Cybersecurity—Frequently Asked Questions

[These FAQs are neither legal advice nor an ethics opinion, and are not a substitute for your obligation to adhere to the requirements of the Michigan Rules of Professional Conduct (MRPC), the Michigan Code of Judicial Conduct , statutes, court rules, and/or case law and to review ethics opinions. This document does not reflect the ethical implications of any updates, modifications, or added features.]

Reminders

Cybersecurity: Frequently Asked Questions

Reminders

Lawyers have ethical obligations to understand technology, including cybersecurity, take reasonable steps to implement cybersecurity measures, supervise lawyer and other firm personnel to ensure compliance with duties relating to cybersecurity, and timely notify clients in the event of a material data breach, RI-381.

Many lawyers have requested guidance on how to comply with their ethical obligations. These FAQs provide guidance on how to comply with the rule, but do not impose an ethical requirement to follow the recommendations provided. The ethics committee acknowledges that technology progresses quickly and that some recommendations may become outdated before updates to these FAQs can be made.

 

Lawyer Competence

Lawyers must provide competent representation. MRPC 1.1. A general knowledge of cybersecurity is required to ensure competent representation. MRPC 1.1 Comment, RI-381.

 

Terms of Service

A lawyer should review the terms of service offered by every provider to determine whether adequate security measures are in place to maintain and protect client confidences and secrets. A lawyer should also discuss a provider’s security and confidentiality provisions with the client to ensure an understanding of the risks of use if appropriate. MRPC 1.1, 1.4, 1.6.

 

Supervising Non-Lawyer Employees

A lawyer may not permit or encourage an agent to engage in ethically prohibited conduct. MRPC 5.3; RI-191, RI-205.

 

Terms of Service

Should a lawyer review and consider the terms of service offered by any cloud computing vendor?

Yes. Terms of service set forth by cloud computing vendors such as offering storage or case management service in the cloud can vary in significant ways. Differences among vendors regarding terms of service can include provisions relating to whether the vendor assumes responsibility and legal liability for the confidentiality of data; whether the vendor agrees that the customer (e.g., the law firm or lawyer) is the sole owner of the data with the vendor having no ownership or the rights to the data; whetherthe vendor has a stated plan fordisclosure to a customer if a breach occurs; and whether the vendor will notify the customer, before disclosure, of any order from a court or administrative body of competent jurisdiction requiring disclosure of customer data.

 

Securing a Network

What should I know about creating and maintaining a secure computer network?

Security is a vast topic that cannot be comprehensively discussed in an FAQ, in part because cybercrime itself is vast. An independent study in 2018 estimated that cybercrime resulted in at least $1.5 trillion in revenues, equal to the GDP of Russia[1]. Threats of cybercrime abound, including theft of trade secrets and other proprietary information, extortion, and “social engineering.” Expropriated data can be, and often is, sold on the black market, or “dark web.” Computer networks can be held hostage until ransomware is paid, and firm personnel can be tricked into transferring money or other assets by criminals impersonating high-ranking firm members. A high percentage of law firms have been targeted and victimized by cybercriminals.[2]

In a perfect world, a lawyer could purchase an off-the-shelf secure network in a box. But we live in an imperfect, ever-changing world, particularly as it relates to technology and cybersecurity. Effective cybersecurity requires a collaboration of updated technological defenses, clear policies and procedures, and regular education of personnel. Lawyers entrusted with their own or their firm’s data security should be at least generally familiar with elements of an effective network security program. Some helpful resources include:

Basic steps that an attorney should follow to minimize the cyber risk involved with smart technology are as follows:

  • Change the default name and password for the network. Strength of signal means neighbors, nearby businesses, and passersby can likely see the network. Consider setting up a separate “guest” network if the equipment supports this function. The guest network should be just as secure but can be isolated from the main network consisting of computers, printers, storage, etc, and still allow others to access the Wi-Fi. This way, if a security breach occurs, there is one extra layer of defense and also keeps sensitive information segregated from visitors who may request access. Moreover, this allows the law firm to provide access to clients and opposing counsel without risking access to confidential data.
  • Take inventory: Take an inventory of the internet-enabled devices connected to the network. Review the listing occasionally to keep it up to date. Many Wi-Fi management systems allow the owner to control/block which devices are connected to the system.
  • Take control: Reflect on whether it is appropriate or necessary for certain devices to connect. Further, consider using time-of-day controls so devices are only accessing the internet when necessary. Shut off or disconnect devices not in use.
  • Make sure that all passwords are changed from the factory settings. Passwords should be sufficiently complex, and unique. Use of a “password strength checker” is not recommended as some have been used to learn passwords and hack into personal systems. If one is breached, it is important to prevent the others from being breached as well. The Cybersecurity & Infrastructure Security Agency provides Security Tips for Choosing and Protecting Passwords.
  • Routine maintenance: Like a computer or phone, smart home devices will periodically get routine bug fixes and security patches. Keeping devices up to date is important. Many devices have auto-update features. To make this easy, make this part of the inventory process: review the devices, disable inactive units, patch active devices, and consider password changes.
  • Be aware: Some devices record and assess personal conversations. Move or disable devices to keep discussions private.

[1] Into the Web of Profit , (accessed September 27, 2020).

[2] See, e.g., Why hackers target law firms (accessed September 27, 2020); REvil ransomware threatens to leak A-list celebrities' legal docs (accessed September 27, 2020).

 

Are there any insurance policies that cover cyberattacks?

Lawyers Professional Liability policies often include some insurance coverage for cyberattacks. Insurance brokers usually have informational resources on best practices for cyber loss prevention. In addition, cybersecurity insurance is a reasonably affordable coverage, and carriers often provide free educational resources and recommended incident response vendors.

 

What services are available to perform risk assessments?

There is an array of cybersecurity vendors that are available to perform risk assessments and mock attacks to inform the strength of one’s network security and methods for improvement.

 

Public Charging Stations

What should a lawyer consider when using public charging stations for secured devices?

In April 2023, the FBI issued a warning advising not to use free public charging stations in airports, hotels, and other public areas due to an increase in "juice jacking." The FBI’s warning includes that hackers have installed devices in the outlet, which may install malware or device monitoring software on cell phones and tables. This allows the hacker to lock the device or steal information on the device, including client confidential information, passwords, bank records, and more.

The FBI recommends using personal chargers and a regular outlet. Other cybersecurity experts recommend use of a USB data blocker, which are inexpensive.1

[1] Please see Forbes, April 20, 2023 How ‘Juice Jackers’ Plant Malware On Your Phone At Airports And Hotels (forbes.com), last accessed May 16, 2023.

 

Encryption Devices, Documents, and Data

What is encryption and when should I use it?

Encryption is the translation of data into a form unintelligible without a deciphering mechanism.[3] Encryption uses a mathematical formula to convert readable plaintext into unreadable “ciphertext.” The mathematical formula, or algorithm, can decrypt the ciphertext back to readable plaintext.[4]

A technical explanation of encryption is beyond the scope of this FAQ, but encryption is no longer the tool of heads of state and spies alone. Encryption is available as a feature of popular commercially available products for email and data storage. As it is readily available there is no excuse not to use it when it is appropriate to do so.

The Professional Ethics Committee recently clarified a lawyer’s duties to take reasonable measures to safeguard client electronically stored information. Michigan Informal Ethics Opinion RI-381 (February 2020). What constitutes “reasonable measures” depends on the circumstances, including sensitivity of the information to the client, potential threats, the risk of harm to the client if unauthorized disclosure occurs, and the availability of protective technology. Id. Those circumstances, or an express agreement with a client,[5] may require encryption of emails and other client data. ABA Formal Opinion 477R (2017) notes that “special security precautions” may be required when the lawyer transmits sensitive client information. Thus, “a lawyer should exercise judgment on whether to encrypt communications that include particularly sensitive information, such as trade secrets, secret formulas, proprietary client information, and personal health information.” Id.

Those same considerations may warrant encryption of client data stored by a lawyer. Encryption will not only make illicit access more difficult, it could also mitigate the effect of a hack by averting a threat of extortion to prevent publication of client information.[6] Just as most popular email programs include encryption functionality, most updated computer devices and software allow users to enable encryption to avoid exfiltration of data if a device is lost or stolen.

[3] National Institute of Standards and Technology, Publication SP 800-47 (August 2002).

[4] Ries, Simek, Nelson, Encryption Made Simple for Lawyers (ABA 2015).

[5] See, e.g., Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information (2017 Association of Corporate Counsel) (including provisions that require outside counsel to use encryption as prescribed by the client when transmitting and storing client confidential information).

[6] See, e.g., Meet the Hacker Groups Snatching Law Firms' Client Data (accessed September 27, 2020).

 

Home Smart Services

What types of products are covered by home smart services and what are the risks with using such a service?

(Though called home smart services, some attorneys may use the same or similar products in the office and the same recommendations apply.)

Home smart services cover a variety of the most common electronic products in different ways. There are protections available for routers, desktops, laptops, Wi-Fi devices, and tablets. However, each device introduces a variety of risks such as hackers or intruders obtaining personal private information, passwords, personal activities, and conversations. Attorneys should check with their home smart service provider to determine what protections are available against cybersecurity risks.

 

What steps should an attorney take when choosing a home smart service?

The Basic Steps cited in these FAQs under What should I know about creating and maintaining a secure computer network? should also be followed when utilizing home smart services.

 

Virtual Private Network (VPN)

What is a VPN and when should it be used?

A VPN or virtual private network is a private computer network that functions over a public network (such as the internet) and usually utilizes data encryption to provide secure access to something (such as an internal business server or private network). ”Miriam Webster accessed February 4, 2021.

If working remotely or otherwise outside the lawyer’s internal network, the lawyer should consider using a VPN to properly secure the information being transmitted through the network. The VPN should use end-to-end encryption and not save the data passing through the network. Public networks are essentially networks, wired or Wi-Fi, that can connect computers and devices from numerous sources and can provide inadvertent or malicious access to information stored in other devices on the public network. Any internet connection or connection between two or more computers or devices not accessed through the lawyer’s internal network is public, including access in places such as hotel and conference centers, airports, restaurants, libraries, and coffee shops.

 

Public Wi-Fi

What should a lawyer consider when accessing Wi-Fi not controlled by the lawyer or law firm?

[NOTE: The term public network includes using any connection not controlled by the lawyer, including a connection controlled by clients, opposing counsel, coffee shops, the court, mediation centers, an arbitrator’s office, etc.]

Lawyers haveexercise reasonable care to protect a client’s electronically stored information (ESI). This duty extends to using public Wi-Fi in accordance with MRPC 1.6 and RI-381. The lawyer should use reasonable care under MRPC 1.6(d) to prevent the disclosure of confidential client information. MRPC 1.6; 1.6(d); Ethics Opns. RI-104, RI-187, RI-344; ABA Model Rules of Professional Conduct 1.6; ABA Formal Op. 477.

Lawyers often conduct business in public places including coffee shops and in court houses by accessing public Wi-Fi. However, Wi-Fi can cause both legal and ethical issues. While this rule does not prohibit the use of public Wi-Fi, information sent or received and access to the attorney’s confidential files can be intercepted and decoded, exposing confidential and/or privileged client information without appropriate precautions in place. See VPN above.

 

Emails and Email Spoofing

What are best practices to ensure email security?

Email security is an important concept not only due to the confidential nature of lawyer-client communication, but also because it can be used to gain information (including login credentials) for critical systems.

Best Practices:

  • Emails often contain sensitive information. While disclaimers placed at the bottom of law firm emails are helpful instructions to an intended recipient to destroy the email if received by a non-authorized party, those instructions are not always followed and do not alleviate the lawyer’s ethical duty to maintain confidentiality. Mistakes happen when adding email recipients or by accidentally using the “Reply All” function. Before sending, ensure that you are sending the right email to the right recipient and consider encrypting the email in certain situations. The lawyer may also consider not cc’ing the client on the communication and instead sending a copy to the client immediately after sending to the intended recipient. This helps to alleviate the accidental use of “Reply All” by the client who may want to provide a confidential response to the attorney.
  • Use a secure password generator. A secure password generator creates a random, secure password that a person may use for their email or any other website. Using the same password for every login is a dangerous practice. The secure password generator should be vetted by the attorney to ensure that the recommended generated password is not stored by the generator. (Note: This is different from the password security checker that is not recommended for use.) The Cybersecurity & Infrastructure Security Agency provides security tips for choosing and protecting passwords.
  • Don’t play “getting to know you” Facebook games. This may not seem like an email security best practices tip, but it is. They look harmless: first pet, first car, first job, favorite teacher, elementary school. Those inquiries (and others) are potential password reset questions. The committee recommends that you do not play those games. The answers could reset your email password or even the password to your online bank account.
  • Use two-factor authorization. Many email programs allow a two-factor authorization. It is an added layer of security for the data. Even if a password is compromised, there is extra security.
  • Use antivirus software that scans emails and attachments. The lawyer should ensure that all devices used to access email have an antivirus software that scans emails and attachments for dangers. The lawyer’s IT department or company with whom the law firm partners for IT services should be able to make an appropriate recommendation for a law firm as to which services will best fit the firm’s needs. Additionally, some malpractice insurance carriers have preferred vendors.

 

What is email phishing and what steps should be taken to avoid the risk of a phishing email?

Phishing still happens. Phishing occurs when an official-looking email asks the recipient to “log in and verify your account.” Phishing began over phone calls and now includes email, text messages, and other forms of communication. Just as a lawyer would never provide an account number to anyone calling and stating they are with a certain organization without verification, the lawyer should not respond to similar emails.

Upon opening the email (if it is opened), there is a little arrow near the “From” email. Clicking it provides more information about the email. From here, it is fairly simple to figure out if the email is legitimate. When in doubt, contact the company listed in the email directly to determine if the email is legitimate. Do not reply to the email or call the phone number; instead, use the official contact information for the company. The Federal Trade Commission provides helpful tips on How to Recognize and Avoid Phishing Scams. Last accessed February 4, 2021.

It is recommended that phishing emails be reported to the internet service provider, and that users block the sender and ensure the entire law firm knows and understands how to spot these dangerous emails.

 

Cloud Services, Storage, and Transmission

What should lawyers consider when using cloud computing services for storage of client information?

While cloud computing may be used by lawyers, law firms, and their employees, the lawyer must retain ownership of the files and communications and have access to the same upon termination of the vendor relationship. And the lawyer must exercise reasonable care, as required by MRPC 1.6(d), to prevent others from accessing confidential communications and materials, including due to inappropriate storage by the vendor. The lawyer and law firms should also use reasonable care to ensure the integrity of the cloud computing software and entities they contract with to ensure that the entities are reasonably protected by malware and against unauthorized access. MRPC 1.6; 1.6, 5.3, RI-104, RI-187, RI-344; RI-355.

 

Flash Drives

What security risks do cell phones, tablets, and flash drives present?

Due to their portability alone, smartphones, tablets (such as an iPad), and flash drives (also called thumb drives or memory sticks) present heightened cybersecurity risks, particularly for loss of electronic data.

Precautionary measures for phones and tablets include enabling the password and/or facial recognition feature on a device and turning on features permitting a device to be found if lost. Some devices with proper features enabled can also be erased remotely if lost or stolen.

The use of transportable devices has led to a phenomenon called “juice hacking” where the unsuspecting device owner uses a hacker’s charging cord. The cord, while looking innocuous, is equipped with a data connection that allows the hacker to access all data on the device or install malware; some even allow remote access to the device. It is recommended that the device owner only use charging cords that they know are secure.

Flash drives pose additional risks for data loss due to their small size, making them particularly prone to becoming lost or stolen. Flash drives ordinarily can be encrypted by a user so that the data stored on them can only be accessed with a password or similar encryption key. Moreover, flash drives received from sources outside a law firm may contain malware aimed at creating havoc after being inserted into a computer. These small drives can also provide a means for data stored on a lawyer’s computer or network to be inappropriately copied and removed by someone with access to a physical computer within the firm.

 

Bring Your Own Devices (BYOD)

What precautions should be taken when a lawyer uses their own personal mobile electronics, such as smartphones and tablets (BYOD) to access client confidential information?

A “bring your own device” (BYOD) is a policy that allows individuals to use their own personal mobile devices to access confidential client information. The obligation to have proper safeguards to protect confidential information on a personal device is the same as on a “firm” or “work” device.

BEST PRACTICE: Two common approaches to safeguarding mobile devices for accessing confidential information are the use of a mobile device manager (MDM) application and using cloud or virtualization. An MDM application creates a “walled garden” or “corporate sandbox” on the personal device. This approach segregates firm/client data from personal data and allows to enforce security policies on the personal device. Virtualization[7] allows mobile devices to access the confidential information on the firm network or a secure cloud service through an encrypted VPN connection. With this approach, no confidential information is stored on the personal device.

[7] “Virtualization creates a simulated, or virtual, computing environment as opposed to a physical environment. Virtualization often includes computer-generated versions of hardware, operating systems, storage devices, and more. This allows organizations to partition a single physical computer or server into several virtual machines. Each virtual machine can then interact independently and run different operating systems or applications while sharing the resources of a single host machine.” Microsoft Azure: What is Virtualization? Accessed February 4, 2021.

 

Payment Apps

What should an attorney consider when using an online payment app to accept funds from clients or third parties related to the practice of law?

Whether or not the use of online payment apps complies with the Michigan Rules of Professional Conduct (MRPC) is not answered by the rules of professional conduct nor has it been reviewed by the Attorney Discipline Board. There are no exceptions in the MRPC to the requirement that all client funds must be placed in an attorney trust account. Additionally, there is no grace period for transferring those funds from the pay app to the trust account. As such, outlined below, the lawyer must immediately deposit those funds into a lawyer trust account. However, lawyers using these types of apps to accept payments related to the practice of law should consider the following:

Confidentiality, MRPC 1.6

  • Lawyers should review the terms of service to ensure that the information shared is minimal and protects client confidentiality.[8]
  • Some pay apps allow others to see transactions. This setting should be changed to ensure that all transactions are confidential and not shared with others using the app.

Safekeeping Property, MRPC 1.15

  • Lawyers must keep client funds separate from their own funds in an attorney IOLTA or non-IOLTA lawyer trust account. MRPC 1.15.
  • Funds received from the client that are earned are to be deposited into the lawyer’s own account, not a lawyer trust account.
  • Unearned fees and third-party funds must be placed directly into a lawyer trust account.MRPC 1.15, R-21, RI-344, R-7, RI-64.
  • “A lawyer is not permitted to commingle the lawyer's funds with client or third-person funds. When funds are received from a client or third person in a ‘lump sum’ that represents a combination of earned funds or incurred expenses along with unearned funds or unincurred expenses, the entire sum must be placed in trust and then any earned funds or incurred expenses must be promptly withdrawn.” R-21.
  • A careful review of Ethics Opinion RI-344 is recommended.In part, it provides the following along with guidance on establishing an ethical process to receive funds through a third-party vendor:
    • “Lawyers may want to enter into two . . . merchant contracts: one for earned legal fees and expenses and one for advance legal fees and expenses.”
    • “If the lawyer uses one account for earned and advance legal fees and expenses, all credit card company payments must be deposited into the lawyer's trust account and handled as described in this opinion.”
  • Some pay apps charge a fee for transactions or immediate deposit to a lawyer trust account to comply with MRPC 1.15.If the client is to pay the fee charged, the client should be notified in writing how the fee will be calculated.The attorney may not charge more than the fee actually incurred.

Disputed Funds, MRPC 1.15(d)

Some pay apps remove funds that are available in the account when a charge is disputed by the payor.This becomes problematic when the funds in the account are not those belonging to the client disputing the charge, but to another client.As such, RI-344 advises:

“To insure that … chargebacks do not impact the trust account, where chargebacks and … company fees are deducted from the trust account, legal fees and expenses paid by the … company into the trust account should not be considered fully earned until the … dispute period has expired.”This recommendation holds true for pay apps as well as credit cards. Much like waiting for a check to fully clear before disbursing funds.

Trust Account Overdraft Notification, MRPC 1.15A

Financial institutions “must be approved by the State Bar of Michigan in order to serve as a deposit for lawyer trust accounts.”If the lawyer trust account is to be held in an account by the app provider, the provider must be an approved financial institution. See our Trust Account Overdraft Notification page for more information.

[8] MRPC 1.6

 

File Migration

What considerations should an attorney review when migrating client files and other firm data from one software program to another software program?[9]

Law firms hold thousands of documents, files, names, paperwork, evidence, and other data. The amount of information a law firm holds for a client can seem overwhelming. Some steps to take are:

Get organized and take inventory. To ensure a smooth data migration, firms should have a list of what is being migrated. Data migration requires making choices about what data the firm needs to transition to the new software based on the firm’s record retention policy. The firm may choose to migrate all data or just the data required under the firm retention policy.

  1. Software Considerations
    • Security and accessibility. Firms must consider the security and accessibility of the data that is being transferred to an electronic platform.
  1. Functionality. How does the program actually work and are members of your firm comfortable enough to actually use the software?
  2. Integration. Will the software integrate with other programs your firm utilizes like accounting software, word-processing software, billing software, etc.
  3. Security measures in place to reduce susceptibility to cyberattacks.
  4. Review the terms of services to safeguard confidentiality of data and ensure compliance with MRPC 1.6.[10]
  5. How is electronically stored information accessed and does this fit with how your firm operates, including web and mobile access to data?
  6. What functions of the software are important to your firm, for example, lawyer trust account management and compliance, litigation docketing, time management, billing options, document storage, payment options, document assembly and template, client portals, and many others. See the ABA Litigation Support Software Comparison Chart for more information on commonly used products and what services each offers.
  7. Determine if tech support will be offered.
  8. Compliance with requirements of the firm’s malpractice insurance carrier if appropriate.
  9. If your firm requires specialized functionality, can the software be modified to fit your needs?
  10. Determine how updates are deployed and installed.
  1. Migration considerations. It is important that all necessary files, and subfiles, are migrated to ensure that no important client data is left behind. Once migration is complete, a member of your team should audit migrated files to ensure that no documents are missing based upon initial inventory of files to be migrated.
    • Lawyer trust account records must be maintained for five years.[11]
    • There are no time requirements on retention of client files, but lawyers are required to have file retention policies[12] and the firm should follow its policy.[13]
    • Consideration should be given to the statute of limitations on malpractice cases.
    • If the lawyer has malpractice insurance, consultation with the malpractice insurance carrier regarding file retention is recommended.

[9] Information culminated from The State Bar of California—Electronic Files.

[10] Please see RI-381 and Cybersecurity FAQs.

[11] MRPC 1.15

[12] Please see R-19.

[13] Please see Record Retention Resources. Specific information may be found in the following guides and resources: A Sound Record Retention Policy , Record Retention Kit, and How to Handle Requests for Copies .

Additional Resource

The Sedona Conference Commentary on a Reasonable Security Test

Last updated: September 2023

Member Area SBM Connect
About SBM
What We Do
Members Only
Stay Connected
© Copyright 2021 SBM. All rights reserved.