You walk into a coffee shop or hotel that offers free public Wi-Fi, with your company email, your banking app, and your Amazon Prime app all residing on your cell phone or tablet. When you walk out, those bank account numbers, sensitive client documents, and Amazon passwords have been picked up electronically by a person you never noticed who was sitting in a corner with a digital capture device.
Another way your data might be accessed happens when you log into a Wi-Fi network and it asks you to accept its terms of use or a user agreement. By selecting “accept,” you’re allowing the network to access everything on your device. You may be asked to download something in order to access that network, and if you do, you’ve opened the door for malware on your device.
“You’ll see that at hotels here in the United States,” said an FBI supervisory special agent who requested that their name be withheld to protect their digital footprint. “You’ll use their Wi-Fi, you’ll be redirected to a page and you have to agree to terms, a user agreement. So the same thing could happen overseas. The very first thing you’re presented with when you connect to a network is some sort of action you do, whether that’s a check box or going to a site, or loading a page.”
As soon as a device connects to a network, it is vulnerable to the limitations of that network’s security. Once an entity has access to a device, a keylogging program can follow every keystroke that’s made on the device. Screenshots also can be captured and saved.
A Kremlin in the networks
Attorneys are likely to have access to their work email on their phones, including sensitive, confidential client documents and communications. Attorneys could be held liable if those are compromised as a result of security lapses.
“If we have sensitive information of a client and it gets out to parties who aren’t supposed to have it and then that somehow damages the client, the client then could potentially turn around and sue us for negligence or potentially malpractice,” said Charles Kinney, an attorney at Collins and Lacy in Columbia. “Under the rules of professional responsibility you’re supposed to have a level of competence. And with the newer rules, those levels of competence also go into being technologically savvy and protecting clients’ information and your information.”
Karen Painter Randall, partner at Connell Foley in Roseland, New Jersey and director of the University of South Carolina School of Law Cybersecurity Legal Task Force, says law firms hold a Pandora’s box of confidential information, “yet are soft targets for cybercriminals.”
Law firms could suffer ethical, reputational, and operational harms if they fail to implement measures to protect the sensitive and confidential data of clients. The American Bar Association’s Standing Committee on Ethics and Professional Responsibility issued a formal opinion in 2018 regarding an attorney’s obligations after an electronic data breach or cyberattack.
In some countries, it’s not just a hacker in a black hoodie that attorneys have to worry about using public Wi-Fi to access a device—it may be the local government. Governments of nations like China and Russia control their public Wi-Fi systems, which gives them unlimited access to data.
“This is more prevalent overseas because businesses don’t have as much guidance or restrictions on how they conduct and protect data,” the FBI agent said. “In some countries, their infrastructure for cellular and wireless service is owned by the government. So they might not have any way to protect your data because the government would have to have 24-7 access as part of that service being provided in that country.”
A process, not a product
North Carolina has enacted a breach notification statute that requires businesses, including law firms, to notify citizens and clients of a cybersecurity breach. It also allows a private right of action for any individual who suffers an injury as a result of the breach. Most recently, two attorneys in the state were disciplined by the bar for failure to verify procedures before wiring funds in real estate transactions that were actually part of a wire fraud scam.
Although nothing is absolute when it comes to cybersecurity, there are some ways attorneys can protect their devices and the information to which they have access.
Tod Eberle, chief of the National Security & Cyber Section of the U.S. Attorney’s Office, said that the most common current sources of cyberattacks are nation-state hacking, dark net marketplaces, and transnational organized crime. Businesses are getting hit hard in the United States with compromised emails and ransomware, he said. Account takeovers including theft of credentials are common as well.
“Law firms should understand that cybersecurity is a process, not a product,” Painter Randall said. She recommends firms follow the National Institute of Standards and Technology (NIST) and ISO 27001 guidelines, along with ethics guidelines, in their cybersecurity plans.
Companies need to conduct a cybersecurity evaluation and develop a protection plan, including a response plan should the system be compromised. Data should be backed up regularly so it can easily be recovered if there is a ransomware attack. It’s not a question of if a company’s system is breached, but when.
“Importantly, the law firm should transfer cyber risk by procuring a standalone cybersecurity policy of insurance to cover first and third party losses associated with a breach,” Painter Randall said. “These policies have preferred and knowledgeable incident response forensic and legal experts available to help reduce exposure and to assist 24/7 with response efforts.”
Attorneys, meanwhile, should turn off the Wi-Fi setting on their phones and devices, deny apps any access to geolocation, photos, cameras, microphones, or other settings, and be vigilant about the apps they download. For even more security, they can set up their own Virtual Private Network and always have their devices connected to it—although even with a VPN, anything that has already been downloaded to a device could have already compromised its security.
“You’re going to a service that you are aware of and is providing encryption protection for the data that you’re utilizing. You can still get on a Wi-Fi network, but the first thing that you do is you connect to your VPN,” the FBI agent said.
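The advice above is to join the Wi-Fi and then, before doing anything else, connect to the VPN. In practice, a VPN client can report "connected" while the operating system still sends some or all traffic straight out over the Wi-Fi adapter, so a quick pre-flight check that the tunnel actually owns the default route is worth having. The script below is an added example written for this article, not code from the article, the FBI, or any VPN vendor. It assumes a Linux laptop where `ip -4 route show` lists the routing table and the VPN client creates a tunnel interface named tun*, wg*, ppp* or utun* (an assumed naming convention; adjust TUNNEL_IFACE for your client). The two routing tables embedded in it are constructed samples.

```python
"""
Pre-flight check: is the VPN tunnel really carrying default traffic?

Added example for this article, not the article's or any vendor's code.
Assumes a Linux host and the `ip -4 route show` output format.
"""
import re
import subprocess
import sys
from typing import List, Optional

# Interface names treated as VPN tunnels (assumption, see module docstring).
TUNNEL_IFACE = re.compile(r"^(tun|wg|ppp|utun)\d+$")

# Destinations that cover the whole IPv4 space.
FULL_DEFAULT = {"default", "0.0.0.0/0"}
# OpenVPN's "redirect-gateway def1" installs these two /1 routes instead of
# replacing the default route; together they override it (longest prefix wins).
HALF_DEFAULTS = {"0.0.0.0/1", "128.0.0.0/1"}

# Constructed sample: laptop on hotel Wi-Fi, no VPN.
SAMPLE_WIFI_ONLY = (
    "default via 192.168.1.1 dev wlan0 proto dhcp metric 600\n"
    "192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600\n"
)

# Constructed sample: same laptop after an OpenVPN full-tunnel connection.
SAMPLE_OPENVPN = (
    "0.0.0.0/1 via 10.8.0.1 dev tun0\n"
    "default via 192.168.1.1 dev wlan0 proto dhcp metric 600\n"
    "10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2\n"
    "128.0.0.0/1 via 10.8.0.1 dev tun0\n"
    "192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600\n"
    "203.0.113.5 via 192.168.1.1 dev wlan0\n"   # host route to the VPN server itself
)


def parse_routes(route_output: str) -> List[dict]:
    """Parse `ip -4 route show` lines into {dst, via, dev, metric} dicts."""
    routes = []
    for line in route_output.splitlines():
        parts = line.split()
        if not parts:
            continue
        entry = {"dst": parts[0], "via": None, "dev": None, "metric": 0}
        for key in ("via", "dev", "metric"):
            if key in parts:
                value = parts[parts.index(key) + 1]
                entry[key] = int(value) if key == "metric" else value
        routes.append(entry)
    return routes


def is_tunnel(dev: Optional[str]) -> bool:
    return bool(dev) and TUNNEL_IFACE.match(dev) is not None


def vpn_is_primary(route_output: str) -> bool:
    """True only if the route that wins for arbitrary destinations is a tunnel.

    Caveat: only the main routing table is inspected. Clients that use policy
    routing (for example wg-quick's separate table plus fwmark rules) also
    need `ip rule` and `ip route show table <id>` examined.
    """
    routes = parse_routes(route_output)

    # Case 1: both /1 halves via the tunnel beat any /0 default regardless of metric.
    halves = [r for r in routes if r["dst"] in HALF_DEFAULTS]
    if {r["dst"] for r in halves} == HALF_DEFAULTS and all(is_tunnel(r["dev"]) for r in halves):
        return True

    # Case 2: among plain default routes, the lowest metric wins.
    defaults = [r for r in routes if r["dst"] in FULL_DEFAULT]
    if not defaults:
        return False
    best = min(defaults, key=lambda r: r["metric"])
    return is_tunnel(best["dev"])


def verdict(route_output: str) -> str:
    """One-line result for a wrapper script or shell prompt."""
    if vpn_is_primary(route_output):
        return "OK: VPN tunnel is carrying default traffic"
    return "WARNING: traffic is leaving directly over the local network"


if __name__ == "__main__":
    # Live check; non-zero exit lets a wrapper refuse to start a sensitive app.
    out = subprocess.run(["ip", "-4", "route", "show"],
                         capture_output=True, text=True, check=True).stdout
    print(verdict(out))
    sys.exit(0 if vpn_is_primary(out) else 1)
```

Run it from a shell alias or a launcher wrapper before opening the mail client; on the constructed samples the Wi-Fi-only table produces the warning and the OpenVPN table passes. A "split tunnel" configuration, where only some destinations go through the VPN, will and should fail this check, since that is exactly the case where client documents could leave over the hotel network.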
Another suggestion is to have two cell phones, one for personal use and the other for professional use, and keep all the information and apps, like email, separate. Something as seemingly innocent as a free video game can contain malware.
“Clients may forgive the law firm once after an incident but will take their business elsewhere if the firm suffers another attack,” Painter Randall said. “Being prepared and responding quickly to a cybersecurity incident will help mitigate cyber-risk and keep clients coming back.”
Follow Rene on Twitter @BobcatRenee