Cyber Security for Law Firms – Do It! 10/11/17
Prof. Stephen Sieberson shares the latest information on cyber protection at the annual OBA-CU Ethics workshop.
By Andy Roberts
The Daily Record
You’re an attorney, sitting at your office desk, quietly working on a case.
Who could possibly want to know the content of that document?
According to Professor Stephen C. Sieberson from the Creighton University School of Law, a whole lot of people.
“I would say attorneys are just as vulnerable … as any other business people,” Sieberson said. “I can see segments of the population that would want to hack us for information.”
That, according to Sieberson, should not come as a surprise given the adversarial nature of the profession and the simple joy some people apparently get just from hacking into computer systems.
“Any time people have confidential information, as attorneys do, there will be someone who wants to get that information,” he stated. “Having said that, it’s a scary world out there.”
Sieberson and technology consultant Rich Hoffman, of United Lex, recently gave a presentation to lawyers on cyber security. Both agreed that cyber security is a subject that lawyers need to take with great seriousness.
“We operate under very strict confidentiality rules,” he emphasized. “We are supposed to keep confidential the work we do for our clients.”
According to material provided by Sieberson and Hoffman, there are a number of reasons why an attorney may be hacked. Those include:
a. Picking your pocket
b. Adware and spam
c. Stealing intellectual property
d. Turning you into a bot client (bot is short for robot)
For an attorney, as Sieberson pointed out, losing information is not only a loss for the lawyer, but also a failure to fulfill the legal obligations of the profession.
“I am not,” Sieberson answered when asked if he was aware of any local horror stories. Still, the news is full of hacks that are nothing short of devastating for businesses, and he cited a recent legal opinion from Iowa that pointed to the practitioner’s obligation to warn clients of their vulnerability and the potential intentions of hackers.
“It’s a new world we’re operating in from 30 years ago,” Sieberson stated, adding the old methods of doing things are not adequate. “You’ve got to be more modern than that.”
Sieberson said if a law office is hacked, it would help the attorneys who have been victimized to have records of a security consultation. “Even if it’s a consultant who came out for one hour.”
As for a particular challenge, Sieberson said the advice that is being shared is standard and solid enough to provide some help if it is followed. Simple things like using passwords to protect your information are a big first step, and that is not terribly expensive. You also should add a second level of identification.
Sieberson and Hoffman offered these best practices for law firms:
a. Don’t use personal accounts for law firm correspondence
b. Don’t use personal cloud/internet systems (DropBox, iCloud, Google Drive)
c. Don’t store firm documents on home computers or storage devices
d. Require employees to have strong passwords; reset regularly
e. Limit USB devices
f. TWO FACTOR AUTHENTICATION (more than a password)
All of this is something that should not be terribly difficult to accomplish.
“I don’t think cost is the biggest thing. It’s just keeping up,” Sieberson emphasized. That means staying on top of changes in technology, and much of that is information you can learn about through the news.
The profession can do more to help protect itself. Sieberson suggested that either the Omaha or Nebraska State Bar Association create a regular feature on technology in their newsletters to advise lawyers on technology issues.
“Some states are requiring lawyers to take one-hour courses on security,” he said. “I say, more power to them.”
The near future is not likely to provide much relief from this threat, Sieberson said.
“I think it’s going to get harder and harder [to protect against the threat],” he stated. “It’s just work. You can’t pretend it’s not a problem.”
Where does a law firm begin to tighten its cyber security? Building on his earlier comments, Sieberson said attorneys “absolutely” need to have a tech partner.
“If you’re a big firm, you’ll probably have somebody working in-house,” he said. Smaller firms need to have a technology consultant. At Creighton that’s not a problem, he pointed out, as “we have technology people all over the place.”
There may be new technologies on the horizon that will make us more secure.
Sieberson pointed out that the new Apple iPhone has facial recognition security. If that can be done on a cell phone, he suggested, maybe it can be done on office computers.
“Is that the end?” he asked. “I really don’t know.”
Maybe something will be developed with DNA analysis, Sieberson offered.
For now, use passwords and change them often, and it is best to do it with a PIN or other second security element.
“Take your technical security seriously and pay attention to developments,” Sieberson stressed.
For now, Sieberson and Hoffman offered the following recommendations for law firms:
a. Update your devices and software
b. Don’t give out your password
c. Change your passwords often
d. Password protect mobile devices
e. Download programs only from reputable sites
f. Log out of accounts after you’re done with them
g. Use secured wireless networks
h. Charge your phone on reliable USB ports
With awareness and a good level of due diligence, lawyers should be able to maintain a good level of security for themselves and their clients.
The Nebraska State Bar Association Annual Meeting is offering several CLE sessions, especially these three on Thursday, Oct. 12:
• Tech and Cyber Law: Confidence in Contracting and Cutting Costs: Why Attorneys Need to Pay Attention to Blockchain Systems (1 hour of CLE)
• Catherine Sanders Reach from the Chicago Bar Association will be presenting, “Tech Talks Lunch: 60 Tech Tips in 60 Minutes” and “Information Management and Efficient Law Practice.”
• Business and Corporate Counsel: Cloud Computing: Key Legal and Business Issues and Other Practical Considerations (2 hours of CLE)