Duty of care: Why (and how) law firms should up their security game

Lawyers have been slow to adopt modern technology — and even slower to respond to security threats. That may be changing.


June 17, 1972, changed the legal profession forever.

The Watergate break-in, and subsequent coverup, implicated more than a dozen lawyers working for the White House or the Committee for the Re-election of the President (CREEP). The scandal led to calls to regulate the legal profession, and today ethics is a mandatory part of law school training and bar association rules of conduct.

Lawyers are now facing a similar watershed moment, but this one is about technology rather than ethics: mass surveillance and targeted hacking threaten to destroy the confidentiality that attorney-client privilege is supposed to guarantee.

While law firms have been slow to react to this existential threat to the profession, that may be starting to change as bar associations and clients themselves are pressuring law firms to stake out a stronger security posture.

Lawyers must be able to have candid conversations with their clients in order to represent them in a court of law. The world of mass surveillance and targeted hacking we now live in, though, raises the question of whether attorney-client privilege can survive. What does it mean if those candid conversations are no longer possible?

"[Attorney-client privilege] is a doctrine as old as the legal system itself," lawyer Fred Jennings of Tor Ekeland Law, who defends individuals accused of cyber crime, says. "If that's not only technically obsolete, but also is generally understood to be obsolete.... I don't know how you can retain a functioning justice system in that scenario."

How mass surveillance threatens attorney-client privilege

As the Snowden revelations made clear, the U.S. and U.K. governments are collecting basically everything we do, including privileged attorney-client conversations, and only the thinnest of legal and bureaucratic pretexts prevent that sensitive data from being abused. The practice of parallel construction, now explicitly legal in the U.K. and common in the U.S. and other Five Eyes countries, is a form of information laundering: intelligence agencies pass "anonymous tips" to law enforcement with the understanding that police officers will obscure how the information was originally gathered.

"There's certain information that an attorney needs to represent their client, and that would be fatal to the case if passed to the other side," Jennings tells CSO. "Law enforcement has the technical capability to obliterate attorney-client privilege."

Yet this violation of attorney-client privilege happens all the time, and not just in highly classified settings at the NSA. In 2015, prison phone service Securus suffered a breach exposing records of some 70 million phone calls, including roughly 14,000 recorded calls between attorneys and their incarcerated clients.

"This may be the most massive breach of the attorney-client privilege in modern U.S. history," the ACLU's David Fathi told The Intercept at the time. One wonders how many similar conversations are stored at the NSA's Utah data center, and how many they've shared with the FBI, DEA, or federal prosecutors on the sly.

Unencrypted phone calls and emails are no longer an acceptable way for attorneys to communicate with each other or with their clients, but too few law firms are aware of the risk, and fewer still are prepared to defend themselves against targeted hacking that bypasses encryption on the wire by compromising the endpoints where the data is in the clear.

