Cybersecurity for Lawyers–Protecting Yourself, Your Clients, and Others from Cybercrime and Privacy Threats was presented as a CLE at Pace Law School on Oct. 26, 2017. The presenters were
- John T. Bandler, author of Cybersecurity for the Home and Office: The Lawyer’s Guide to Taking Charge of Your Own Information Security (ABA 2017). Mr. Bandler is a Pace Law alumnus and currently teaches a course in cybercrime and cybersecurity at Pace Law School. His law firm and consulting practice is focused on helping corporations and individuals with cybersecurity, investigations, and protecting against cybercrime.
- Adam Cohen, an attorney, author, and teacher, and the author of Electronic Discovery: Law and Practice. He teaches courses in data privacy, e-discovery, and electronic evidence at Fordham Law School.
- Christopher Jones, an investigator in the N.Y. State Police Computer Crimes Unit. He regularly speaks about cybercrime and cybersecurity, and has served as an expert witness in these areas.
Mr. Bandler discussed the current N.Y. State Rules of Professional Conduct 1.1, 1.2, 1.6, and 1.15 (these extend the duty of confidentiality and competence to cybersecurity); the ABA Model Rules; and ABA Formal Opinion 477R, which states that
a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.
The opinion concludes that a lawyer must take reasonable security measures of ensure the confidentiality, integrity, and availability of client data.
All three speakers discussed cybercrime threats to data. These include hacks, malware, ransomware, social engineering, compromise of business email, and identity theft. Privacy threats have to do with the collection, storage, sharing, and use of data by private corporations and governments. Lawyers have a duty to be aware of privacy policies and terms of service, and need to ensure both physical security and cybersecurity of client data.
The speakers suggested that lawyers use two-step authentication, keep devices physically secure, keep their computer networks secure, limit the number of administrator privileges, use whitelists of permitted apps, keep software updated, never use public wifi, and use (and keep updated) virus and anti-malware software. It was interesting to hear that, among the three experts, there was disagreement on the use of encryption.
Lawyers need to be aware of the technical and legal issues in using cloud-based storage solutions, including the terms of service and privacy policies. The speakers agreed on the necessity of cloud-based data storage to ensure the availability of client data in the event of computer or network failure.
The last area discussed was the Internet of Things. These include smart appliances like refrigerators and thermostats, fitness trackers, and home security systems. The speakers pointed out that these things are the most hackable of all because the software is not updated, or, if it is updated by the manufacturer, consumers don’t bother to download the security patches. These things may allow a hacker access to your network, and the bottom line is that you should really think about whether you need to have your home appliances accessible via your computer network.
The speakers left the attendees with a lot to think about, and I noticed many people accessing their smart phones to change privacy settings immediately. The bottom line is that data has value, and attorneys have a duty to be vigilant in protecting client data.
- John T. Bandler, Cybersecurity for the Home and Office: The Lawyer’s Guide to Taking Charge of Your Own Information Security (2017).
- John T. Bandler, The Cybercrime Scheme That Attacks Email Accounts And Your Bank Accounts, Huffington Post, Aug. 3, 2017.
- Adam Cohen, Documenting IT Reality: Start Here for Digital Discipline (2017).
- A.G. Schneiderman Issues Alert On Phishing Scam Targeting New York Attorneys (Press Release, Nov. 30, 2016.
- Association of the Bar of the City of New York, Committee on Professional Ethics. Formal Opinion 2017-5: An Attorney’s Ethical Duties Regarding U.S. Border Searches of Electronic Devices Containing Clients’ Confidential Information.
- Eli Wald, Legal Ethics’ Next Frontier: Lawyers and Cybersecurity, 19 Chap. L. Rev. 501 (2016).