Wisconsin Advisory Opinion Offers Cybersecurity Tips on Working Remotely

In late January, the Wisconsin Bar issued Formal Ethics Opinion EF-21-02: Working Remotely.  The opinion makes three important points and shares helpful and practical guidance on cybersecurity practices, training & supervision, and preparing clients.


First, the important points.

I’m a fan of the opening line of the synopsis:

  • “The basic responsibilities that a lawyer owes the client – competence, diligence, communication, and confidentiality – lie at the core of lawyer’s professional obligations and remain unchanged irrespective of the lawyer’s physical location.”

That’s critical: the pandemic hasn’t lessened or diminished our professional obligations.  Our responsibilities remain the same as in 2019 when we were working in our offices.  Further, our basic obligations to clients will not change once the pandemic ends. As the opinion points out, “it is expected that lawyers, like other professionals, will continue to work remotely in some form after the pandemic.” So, the guidance, while issued in response to the pandemic, will prove valuable in an increasingly remote post-pandemic workplace.

Next, the opinion reiterates what I’ve been blogging for years: competence includes tech competence.  Pages 2 and 3 include language that I’m certain will worry lawyers.  The language, however, is important to take to heart.

  • “Basic technological competence includes, at a minimum, knowledge of the types of devices available for communication, software options for communication, preparation, transmission and storage of documents and other information, and the means to keep the devices and the information they transmit and store secure and private.”

As the opinion notes, large firms likely will employ IT professionals for these issues.  Small firms and solos are reminded that they “may need to retain the services of an expert if they lack the knowledge to personally manage the technological aspects of practice.”

Finally, the conclusion ties together the first two points in an important reminder:

  • “The COVID-19 pandemic has dramatically changed how lawyers work and represent their clients. Some of these changes may be temporary but others are likely part of a movement towards increased reliance on technology in the practice of law. As working remotely has become the new normal, lawyers must develop new skills and knowledge to comply with their core responsibilities.”

Indeed.

I’ll finish by cutting and pasting the guidance and practical tips that begin on page 10 of the Wisconsin opinion.  I’ve reformatted & renumbered the footnotes to endnotes.

***

General Guidance

It is impossible to provide specific requirements for working remotely because lawyers’ ethical duties are continually evolving as technology changes. It is possible, however, to provide some guidance.

Cybersecurity Practices

Because working remotely relies on technology, competence in technology and cybersecurity practices are essential. The following cybersecurity practices have been recommended by a number of ethics opinions[i] and other resources. None of these practices are new: they are reasonable precautions that have helped lawyers fulfill their ethical obligations, especially the duty of confidentiality, when working in the office and when working remotely, whether at home during evenings and weekends, or during travel for work or vacation.

  • Require strong passwords to protect data and to access devices. The more complex the password, the less likely that an unauthorized user will be able to access data or devices by using password cracking techniques or software.
  • Use two-factor or multi-factor authentication to access firm information and firm networks. Although requiring an additional authentication step, such as a six-digit code sent to the lawyer’s phone or email, may seem inconvenient or burdensome, it is a reasonable precaution that increases protection and reduces the likelihood of unauthorized access by providing an additional layer of security beyond a strong password.
  • Avoid using unsecured or public WiFi when accessing or transmitting client information. Hackers can access unencrypted information on unsecured WiFi and can use unsecured WiFi to distribute malware.
  • Use a virtual private network (VPN) when accessing or transmitting client information. A VPN encrypts information and allows users to create a secure connection to another network.
  • Use firewalls and secure router settings. A firewall monitors and controls incoming and outgoing network traffic based on predetermined security rules: it establishes a barrier between a trusted network and an untrusted network. A router connects multiple devices to the Internet, and connects the devices to each other.
  • Use and keep current anti-virus and anti-malware software. Anti-virus and anti-malware both refer to software designed to detect, protect against, and remove malicious software.
  • Keep all software current: install updates immediately. Updates help patch security flaws or software vulnerabilities, which are security holes or weaknesses found in a software program or operating system.
  • Supply or require employees to use secure and encrypted laptops. All lawyers and staff should use only firm issued devices with security protections and backup systems and prohibit storage of firm or client information on unauthorized devices. All devices used by the lawyer, such as desktop computers, laptops, tablets, portable drives, phones, and scanning and copy machines, should be protected.
  • Do not use USB drives or other external devices unless they are owned by the firm or they are provided by a trusted source.
  • Specify how and where data created remotely will be stored and how it will be backed up.
  • Save data permanently only on the office network, not personal devices. If saved on personal devices, take reasonable precautions to protect such information.
  • Use reputable vendors for cloud services. Transmission and storage of firm and client information through a cloud service is appropriate provided the lawyer has made sufficient inquiry that the service is competent and reputable.[ii]
  • Encrypt emails or use other security to protect sensitive information from unauthorized disclosure. A lawyer should balance the interests in determining when encryption is appropriate.
  • Encrypt electronic records, including backups containing sensitive information such as personally identifiable information.
  • Do not open suspicious attachments or click unusual links in messages, email, tweets, posts, online ads.
  • Use websites that have enhanced security whenever possible. Such websites begin with “HTTPS” in their address rather than “HTTP,” and encrypt the communication.
  • Provide adequate security for video meetings or conferences. The FBI has recommended the following steps: use the up-to-date version of the application; do not make the meetings public; require a meeting password; do not share the link to the video meeting on an unrestricted publicly available social media post; provide the meeting link directly to the invited guests; and manage the screen-sharing options.[iii] In selecting a videoconferencing platform, the lawyer should make sure it is sufficiently secure both in its structure and its contractual terms of use, especially any terms on access to user information.[iv]
  • Do not have work-related conversations in the presence of smart devices such as voice assistants. These devices may listen to and record conversations.[v]

Training and Supervision

To comply with the duties required by SCR 20:5.1 and 5.3, partners, managers and supervisory lawyers should consider whether the firm’s policies and procedures are adequate to address the specific challenges that may arise when lawyers and nonlawyer assistants are working remotely.

  • Establish and implement policies and procedures for cybersecurity practices. These policies and procedures should be in writing and provided to all lawyers and nonlawyer assistants, and stress compliance.
  • Establish and implement policies and procedures for the training and supervision of lawyers and nonlawyer assistants in the firm’s cybersecurity practices. Training is the most basic step in avoiding a cyberattack at a law firm. In other words, it is extremely important to develop a culture of awareness. The most serious vulnerabilities of a cybersecurity system are not the hardware or software, but rather the people who use it. It is estimated that 90% of cybersecurity breaches are due to human error.[vi]
  • Establish and implement policies and procedures regarding remote workspaces to mitigate the risk of inadvertent or unauthorized disclosures of information relating to the representation of clients. Remote workspaces should be private to ensure that others do not have access to phone conversations, video conferences, or case-related materials.
  • Hold sufficiently frequent remote meetings between supervising attorneys and supervised attorneys, and between supervising attorneys and supervised nonlawyer assistants to achieve effective supervision.

Preparing Clients

Representing a client remotely may present challenges to competent representation.[vii] Consequently, a lawyer should carefully consider whether the lawyer can adequately prepare the client to testify or for interviews while working remotely.

  • The lawyer and the client should have sufficient ability with the technology.
  • The lawyer and the client should have access to relevant documents.
  • The lawyer and the client have adequate time and attention to ensure the client’s comfort with communicating by the medium that will be used.

[i] See, e.g., Wisconsin Formal Ethics Opinion EF-15-01: Ethical Obligations of Attorneys Using Cloud Computing (Amended September 8, 2017).

[ii] Wisconsin Formal Ethics Opinion EF-15-01.

[iii] https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-ofteleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic

[iv] Lawyers must understand that if video conferences are recorded the vendor may retain a copy under the terms of service. See INSIGHT: Zooming and Attorney Client Privilege, https://www.bloomberglaw.com/exp/eyJjdHh0IjoiQ1ZOVyIsImlkIjoiMDAwMDAxNzEtZWExYy1kMDAwLWE5N2YtZ WE3ZTkwYWMwMDAxIiwic2lnIjoidVliaWhQR3J3ZmpWcDBKeE5KY1JYV1c0RlcwPSIsInRpbWUiOiIxNTkwMjQwMzM 1IiwidXVpZCI6IndNWHUzdVFGajBEWGxkZFBKcTNSVVE9PU1ZZmVtSkhLU0hBMWtPNG8rTE50eGc9PSIsInYiOiIxIn0= ?usertype=External&bwid=00000171-ea1c-d000-a97fea7e90ac0001&qid=6912181&cti=LSCH&uc=1320042032&et=SINGLE_ARTICLE&emc=bcvnw_cn%3A7&bna_news_ filter=true

[v] For example, Google and Amazon maintain those recordings on servers and hire people to review the recordings. Although the identities of the speakers are not disclosed to these reviewers, they might hear sufficient details to be able to connect a voice to a specific person. https://www.vox.com/recode/2020/2/21/21032140/alexa-amazongoogle-home-siri-applemicrosoft-cortana-recording .

[vi] https://www.techradar.com/news/90-percent-of-data-breaches-are-caused-by-humanerror#:~:text=A%20new%20report%20from%20Kaspersky,carried%20out%20by%20cloud%20providers .

[vii] The New York County Lawyers Association Formal Opinion 754-2020 at 3.