• United States



Senior Writer

Duty of care: Why (and how) law firms should up their security game

News Analysis
Jul 10, 20188 mins
Data BreachLegalSecurity

Lawyers have been slow to adopt modern technology — and even slower to respond to security threats. That may be changing.

nycrr cybersecurity gavel regulation compliance law nyc statue of liberty
Credit: Getty Images

June 17, 1972, changed the legal profession forever.

The Watergate break-in, and subsequent coverup, implicated more than a dozen lawyers working for the White House or the Committee for the Re-election of the President (CREEP). The scandal led to calls to regulate the legal profession, and today ethics is a mandatory part of law school training and bar association rules of conduct.

Lawyers are now facing a similar watershed moment, but not in ethics — in technology, as modern technology threatens to destroy the confidentiality afforded by attorney-client privilege.

While law firms have been slow to react to this existential threat to the profession, that may be starting to change as bar associations and clients themselves are pressuring law firms to stake out a stronger security posture.

Lawyers must be able to have candid conversations with their clients to represent them in a court of law. The world of mass surveillance and targeted hacking we now live in, though, raises the question whether attorney-client privilege can survive. What does it mean if those candid conversations are no longer possible?

“[Attorney-client privilege] is a doctrine as old as the legal system itself,” lawyer Fred Jennings of Tor Ekeland Law, who defends individuals accused of cyber crime, says. “If that’s not only technically obsolete, but also is generally understood to be obsolete…. I don’t know how you can retain a functioning justice system in that scenario.”

How mass surveillance threatens attorney-client privilege

As the Snowden revelations made clear, the U.S. and U.K. governments are spying on basically everything we do, including privileged attorney-client conversations, and only the thinnest of legal and bureaucratic pretexts prevent that sensitive data from being abused. The practice of parallel construction, now explicitly legal in the U.K., and common in the U.S. and other Five Eyes countries, involves information laundering, when spies pass “anonymous tips” to law enforcement with the understanding that police officers will obscure how the information was gathered.

“There’s certain information that an attorney needs to represent their client, and that would be fatal to the case if passed to the other side,” Jennings tells CSO. “Law enforcement has the technical capability to obliterate attorney-client privilege.”

Yet this violation of attorney-client privilege happens all the time, and not just in highly classified settings at the NSA. In 2015, prison phone service Securus suffered a breach of 70 million phone calls, including 14,000 recorded voice calls between attorneys and their clients in prison.

“This may be the most massive breach of the attorney-client privilege in modern U.S. history,” the ACLU’s David Fathi told The Intercept at the time. One wonders how many similar conversations are stored at the NSA’s Utah data center, and how many they’ve shared with the FBI, DEA, or federal prosecutors on the sly.

Unencrypted phone calls and emails are no longer an acceptable way for attorneys to communicate with each other or with their clients, but too few laws firms are aware of the risk, and fewer still are prepared to defend themselves from targeted hacking intended to end run around encryption on the wire.

Hackers target law firms, too

The Panama Papers scandal revealed not only widespread money laundering on a global scale, but also woeful information security practices at the Panama-based law firm of Mossack Fonseca, which has since shut down. We may in the same breath celebrate the Panama Papers and condemn Mossack Fonseca for not doing a better job at protecting attorney-client privilege.

Mossack Fonseca is by no means an outlier, at least as far as poor information security practices go. Law firm breaches don’t make the news the same way a breach at a major retailer does. A breached law firms need only disclose the incident to their clients, and since no one gains from that kind of publicity, these breaches fly under the radar more often than not.

“[Mossack Fonseca] were just hanging onto untold amounts of data,” Vincent Liu, managing partner at information security consultancy Bishop Fox, says. “How do you do that securely? Do you keep that online and hot and accessible? Or do you put it in cold storage?”

An attacker, never publicly identified and with unknown affiliation, breached the law firm’s email and web server with a trivial exploit. More than 11.5 million documents — amounting to 2.6TB of data — were publicly available to download by any script kiddie or intelligence agency C-team rookie on the planet.

Attorney Claudia Rast of law firm Butzel Long, who represents breached law firms, and who is a member of the American Bar Association’s Cybersecurity Legal Task Force, agrees with Liu. “It’s clear from my work with cybersecurity incidents and breaches,” she says, “that the old days of one big file server, where all client information is stored, is not today’s best practice.”

Larger law firms have begun hiring CSOs or CISOs, and rudimentary due diligence goes a long way toward preventing a Mossack Fonseca-like breach. One of the hardest problems in legal infosec, however, is law firms’ addiction to the crack cocaine of digital tools: email.

The “e” in email stands for “evidence”

Email is simple, easy to use, lets users share both messages and documents, plus everyone has it. The fact that it’s totally insecure seldom concerns people, and finding an alternative that’s both widely interoperable and deployable at enterprise scale is hard. As a result, law firms, by and large, are stuck using email.

“It’s important to try to encode client confidentiality as much as possible by having the means of communications used be more than just a promise,” David Huerta, a digital security trainer at the Freedom of the Press Foundation, and who runs security workshops for lawyers, tells CSO. “Anything you say in email is creating a permanent record; be cognizant of that as it’s being used.”

Any law firm of any size also has obligations to its clients to maintain good records. Those obligations are hard to meet if you’re using ephemeral encrypted chat apps on your phone. So, while it’s tempting to say “just use Signal,” when dealing with large law firms that’s not as easy as it sounds. All the same, it’s clear that law firms will have to kick the email habit sooner or later — for their own health and for the survival of the legal profession in these insecure times.

“While today we may not see widespread adoption of encrypted email and encrypted messaging,” Liu says, “I do think it’s the direction firms will be heading in the future.”

The American Bar Association (ABA) is well aware of the importance of encryption and strong endpoint security practices for lawyers, and is actively using its bully pulpit to push law firms toward best practices.

Duty of care

The ABA amended its “duty of care” guidance for lawyers to include the need to address information security obligations to clients. The ABA’s 2017 Formal Opinion on secure communication spelled out the problem: “Law firms are targets for two general reasons: (1) they obtain, store and use highly sensitive information about their clients…and (2) the information in their possession is more likely to be of interest to a hacker.” The ABA also published the second edition of the “ABA Cybersecurity Handbook” in 2017.

The California bar has also weighed in on the issue. “An attorney’s duties of confidentiality and competence,” they conclude, “require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client’s representation does not subject confidential client information to an undue risk of unauthorized disclosure.”

Both the ABA and California bar ethics rulings make clear that lawyers have a duty of competence to use technology to ensure client confidentiality, but also that, lacking sufficient technical competence, they may employ technical experts to help them do so.

“Attorneys in general are pretty good at protecting confidential information,” Rast says. “‘I have your documents, I will keep them under lock and key.’ But as everything becomes digitized, it’s a difficult process for lawyers to stay up to date, to keep [information] safe in digitized form.”

While bar associations can thump their bully pulpit, their ability to enforce is limited; poor information security practices are so common across the legal industry that it would be impossible to discipline everyone. Top-down pressure alone is not enough to force law firms to perform their due diligence. 

Client pressure to the rescue?

You’re only as secure as your weakest link.

When it comes to enterprise security, that weakest link is often a law firm. Clients that handle sensitive information, including defense contractors, are demanding their law firms improve their security posture. A nation-state attacker looking to steal military secrets, or to pilfer data to gain advantage during an international mergers and acquisitions deal, would logically target the corresponding law firm, a known soft target.

Smart clients know this and are raising their voices. “The loudest person in the room is going to be the client,” Rast says. “Law firms are very sensitive to the requirements of their clients. More and more clients are demanding questionnaires be filled out…. ‘How are you going to handle my information, and what kind of security you’re going to provide?’”

If this turns out to be the case, it will surely be one of the rare times when market forces select for strong cybersecurity.

Senior Writer

J.M. Porup got his start in security working as a Linux sysadmin in 2002. Since then he's covered national security and information security for a variety of publications, and now calls CSO Online home. He previously reported from Colombia for four years, where he wrote travel guidebooks to Latin America, and speaks Spanish fluently with a hilarious gringo-Colombian accent. He holds a Masters degree in Information and Cybersecurity (MICS) from UC Berkeley.

More from this author