy. So, I’ve been in it since the early days.
Tish Vincent: What are the current cybersecurity threats that attorneys and law firms face today?
David Ries: Well, unfortunately, there’s a lot of them and they keep growing. Hackers often consider law firms to be one-stop shops where they can get information about a lot of different clients that’s well-organized and oftentimes without adequate security. So, the threat actors who are trying to get them are cyber criminals, hackers, hacktivists who hack for political and policy reasons. There’s often state sponsored and/or state condoned espionage, and then there’s insiders within our law firms. Some of them are malicious, but often, yeah, they’re just dishonest, or bored, or untrained. How they do it, it’s a number of ways. We’re often seeing phishing and social engineering these days, direct attacks, getting in through malicious websites, it goes on and on. So, you know, one of the important things is for attorneys to know their enemies and understand, you know, who’s doing it, and how they’re trying to get us. Another important thing to understand is what they’re after, and there’s a whole laundry list, but typically, it’s money, information that can be translated into money like credit card numbers, bank account numbers and things, or information that’s valuable itself: strategy in lawsuits or transactions, intellectual property, trade secrets, and things of that nature. So, in my view, there are four greatest threats to law firms today. So, they’re important for all of us to focus on to protect ourselves. First is ransomware, and that, of course, is where an attacker encrypts the data and requires ransom to get the decryption key. But it’s a one-two punch now, because a lot of the ransomware perpetrators are also stealing the data before they encrypt it, so the ransom is both to get the decryption key to get the data back, and it’s to prevent the attacker from selling the data or just publicly posting it. Second is business email compromise.
Those are the fraudulent emails that try to get recipients to give banking information, give credentials, or to actually encourage them to send fraudulent wire transfers. Third is spear phishing, and it’s often used for these other kinds of attacks. It’s a way to get in. Most attorneys are familiar with phishing, you know, which are just the fraudulent emails. Spear phishing is a targeted email: instead of being sent to a wide array of victims, it’s targeted on a particular individual, a particular law firm, or particular groups of attorneys and law firms.
And then finally, the fourth one is lost and stolen laptops, smartphones, and portable devices. As we’ll see later, that’s the easiest one to protect against. So, those are the threats that attorneys and law firms are seeing today.
JoAnn Hathaway: Dave, what duties do attorneys have to safeguard their confidential data?
David Ries: Well, there’s a whole package of duties, and they arise from four sources. First are the ethics rules, second are common law duties, third are contracts and fourth are laws and regulations. So, we’re all familiar with the ethics rules. If we violate those, we’re subject to a disciplinary proceeding. If we violate common law duties to clients, we’re subject to a malpractice or professional liability action. We’re seeing a growing number of contracts where clients, particularly ones who are involved in healthcare and financial services, are contractually requiring attorneys to employ safeguards for confidential data. And finally, there’s a series of laws and regulations we’ll talk about in more detail in a minute. So, there are five ethics rules or groups of ethics rules that apply here. There’s Competence, Rule 1.1 in the ABA Model Rules; Communication, which is Rule 1.4; Confidentiality of Information, which is Rule 1.6; Safeguarding Property, Rule 1.15; and Supervision, Rules 5.2, 5.2 and 5.3. I want to mention that I use the ABA Model Rules because I often give these presentations in different states and to multi-state groups. So, I focus on the ABA Model Rules. It is of course important in your practice to focus on the rules in your home state and any other state where you may practice. And there are some differences between the Michigan Rules and the ABA Model Rules in the ones that I’m looking at today. So, Rule 1.1 on Competence, it’s the basic duty for attorneys to be competent in both substantive law and the practice of law, and also, to maintain that competence. In August of 2012, the ABA amended the comment to its Model Rule 1.1, and it added the requirement that competence includes understanding the benefits and risks of technology. As of the end of last year, 38 states had adopted that rule, including Michigan. Next is Model Rule 1.6 on Confidentiality of Information.
And I do want to point out that the Michigan Rule differs from the ABA Model Rule. So, it’s important for you to focus on the Michigan Rule. But again, in August of 2012, the ABA amended both Model Rule 1.6 and the comments to it. It amended the rule by adding an express requirement that attorneys have to make reasonable efforts to protect confidential data against inadvertent disclosure and against unauthorized access. Now, Michigan, as I understand it, did not adopt that amendment, but it’s important to understand that the ABA Ethics 2020 Commission that recommended these changes pointed out that the amendment to Model Rule 1.1 and the amendment to Model Rule 1.6 do not create any new duties; they just made explicit what the existing rules and comments, ethics opinions, and some court cases had already held. So, even in states that haven’t adopted them, they may well apply. Going with that, there are two ABA Formal Ethics Opinions that I recommend that contain more about the duties, and that is Opinion 477R, which deals with securing communications, and Opinion 483, which defines lawyers’ obligations after an electronic data breach. So, they go into more detail on the particular rules that I was discussing. On laws and regulations, we don’t have time to go through them in detail, but there are federal, state and international laws that require protection of defined kinds of personally identifiable information.
And if a law firm has a breach, and they have that kind of information, they’re governed by them. All 50 states, including Michigan, have breach notice laws that apply to attorneys as well as others. So that’s an overview of the duties that we have to safeguard information relating to clients.
Tish Vincent: How should attorneys address the requirement of reasonable security?
David Ries: Well, it’s particularly important to take a comprehensive approach. So, it’s just not going to work if attorneys take what I call an ad hoc approach, where you just kind of take a look at some articles and things and, you know, adopt one or a few of these safeguards that you learn about. So, what attorneys should do, as well as others, is to prepare and implement a comprehensive risk-based cybersecurity program, and it should be appropriately scaled to the size of the law firm and the sensitivity of the information. So, it depends on those two criteria: a small firm generally may not need the level of security that a large firm has, but if a small firm has particularly sensitive information, you know, estate planning, or domestic relations of celebrities, they may need the same level of security as a larger firm that has less sensitive information. And the amendments to Model Rule 1.6 actually take a risk-based approach in giving attorneys guidance on what is reasonable, and it’s the standard approach in cybersecurity 101. So, it’s nothing new or special for attorneys; the ABA just applied the general approach that security professionals apply. So, it says that in determining what are reasonable efforts, you look at the sensitivity of the information, the likelihood that it will be disclosed without additional safeguards, and then it looks at available safeguards. So, what’s available, how difficult is it to employ, how expensive is it, and what effect will it have on the ability to use technology? And just as an example, you may have something that would be very inexpensive, like requiring a 35-character password for everything that you use, a different one for each application, no words in it, a mixture of symbols and numbers and letters. That would be fairly easy to implement, and it would be cheap, but it would make the technology impossible to use. So, that’s the way that you go through it.
So, a reasonable security program starts with an inventory of data and the technology that needs to be protected. It should apply an information governance approach. And that means that you manage and minimize your data. If you don’t have it, if you’ve gotten rid of it because you don’t need it any longer, you don’t have to protect it. And that takes some effort, but it doesn’t take a lot of expense, and it’s a good way to protect data. Attorneys should have incident response plans. For a small firm, it might just be a list of who to call for what, but it’s important to have it. I do have some information sources and checklists that I’m going to be providing that go through these details. And one of them has about 10 items on putting together a comprehensive cybersecurity program. We could spend this whole podcast going through that, and we don’t want to just go through reading a laundry list, so you can refer to that to get the details of what I’ve just covered.
JoAnn Hathaway: What are the best sources of information on cybersecurity for attorneys?
David Ries: Well, we’re recording one of them right now, and that’s going to the Michigan Bar for podcasts and CLE programs and things of that nature. Another one that’s good is the American Bar Association Cybersecurity Legal Task Force; it coordinates cybersecurity information for the ABA. And one of the things that it has gone to a lot of effort to publish is a list of cybersecurity resources for small law firms. So, that’s an excellent source of information. Also, in the ABA, there’s the Law Practice Division, including Tech Show and the Legal Technology Resource Center. There are a number of ABA webinars, live and on demand, and many of them are now free for members.
And just for example, there have been several on working from home and remote working. There’s one coming up on building in technology when you start to practice. So, that’s another group of good resources. And then, finally, the Federal Trade Commission has published a series of cybersecurity guidelines for small businesses. So, it has a website that has a lot of helpful information. One of the problems in cybersecurity is, it can be like a fire hose. There’s so much information out there, and one of the things people often ask me is, where do I start? Where do I find this information?
Tish Vincent: Can attorneys provide for reasonable security without breaking the bank?
David Ries: I’ll give a qualified yes to that, and the reason is that you do have to spend some money and a lot of time and effort to make sure that you have reasonable security. It’s a cost of doing business for attorneys and really for anyone else that deals with sensitive information. And many things in security are low cost or free, and we’re going to talk about some of them in the second session of this webinar. But one thing that I want to caution is that we really need to be careful with consumer grade technology, security tools, cloud services, et cetera. In those cases, a lot of attorneys, particularly those who are solos or are in small firms, are tempted to go for what is free, but it oftentimes doesn’t have adequate security and doesn’t have the level of security that more expensive tools and services have. And one of the things that is low cost or even free, and is one of the most important things, is having constant security awareness by every user, every time they’re using technology.
JoAnn Hathaway: Well, it looks like we’ve come to the end of our show. We’d like to thank our guest today, Dave Ries for a wonderful program. We look forward to talking with Dave again next month when he’ll be talking about practical cybersecurity tips in this two-part series.
Tish Vincent: Dave, if our guests would like to follow up with you, how can they reach you?
David Ries: I’ll be glad to respond to emails. My email address is [email protected].
Tish Vincent: Thank you, Dave. This has been another edition of the State Bar of Michigan on Balance Podcast.
JoAnn Hathaway: I’m JoAnn Hathaway.
Tish Vincent: And I am Tish Vincent. Until next time. Thank you for listening.
Outro: Thank you for listening to the State Bar of Michigan On Balance Podcast, brought to you by the State Bar of Michigan and produced by the broadcast professionals at Legal Talk Network. If you’d like more information about today’s show, please visit legaltalknetwork.com. Subscribe via Apple Podcasts and RSS. Find the State Bar of Michigan and Legal Talk Network on Twitter, Facebook and LinkedIn, or download Legal Talk Network’s free app in Google Play and iTunes. The views expressed by the participants of this program are their own, and do not represent the views of, nor are they endorsed by, Legal Talk Network or the State Bar of Michigan, or their respective officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.