A friend of mine used the word “lede” in a text she sent me earlier this week. So impressed that she knew the proper spelling, the word has stayed on my mind ever since. Good thing. Because as I proofed this post, I realized that I almost buried the lede.
Even Vermont-sized law firms are vulnerable to hackers.
In January, hackers stole data from five small firms. From each, the hackers demanded 100 Bitcoin to restore access to the data and 100 Bitcoin not to sell it. Then, the hackers began publishing the data on the web. Among others, Law.Com, CoinTelegraph and the ABA Journal have the story.
Did I mention that, at the time, 100 Bitcoin cost $930,000? Today it’s only $890,416.
I’ll return to the story in a moment. First, however, I’d like to introduce Jim Knapp.
Jim is Vermont State Counsel for First American Title Insurance. But the day I blog about underwriting will be the day I retire as a blogger.
For many years, Jim and Kevin Ryan presented their famed “Road Show” across Vermont. It was a CLE that included great tips on tech and data security. You know – tech competence!
I’ll start with the basic premise: lawyers have a duty to take reasonable precautions against the inadvertent disclosure of or unauthorized access to information relating to the representation of a client. The duty applies to the electronic transmission and storage of client information & data.
As I noted here, there is no set answer to “what are reasonable precautions?” The ABA’s Standing Committee on Ethics and Professional Responsibility agrees. In Formal Opinion 477, the Committee advised:
- “What constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors. In turn, those factors depend on the multitude of possible types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.”
With respect to cyber threats, the Committee stated:
- “the reasonable efforts standard. . . rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”
Now, back to the story of the hackers.
Along with blogger’s block, the story made me realize that today is a great day for a Q&A with Jim Knapp. Jim was kind enough to agree.
MK: Thanks for doing this Jim. First reaction when you read about the hack?
Jim: So, this would be deemed a really bad day! First you are locked out of your system, and even if you had good recent backups, and could expend the money and time to restore everything, second, the bad actors are still threatening to sell / release your data. Not to mention, now you have a data breach and must satisfy all the legal requirements related to the analysis and notifications imposed by State laws. What a way to start a week!
MK: I’ll say. For me, this hit home because it didn’t involve one of the ginormous multi-national firms. The firms involved are similar in size to most Vermont firms. How do Vermont lawyers protect themselves?
Jim: As we’ve seen, the 2020s are barely a few weeks old and the news is not good. Ransomware has reached a new high(?) / low (low). The bad actors are not just encrypting your files, they are offering to publish your firm’s files to the public, or at least the public that uses the dark web.
You can no longer rely on having anti-virus software as your only means of protection. Backups are important to recover your data in the case of disaster, but a good backup won’t stop a bad actor from publishing data they have stolen from your firm. Acting reasonably is acting from a sufficient pool of knowledge to understand the risks and the potential solutions.
MK: I love the last sentence: “acting reasonably is acting from a sufficient pool of knowledge to understand the risks and the potential solutions.” Many lawyers, myself included, aren’t exactly tech savvy. My sense is that many firms “leave that to the IT person.” Of course, in the end, a lawyer is responsible for ensuring that the nonlawyer staff – including IT staff and vendors – are protecting client data. Anyhow, how do we move from toes-in-the-water to the deeper end of that pool of knowledge? Some states require tech CLE. In December 2018, I posted this blog wondering if we should.
Jim: While the idea of mandatory participation in professionalism, mindfulness, wellness, etc., are all good subjects, it seems to me that perhaps mandatory participation in cybersecurity training would be a worthy subject. Not just for lawyers but for all persons who work in a law office. As regards Vermont, out of the 2700+ lawyers, I’ll bet not more than 350-400 unique persons have attended a well prepared and presented program on cybersecurity. Of course, those folks will roll their eyes, if they have to hear one more presentation on “don’t click”; have good passwords etc.
MK: I agree. But I still run into lawyers who say, “I wouldn’t even know what the presenters are talking about.”
Jim: Gaining a suitable level of the essential elements of data security is a challenging task if you choose to pursue this on your own. The key is finding a suitable CLE program that can translate the arcane elements of information security into knowledge you can use to assess how safe your law office environment is. Everyone whose practice depends on the availability of information stored on a computer system owes it to their clients and to themselves to attend enough CLE programs to understand what options exist for protecting their digital information.
MK: Music to my ears! But it has to be more than just “go to a tech CLE,” right?
Jim: Training is a key element to protecting your digital environment. But training alone isn’t sufficient, as no matter how diligent you are in reminding all your colleagues not to open questionable emails, stay away from questionable websites, and to watch out for the social engineers looking to convince you to hand over key information like passwords, the bad actors will eventually find an opening and pounce.
Information security for a law office involves all kinds of elements, from
- properly configuring the hardware included in your network, like the router that connects your office to the outside world; to,
- running a suitable firewall; to,
- using effective anti-malware software; to,
- keeping your operating system and applications up to date with all patches (Note: if you are still using Windows 7 you must STOP now. Microsoft is no longer providing patches for Windows 7 and there are still numerous vulnerabilities that have never been fixed and now will not be fixed)
- possibly running intrusion detection and intrusion prevention systems within your network;
- and more.
MK: Good stuff! Last question before we lose everyone: I’ve often called you for tips on backing up client data. Can you give us the quick version that you’ve given me on backups, airgap, etc.?
Jim: Backup, like all tech issues, has lots of components. The right backup strategy depends on what kind of data you have, how much data you have, and where you store your data. But, everyone should consider at least the following elements:
- Nearline – a backup that is connected to your network storage, or to your personal PC (wherever you store your day to day work product) all the time and periodically (hourly, every few hours, at least twice a day), duplicates the data in your data storage. Usually, an external USB hard drive purchased for less than $100.00 will suffice. This allows you to recover immediately, or nearly immediately from a problem with your storage device, e.g. your hard drive or SSD croaks at 3:30 and the response to the motion for summary judgment is due tomorrow.
- Offline – a backup that is stored off-site. It can be cloud based, or a rotation of physical drives, one of which is stored off-site at all times. This provides a recovery option for the electrical surge that kills your onsite storage, a fire, a flood, or somebody breaks into your office and steals the computers. This backup is run at an interval calculated by how much work-product you are willing to lose and have to recreate. It could be measured in weeks, but I would offer that daily is a more reasonable assessment.
- Airgap – this is a backup device that is only connected to your network or the PC while the backup is running. This is one tool in the kit to address a ransomware attack on your systems. Again, an airgap backup will typically fit on a good quality external USB hard drive which is a $100 item. To run the backup, you connect the device to the storage device you want to backup, and as soon as the backup is complete, you disconnect the backup device and store it safely away from any connection to your data storage systems.
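One way to turn Jim’s three tiers into a checklist a firm can run against its own backups, as an added example (not Jim’s code or anything from the original post); the cadence thresholds are my reading of his “at least twice a day”, “daily”, and “connected only while the backup is running”, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Assumed policy derived from the three tiers described above.
POLICY = {
    "nearline": {"max_age": timedelta(hours=12), "may_stay_attached": True},
    "offline":  {"max_age": timedelta(days=1),   "may_stay_attached": True},
    "airgap":   {"max_age": timedelta(days=1),   "may_stay_attached": False},
}


def check_backups(records, now):
    """Return findings for every backup record that fails the policy.

    Each record is a dict with: tier, last_completed (datetime),
    attached (bool: the device is plugged in right now) and, for the
    offline tier, offsite (bool: a copy is off the premises right now).
    """
    findings = []
    seen = set()
    for rec in records:
        tier = rec["tier"]
        rule = POLICY[tier]
        seen.add(tier)
        age = now - rec["last_completed"]
        if age > rule["max_age"]:
            findings.append(f"{tier}: last backup is {age} old, exceeds {rule['max_age']}")
        # An "airgap" drive that stays plugged in is reachable by the same
        # ransomware as the live data, so it is really just a second nearline copy.
        if rec["attached"] and not rule["may_stay_attached"]:
            findings.append(f"{tier}: device is still connected outside a backup window")
        if tier == "offline" and not rec.get("offsite", False):
            findings.append("offline: no copy is currently stored off-site")
    for tier in POLICY:
        if tier not in seen:
            findings.append(f"{tier}: no backup of this kind exists")
    return findings


# Constructed sample: a healthy nearline drive, an offline rotation that
# never left the office, and an "airgap" drive someone forgot to unplug.
NOW = datetime(2020, 2, 28, 9, 0)
SAMPLE = [
    {"tier": "nearline", "last_completed": NOW - timedelta(hours=3), "attached": True},
    {"tier": "offline", "last_completed": NOW - timedelta(days=3), "attached": False, "offsite": False},
    {"tier": "airgap", "last_completed": NOW - timedelta(hours=20), "attached": True},
]

if __name__ == "__main__":
    for finding in check_backups(SAMPLE, NOW):
        print(finding)
```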
MK: I lied, one more question: you & I bumped into each other at church on Ash Wednesday. Was that your cell phone that went off during mass? Tech competence is a thing at worship too.
Jim: Fortunately no, neither of my cell phones was that particular culprit.
MK: Good. The ringtone reflected a failure to act competently when choosing a ringtone.
Jim: I have two cell phones because of the nature of the insurance business and my employer’s policies. Particularly, in the case of regulators, they can demand access to Company information, some of which may be stored on my phone. And, the Company retains the right to monitor and inspect all data stored on or passing through their data-stream. Now, while I have few secrets worth discovering, and after 40 years of practice in Vermont, net worth is not one of them, I have no desire to expose my personal information to either the regulators or the Company. Hence, I have a personal cell phone and a work cell phone. I would suggest that lawyers should consider the same analysis I did. If you were sued, do you really want opposing counsel and your appointed defense counsel rummaging through the materials on your phone?
MK: It’s almost as if you’ve seen what’s on my phone. No, I don’t want anyone rummaging through! Good reminder though: as I blogged here, lawyers who travel abroad should consider leaving behind devices that contain client data.
Thanks Jim, this was great!
To be clear: being hacked isn’t necessarily an ethics violation. Even reasonable security can be breached. My point today is to encourage lawyers and firms to assess the measures that they have in place. And, to encourage those who don’t know how to perform such an assessment to find someone who does.
Finally, if you or your firm has been breached, you should (1) read my post ABA Addresses Lawyer’s Duties in Response to a Data Breach; and (2) review the Attorney General’s outline of duties that arise under Vermont’s Security Breach Notice Act.
As always, let’s be careful out there.