Lawyers face new security expectations after rule change
Peter Vieth//March 28, 2016
Lawyers face new security expectations after rule change
Peter Vieth//March 28, 2016//
It’s a question no one answers.
For most folks, security mandates silence. You never give out your password, especially not to some official sounding IT person on the phone.
Some lawyers might not disclose their password for another reason: It’s embarrassingly simple.
Whether from annoyance or lack of imagination, a lot of people resort to “123456” or “password” when the computer screen demands a password.
For lawyers who take such a casual approach to security, the Supreme Court of Virginia has sounded a warning. If your client secrets are compromised by short-sighted digital defenses, trouble lies ahead.
New language in the ethics rules makes it clear that lawyers have a duty to take reasonable preventive steps to protect client information.
The changes took effect March 1. With the change has come an increased appetite among attorneys for cyber security knowledge.
The rule changes were the result of a nearly two-year conversation with lawyers, digital experts and those who regulate the legal profession.
An addition to Rule 1.6 of the Rules of Professional Conduct now requires “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, [client] information….”
A new comment to the rule calls on law firms to “keep abreast on an ongoing basis of reasonable methods for protecting client confidential information.”
Areas to address include staff training, preventing access by departing employees, controlling access by third parties, data backup, password strength and security software.
After two years of talk, are lawyers now any more sensitive to the need for cyber security? “Oh, absolutely,” says Sharon D. Nelson, a past-president of the Virginia State Bar and president of Sensei Enterprises Inc. of Fairfax. “It’s enormous. They are so hungry for information about information security.”
Nelson had just returned from speaking at the American Bar Association TechShow in Chicago. She said lawyers asked very specific questions about information protection.
Ellen C. Carlson of Norfolk is among small firm lawyers riding the wave to better practices for security. She said lawyers are gradually becoming more comfortable with technology.
She knows of lawyers who still have secretaries print out emails and deliver them to the desk along with the paper mail. Nevertheless, in the last five years, she has had not had a case with an opposing lawyer who refused to communicate by email.
And lawyers are recognizing the need for security in the process. “There’s definitely awareness of protecting client information,” she said. “They seem to be paying attention to that now,” she added.
Carlson has been a regular attendee at the Virginia State Bar’s TechShow.
“I came back with a lot of good ideas about things we could do to make things safer for our clients,” she said.
The 2016 VSB TechShow is April 25 at the Richmond Convention Center. The fee is $100 and includes a lunch.
More than 430 people had signed up as of March 17, Nelson reported. Even with a larger facility this year, the event was in danger of selling out.
“Part of it is the sheer hunger [for information] and part of it is: These are really great experts,” Nelson said.
Easier than you think
For lawyers looking to shore up their defenses against hackers and inadvertent disclosures, the biggest obstacle is the perception of cost, Nelson said.
Reasonable security is not as expensive as some might think, she said. Basic standards are published in a 24-page, easy-to-read publication from the National Institute of Standards and Technology.
“It’s not overly burdensome,” she said.
Lawyers also are unsure who to listen to when they decide to upgrade security measures. Some lawyers “just don’t want to change,” Nelson said.
For those who embrace the new security standards, it’s more than just complying with broadly worded rules. It’s also a marketing tool, Nelson said.
“They want to be able to say they’ve taken these steps,” she said.
In the digital age, awareness of the potential threats is essential.
Nelson said would-be hackers are using any tool available to slip past lawyers’ safeguards. One of their tricks: Locating court case information in public files and sending custom emails to fool the lawyer into thinking he’s clicking on an attachment with a case-related document.
“It’s like chum. Remember ‘Jaws’? All this chum is being thrown out there and the sharks are gobbling it up and using it against you,” Nelson said.
There is no shortage of opportunities for lawyers to learn what is required. Programs and seminars will be plentiful this year.
“We felt obliged, if we were going to make these ethical requirements, to provide a large educational component,” said James M. McCauley, VSB Ethics Counsel.
Besides the VSB TechShow, various bar groups are sponsoring “Tech Talk” or similar programs in coming months. The VSB’s solo and small firm conferences will offer multiple presentations on cyber security.
“We’re doing a huge push on this,” McCauley said.
Bar officials said the focus of the new rules language is education, not bar discipline. Both McCauley and Bar Counsel Edward L. Davis said they were unaware of any Virginia lawyer — current or past — facing trouble because of cyber-incompetence.
“The idea behind the guidelines is to emphasize the duty of lawyers to realize the times have changed,” Davis said. “We’ve just got to be reasonably vigilant and take reasonable measures,” he added.
It’s not the lawyer who has to become a tech whiz, Davis said. Hiring staff with cyber skills or hiring outside experts is the way most attorneys meet the “reasonable efforts” standard.