Cybersecurity—Frequently Asked Questions

[These FAQs are neither legal advice nor an ethics opinion, and are not a substitute for your obligation to adhere to the requirements of the Michigan Rules of Professional Conduct (MRPC), the Michigan Code of Judicial Conduct, statutes, court rules, and/or case law and to review ethics opinions. This document does not reflect the ethical implications of any updates, modifications, or added features.]


Reminders

Lawyers have ethical obligations to understand technology, including cybersecurity; to take reasonable steps to implement cybersecurity measures; to supervise lawyers and other firm personnel to ensure compliance with duties relating to cybersecurity; and to timely notify clients in the event of a material data breach. RI-381.

Many lawyers have requested guidance on how to comply with their ethical obligations. These FAQs provide guidance on how to comply with the rule, but do not impose an ethical requirement to follow the recommendations provided. The ethics committee acknowledges that technology progresses quickly and that some recommendations may become outdated before updates to these FAQs can be made.


Lawyer Competence

Lawyers must provide competent representation. MRPC 1.1. A general knowledge of cybersecurity is required to ensure competent representation. MRPC 1.1 Comment, RI-381.


Terms of Service

A lawyer should review the terms of service offered by every provider to determine whether adequate security measures are in place to maintain and protect client confidences and secrets. A lawyer should also discuss a provider’s security and confidentiality provisions with the client to ensure an understanding of the risks of use if appropriate. MRPC 1.1, 1.4, 1.6.


Supervising Non-Lawyer Employees

A lawyer may not permit or encourage an agent to engage in ethically prohibited conduct. MRPC 5.3; RI-191, RI-205.


Terms of Service


Should a lawyer review and consider the terms of service offered by any cloud computing vendor?

Yes. Terms of service set forth by cloud computing vendors, such as those offering storage or case management services in the cloud, can vary in significant ways. Differences among vendors regarding terms of service can include provisions relating to whether the vendor assumes responsibility and legal liability for the confidentiality of data; whether the vendor agrees that the customer (e.g., the law firm or lawyer) is the sole owner of the data, with the vendor having no ownership of or rights to the data; whether the vendor has a stated plan for disclosure to a customer if a breach occurs; and whether the vendor will notify the customer, before disclosure, of any order from a court or administrative body of competent jurisdiction requiring disclosure of customer data.


Securing a Network


What should I know about creating and maintaining a secure computer network?

Security is a vast topic that cannot be comprehensively discussed in an FAQ, in part because cybercrime itself is vast. An independent study in 2018 estimated that cybercrime resulted in at least $1.5 trillion in revenues, equal to the GDP of Russia.[1] Threats of cybercrime abound, including theft of trade secrets and other proprietary information, extortion, and “social engineering.” Expropriated data can be, and often is, sold on the black market, or “dark web.” Computer networks can be held hostage by ransomware until a ransom is paid, and firm personnel can be tricked into transferring money or other assets by criminals impersonating high-ranking firm members. A high percentage of law firms have been targeted and victimized by cybercriminals.[2]

In a perfect world, a lawyer could purchase an off-the-shelf secure network in a box. But we live in an imperfect, ever-changing world, particularly as it relates to technology and cybersecurity. Effective cybersecurity requires a collaboration of updated technological defenses, clear policies and procedures, and regular education of personnel. Lawyers entrusted with their own or their firm’s data security should be at least generally familiar with elements of an effective network security program. Some helpful resources include:

Basic steps that an attorney should follow to minimize the cyber risk involved with smart technology are as follows:

  • Change the default name and password for the network. Signal strength means neighbors, nearby businesses, and passersby can likely see the network. Consider setting up a separate “guest” network if the equipment supports this function. The guest network should be just as secure, but it can be isolated from the main network of computers, printers, storage, etc., while still allowing others to access the Wi-Fi. This way, if a security breach occurs, there is one extra layer of defense, and sensitive information stays segregated from visitors who request access. Moreover, this allows the law firm to provide access to clients and opposing counsel without risking access to confidential data.
  • Take inventory: Take an inventory of the internet-enabled devices connected to the network. Review the listing occasionally to keep it up to date. Many Wi-Fi management systems allow the owner to control/block which devices are connected to the system.
  • Take control: Reflect on whether it is appropriate or necessary for certain devices to connect. Further, consider using time-of-day controls so devices are only accessing the internet when necessary. Shut off or disconnect devices not in use.
  • Make sure that all passwords are changed from the factory settings. Passwords should be sufficiently complex and unique to each device. Use of a “password strength checker” is not recommended, as some have been used to learn passwords and hack into personal systems. If one password is breached, unique passwords prevent the others from being breached as well. The Cybersecurity & Infrastructure Security Agency provides Security Tips for Choosing and Protecting Passwords.
  • Routine maintenance: Like a computer or phone, smart home devices will periodically get routine bug fixes and security patches. Keeping devices up to date is important. Many devices have auto-update features. To make this easy, make this part of the inventory process: review the devices, disable inactive units, patch active devices, and consider password changes.
  • Be aware: Some devices record and assess personal conversations. Move or disable devices to keep discussions private.

[1] Into the Web of Profit (accessed September 27, 2020).

[2] See, e.g., Why hackers target law firms (accessed September 27, 2020); REvil ransomware threatens to leak A-list celebrities' legal docs (accessed September 27, 2020).



Are there any insurance policies that cover cyberattacks?

Lawyers Professional Liability policies often include some insurance coverage for cyberattacks. Insurance brokers usually have informational resources on best practices for cyber loss prevention. In addition, cybersecurity insurance is a reasonably affordable coverage, and carriers often provide free educational resources and recommended incident response vendors.


What services are available to perform risk assessments?

There is an array of cybersecurity vendors that are available to perform risk assessments and mock attacks to inform the strength of one’s network security and methods for improvement.


Encryption Devices, Documents, and Data


What is encryption and when should I use it?

Encryption is the translation of data into a form unintelligible without a deciphering mechanism.[3] Encryption uses a mathematical formula to convert readable plaintext into unreadable “ciphertext.” The mathematical formula, or algorithm, can decrypt the ciphertext back to readable plaintext.[4]

A technical explanation of encryption is beyond the scope of this FAQ, but encryption is no longer the tool of heads of state and spies alone. Encryption is available as a feature of popular commercially available products for email and data storage. As it is readily available there is no excuse not to use it when it is appropriate to do so.

The Professional Ethics Committee recently clarified a lawyer’s duties to take reasonable measures to safeguard client electronically stored information. Michigan Informal Ethics Opinion RI-381 (February 2020). What constitutes “reasonable measures” depends on the circumstances, including sensitivity of the information to the client, potential threats, the risk of harm to the client if unauthorized disclosure occurs, and the availability of protective technology. Id. Those circumstances, or an express agreement with a client,[5] may require encryption of emails and other client data. ABA Formal Opinion 477R (2017) notes that “special security precautions” may be required when the lawyer transmits sensitive client information. Thus, “a lawyer should exercise judgment on whether to encrypt communications that include particularly sensitive information, such as trade secrets, secret formulas, proprietary client information, and personal health information.” Id.

Those same considerations may warrant encryption of client data stored by a lawyer. Not only will encryption make illicit access more difficult, it could also mitigate the effect of a hack by averting a threat of extortion to prevent publication of client information.[6] Just as most popular email programs include encryption functionality, most up-to-date computer devices and software allow users to enable encryption to prevent exfiltration of data if a device is lost or stolen.


[3] National Institute of Standards and Technology, Publication SP 800-47 (August 2002).

[4] Ries, Simek, Nelson, Encryption Made Simple for Lawyers (ABA 2015).

[5] See, e.g., Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information (2017 Association of Corporate Counsel) (including provisions that require outside counsel to use encryption as prescribed by the client when transmitting and storing client confidential information).

[6] See, e.g., Meet the Hacker Groups Snatching Law Firms' Client Data (accessed September 27, 2020).



Home Smart Services


What types of products are covered by home smart services and what are the risks with using such a service?

(Though called home smart services, some attorneys may use the same or similar products in the office and the same recommendations apply.)

Home smart services cover a variety of the most common electronic products in different ways. There are protections available for routers, desktops, laptops, Wi-Fi devices, and tablets. However, each device introduces a variety of risks such as hackers or intruders obtaining personal private information, passwords, personal activities, and conversations. Attorneys should check with their home smart service provider to determine what protections are available against cybersecurity risks.


What steps should an attorney take when choosing a home smart service?

The Basic Steps cited in these FAQs under “What should I know about creating and maintaining a secure computer network?” should also be followed when utilizing home smart services.


Virtual Private Network (VPN)


What is a VPN and when should it be used?

A VPN, or virtual private network, is “a private computer network that functions over a public network (such as the internet) and usually utilizes data encryption to provide secure access to something (such as an internal business server or private network).” Merriam-Webster, accessed February 4, 2021.

If working remotely or otherwise outside the lawyer’s internal network, the lawyer should consider using a VPN to properly secure the information being transmitted through the network. The VPN should use end-to-end encryption and not save the data passing through the network. Public networks are essentially networks, wired or Wi-Fi, that can connect computers and devices from numerous sources and can provide inadvertent or malicious access to information stored in other devices on the public network. Any internet connection or connection between two or more computers or devices not accessed through the lawyer’s internal network is public, including access in places such as hotel and conference centers, airports, restaurants, libraries, and coffee shops.


Public Wi-Fi


What should a lawyer consider when accessing Wi-Fi not controlled by the lawyer or law firm?

[NOTE: The term public network includes using any connection not controlled by the lawyer, including a connection controlled by clients, opposing counsel, coffee shops, the court, mediation centers, an arbitrator’s office, etc.]

Lawyers have a duty to exercise reasonable care to protect a client’s electronically stored information (ESI). This duty extends to using public Wi-Fi in accordance with MRPC 1.6 and RI-381. The lawyer should use reasonable care under MRPC 1.6(d) to prevent the disclosure of confidential client information. MRPC 1.6; 1.6(d); Ethics Opns. RI-104, RI-187, RI-344; ABA Model Rules of Professional Conduct 1.6; ABA Formal Op. 477.

Lawyers often conduct business in public places, including coffee shops and courthouses, by accessing public Wi-Fi. However, public Wi-Fi can cause both legal and ethical issues. While this rule does not prohibit the use of public Wi-Fi, without appropriate precautions in place, information sent or received and access to the attorney’s confidential files can be intercepted and decoded, exposing confidential and/or privileged client information. See VPN above.


Emails and Email Spoofing


What are best practices to ensure email security?

Email security is an important concept not only due to the confidential nature of lawyer-client communication, but also because it can be used to gain information (including login credentials) for critical systems.

Best Practices:

  • Emails often contain sensitive information. While disclaimers placed at the bottom of law firm emails are helpful instructions to an intended recipient to destroy the email if received by a non-authorized party, those instructions are not always followed and do not alleviate the lawyer’s ethical duty to maintain confidentiality. Mistakes happen when adding email recipients or by accidentally using the “Reply All” function. Before sending, ensure that you are sending the right email to the right recipient and consider encrypting the email in certain situations. The lawyer may also consider not cc’ing the client on the communication and instead sending a copy to the client immediately after sending to the intended recipient. This helps to alleviate the accidental use of “Reply All” by the client who may want to provide a confidential response to the attorney.
  • Use a secure password generator. A secure password generator creates a random, secure password that a person may use for their email or any other website. Using the same password for every login is a dangerous practice. The secure password generator should be vetted by the attorney to ensure that the recommended generated password is not stored by the generator. (Note: This is different from the password security checker that is not recommended for use.) The Cybersecurity & Infrastructure Security Agency provides security tips for choosing and protecting passwords.
  • Don’t play “getting to know you” Facebook games. This may not seem like an email security best practices tip, but it is. They look harmless: first pet, first car, first job, favorite teacher, elementary school. Those inquiries (and others) are potential password reset questions. The committee recommends that you do not play those games. The answers could reset your email password or even the password to your online bank account.
  • Use two-factor authentication. Many email programs allow two-factor authentication. It is an added layer of security for the data: even if a password is compromised, the second factor still protects the account.
  • Use antivirus software that scans emails and attachments. The lawyer should ensure that all devices used to access email have an antivirus software that scans emails and attachments for dangers. The lawyer’s IT department or company with whom the law firm partners for IT services should be able to make an appropriate recommendation for a law firm as to which services will best fit the firm’s needs. Additionally, some malpractice insurance carriers have preferred vendors.


What is email phishing and what steps should be taken to avoid the risk of a phishing email?

Phishing still happens. Phishing occurs when an official-looking email asks the recipient to “log in and verify your account.” Phishing began over phone calls and now includes email, text messages, and other forms of communication. Just as a lawyer would never provide an account number to anyone calling and stating they are with a certain organization without verification, the lawyer should not respond to similar emails.

Upon opening the email (if it is opened), there is a little arrow near the “From” email. Clicking it provides more information about the email. From here, it is fairly simple to figure out if the email is legitimate. When in doubt, contact the company listed in the email directly to determine if the email is legitimate. Do not reply to the email or call the phone number; instead, use the official contact information for the company. The Federal Trade Commission provides helpful tips on How to Recognize and Avoid Phishing Scams. Last accessed February 4, 2021.

It is recommended that phishing emails be reported to the internet service provider, and that users block the sender and ensure the entire law firm knows and understands how to spot these dangerous emails.


Cloud Services, Storage, and Transmission


What should lawyers consider when using cloud computing services for storage of client information?

While cloud computing may be used by lawyers, law firms, and their employees, the lawyer must retain ownership of the files and communications and have access to the same upon termination of the vendor relationship. And the lawyer must exercise reasonable care, as required by MRPC 1.6(d), to prevent others from accessing confidential communications and materials, including access made possible by inappropriate storage by the vendor. Lawyers and law firms should also use reasonable care to ensure the integrity of the cloud computing software and the entities they contract with, so that those entities are reasonably protected against malware and unauthorized access. MRPC 1.6, 1.6(d), 5.3; RI-104, RI-187, RI-344, RI-355.


Flash Drives


What security risks do cell phones, tablets, and flash drives present?

Due to their portability alone, smartphones, tablets (such as an iPad), and flash drives (also called thumb drives or memory sticks) present heightened cybersecurity risks, particularly for loss of electronic data.

Precautionary measures for phones and tablets include enabling the password and/or facial recognition feature on a device and turning on features permitting a device to be found if lost. Some devices with proper features enabled can also be erased remotely if lost or stolen.

The use of transportable devices has led to a phenomenon called “juice hacking” where the unsuspecting device owner uses a hacker’s charging cord. The cord, while looking innocuous, is equipped with a data connection that allows the hacker to access all data on the device or install malware; some even allow remote access to the device. It is recommended that the device owner only use charging cords that they know are secure.

Flash drives pose additional risks for data loss due to their small size, making them particularly prone to becoming lost or stolen. Flash drives ordinarily can be encrypted by a user so that the data stored on them can only be accessed with a password or similar encryption key. Moreover, flash drives received from sources outside a law firm may contain malware aimed at creating havoc after being inserted into a computer. These small drives can also provide a means for data stored on a lawyer’s computer or network to be inappropriately copied and removed by someone with access to a physical computer within the firm.


Bring Your Own Devices (BYOD)


What precautions should be taken when a lawyer uses their own personal mobile electronics, such as smartphones and tablets (BYOD) to access client confidential information?

A “bring your own device” (BYOD) is a policy that allows individuals to use their own personal mobile devices to access confidential client information. The obligation to have proper safeguards to protect confidential information on a personal device is the same as on a “firm” or “work” device.

BEST PRACTICE: Two common approaches to safeguarding mobile devices used to access confidential information are the use of a mobile device management (MDM) application and the use of cloud services or virtualization. An MDM application creates a “walled garden” or “corporate sandbox” on the personal device. This approach segregates firm/client data from personal data and allows the firm to enforce security policies on the personal device. Virtualization[7] allows mobile devices to access the confidential information on the firm network or a secure cloud service through an encrypted VPN connection. With this approach, no confidential information is stored on the personal device.


[7] “Virtualization creates a simulated, or virtual, computing environment as opposed to a physical environment. Virtualization often includes computer-generated versions of hardware, operating systems, storage devices, and more. This allows organizations to partition a single physical computer or server into several virtual machines. Each virtual machine can then interact independently and run different operating systems or applications while sharing the resources of a single host machine.” Microsoft Azure: What is Virtualization? Accessed February 4, 2021.


Additional Resource

The Sedona Conference Commentary on a Reasonable Security Test


Last updated: March 2021