By Phil Brown and David W. Tollen
Lawyers love tradition, but many clients want to communicate with 21st Century tools. Texting, Skyping, SnapChatting: all of these would have mystified most lawyers ten years ago. But habits change. The flood of technological “advances” in communication methods brings new threats to attorney-client privilege and confidentiality.
The truth is, lawyers and clients have been putting privilege and confidentiality at risk for decades with emails, faxes, loud conversations, and public cell phone calls. But the risk has grown more targeted and immediate, with the potential to lose huge volumes of information, thanks to today’s technology. With the advent of high capacity USB keys, flash drives, cloud storage, smart phones, and tablets, confidential client information is ever more vulnerable to loss and attack. And with email communication now standard, it’s time lawyers took more than basic steps to protect their clients.
Recognizing this, at least twenty states have adopted Rule 1.1 of the ABA Model Rules and its commentary, which together codify the concept of technological competence. One point of note in the commentary is that lawyers should know not just the benefits of technology but also the risks associated with using it. And we might take that one step further and suggest that it’s the attorney’s duty to make clients aware of the risks associated with certain technologies.
A number of those same state bars have published opinions on using cloud computing in the practice of law. Twenty have formal opinions and suggest a “reasonable care” standard. In Canada, while no province has offered a formal opinion, British Columbia has published a thirteen-page “cloud computing” checklist for lawyers to consider prior to using the cloud.
Most opinions suggest an attorney should know how his or her provider handles storage and data security, and they advise attorneys to consult with an expert if they don’t have the necessary knowledge. There are various schools of thought around whether the attorney has an obligation to disclose how the client’s confidential information will be stored and transmitted using information technology. Some attorneys disclose the risks in their retainer agreements. After all, some clients, if aware of the risks, might choose not to have their information stored in the cloud and not to communicate via any electronic means. Arguably, clients should assess the risk with each new engagement.
The threats to confidentiality go beyond data storage. Attorneys should, at a basic level, understand data transmission, including via email, and transfer of data across borders, as well as threats like phishing and water-holing scams, man-in-the-middle attacks, hacking, loss of unprotected storage media, and data corruption. Are your VoIP lines vulnerable to attack? What about your nanny cam or thermostat on your home Wi-Fi network (assuming you sometimes work from home)? And can the government access your data without your permission or knowledge? Are these the “screen doors” in an otherwise secure law practice?
This paper describes internal solutions for a safer practice: steps you can take to protect your data and your clients’. It also discusses your relationship with technology vendors, including the terms of their contracts.
INTERNAL SOLUTIONS FOR A SAFER PRACTICE
Below are suggestions for a safer practice. Remember: the standard in most cases is “reasonable care.” So some of the suggestions below may go further than necessary for your practice. Remember also, though, that you’ve been entrusted with someone else’s sensitive information. Clients have high expectations for their lawyers, and rightly so.
A starting point for any office should be written policies. You should develop a policy for Internet usage. Are employees allowed to use the Internet, and under what circumstances? Are they allowed to open attachments? Are they allowed to use social media? The Law Society of British Columbia has developed a helpful example of an Internet and email usage policy that highlights some of the issues. Once you have policies in place, you should monitor to ensure compliance. In some cases, you might even consider a special computer that isn’t connected to your work network, for employee Internet use, to reduce your computers’ exposure to malware.
Another way to secure client confidential information is to implement strong passwords. Passwords should not only be complex and include numbers, upper and lowercase letters, and symbols; they should also be long. You should not use any of your own confidential information in passwords (birthdates, kids’ names, etc.). A number of websites can help you craft good strong passwords. And remember to change passwords often, particularly when someone leaves your firm. Another option is an online password manager like LastPass or 1Password, although some have been hacked. You might also keep a written list of passwords in a secure location.
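The password advice above, sketched as an added example that is not part of the original paper: one function generates a long random password with every character class, and one audits a password against the same rules, including the ban on personal details. The 16-character minimum, the symbol set, and the function names are assumptions chosen for this example.

```python
import secrets
import string

# Assumed policy values for this example; the paper only says "long" and "complex".
MIN_LENGTH = 16
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def generate_password(length=20):
    """Return a random password containing every character class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES)
    while True:
        # secrets draws from the OS CSPRNG; the random module is not suitable here.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def audit_password(password, personal_terms=()):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    names = ("lowercase letter", "uppercase letter", "number", "symbol")
    for name, cls in zip(names, CLASSES):
        if not any(ch in cls for ch in password):
            problems.append(f"no {name}")
    # Compare letters and digits only, so "Emma-2011" still matches "emma" and "2011".
    squashed = "".join(ch for ch in password.lower() if ch.isalnum())
    for term in personal_terms:
        needle = "".join(ch for ch in term.lower() if ch.isalnum())
        if len(needle) >= 3 and needle in squashed:
            problems.append(f"contains personal information: {term}")
    return problems


if __name__ == "__main__":
    # Constructed sample data: a child's name and a birthdate in two common spellings.
    personal = ["Emma", "2011-04-09", "04092011"]
    print(audit_password("Emma04092011!", personal))
    print(audit_password(generate_password(), personal))
```

The personal-terms list should hold each detail in every spelling someone might type, since a birthdate written as 2011-04-09 does not match a password that uses 04092011.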
It’s a paranoiac’s dream-world, and we leave cookie trails with every website we visit. We can avoid these public trails through a special browser, like Epic or Tor. Each of these creates barriers to establishing a user’s location and to identifying sites visited. It might be overkill, but if necessary, you can go further and use DuckDuckGo: a non-tracking search engine.
Email encryption used to be cumbersome and somewhat James Bondish; not so anymore. Today, we have a multitude of ways to encrypt email, either within the mail application or through a special email account, like Tutanota or Virtru. Common email applications like Outlook usually offer encryption these days too. Remember, your email doesn’t travel in a straight line from your computer or phone to your client. It might be intercepted while it meanders through various countries. The best practice is to encrypt your message.
Many clients want to communicate via text message these days. That’s difficult for lawyers because of our need to document all our client communications. And although there are programs to copy texts, most resort to screenshots and to dictating memos to file: cumbersome solutions. There are other options, and the Electronic Frontier Foundation recently published a scorecard rating the security of messaging apps, which is worth examining.
There are a variety of means to store data in the cloud, especially for sharing with clients. Some of the best known vendors are DropBox, GoogleDrive, OneDrive, and Box.com. But there are many others. Some have been hacked, and they do involve risks to confidentiality. One technical step is to ensure data encryption not just in transit but also at rest. There are various options for encrypting the data prior to uploading it to the cloud. You can also find simple apps, like Viivo, which enable encryption with a drag and drop option on your portable device. Obviously, you should pick apps that work on your platform or device.
For more on data storage vendors, see below: “Cloud Computing Vendors and their Contracts.”
Few topics have been hotter during the past few years than encryption. How do you protect data on your network, your smartphone, USB, Flash Drive, laptop, or tablet? The options include built-in encryption for Windows (BitLocker) and for Mac OS (FileCrypt). Ubuntu has native encryption features too. A quick Google search will show you how to locate and engage all these encryption features. And if you’re looking for an open-source alternative, there’s VeraCrypt and a number of others. VeraCrypt even has a beginners’ tutorial online. The advantage of using open source software is that you create your own encryption keys, and no large company (Microsoft, Apple, etc.) can turn over your keys to the authorities.
One thing we have to be more aware of in this age of super-portability is protecting data we carry or access when we travel. You can find good guides online about best practices for traveling with technology, with suggestions like clean devices and hidden boot sectors.
You should be aware that Canadian and U.S. law provide no guaranty that asserting privilege will prevent seizure of critical electronic files. A best practice would be to access critical data using a VPN or remote desktop protocol while traveling. You could also carry client files on an encrypted device. That way, you at least maintain control over the files, even if they’re seized—assuming your encryption is strong enough.
VPNs and RDPs
The best feature of public Wi-Fi is that it’s convenient. For many of us, it’s a day-to-day reality, used in cafés, in hotels while we’re on the road, at the community centre while we’re waiting for the kids to finish swimming or dodge ball, etc. The worst part about public Wi-Fi is that it’s insecure, and we can’t expect our data to be safe. The connection might be “spoofed.” (You think you’re connecting with McDonalds, but it’s really a honeypot, and a nefarious third party is capturing your data.) Or you might be subject to a “man-in-the-middle attack” or any number of other schemes. And the public network could simply be insecure, putting you (and your clients’ data) in a dangerous space.
A Virtual Private Network (VPN) offers a way to access your data on public Wi-Fi, using a secure pipeline you’ve created within the public connection. No data security solution is impenetrable, but VPNs increase your security when you use a public connection. VPNs are often used with a Remote Desktop Protocol (RDP) or Remote Desktop application. Microsoft has an RDP, and so does GoToMeeting, where you can also share computer screens and collaborate on documents. There are many options, and VPNs and RDPs are much simpler to set up than they were five years ago. Access may be a little slower, but increased security is usually worth the burden.
Criminals can obtain wireless devices to retrieve unprotected information through a simple Internet purchase, and much of the software they need is free. So beware.
CLOUD COMPUTING VENDORS & THEIR CONTRACTS
If you use software-as-a-service (SaaS) or other cloud-based tools, internal policies and procedures win only half the battle. What is your vendor doing with your data, particularly your clients’ confidential information? The first step in vendor management is due diligence. Does your vendor have a good reputation for data security and for respecting privacy? Has it received any sort of accreditation, like a Privacy Seal from TRUSTe, which says that a privacy accreditation company has confirmed that the vendor’s policies meet certain minimum standards? (A seal does not, however, mean TRUSTe has verified the vendor’s compliance with those policies.) Just as important, does the vendor perform an annual data security audit? “SOC-2” and “SOC-1” (a.k.a. “SSAE-16”) are auditing standards published by the American Institute of Certified Public Accountants. An annual third party certification of compliance with one of these standards won’t guarantee your data’s safety, but it’s a major step in the right direction.
There are countless other data security metrics to check regarding your vendor, including many of those discussed above. If you’re not sure how to vet your vendor, consider working with an IT consultant or advisor. You can also review the due diligence discussion in one of the other papers provided through this year’s ABA TechShow: Terms and Conditions – To What Did I Just Agree? by David W. Tollen and Nathan Leong. [This paper will be posted shortly at TechContracts.com. Apologies for the delay.]
Your vendor’s contract probably falls closer to your area of expertise than its IT systems. But you’ve got to read it! First and foremost, what kind of license does it require to your data? Does your document sharing and storage vendor demand a perpetual license to use your data, and your clients’, to market and improve its services, or a right to share data with subcontractors without restriction? Lawyers can’t grant rights like those to client data, but some vendors include them in their standard terms.
The vendor contract should also address the sort of data security precautions discussed above. It’s great if the vendor currently runs effective data protection systems, but does it promise to keep running them—or at least to notify you if it stops? For instance, many vendors say they’ve got a SOC-1 or SOC-2 data security certification, but they don’t promise that it’s current, and they don’t promise to get another one next year, or the year after.
You can learn more about cloud vendor contract terms from the other conference paper cited above: Terms and Conditions, by Tollen and Leong. And you can learn more about cloud vendor terms from an ABA book written by one of our authors and also from the book’s website, which has free contract forms and other resources. The book is The Tech Contracts Handbook, and the website is www.TechContracts.com.
Ten years ago, we’d have sounded fanciful to suggest that lawyers should employ methods like encryption and VPNs to secure client information. Now—with more law firms targeted by hackers and more lawyers managing and backing up their data through cloud-based systems—we need more proactive steps to secure our information. And when we encounter technology we don’t understand, we need help from an expert.
About the Authors and this Paper
Phil Brown, Law Society of Upper Canada, Counsel, Professional Development & Competence
Phil Brown graduated from Dalhousie University with a B.Sc. (Hons) and an LLB. He was called to the Bar in Nova Scotia and Ontario. He also holds a post-graduate certificate from Centennial College in e-commerce. After working in private practice and in legal aid, particularly in criminal law, Phil joined the Law Society of Upper Canada in 2008 as Counsel in the Professional Development and Competence department. There, he has been involved in CPD planning, accreditation, and certified specialist certification. He participates in developing resources for solos and small firm lawyers and for the past seven years has worked on the Practice Management Helpline team assisting lawyers and paralegals with issues related to the Law Society By-laws, Rules of Professional Conduct and professionalism questions. He has recorded over 35 podcasts on basic technology for lawyers with David Whelan. Phil is currently a member of the Ontario Criminal Lawyers Association and is the Photo Editor of “For The Defence” magazine. He is a presenter at continuing professional development programs and has spoken at the Criminal Lawyers Association, Hamilton Lawyers Association, Toronto Lawyers Association, and Law Society programs. He has been a lecturer and instructor in the professional responsibility course.
This paper was presented to the American Bar Association’s TechShow conference in March of 2016. This is its first publication.
 Ambrogi, R. (2015, March 16). “20 states have adopted ethical duty of technology competence” Retrieved from http://www.lawsitesblog.com/2015/03/11-states-have-adopted-ethical-duty-of-technology-competence.html.
 Model Rule 1.1: Competence. Retrieved January 15, 2016, from http://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_1_competence.html.
 Comment on Model Rule 1.1. Retrieved January 15, 2016, from http://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_1_competence/comment_on_rule_1_1.html.
 Practice resource: Cloud computing checklist. (2013). Retrieved from http://www.lawsociety.bc.ca/docs/practice/resources/checklist-cloud.pdf.
 Technology practice tips: Engagement retainers (Podcast) | the Law Society of Upper Canada. Retrieved January 15, 2016, from http://www.lsuc.on.ca/WorkArea/linkit.aspx?LinkIdentifier=id&ItemID=2147495522
 Technology practice tips: Phishing (Podcast) | the Law Society of Upper Canada. Retrieved January 15, 2016, from http://www.lsuc.on.ca/WorkArea/linkit.aspx?LinkIdentifier=id&ItemID=2147499869&libID=2147500936
 Technology practice tips: Man in the middle (Podcast) | the Law Society of Upper Canada. Retrieved January 15, 2016, from http://www.lsuc.on.ca/WorkArea/linkit.aspx?LinkIdentifier=id&ItemID=2147499868&libID=2147500935
 Paganini, P. (2015, June 17). Cyber attacks against VOIP systems on the rise. Retrieved January 15, 2016, from http://securityaffairs.co/wordpress/37844/cyber-crime/voip-systems-hacking.html
 ZoneAlarm. (2015, February 11). How secure is your WiFi-Enabled camera. Retrieved January 15, 2016, from http://www.zonealarm.com/blog/2015/02/how-secure-is-your-wifi-enabled-camera/
 Model policy: Internet and Email use policy | the Law Society of British Columbia. Retrieved January 15, 2016, from https://www.lawsociety.bc.ca/page.cfm?cid=1508&t=Model-Policy:-Internet
 Password Do’s and Don’ts — Krebs on security. Retrieved January 15, 2016, from http://krebsonsecurity.com/password-dos-and-donts/
 Siegrist, J. (2015, June 15). LastPass security notice. Retrieved January 15, 2016, from https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
 Project, T. T. Tor Browser. Retrieved January 15, 2016, from https://www.torproject.org/projects/torbrowser.html.en
 Encrypt e-mail messages – outlook. (2007). Retrieved January 15, 2016, from https://support.office.com/en-us/article/Encrypt-e-mail-messages-84d7e382-5f76-4d71-8705-324489b710a2#bm2
 VeraCrypt. (2015, July 13). Retrieved January 15, 2016, from https://veracrypt.codeplex.com/wikipage?title=Beginner%27s%20Tutorial
 Schoen, S., Hofmann, M., & Reynolds, R. (2012). Defending privacy at the U.S. Border: A guide for travelers carrying digital devices ELECTRONIC FRONTIER FOUNDATION. Retrieved from https://www.eff.org/files/eff-border-search_2.pdf
 CBP Directive: Border Search of Electronic Devices Containing Information. Retrieved from https://www.cbp.gov/sites/default/files/documents/elec_mbsa_3.pdf
 Paksoy, V. (2015, February 25). Beware the pineapple: An overview of WiFi pineapple mark V. Retrieved January 15, 2016, from http://volkanpaksoy.com/archive/2015/02/25/beware-the-pineapple-an-overview-of-wifi-pineapple-mark-v/
 Tollen, The Tech Contracts Handbook: Cloud Computing Agreements, Software Licenses, and Other IT Contracts for Lawyers and Businesspeople, 2nd Edition (ABA Publishing 2015): http://shop.americanbar.org/eBus/Store/ProductDetails.aspx?productId=224879160&term=tech%20contracts%20handbook (also available from Amazon).
© 2016 by Phil Brown and David W. Tollen. All rights reserved.