Bouchons, Cybersecurity & Ransomware

Yesterday, I met with lawyers from the Lamoille County Bar Association.  Leslie Black, president-emeritus (by my proclamation) of the LCBA, had me up to talk legal ethics.

As an aside, Leslie stole the show by showing up with a fresh batch of bouchons.  You might have heard of Thomas Keller and the Bouchon Bakery.   Fine stuff, I’m sure.

Well, Leslie’s lemon bouchons, with a hint of cinnamon, are better.  And that, my friends, is not mere puffery.   The trick, je pense, is her brown butter recipe.

Leslie – les bouchons etait magnifique!

Now, back to business.

First off, I hope I’ve disabused those who are less tech competent than others of the notion that “bouchon” has something to do with cybersecurity & ransomware.

Next, yesterday, we had an interesting discussion on cybersecurity & ransomware.  I’ve blogged previously on the issue here.  I’m blogging again for a few reasons.  Mainly, to stress a key point that David Polow made at the CLE:  back-up.  Storing info only in the cloud isn’t enough.

My prior blog post includes links to several helpful articles.  I failed to link to this one from the ABA Journal: Ransomware is a growing threat, but there are things you can do to protect your firm.  A critical point in the article echoes David:

  • “The panelists say that the core of ransomware protection is a robust backup system. However, Simek said that backups need to be tested on a periodic basis. If a firm’s backup is in the cloud, then redundancies of that backup system should be made as well—in other words, one backup is insufficient. For the truly business-critical data, McNew said a backup should be stored offsite and ‘air gapped,’ meaning it is not able to connect to the internet.”

Or, as Jim Knapp says, when it comes to backup “onsite, online, air-gap.”

Are you likely to be targeted? I don’t know.  It happened to one of the nation’s largest firms.  And, a Vermont firm was targeted in April.  The firm did not have sufficient back-up and data was at risk.

If it’s an issue that concerns you, talk to someone with a tech background.  Here are a few links from my original post that might be helpful:

As always, let’s be careful out there.

Ransomware & Cybersecurity Insurance

As I’ve often blogged, Rules 1.1 and 1.6 require lawyers to act competently to safeguard client data.

Last month, I became aware of a law firm that was the subject of a ransomware attack. The cyber attacker blocked the firm’s access to client files and demanded a ransom.

Reminder: if a lawyer’s electronic files are compromised in a cyber attack, the question of whether the lawyer violated the Rules of Professional Conduct will likely turn on whether the lawyer took reasonable precautions to safeguard against the unauthorized access of client data.  In other words, being the victim of an attack is not, in & of itself, an ethics violation.

For example, consider two scenarios.

Scenario 1:  Lawyer operates a solo practice.  Lawyer employs a state-of-the-art security system.  Nevertheless, a determined criminal uses C-4 to detonate into the office, into the safe, and then steals Lawyer’s files.

Scenario 2:  Attorney operates a solo practice.  Attorney keeps client files in an unlocked cabinet that’s on the front porch.  A lazy criminal walks up the steps, opens a drawer, and takes some of Attorney’s files.

Between the two, my guess is that a hearing panel is more likely to conclude that Lawyer is the one who took reasonable precautions against the inadvertent or unauthorized disclosure of confidential information.

In any event, on the subject of ransomware, here are a few thoughts:

As always, let’s be careful out there.

Hill Street Blues

ABA Journal Provides Cybersecurity Tips

Rules 1.1 and 1.6 operate to impose a duty to act competently to safeguard information relating to the representation of a client.  The duty includes taking reasonable steps to protect against the unauthorized or inadvertent disclosure of (or access to) electronically stored client data.

In 2018, the ABA Journal will publish a year-long series on cybersecurity.  Last month, and as part of the series, the ABA Journal posted 5 cybersecurity steps you should already be taking.  I recommend it.  A quick summary:

  1. Check to see if you’ve been pwned.
  2. Consider a password manager.
  3. Improve the strength of your passwords.
  4. Use 2-factor (or multi-factor) authentication.
  5. Encrypt your devices.

Again, read the post.  It’s not long, and the tips are as simple as they are valuable.

Finally, don’t forget that the Vermont Bar Association is offering its first ever Tech Day on May 16.  It’s shaping up to be a fantastic CLE.
