By Zachary Deubler
It’s hard not to have your eyes glaze over when someone mentions the word “technology” and the legal profession in the same sentence. When technology experts using phrases like VPN, Block-chain, encryption, the Cloud, Artificial Intelligence, Data Recovery, lawyers tend to tune out and understandably so. However, since February of 2019, thirty-five states have expressly included knowledge of technology in the official comments for their Rules of Professional Conduct.1 Most states have adopted language similar to comment 8 of the ABA Model Rule 1.1, which states that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”2 Moreover, in 2012, Model Rule 1.6 was amended to include the following section “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”3 The amalgamation of these two rules require that lawyers keep up-to-date, to a reasonable degree, with changes in technology while at the same time making reasonable efforts to prevent disclosure of client information. All of this to say, a lawyer needs to have a basic understanding of how Computers and IT play a role in their practice. 4
While we do not pretend that this article addresses all of the complex areas of technology in the practice of law, we do highlight some key areas to consider while you move into the new year. We encourage you to think about the implementation of some of the basics like VPN, Cloud File Sharing, and Data Recovery.
Though Virtual Private Network (“VPN”) technology has been out for quite some time, there has been a resurgence of the technology in the news as of late. There are two different uses for VPN technology. The first is a VPN server, and the second is a VPN service. Though they are very similar because they use the backbone technology, their uses are totally different. A VPN server is a business solution for accessing your office files on the road through a secure connection. A VPN server is nothing more than a software program that runs on your office PC 24 hours a day, waiting for you (the VPN client) to connect to it remotely. Once the connection is made to the VPN server, you will have access to your office PC files and other resources in the office – just as if you were physically sitting in front of your computer at your physical office. VPN servers can even be used to get your iPhone, iPads, and Android phones onto your work network and access your client files. Depending on how your VPN server is set-up, it will also include all the benefits of a VPN service, discussed below. A VPN server is not simple to set-up and will require an IT contractor to come for installation and maintenance.
A VPN service is not used for accessing files, but instead, is used to protect your online activity – banking, e-mailing, and other sensitive tasks – from being intercepted and observed. A VPN service allows you to conduct sensitive online activities on public networks – such as coffee shops, trains, hotels, courts. Normally, you would avoid these public networks when working, but with a VPN service, you can conduct your sensitive transactions online knowing your internet traffic is encrypted. To use a VPN in this manner requires that you pay for a VPN service, which can cost anywhere from $35 a year to $10 a month. Though not as fully functional as a VPN server, the VPN service is a DIY project and can easily be accomplished on your own without having to hire outside help.
Cloud File Sharing:
Clients have come to expect an easy way to collaborate with their lawyers. This is due in large part because the internet has gone mainstream and enabled simplicity of services – from banking to ordering a pizza. This has conditioned consumers to expect real-time communication and collaboration. To meet this demand, the vast majority of lawyers use unencrypted e-mail as the primary means of collaboration – e-mail is the default file sharing service – with little regard to the security of the documents contained within that e-mail.5 As discussed above, lawyers have an ethical obligation to ensure that their client’s confidential information remains secure, which includes the way we send and receive documents.
First, assume the worst. Law firms may face different risks depending on the practice area, but every firm should assume that someone is trying to access your files and recognize that though some file-sharing providers can get close, there isn’t a service or company available that can ensure data remains 100 percent confidential.6 Second, educate your clients and staff that “smart” (and not easy) collaboration is the goal of a legal practice. This education can come in the form of retainer agreements and an upfront conversation at the beginning of the matter regarding the way the firm shares and receives documents. Third, and perhaps hardest of all, is stick to your plan. It will be hard to scrap the plan when the first client (or staff member) complains that they have to enter a password every time they receive a document, or that the attachment won’t open on their phone. There are a number of venders to choose from, but there are several key things to keep in mind when picking a vendor: (1) use [a] reliable company or product to feel secure with confidentiality and ease of use; (2) know from the beginning that the product you are using is in your control and is safe for the firm and the firm’s clients; and (3) understand the geographic location of the file sharing services systems, their security, and what they have the ability to do with the files that are shared via their system.7
Imagine this: An employee at a firm opens an email attachment and, unbeknownst to them, there’s a program called Cyberlocker hidden in the e-mail, searches their computer and all of the computers on their network for MS Office documents, PDF files, JPG files, and a variety of other types of files. Once this Cyberlocker finds all the files, it encrypts (locks) them with a key only known to the hacker. Now, no one can open any of the firm’s files, move/copy them, or do anything with them without a key to unlock the files. That key is being held for ransom and their data is in someone else’s control. Depending on if the firm was prepared with data backup, they could be back up and running within the same day; or they could be down for days/weeks with massive amount of work product destroyed. In fact, “the FBI has reported that law firms are often viewed as “one-stop shops” for attackers (with information on multiple clients) and it has seen hundreds of law firms being increasingly targeted by hackers.”8
The mantra of all firms, as it relates to security breaches, should be “when, and not if.” Indeed, in 2012 then-FBI director Mueller said “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”9 In 2014, the ABA adopted a resolution on cybersecurity that “encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations. A program that is tailored to the nature and scope of the organization and the data and systems to be protected. The organizations covered by it include law firms.”10
As a first step in realizing that goal, all firms should have an individual(s) designated to be responsible for developing and coordinating a security policy. For those starting out, a good basic rule is to have at minimum two back-up locations: one back-up in your office (a local back-up drive) and the second is off-site in a secure cloud (just in case the building burns down, or a power surge damages your in office computer).
Follow the advice that we often give our clients, “recognize when you’re out of your element and get professional help and guidance.” We are primarily lawyers, and though we enjoy the immense benefits of the digital world that we practice in, we did not go to school to get a degree in cybersecurity or computer coding. Making sure we protect ourselves and our clients will often require that we seek the advice of the experts and work with trained professionals to ensure that we are conducting ourselves in the most efficient, and secure, manner possible. While we don’t pretend to be experts ourselves, we think that it’s incumbent upon our profession to help each other make better and smarter moves as we all progress in this ever-increasing digital universe.
1 Tech Competence, https://www.lawsitesblog.com/tech-competence (last visited 12/9/19).
2 ABA Model Rule 1.1 Competence-Comment, https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_1_competence/comment_on_rule_1_1/ (last visited 12/9/19).
3 ABA Model Rule 1.1 Competence-Comment, https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_6_confidentiality_of_information/ (last visited 12/9/19).
4See ABA Opinion 477R—Securing Communication of Protected Client Information, https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_opinion_477.authcheckdam.pdf (last visited 12/9/19).
5 File-Sharing in the Legal Industry, LexisNexis Survey (2014) https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=11&ved=2ahUKEwjG_ImDgqnmAhVlTd8KHRsiBtkQFjAKegQIChAC&url=https%3A%2F%2Fwww.lexisnexis.com%2F__data%2Fassets%2Fpdf_file%2F0017%2F46061%2Fdocument-security-report.pdf&usg=AOvVaw00yr_xnLqoMSVqzjiR28dG (last visited 12/9/19).
6 See What The Dropbox Hack Means for Lawyers, Above the Law (2016) https://abovethelaw.com/2016/09/what-the-dropbox-hack-means-for-lawyers/?rf=1 (last visited 12/9/19).
7 Law Firm File Sharing: Attorneys in Their Own Words, ABA, (2017) https://www.americanbar.org/groups/gpsolo/publications/gpsolo_ereport/2014/august_2014/law_firm_file_sharing_attorneys_in_their_own_words/ (last visited 12/9/2019). See also 2018 Cloud Computing, ABA, (2019) https://www.americanbar.org/groups/law_practice/publications/techreport/ABATECHREPORT2018/2018Cloud/ (last visited 12/9/19).
8 2018 Cybersecurity, ABA (2019) https://www.americanbar.org/groups/law_practice/publications/techreport/ABATECHREPORT2018/2018Cybersecurity/ (last visited 12/9/19).