- Many lawyers still struggle to fully understand and implement steps to ensure they are engaging in good cyber hygiene because cyber threats and cybersecurity are always changing.
- Ethics rules require lawyers to take reasonable measures to protect data and client confidentiality.
- Cyber hygiene is necessary in today’s world, and lawyers are required by the ethical rules in most states to have a basic understanding of the risks of technology.
This article was written by Roberta Tepper, lawyer assistance programs director at the State Bar of Arizona, and Laura L. Keeler, practice management advisor at LCL Mass LOMAP, and originally appeared in The Big Ideas Issue (July/August 2023) of the ABA’s Law Practice Magazine.
Some Basics
Encryption
Other Considerations
When choosing technology, distinguish between solutions that provide document storage—whether a file-sharing solution or a more comprehensive practice management solution that offers storage and client portals—by asking questions such as: Does the product scan documents that are uploaded to be sure they are free from malware, viruses, etc.? Can you password-protect files or documents? Can you add encryption by use of an independent product?
The better products are usually business-grade technology. They will scan all incoming documents to be sure they are “safe.” Without the ability to scan for malware, you may pass on malware when sharing documents and may find your own system or network infected.
You will also want to consider firewalls. As the name implies, a firewall filters network traffic and so protects, to some degree, against intrusion and malicious data. A newer type is the cloud-based firewall, such as tools classified as firewall as a service, which includes many advanced security features and can protect data both in the cloud and on-premises, a good fit for hybrid cloud architectures.
Additionally, consider endpoint detection and response (EDR) tools, which continuously monitor end-user devices to detect and respond to cyber threats such as ransomware and malware. SentinelOne is an example of a cloud-based endpoint security system geared toward solos and small to midsize firms. Finally, enable the built-in disk encryption on end-user devices: if you have a Mac, turn on FileVault; if you have Windows 10 Pro or 11 Pro, turn on BitLocker.
Are You Doing What You Can?
Due Diligence
LastPass Breach
We can’t discuss cybersecurity without addressing the LastPass data breach. LastPass was long a favorite in the legal tech space, and the breach was shocking. Equally disturbing was the company’s lackluster response, which included delays, limited transparency and what many feel was an inadequate advisory of the seriousness of the risk to which users were exposed as a result of the breach.
Because notices of the scope of the breach were delivered in drip fashion, you may have missed the extent of the breach and the resulting risk. It was belatedly discovered that hackers had gained access to a backup of customer vault data. They were able to access unencrypted information such as company names, end-user names, phone numbers, billing addresses, payment card details, email addresses and the IP addresses that LastPass customers used to access the service. Since the attackers made a copy of the customer vault data, they also have the URLs of the websites that correspond with each encrypted username and password. Given that the attackers were able to access this information, the exposed personally identifiable information potentially puts those users at risk. If you were only using basic levels of authentication, such as letting users reset their account passwords by sending a recovery email or SMS text to their mobile, and your email addresses and phone numbers were compromised, you need to move to stronger measures to verify who can get into your accounts.
First and foremost, if you were a LastPass user, you should have already changed every password that was stored—and never use those old passwords or any variation of them again. Adding a few numbers or special characters to the end of old passwords that were compromised does not make them suddenly secure. You want to change to passwords that are long, strong and unique.
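To make the point above concrete, here is an added Python example (not from the article or its authors) that flags a proposed new password as a cosmetic variation of a compromised one, by stripping the case, trailing digits, punctuation and common letter substitutions people tack on, and then generates a long random replacement with the standard library's `secrets` module. The compromised passwords in `COMPROMISED` are constructed sample values, not real credentials, and the 16-character minimum is an assumed policy, not one the article states.

```python
import re
import secrets
import string

# Constructed sample of passwords known to be compromised (for instance,
# everything stored in a stolen vault backup). In practice this is the set
# you exported from the old manager and retired.
COMPROMISED = {"Summer2019!", "lawfirm123", "Passw0rd"}

# Common one-character substitutions that add no real strength.
_LEET = str.maketrans("@$013", "asole")


def core(password: str) -> str:
    """Reduce a password to its 'core': lower-case it, drop leading and
    trailing digits/punctuation, and undo the usual letter substitutions."""
    s = password.lower()
    s = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", s)
    return s.translate(_LEET)


def is_variation(candidate: str, compromised=COMPROMISED) -> bool:
    """True if the candidate equals, or merely decorates, a compromised password."""
    c = core(candidate)
    if len(c) < 4:
        return True  # nothing but decoration is left
    for old in compromised:
        o = core(old)
        if c == o or (len(o) >= 4 and o in c):
            return True
    return False


def is_acceptable(candidate: str, compromised=COMPROMISED, min_len: int = 16) -> bool:
    """Long, not on the compromised list, and not a variation of anything on it."""
    return (len(candidate) >= min_len
            and candidate not in compromised
            and not is_variation(candidate, compromised))


_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """A unique random replacement; the acceptance check re-runs so that an
    (astronomically unlikely) draw resembling an old password is rejected."""
    while True:
        pw = "".join(secrets.choice(_ALPHABET) for _ in range(length))
        if is_acceptable(pw):
            return pw


if __name__ == "__main__":
    for pw in ("Summer2020!!", "Passw0rd#7", "correct horse battery staple"):
        print(f"{pw!r}: {'reject' if is_variation(pw) else 'ok'}")
    print("suggested replacement:", generate_password())
```

Run against the samples, `Summer2020!!` and `Passw0rd#7` are rejected because their cores reduce to `summer` and `password`, while an unrelated long passphrase passes. A password manager's own generator does the same job as `generate_password`; the value of the check is catching the "just bump the year" habit before it reaches a live account.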
It’s also time to revisit your multifactor authentication (MFA) options and look for more secure methods such as a dedicated authenticator app or physical security key. Our colleagues have routinely recommended a third-party authenticator like Google Authenticator, Microsoft Authenticator or Duo Mobile. Or, if you’re looking for the top-rated physical security keys, sites such as TechRadar and PCMag have annual lists with recommendations.
If you’ve been a LastPass user, decide whether you want to stay with LastPass. Wired and other similar publications routinely publish lists ranking the available options for reputable password managers if you seek alternatives. And if you decide to leave, you’ll need to export your data, cancel your subscription so you won’t be auto-renewed and delete your account.
Thanks to our Practice Management Advisor of North America colleague, Catherine Sanders Reach, who has offered an excellent list of suggestions for those impacted in her blog for the North Carolina Bar Association’s Center for Practice Management. Some are measures you will wish to take immediately, like keeping a close eye on your bank statements, credit card activity and credit report, and keeping track of all devices logged into your accounts and removing those that you don’t recognize. Watch out for a dramatic increase in phishing emails. If you or your firm have not yet explored a robust cybersecurity insurance policy, now is the time. Keep in mind that not all insurance policies are the same, and do your research on how much insurance you may need.
Cyber hygiene is necessary in today’s world, and lawyers are required by the ethical rules in most states to have a basic understanding of the risks of technology. Reasonable practices include understanding how the systems you’re using are securing/encrypting your data, using unique passwords and using strong MFA tools. Notwithstanding the LastPass breach, password managers are still critical tools in your cyber hygiene toolkit.
. . .