What’s your password?

Listen to this article

“What’s your password?”

It’s a question no one answers.

For most folks, security mandates silence. You never give out your password, especially not to some official sounding IT person on the phone.

Some lawyers might not disclose their password for another reason: It’s embarrassingly simple.

Whether from annoyance or lack of imagination, a lot of people resort to “123456” or “password” when the com­puter screen demands a password.

For lawyers who take such a casu­al approach to security, the Supreme Court of Virginia has sounded a warn­ing. If your client secrets are compro­mised by short-sighted digital defenses, trouble lies ahead.

New language in the ethics rules makes it clear that lawyers have a duty to take reasonable preventive steps to protect client information.

The changes took effect March 1. With the change has come an increased appetite among attorneys for cyber se­curity knowledge.

The rule changes were the result of a nearly two-year conversation with lawyers, digital experts and those who regulate the legal profession.

An addition to Rule 1.6 of the Rules of Professional Conduct now requires “reasonable efforts to prevent the inad­vertent or unauthorized disclosure of, or unauthorized access to, [client] infor­mation….”

A new comment to the rule calls on law firms to “keep abreast on an ongo­ing basis of reasonable methods for pro­tecting client confidential information.”

Areas to address include staff train­ing, preventing access by departing em­ployees, controlling access by third par­ties, data backup, password strength and security software.

After two years of talk, are lawyers now any more sensitive to the need for cyber security? “Oh, absolutely,” says Sharon D. Nelson, a past-president of the Virginia State Bar and president of Sensei Enterprises Inc. of Fairfax. “It’s enormous. They are so hungry for infor­mation about information security.”

Nelson had just returned from speak­ing at the American Bar Association TechShow in Chicago. She said lawyers asked very specific questions about infor­mation protection.

Ellen C. Carlson of Norfolk is among small firm lawyers riding the wave to better practices for security. She said lawyers are gradually becoming more comfortable with technology.

She knows of lawyers who still have secretaries print out emails and deliver them to the desk along with the paper mail. Nevertheless, in the last five years, she has had not had a case with an oppos­ing lawyer who refused to communicate by email.

And lawyers are recognizing the need for security in the process. “There’s defi­nitely awareness of protecting client in­formation,” she said. “They seem to be paying attention to that now,” she added.

Carlson has been a regular attendee at the Virginia State Bar’s TechShow.

“I came back with a lot of good ideas about things we could do to make things safer for our clients,” she said.

The 2016 VSB TechShow is April 25 at the Richmond Convention Center. The fee is $100 and includes a lunch.

More than 430 people had signed up as of March 17, Nelson reported. Even with a larger facility this year, the event was in danger of selling out.

“Part of it is the sheer hunger [for infor­mation] and part of it is: These are really great experts,” Nelson said.

Easier than you think

For lawyers looking to shore up their defenses against hackers and inadver­tent disclosures, the biggest obstacle is the perception of cost, Nelson said.

Reasonable security is not as expensive as some might think, she said. Basic stan­dards are published in a 24-page, easy-to-read publication from the National In­stitute of Standards and Technology.

“It’s not overly burdensome,” she said.

Lawyers also are unsure who to listen to when they decide to upgrade security measures. Some lawyers “just don’t want to change,” Nelson said.

For those who embrace the new securi­ty standards, it’s more than just comply­ing with broadly worded rules. It’s also a marketing tool, Nelson said.

“They want to be able to say they’ve taken these steps,” she said.

In the digital age, awareness of the po­tential threats is essential.

Nelson said would-be hackers are us­ing any tool available to slip past lawyers’ safeguards. One of their tricks: Locating court case information in public files and sending custom emails to fool the lawyer into thinking he’s clicking on an attach­ment with a case-related document.

“It’s like chum. Remember ‘Jaws’? All this chum is being thrown out there and the sharks are gobbling it up and using it against you,” Nelson said.

There is no shortage of opportunities for lawyers to learn what is required. Programs and seminars will be plentiful this year.

“We felt obliged, if we were going to make these ethical requirements, to provide a large educational component,” said James M. McCauley, VSB Ethics Counsel.

Besides the VSB TechShow, various bar groups are sponsoring “Tech Talk” or similar programs in coming months. The VSB’s solo and small firm conferences will offer multiple presentations on cyber security.

“We’re doing a huge push on this,” Mc­Cauley said.

Bar officials said the focus of the new rules language is education, not bar dis­cipline. Both McCauley and Bar Counsel Edward L. Davis said they were unaware of any Virginia lawyer — current or past — facing trouble because of cyber-incom­petence.

“The idea behind the guidelines is to emphasize the duty of lawyers to real­ize the times have changed,” Davis said. “We’ve just got to be reasonably vigilant and take reasonable measures,” he add­ed.

It’s not the lawyer who has to become a tech whiz, Davis said. Hiring staff with cyber skills or hiring outside experts is the way most attorneys meet the “rea­sonable efforts” standard.