Those are just a few warnings issued by leading cybersecurity experts during the 2020 Masters Ethics Seminar sponsored by the Professional Ethics Committee at the Bar’s Virtual Annual Convention.
Florida lawyers have adjusted to the COVID-19 pandemic with the help of remote technology, but that has put them at greater risk of data breaches, said Steven W. Teppler, a North Palm Beach attorney who has chaired the cybersecurity practice group for Mandelbaum Salsburg for two decades.
Teppler cited a recent ransomware attack on a prominent entertainment law firm in California. Criminals infected the firm’s IT system with a computer virus and demanded $42 million to restore access to its files, he said.
“We are low-hanging fruit, we are a target-rich environment for all these threat actors,” Teppler said. “All of our client data is worth a lot of money, and criminals go where the money is.”
Attorneys who fail to maintain proper data security could find themselves in serious trouble, Teppler said.
“You have civil liability for malpractice either on an attorney basis or a firm basis, and then you have ethical liability,” he said.
In a segment entitled, “Attorney Ethical Obligations and Competency in Technology,” Teppler was joined by Eric Hibbard, CTO for security and privacy with Hitachi Vantara.
Hibbard, who speaks nationally, is an expert on storage security, cloud computing, electronic discovery, and cryptography.
All states require data managers to notify customers of data breaches, “and that can be extremely expensive,” depending on the size of the victim pool, Hibbard said.
Lawyers are especially at risk, he said.
“The embarrassment can be even more significant because it can have a major effect on your ability to practice, if you or your firm suffers an incident that becomes known to the press and they talk about it,” he said.
Data breach notification laws contain a safe harbor for encrypted data, but encryption takes two forms, Hibbard said.
“When you’re transferring something, is the connection an encrypted connection?” he said. “But that’s just a transient encryption, when it’s in motion,” The data should also be protected by “at rest” encryption, he said.
“The importance of that is if someone were to gain access, it’s in protected form and you don’t have a data breach, per se,” he said. “But unfortunately, a lot of that at rest encryption is tied to the computer itself.”
Whoever has access to the computer has access to the data, Hibbard said, and security professionals “typically look at how the keys are being managed.”
Lawyers should plan for “sanitization,” or destroying sensitive data when it’s no longer needed, both experts warned.
The preferred method is “encryption erasure.”
“It’s like destroying the key to a lock to a house,” Teppler said. “There’s no way to get back into that house.”
Be careful when selling or repurposing a computer that contains client data, Teppler said.
“When you get rid of a computer, and you click ‘erase’ or ‘reformat,’ that doesn’t necessarily mean that that information is going to be prevented from harvesting by somebody else.”
A law firm’s network printer is also a reservoir of sensitive data, and the firm should be careful when taking documents to a neighborhood print shop, such as Kinko’s, Hibbard said.
“You’re leaving data droppings, and it’s important if you’re doing that, that you know what’s happening with that data on their drives,” he said.
Cloud data storage is becoming more popular for law firms, but that presents risks as well, Teppler said.
“We don’t really control that data, that hard drive, that computer tower, is not right in front of us,” he said.
Small firms can improve security by using a reputable, cloud-based service provider, Hibbard said.
“If you’re using a particular service, they own a lot of security issues, but you need to make sure you’ve vetted that they’re meeting your expectations,” he said. “Like many outsourcing situations, you get what you pay for.”
Make sure the data is encrypted when it’s sent to the cloud-based server, and make sure it’s encrypted while at rest, Teppler said.
Cloud-based data can be breached as well, Teppler said.
“Is your information backed up? How is it backed up? How quickly can you get your information back?” Teppler said. “You have to ask, what about cybersecurity, does the provider have cybersecurity insurance?”
Don’t ignore software updates, or “patches,” most of which are responses to security vulnerabilities, Hibbert said.
“If it’s found that the breach was due to something of that nature, you didn’t pass the basic cybersecurity giggle test,” Hibbert said. “You could actually be in significant trouble.”
Lawyers can be especially vulnerable to the same “deep-fake” technology that was used to make House Speaker Nancy Pelosi appear impaired in a famous political attack.
“It’s just something to keep in mind as we rely more and more on electronically stored information as evidence for legal proceedings, and in our everyday negotiations as attorneys,” Teppler said.
While computer generated graphics are a boon to the movie industry, “a lot of these tools will show up in lots of different spaces, and these deep fakes could be a scourge that we have to deal with,” Hibbard said.
Lawyers should consider buying cybersecurity insurance, since a typical data breach can cost $300,000 to $500,000 in out-of-pocket expenses, Teppler said.
Teppler recommends buying coverage of between $1 million and $3 million. The policy should cover such things as the cost of incident response for ransomware attacks, and business interruption, he said. Study the coverage exclusions carefully, Teppler warned.
“And make sure your cybersecurity insurance covers pandemics,” he said.