At the recent Heckerling Institute on Estate Planning, I had the pleasure of sitting in on the session "Protecting Client Data: Ethics, Security, and Practicality for Estate Planners," presented by James D. Lamm, J. Michael Deege and Margaret Van Houten. Here are my notes, presented unvarnished.
a. The practice of law is about receiving, processing and transmitting information with our clients and their professional team. Over the last 60 years technology has evolved and changed how we practice law and achieve those goals. Consider the impact the following technology has had on transforming how law firms operate and attorneys work:
i. Fax Machines.
iii. Personal computers.
iv. Cell Phones.
b. Estate planning requires acquiring confidential pieces of information from clients that are sensitive, such as social security numbers, taxpayer identification numbers, financial statements, etc.
c. Protecting the confidentiality of this sensitive information was easier to achieve when all information was held in paper- lock the doors, have an alarm system, train staff how to protect documentation and avoid unauthorized access, etc.
d. Comment: While the presentation revolves around the safe and ethical use of technology to enhance the practice of law, practitioners should not forget to cross their t's and dot their i's and ensure that their procedures to protect their physical content are up to date. The strongest cyber security in the world does not mean much if a malicious actor can enter your physical workplace and either steal computers and confidential physical documents, or install malicious software on your systems through plugging a USB flash drive into computers attached to your network. Consider the use of alarm systems, talk to the security in your building to ensure they know of your security concerns and needs, change locks in the office if anyone whom has been terminated had copies of keys to secure areas, or other prudent security measures to keep your physical space safe too.
e. Confidentiality in the digital world requires understanding how computer systems work to protect transmission of information, and teach staff how to protect themselves in the cyber world. Human error is one of the most consistent weaknesses of a computer system.
f. Every day, about 7 million data records are lost or stolen.
i. 72 percent of breaches are done by a malicious outsider.
ii. 18 percent are result of accidental loss.
iii. 9 percent are result of malicious insider.
g. Consider all of the massive data breaches that have happened over the past several years: the Yahoo, Equifax and Marriott information breaches among others where hundreds of millions of files with sensitive information was stolen.
h. While one data breach alone may not provide enough information to be a serious threat (Comment: although that is a debatable statement, as the Equifax data breach shows, if the wrong system is compromised, it can cause serious financial damage on its own), the increased frequency and breadth of breaches allows for all of the stolen information to build a profile about someone's life. It may be at this point the identity thieves know more about you than you know yourself!
i. The FBI's Internet Crime Complaint Center in 2017 received reports of 301,850 malicious incidents, causing a loss of $1.4 billion.
j. The chance of arresting a cybercriminal was 0.31 percent in 2018. Comment: This is a terrifying statistic and puts into perspective how important protecting oneself, both professionally and personally, has become. If the crimes being committed have such a low risk of being caught for the perpetrators, those attacks will likely continue to grow more brazen and damaging.
k. Malicious cyber incidents cost the U.S. economy between $57 billion and $109 billion in 2016.
l. Worst password in 2017:123456. Second worst password: password.
m. "Phishing" is the leading cause of cyber attacks. Example: Emails that look legitimate, convincing you to either open an attachment to give you a malicious virus, or which request information from you that when you send it in gives it to a malicious person.
n. Comment: Recently, email received has noted a consistent increase in these "phishing" style of emails, including looking like they have come from other professionals. Disturbingly, they have also been seen to take the form of a secure encrypted email, which if clicked on would result in a malicious attack as discussed. While most phishing attempts have been thwarted through reviewing the email address of the sender, clearly showing the email as illegitimate, some have been sophisticated enough to spoof the email address as well. Consider if you receive an email you are unsure about contacting the purported sender, preferably through a phone call with a phone number you have in contacts or find from a separate source, to determine if the email is legitimate. The use of spam blocking applications, and consistently marking these style of emails when identified as junk and blocking the sender, will help prevent future phishing emails.
Protecting Client Data.
a. ABA Model Rules.
i. Even if your particular state has not adopted a specific model rule, they can be good guides to assist you in understanding your responsibilities to clients.
ii. California has its own ethical statements and opinions differing from the ABA model rules, so be sure if you are from California you review your own state rules.
iii. ABA Model Rule 1:1: "A lawyer shall provide competent representation to a client."
1. Competency requires self reflection- what are you comfortable dealing with?
2. Comment 8: Modified recently to include that lawyers should keep abreast of changes in the law and its practice "including the benefits and risks associated with relevant technology."
3. We need to understand the constantly changing technology to better serve our clients.
4. Example: If you do complex litigation, you need to be competent in using the litigation support software.
5. Comment: The amount of software being developed for the estate planning profession to help attorneys, accountants, wealth managers, insurance agents and everyone else involved in the estate planning process perform their jobs more efficiently and effectively grows every year. The use of document generation software allows attorneys to create functioning documents for both simple and complex plans, allowing the attorney to concentrate their time on working with the client to determine what that clients needs and desires are, conversations allowing the attorney to craft a more comprehensive plan for clients than may have not been economically feasible otherwise. The use of web meeting technology, where the client can see your screen so witness you working on their draft documents as you discuss them on a conference call, creates convenience for the client by providing flexibility in the estate planning process, will keeping them engaged in the planning by giving instant feedback of seeing the changes being made from the conversation. Additional technology and thoughts are discussed below.
iv. ABA Model Rule 1.6(c): "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
1. What is reasonable efforts? This is a nebulous statement that needs both common sense applications, best judgment, and to review what opinions consider reasonable to determine your technology policies moving forward.
2. Use of email: make sure protecting client information when transmitting via email. How far does an attorney need to go in this protection?
3. Comment 18, paragraph (c): Requires a lawyer to competently act to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure.
4. What if you lose your laptop, or other repository of information where you hold confidential information?
5. Comment: There are numerous pieces of both software and hardware that can be employed on a laptop to prevent catastrophic loss when a laptop is either lost or stolen. A reasonable system of backing up any documentation held on the laptop should be implemented. This backup system should be designed by each practitioner to ensure that the practitioner will make effective use of that backup system. A sophisticated backup system is ineffective if a practitioner forgets to log into the system allowing it to perform a backup. Companies such as Sugarsync, ShareFile, Dropbox, etc. all provide solutions for cloud storage backups if the practitioner is comfortable with that style of backup. There are also physical backup systems, such as Datto, which can be hardwired into a network system to perform automatic backups, requiring less maintenance of the backup system once it is setup. If a device containing data, such as a laptop, is lost there are several options out there to attempt to recover the equipment, or protect confidential data. Tile sells small physical squares that can be paired with an app on your phone to give you a GPS location of your device, as well as cause the small square to emit noise if you are close to the device. Software such as that provided by Lojack can both encrypt a laptop to protect the data on it, provide location of the laptop from the last time it was turned on, and in an extreme case where the laptop cannot be recovered, has the ability to wipe all data on that laptop to prevent others from accessing confidential information. The application of several protective systems can mitigate the damage an unfortunate event such as losing a laptop can cause.
6. Reasonable efforts includes due diligence regarding technology procedures. The need to have good training for employees, thoughtful policies in place and follows all show that due diligence and that reasonable efforts were made to prevent disclosure.
7. Another concerning incident of phishing as discussed above, the presenters mentioned an example where an email spoofed an internal communication from one attorney to another requesting information regarding an ongoing case, and it was only due to an unusual email address that the duplicity was found.
8. Use best judgment regarding when you need to take extra security measures. Consider the following reasonable effort factors:
- Sensitivity of Information.
- Likelihood of disclosure if you do not employ additional safeguards.
- Cost of employing additional safeguards.
- Difficulty of implementing additional safeguards.
- Extent to which the safeguards adversely affect the lawyer's ability to represent clients (e.g. difficult to use).
9. Client is allowed to give consent to forgo the additional safeguards, such as sending encrypted emails. Mention use of this in the engagement letter.
i. ABA Formal Opinion 99-413.
1. “A lawyer may transmit information relating to the representation of a client by unencrypted e‐mail sent over the Internet without violating the Model Rules of Professional Conduct."
2. This was the first opinion from the ABA regarding the use of email by attorneys. Note how it was left open to interpretation and did not provide much detail. As email was still in its infancy in 1999, it would take years for the internet to evolve and guidance on electronic communication to become clearer.
ii. ABA Formal Opinion 11-459.
1. Lawyers sending or receiving communications with a client via email must warn the client about the risk of sending or receiving electronic communications, especially when there is significant risk that a third party may gain access.
2. Concern over communicating with client over a business email- third party may be able to gain access. Discuss with client the concerns and suggestion of communicating through a personal email.
3. Comments: This is good advice not only for a practitioner's practice of law, but also for the practitioner's personal life. While it may be tempting for a practitioner to maintain personal files on company networks and use business email for personal matters, consider several factors: (1) what if you are terminated, and they refuse to give you access to the firm network? You may be unable to recover your personal data located on the firm's network. If you do not maintain backups of that information in other locations, you may lose that data. (2) Data located on the firm network can potentially be discoverable in the event of a lawsuit. Do you wish for your personal data to be included in the discoverable items during a lawsuit?
The conversation with clients can also go beyond discussing use of a personal email for communication. Clients, a Husband and Wife, recently had a meeting at our office and during discussions it came up that the Husband was maintaining all personal information on a work laptop. Husband did not maintain backups of the information on any other medium, relying on the backups performed through the business. What if Husband was terminated by his company? Business laptops often contain the ability for the business to remotely wipe that laptop of all data immediately upon termination- the personal information could be lost in this situation. In addition, Wife was not provided with copies of the personal information located on the work laptop. What if Husband is incapacitated or injured in some manner? Wife, during a time of extreme stress, would also be unable to access the personal information located on the business laptop, which may contain crucial information Wife needs.
iii. State Ethics Opinions.
1. Some state ethics opinions require client consent before using unencrypted email.
2. You should review all ethics opinions in your own state to ensure that your practices fall within the reasonable guidelines established within your state.
iv. ABA Formal Opinion 477R.
1. This is an update to Formal Opinion 99-413.
2. Lawyer can generally transmit confidential information to clients if reasonable efforts are taken to prevent unauthorized or inadvertent access. While unencrypted email may generally be acceptable, there are times where it may not be and this requires the judgment of the attorney.
3. The opinion included several aspects to consider when sending unencrypted emails:
- Understand the nature of the threat.
- Understand how client confidential information is transmitted and where it is stored.
- Understand and use reasonable electronic security measures.
- Determine how electronic communications about clients should be protected.
- Label client confidential information. This should include digital files.
- Train lawyers and non-lawyer assistants in technology and information security.
Conduct due diligence on vendors providing communication technology. Comment: Consider when you employ third party vendors the kind of information they may have access to. Would they have the ability to retain these files? Do they have the ability to remotely access your network (such as with IT consultants)? Consider the use of Non-Disclosure Agreements ("NDA") for any vendors that have access to sensitive information to show reasonable efforts. Also consider having the NDA include a provision that requires the third-party vendor to destroy any confidential information they may have stored, either in paper or electronic format, separately from your files as part of their assisting you within a reasonable amount of time. You can determine a reasonable amount of time based upon the kind of work the third-party vendor is performing.
v. ABA formal opinion 480.
1. Posting comments using social media or a blog. Cannot reveal information regarding clients, even information that is publically available, on any posts that you make without client consent.
vi. ABA formal opinion 483:
1. If a data breach occurs that involves client information, lawyers have a duty to notify current clients of that data breach.
2. Attorneys have a requirement to monitor for data breaches so current clients can be informed if one is discovered.
3. Interestingly, there is no requirement to notify former clients.
4. Security has to be balanced with practicality.
a. Myth: Small solo practices have security through obscurity.
i. With Phishing, Malware and other malicious attacks being so automated and sophisticated, they can throw a wide net and capture information from anyone, no matter how small.
ii. Consider the lockdown viruses where you need to pay to get access to your data. Do you have a current and usable backup of your data?
iii. Comment: As discussed above under the laptop section, there are numerous solutions for backups that allow you to set frequency of backups, and the medium the backup is performed upon. As an example, the use of a Datto backup system allows for a physical copy of the network to be stored onsite for quick retrieval (the Datto system can serve as an emergency server if needed) in case of failure of the main network. The Datto system is also connected to Datto Cloud based backups and the entirety of the network can backed up nightly, with backups maintained for long periods of time. ShareFile, or similar systems such as Dropbox business, can be used to "sync" the files on a network with a purely Cloud based backup, which has the added advantage of allowing sync of the files on the Network with other devices (such as a business laptop with the proper encryption and other security software installed) creating mobility for the practitioner. There are numerous solutions available that can be tailored for the needs of the particular practitioner.
b. Myth: I just need enough security that I am not an easy target. This is the "chased by a bear" method of cyber security.
i. However, it is not just about outrunning other people on the internet. Cyber attacks are now coming from organized crime, run by people with access to the best hardware and software to perpetrate these attacks.
ii. 91 percent of cyber attacks start with "spear fishing", which is a specific attack against your organization. About 75 percent of the firms attacked were running up to date hardware and software and still had data breaches.
c. Information for small firms to protect their data.
i. IRS Publication 4557.
ii. FCC Cyber security for small business: https://tinyurl.com/y9f74qaw
iii. NIST Small Business Corner: https://tinyurl.com/yaynpmc4.
What are the tools to protect your firm?
i. Anything that leaves the office, the presenters suggest should be encrypted. If you have a laptop that you have work and confidential information on, it should be encrypted.
ii. Symmetrical Encryption- Same password to encrypt and decrypt data that you are transmitting.
iii. Asymmetrical encryption: Can securely transmit or authenticate data without both parties sharing a common password. Issue: this requires both the sender and the recipient to be tech savvy enough to use the system. It is so sophisticated it is not practical with the average client.
iv. Weak Encryption.
1. Data Encryption Standard (DES).
2. In the late 1990s, DES was considered impractical to decrypt by guessing all of the passwords associated with this kind of encryption (known as brute forcing it). Today, it takes less than a day to decrypt DES through a brute force method.
3. Many older software systems, such as previous generations of Microsoft Word or WordPerfect, used the weak encryption system.
4. Comment: The differences discussed between the older weak encryption system and the strong encryption system show an additional reason to keep software up to date. Not only may older versions of software be using this outdated encryption, but once a company stops supporting a certain version of software, that software can potentially quickly become dangerous to operate as any security vulnerabilities found in the software after support ends are not fixed by the developer, and can be exploited by a malicious actor. For example, any Microsoft Windows operating system older than Windows 7 service pack is are no longer supported by Microsoft, and Microsoft will end Windows 7 extended support on January 14, 2020. https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet. If any of the computers in your office are operating on these outdated and unsupported operating systems, you may be exposing your network to vulnerabilities that could potentially be used as "backdoors" into more secure sections of your computer systems.
v. Strong Encryption.
1. Look for "Advanced Encryption Standard" (AES) listed on items, as this indicates that the item has strong encryption potential.
2. 128-bit AES encryption is an example of strong password combination. It takes so long to brute force this encryption that it is practically impossible to decrypt. Example: 70 billion computers attempting to crack the encryption by guessing 1 billion passwords each per second would take 77 billion years to get halfway through all the possible passwords to guess.
3. For Microsoft Word, make sure you are using the newest format that ends in ".docx" when saving documents as it will give you the option to have strong encryption on the document. Comment: Note that Microsoft Word gives you the option to save files in older formats so they can be opened by previous versions of Word. Consider avoiding doing this on documents with sensitive data, so you can provide it with the best encryption possible.
4. Weak passwords will undermine the protection of strong encryption. The encryption is only as protective as the password you use to get past that encryption. Presenters suggested the use of uppercase, lowercase, and symbol characters, as well as the use of longer passwords (suggested at least 12 characters long).
b. Office Policies
i. Consider who is responsible for the firm's technology resources. Is there an IT staff? A committee to establish policies or create literature to disseminate those policies?
ii. Should there be a committee or a person responsible with addressing ethical issues of cyber security, perform client security audits, develop and complete training and courses for staff?
iii. Reasonable efforts should include having policies in place for these situations.
iv. Best practice is to have someone who concentrates just on these issues for the law firms.
v. Comment: Whether the practitioner is a member of a larger firm, which may employ its own IT division, or in a smaller firm that has an IT consultant, consider requesting a memorandum be prepared by IT department or consultant outlining steps already taken to protect electronic systems and confidential information, and have additional suggested steps included in the memorandum. Subsequent memoranda should show any efforts made to implement the suggestions made in the previous memorandum. Establishing a clear history of steps taken and due diligence performed may help show that actions taken by the practitioner in protecting electronic information was reasonable.
vi. Should there be a written set of policies? Yes.
1. Guidelines for use of portable electronic devices, where can those portable devices be stored?
2. What information can be placed on a personally-owned computer or device? Comment: Remote access can potentially be used to access a business electronic device from a personally-owned device, allowing work to be completed without placing any confidential information on the personally-owned device. If remote access is being used in this manner, the practitioner should have sufficient protections in place so that if someone gains access to the personal device, they cannot make use of the remote access system.
3. Passwords: How often to change those passwords, how to create a secure password, with whom a password may be shared.
4. Use of Two-Factor authentication. Comment: Any inconvenience incurred by the use of a two-factor authentication system pales in comparison to the protection provided. Consider placing two-factor authentication not only on business related accounts, but personal electronic accounts as well (Bank account login, Amazon, Ebay, generally anything that having access to the account gives purchasing power is a strong candidate for two-factor authentication).
5. Remote Access: How and where should it be used?
a. Ensure that the program you use for remote access has a good reputation and is considered safe.
6. Procedures for avoiding virus problems, prohibiting users to download or update software.
7. Definition of "Sensitive Data" that must be encrypted before sharing outside the firm network.
8. Incident response policy.
9. Sanctions for violation of the above policies.
c. Engagement Letters.
i. Clients should be made aware of the policies and ethical responsibilities regarding email confidentiality, encryption, and electronic file maintenance.
ii. Engagement letters should include reference to email and information security.
iii. Comment: Engaging in discussion with clients and providing them with information on how you protect their confidential data can help assuage concerns they have, allow them to provide commentary on what uses of technology they are comfortable with and any specific requests they have regarding their representation. The presenters are spot on in their assessment of the use of an engagement letter to assist in this communication, and provide clients with information on the risks inherent with the technology used by the practitioner's firm. As each practitioner and firm uses technology in their own unique ways, the engagement letter should be customized by the practitioner. Following is a sample of language used by the author in an engagement letter to address various software employed during the course of representation of a client: "You authorize the back-up and storage of records on cloud-based back up services, including but not limited to those provided by ShareFile, Microsoft 365, SugarSync, Datto and NetDocuments and others, posting PDFs of your documents in the cloud on ShareFile or a similar service, and emailing of unencrypted confidential records. If you wish us to use encrypted electronic communications, we can do so through ShareFile." The goal of this language is to give clients a feel for how technology operates in the law firm. When a client requested all emails be sent encrypted through the ShareFile service as indicated, it was noted in that clients file and everyone in the firm was instructed to exercise caution in communicating with that client and to only use encrypted emails.
d. File Retention Policies.
i. A client should be notified of the firm's file retention policies, either in the engagement letter or upon completion of the project.
a. Look for courses dealing in cyber security. A resource of cyber security education and classes was provided by the presenters: https://tinyurl.com/y9v8hp9u.
b. Department of Homeland Security has good resources on their website.
c. Issues with training: (1) the cost of it, and (2) the availability of the resources out there.
d. Big Firms often believe if it is not done in house it is not of value. Smaller firms do not have the resources to create a full cyber security manual.
e. Larger firms have stronger security in comparison to smaller firms.
f. Small business is the low hanging fruit.
g. Even small businesses are online- 94 percent have email, 75 percent have their own websites.
h. If you hire a new staff person, make sure that they are given knowledge of the policies and keep their knowledge up and running.
i. Human error is probably the most easily fixed issue when it comes to cyber security.
j. Social Media. Need to have training in place for social media- what can people post publically?
k. Flash drives- how are they controlled? Considering the large risk of losing them, putting sensitive information on them should be discouraged.
5. Cyber attack insurance.
a. Coverage Highlights for Cyber security protection:
i. No retroactive date.
ii. Coverage for data held in electronic or paper format.
iii. Coverage for breaches of personal information and any corporate confidential information.
iv. Coverage for breach of data held by a third party.
b. If you violate something you may trigger a regulatory fine or penalties, this should be covered in the insurance.
c. Business interruption insurance. While rectifying a cyber security issue, it is probably that your firm will be out of commission. The insurance should include making up loss of revenue due to these interruptions.
d. Notification of security breach, the insurance can include reimbursement for costs incurred to notify clients of the breach.
e. System damage. Some programs are so malicious as cause broad system damage to the point of being unrecoverable. Insurance should cover replacing the hardware lost due to these viruses.
f. Breaches by rogue employees can be included.
g. 24/7 privacy breach hotline staffed by privacy breach lawyers.
h. Things to avoid as policy provisos:
i. No encryption warranty in policy or exclusion. Practitioners do not want to be forced to encrypt every single communication.
ii. No failure to upgrade equipment provision.
i. Insurance companies right now are rewriting their policies to account for cyber attack insurance.
j. Premiums are often based on the size of your firm. When the presenters asked several insurance companies for quotes, the insurance companies did not attempt to ascertain the protections presenters had in place as part of their quotes.
k. Estimation based on quotes presenters received: cost for a 5 staff firm is $500/$1000 per year. This is for a million dollar coverage. For a large firm looking for 2-3 million in coverage, the amount jumped to $40-50,000 per year.
6. Cloud based computing.
a. Presenter about 5 years ago had damage that caused data on primary server to be lost. There was sufficient backups to restore all data, but it took 48 hours to reload all data and get back up and running. This was lost time. Cloud computing if used properly can help minimize this loss of productivity.
b. Security concerns:
i. You no longer have control of the server itself- the information is on offsite systems.
c. Iowa Bar Ethics Opinion 11-01 (2011)
i. Approved use of Software As a Service (SAAS, or the cloud) for storage of information.
ii. Must perform due diligence on the location where the data will be held.
iii. Most states have ethics opinions similar to Iowa's. Be sure to review your own state opinions.
d. Questions to ask:
i. How physically secure is my data and my clients data? Server is physically located somewhere.
ii. Vulnerability to weather related disasters?
iii. Physical security (Guards, alarms, cameras, power backup, etc.)
iv. What kind of encryption is provided?
1. What level of encryption is used when transmitting (financial industry standards)
2. What level of data encryption is used for stored data.
v. How often is the data backed up?
1. Does the frequency of the data backup meet your needs?
2. Is the data backed up on site or a remote location?
3. You risk malpractice exposure if lost data and the time to restore that data, if even possible, causes missed deadlines.
vi. What minimum standards must be met?
1. Data Security.
2. Availability (uptime).
4. Intrusion detection.
5. Virus protection.
6. Uninterruptible power supply.
7. Benefits vs. risks.
vii. Comment: Consider requesting literature from the SAAS provider that is being considered that covers the standards discussed above. If a copy of that literature is maintained in file, it may help show the due diligence performed before making the decision to move to SAAS, bolstering that the actions taken were reasonable.
7. Password Manager.
a. Use a password manager to keep track of passwords and other secure information. This will allow the practitioner to use longer and more varied passwords, avoiding the weak password issue discussed above. The following are examples of companies that can store passwords: