Legal Ethics and Cyber Security
In 2012, the American Bar Association implemented “technical amendments” to a number of the Model Rules of Professional Conduct in order to address the evolution of technology in legal practice and the obligation to secure client data. We will discuss the amendments, subsequent ABA Formal Opinions clarifying the Rules’ application in practice, and basic steps needed to comply with the Rules. We will cover measures to secure the confidential client data on your firm network, individual computers, and mobile devices.
Kara Wenzel - Hello, I'm Kara Wenzel. I'm a program attorney here at Quimbee. And today I'm gonna be talking with Scott Aurnou. Hi Scott.
Scott Aurnou - Hi there Kara, it's a pleasure.
Kara Wenzel - Thank you so much for joining us. Our topic today is legal ethics and cybersecurity, but before we get started, I just wanna give you all a little brief background on Scott. Scott is an attorney and a founder of The Security Advocate, which is a company that assists organizations in addressing information security and data privacy issues. This includes privacy and security awareness training, security consulting, compliance with cybersecurity and privacy laws and related legal concerns. Prior to that, Scott spent over a decade as a litigation attorney in the New York City area. He was lead counsel for the private client services group at Smith Barney. So he uses this unique background in legal, security and business to make complex information security concepts easy to understand, and even entertaining on occasion, which hopefully you will see. Scott has published security-related articles in national publications ranging from "New York Law Journal" to "IC Magazine." He has also created and delivered numerous presentations on information security and data privacy related issues for executives, managers, and professionals at a range of organizations including the New York State Bar Association and NIST, the National Institute of Standards and Technology. Scott is a Certified Information Systems Security Professional, and that's a bit of a mouthful. He is admitted to practice law in New York, the state, the US District Courts for the Eastern and Southern Districts of New York and the US Court of Appeals for the Second Circuit. Scott is the author of "Introduction to Information Security: LiveLessons video training series for Pearson Publishing." So thank you again Scott for joining us...
Scott Aurnou - Pleasure is mine.
Kara Wenzel - Having you and your time and your expertise. I was looking over the handout that you prepared. And frankly I think I was a little nervous to read it because there's a lot to know here, right? Wanna tell us a little bit about how the ABA has addressed kind of the evolution of the internet and what the security concerns, excuse me, have brought to light in the past couple decades I suppose.
Scott Aurnou - They'd had some stuff earlier relating to general sort of confidentiality of information, but they didn't really sort of tweak it for security until about 10 years ago. Starting in 2009, the ABA created what's called their Commission on Ethics 20/20. Among other things it reviewed the model rules, basically looking for the effect of technology upon the legal profession. And as a result of that, what they came up with were three amendments to rules, which were implemented in August of 2012. Actually they were changes to the comments to the rules, but sort of clarifying them specifically to deal with security.
Kara Wenzel - Well, it seems like often the comments have the most interesting insight rather than the text of the rule, right?
Scott Aurnou - Exactly.
Kara Wenzel - Yeah.
Scott Aurnou - The rules tend to be a little, I don't wanna say vague, but well, vague. And the comments say, okay, this is how you apply this, that type of thing.
Kara Wenzel - Why don't we start from the top? Tell us which model rules were changed and then we'll kind of go from there.
Scott Aurnou - Sounds good. Well, the three that had actual changes made were 1.1, which is basic attorney competence, 1.6, which is confidentiality of information and, 5.3, which is responsibilities regarding non-lawyer assistance.
Kara Wenzel - Okay. So competence model rule 1.1. What changed there?
Scott Aurnou - Well, in that case, again it was a comment. This was language added to comment eight, and I'll read you the comment and mention the new part. It's a whopping nine words. "To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice." New part. "Including the benefits and risks associated with relevant technology." End of new part. "Engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject." Literally that's the full change, just the nine words. But that seemed to make a bit of a sea change in terms of saying, oh, this applies to technology and you've gotta keep up with what the technology means in terms of storing and securing data.
And there was a report that accompanied the amendments which came out also in 2012, which, if you'll forgive me, I'll read from too, just to let you know what they were thinking. "The proposed amendment, which appears in a comment, does not impose any new obligations on lawyers. Rather, the amendment is intended to serve as a reminder to lawyers that they should remain aware of technology, including the benefits and risks associated with it, as part of a lawyer's general ethical duty to remain competent." Plain English. It's not a new duty they're putting in place. What they're doing is letting you know it was already there. And oh, by the way, don't forget about this. Now this is not an uncommon thing. There was, I think it was OFAC last year, released some guidance related to ransomware. It was the exact same thing. It sounded really scary. And they made sure to say, by the way, this was always there. I'm sure they were probably twisting their mustaches while no one was looking. So as of about the end of 2021, 39 states had adopted this update to the language. And keep in mind, since it's effectively a reminder, that doesn't mean that the duty changed. It just meant that they were adopting the fact that they reminded you, if that makes sense.
Kara Wenzel - Yeah, I mean, it's significant but it's not like they've really had to adopt it to still be obligated to follow, right?
Scott Aurnou - Well, it was helpful because you always wanna make sure it's spelled out for people. Certainly you would think if you're dealing with the modern world, yes, you do have to actually secure the systems that are holding client data and interacting with the greater world around us via the internet. But I think that there was some certain logic to making sure, oh, by the way, make sure that you actually do this 'cause that's important of course.
Kara Wenzel - Well I think the second rule that you mentioned was rule 1.6, confidentiality of information.
Scott Aurnou - Exactly.
Kara Wenzel - So what was changed there?
Scott Aurnou - Well, they made amendments to two different comments there, 18 and 19. Renumbered from 16 and 17 for those of you who are big model rules fans. Both of them relate to rule 1.6, paragraph C. And paragraph C, again, if you'll forgive me, I'll read it to you just so you've got the exact language. "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." So, basically comment 18 notes that paragraph C requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision. Protect stuff, keep an eye on the people who are working for you or with you who are also keeping an eye on stuff or using the data. Now there's a safe harbor provision relating to this which also pertains to paragraph C under comment 18. And that reads, again, if you'll forgive the repeated quotes. The stuff's detailed, and mind you, in the additional materials to this program, all of these things are printed out. So please don't feel like you have to write this down. You have it all. "The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not," that's a not, "constitute a violation of paragraph C if the lawyer has made reasonable efforts to prevent the access or disclosure." Now of course a natural question here is reasonableness. Great. We see that a lot in the law. What do you mean this time?
The comment lists four factors. They use the type of language, you know, including, but not limited to. So they emphasize the four of them, but there might be other factors. The ones that they look at are one, the sensitivity of the data, two, the likelihood of disclosure if additional safeguards are not employed to protect that data. Three is the cost and difficulty of employing the additional safeguards. For example you don't have to get a $10,000 firewall to protect an edness brownie recipe, unless those are some fine brownies and you built a business around them. And four is finally the extent to which additional safeguards adversely impact the lawyer's ability to represent the clients.
Basically think of it this way. If you've got a protection that you put in place and the system's great, it's locked down, but it's so tricky that your staff can't figure out how to use it or your clients can't access the system when they need to, that's not gonna work. You don't have to go that far. Also, again, with respect to the safe harbor provision, it expressly notes that that does not override or supersede any state or federal laws governing data privacy or post-data-breach reporting. Now of course comment 19 is slightly different. If you'll again forgive the quote, I wanna make sure you get this exactly. "When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients." And there again we have a safe harbor provision. This one states, "This duty, however, does not require that a lawyer use special security measures if the method of communication affords a," again, "reasonable expectation of privacy." Now in this case, for comment 19, there were two factors to determine reasonableness of the expectation of privacy. And those include, one, the sensitivity of the data, sounds familiar, and two, the extent to which the privacy of the communication is protected by law or a confidentiality agreement.
Also a client may give informed consent to a method otherwise not permitted. Just to be clear with that, while it says that, that's gonna be a hard one to deal with if you wind up getting pulled into court based on that and you're saying, well, no, they said it was fine for us to just, you know, publish it out in the open and not encrypt anything. Don't go that route. Always take reasonable steps to begin with. Assume that is your default. If you have a client who for some reason wants you to do something extremely insecurely, definitely get that in writing. You wanna make sure that's maybe even part of the retainer agreement right off the bat. But reasonable methods should always be your default. And the amended portion of comment 19 also specifically notes, again, the rules do not supersede federal or state laws that require additional steps relating to safeguarding data privacy. And this could mean something like HIPAA, the Gramm-Leach-Bliley Act, which was updated in 2021, or say the New York State Department of Financial Services Part 500, which again has a number of actual security requirements, and which in itself is based on something called the Cybersecurity Framework from NIST. Again, the National Institute of Standards and Technology. Sorry, I hope you're still awake through all this. Lots of fun-filled detail here.
Kara Wenzel - Well, it sounds like, just be aware of whatever the requirements of your own practice area, the statutes that you deal with, require as well.
Scott Aurnou - Yeah, there can be a lot of nasty surprises, and we're not even touching the actual, what are called security controls. You sort of control the risk. There's hundreds and hundreds of them that are possible. We'll talk about a few basic ones a little later, but not now.
Kara Wenzel - Okay. I trust you. I think the third rule that you mentioned was model rule 5.3 and that one is about non-lawyer assistance. So how does that matter?
Scott Aurnou - Well, that relates to a non-lawyer who's, you know, "employed or retained by or associated" with you. And under paragraph C, if that non-lawyer violates the rules at your direction, or with your knowledge and a lack of effort to mitigate, you can be liable for the violation. Now, the big thing here, again, we're talking about the comments, comment three. Comment three expressly references Cloud storage services among other things that are Cloud-based. And just as a quick aside, the Cloud sounds cool and different, the Cloud. Literally, all the Cloud means is a computer somewhere else. That's it. That's the whole concept. It's taken from old network drawings. They used to draw old network maps in, I think, the late '70s or so. It occurred to someone to go, hey, the Cloud. Because on those drawings, they'll draw your network where the various devices are. And there's always this little arrow off to the side saying "to internet." And for the longest time, network engineers would draw a little cloud over it. And that's where the term came from. So anyway, the Cloud is just a computer somewhere else. Sorry. I digress. So just to read them. Wait till we get into where a bug comes from, it's a moth.
Lemme just read the language from comment three again, sorry for the exact stuff, but it's just easier to know exactly what it is. "When using such services outside of the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer's professional obligations." And the extent of the obligations will depend upon the circumstances including, wait, there's four factors. One, the education, experience and reputation of the non-lawyer. Two, the nature of the services involved. Obviously a big difference between someone handling sensitive data and your lunch folks. Hopefully they're making good sandwiches. I digress. Three, the terms of any arrangements concerning the protection of client information. Basically the lawyer is responsible to communicate directions appropriate under the circumstances to give reasonable assurance that the non-lawyer's conduct is compatible with professional obligations. So basically if you just assume and don't tell them anything, things might go south. And then fourth, the legal and ethical environments of the jurisdictions in which these services will be performed, in particular with regard to confidentiality.
Couple things to unpack there. If you're talking about keeping an eye on this, obviously due diligence is a big thing. There is a specific thing called the Legal Cloud Computing Association standards. Actually I think I put a link to this for the other presentation I did for Cybersecurity 101. But they're pretty easy to find online. Literally you Google that, like Legal Cloud Computing Association standards. If you Google that, you'll come up with the standards right away. Are they the strictest standards seen in the industry? No, but they cover the basics. We'll talk about guidelines a little bit later, and those are certainly key. And they'll include that and more. But the basic standpoint, that's been mentioned. Also, when we talk about the legal and jurisdictional requirements, you're looking at local privacy laws, and that can have a huge difference. If you're dealing with a Cloud service provider based in Canada, you're gonna get a very different result than if you're dealing with one based in Russia. And that needs to be factored in if you're guarding client data. And it's like, yeah, we're sending it off to a place outside of Moscow. What could go wrong? Good luck with that.
Kara Wenzel - I'm guessing quite a lot.
Scott Aurnou - The scooch.
Kara Wenzel - I also, I'm guessing that there are additional rules that touch on cybersecurity, but perhaps were not edited or amended in the comments I have here.
Scott Aurnou - Probably the three I would point to would be rules 1.4, 5.1 and 5.2. They weren't changed, but they're still kind of in the ballpark. Now 1.4 is client-lawyer relationship and communication. And this requires appropriate communications with clients. I believe the quote there is about "the means by which the client's objectives are to be accomplished." Short and simple. Do not ignore your client. And 1.4 subsection B requires notice to a client of a compromise of the confidential information of the client. Wow, this English language is tricky. Basically what it comes down to is if something has happened, you have to notify your client. They have to be reasonably informed of something like this that might affect your representation of them, and a data breach certainly counts. And you have to also, under subparagraph three, keep the client reasonably informed about the status of the matter, which ties into it as well. Short and simple. Don't withhold breach information if that comes up. Model rule 5.1 relates to a supervisory lawyer's duties. And that's somewhat similar to 5.3 in that if a lawyer under your supervision or subject to your managerial authority violates the rules at your direction or with your knowledge and a lack of effort to mitigate, you can be liable for that. Now model rule 5.2 is sort of the flip side of that. That's for the subordinate lawyer. Basically, to cut to the chase, it means "I was just following orders" will not get you outta trouble if you're doing something wrong.
Kara Wenzel - That's too bad but, of course.
Scott Aurnou - Well, our partner said, sorry, digress.
Kara Wenzel - So could you explain a little bit more. What are the duties or responsibilities or how would you explain what you have to do because of the changes that were made.
Scott Aurnou - Not to overly simplify but, well, let's simplify a little bit. Lawyers and law firms are obligated under the rules to stay up to date with technology and take steps to provide or protect client data. It's funny, I don't wanna say, well, they're now. It's like, you were actually always really obligated to do this, but just now they've spelled it out a little bit. And of course the tricky part there is that the applicable reasonableness standard, combined with the nature of technological innovation, means that the proverbial goalposts will always be moving, both in terms of new defensive technologies and new attacks that will come up. I mean, there are attacks now that you think of as commonplace which are actually pretty new. Ransomware, for example, which you've probably heard of, is a nasty one. It's using a defensive technology, encryption, which scrambles the data so it can't be read. It uses that as a weapon. So the attacker will basically encrypt your own data from you and then charge you money to get it back. And that was not a big deal for organizations prior to about 2017. It had been around for a while attacking individual computers, but then attackers, you know, the light bulb goes off and they're going, hey, wait a second. Instead of charging that guy 300 bucks, we can hit that organization and charge them 3 million. Hey, which is exactly what happens now. Large organizations get hit with ransomware and frequently the demands are in the seven, eight figure range. So it's pretty big and profitable. Sorry, I digress.
Kara Wenzel - No, that's good to know.
Scott Aurnou - It's all happening for me.
Kara Wenzel - Yeah. We should all sign up for one of your training courses to learn more, right?
Scott Aurnou - Always happy to help.
Kara Wenzel - So we know that if you violate one of the model rules that could leave you susceptible to, you know, some sort of attorney discipline leading up to even disbarment depending on how egregious it might be, but what other potential legal consequences might arise from violating one of these rules?
Scott Aurnou - It's an excellent plan Kara. It's funny, you know, in terms of actually looking at this as like, well, is a grievance committee really gonna come after me for this? I can tell you honestly I don't know for sure that they would. However, where this could be used very, very successfully against an attorney would be as something underlying a different type of claim. The two I would look at would be breach of contract or legal malpractice. And with breach of contract, it's increasingly common for clients to require particular security measures in their agreements with law firms. This is especially true in regulated industries such as healthcare and finance. Now with that will come something like questionnaires, which you'll get from clients. I would imagine if you're in private practice, you've probably seen these. And you may, even if you're just in-house as well, and in fact, it'll literally be dozens or sometimes even hundreds of questions asking about specific aspects of network security for your firm or organizational network. And this can actually eat up a lot of time trying to respond to these. It's one of the fun parts of third-party risk management, dealing with these questionnaires. It's tempting to just write yes to everything. Yeah, we got it all. We got it all. We got it all. And then later if something comes up, but it turns out your yes really should have been a not really, that could be a big problem because if you're found in breach, of course, life gets interesting. Risk assessments are basically breakdowns where in effect either all or part of your network is looked at in terms of where's the risk.
You first have to understand what are you looking at? What are you trying to protect? So get sort of a base inventory and then look at what are the possible things that could go wrong here, what we call vulnerabilities, and then what are the potential threats which could take advantage of those vulnerabilities? An example I always give is something like, let's say you have an open window in a building, and that's the vulnerability, and the threat would be something like a cat burglar. And then you're looking at likelihood after that, which would be where's the window. Is it on the first floor or is it on the 41st floor? That's a big difference. And then beyond that you're looking at the potential impact. If this thing goes wrong, what could happen? And then beyond that, on the other end of it, you have security audits, where a lot of times your client will ask for a third party to literally audit you and look at your, what are called your controls, like we mentioned. And what's in place, what's actually protecting the data. And those can be great opportunities in terms of seeing what you need to fix. But of course, if it's done for a client, that can also reflect pretty poorly upon the firm and could even cost your business.
I should mention the risk assessments are both an internal thing and an external thing that can be performed by a third party. It's just a matter of looking at a given situation or a class of information and seeing what the risk related to it is. Now with respect to legal malpractice, in effect that's an attorney's failure to use a minimum adequate level of skill, care or diligence while representing a client, causing harm to the client. In effect, it's a negligence claim. Now the elements of legal malpractice sounding in tort are, one, an attorney-client relationship, two, a deviation from good and accepted professional practices. And mind you, that's where this comes in. The good and accepted professional practice you could point to, well, you know, the attorney competence under rule 1.1, and then tie it into one of these security frameworks, which we will mention shortly, I promise. It'd be something like the NIST Cybersecurity Framework, something like that. Pointing out that if you don't meet this, which is laid out as a simple thing, then your conduct is not, you know, in keeping with what it should have been. And then of course, the third element is, but for the deviation there would've been a better or different result. And then finally, actual damages to the client. And typically legal malpractice lawsuits have a three-year statute of limitations, if that's helpful.
Kara Wenzel - Definitely helpful to know. Can you explain to us in a little bit more of a practical way how the updated model rules would be applied to cybersecurity?
Scott Aurnou - Absolutely. I guess in a practical sense, what do you do to secure client and firm data? Those of you watching at home, this is a good time to pause, get some popcorn. Okay. So we'll talk about some basic security controls. Usually, overriding, you'll have something known as a security program. That's sort of the overarching thing that keeps you all on the same page 'cause in security, that's actually a hugely important thing, to make sure that what you're doing is consistent and in effect trackable, recordable, et cetera, because God forbid something goes wrong and you don't know what it was or where it was because everything in your system is running in an ad hoc fashion. So yeah, I think something happened out of the Toronto office maybe. You know, and that's really problematic because if they can't figure out what it is, they can't really nail it down. Now a security program will cover a lot of different things. There are different types of, again, the controls.
Controls are generally broken into three categories. There's physical, technical and administrative. Physical controls are things like gates, locks, cameras, security guards. Technical controls are some things you may or may not have heard of: firewalls, intrusion detection systems, antivirus systems, encryption, things like that. And finally, administrative controls. Actually lawyers tend to overlap with this quite a bit. This could be something like policies, written procedures, cyber liability insurance, contract terminology which sort of spells out what needs to be done. And you tie all of these together, and basically within a security program you have what's controlling everything. How are people supposed to act? Who's supposed to do what? And in fact, what is the scope of what this covers? What are you responsible for? That's important to know because security does impact everybody. One of the worst things you can do is to decide, well, we've got an IT department. They've got it. 'Cause attackers don't tend to target the IT department very often. They're usually going after you. The main way to get into most systems is to attack the people using it and then use them as a beachhead and get into the system, move quietly around and do bad things. Unfortunately, unlike TV, attacks don't tend to make a lot of noise when they come in the door. It's not like an alarm goes off or anything. It's mostly business as usual. This is why when you see, there's a report from the ABA, I think from last year for 2021, they were looking at, I believe, how many law firms were aware of a breach? It was only about 25%. I'm happy I wasn't drinking anything 'cause I'm sure I would've spit it out all over my screen, like, as if. Yeah, no, no, no, no. It's way, way higher than that. It's a combination of, in many cases, people simply don't know that their network has been compromised. They don't realize bad guys are floating around in there, or the other end of it, which I've seen and don't particularly like, which is where they know, but they figure they can kind of keep it hush-hush. I mention it because if their clients find out it might be bad. And that's never good. I mean, I digress. I'll go off on a tangent here for like 10 minutes, I promise. Anyway, moving along.
So we mentioned, as part of say a risk assessment, you wanna do basically an inventory. So assets and data being inventoried, it sounds like, really? Yes, absolutely. So you wanna know what data you're protecting. You wanna know what is connected to your network. It's called network enumeration. Okay. What phones are being used? What software are they using? What's on there? What's on each phone? Who's got access to it? You know, while this sounds like really exciting stuff, those are your openings. That's what creates what's called an attack surface for an attacker. And you always wanna reduce that. The analogy I like is a snowball fight. Can you tell what part of the country I grew up in? So basically if you're in a snowball fight and you're squared up, guess what's gonna happen? You're gonna get clocked. If on the other hand you have the good sense to, you know, hide behind a tree or something, you're presenting a much lower attack surface. You're less likely to get pelted with a snowball. It's a little bit like that when you're talking about a network.
When you've got things that are potentially exposed, you wanna lock them down. There's a term called system hardening, big fan over here. Basically anything that could potentially be used for an attack but you're not using it, shut it down. So that means old applications. It could mean something as simple as, oh yeah, like last year, right? The IT guys came into my system to actually like update stuff. There might still be a connection there. And even though IT is not using it and you're not using it, an attacker can use it and will get into your system that way. Older versions of software should be gotten rid of. And for that matter, one thing that's also important here is keeping that software up to date. Reason being that the vast majority of attacks will attack things that have actually already been fixed. 'Cause what happens is when something is fixed through software being updated, what'll happen is often they'll put out a little more detailing what they did. Which is, you know, the classic manna from heaven for an attacker 'cause they're going, ha ha ha. Okay.
Here's what's fixed. That's basically identifying places for them to attack, because a lot of systems don't do the update in a timely fashion. So attackers will look and go after it. There are rare occasions where something called a zero day is used, and those are things that have not been updated yet, but they're hard to find and expensive to buy and use. So most attackers won't go anywhere near those. They'll just use older stuff. So if your system is up to date, that's one of the first steps right there that makes it much, much easier to defend. And for that matter, on a related note, software after a certain point stops being updated. It's called going out of support. And you never wanna have unsupported software on your system. For example, if you're running a computer right now and when you boot up it says Windows XP, yeah, you don't want that. That hasn't been supported in years. That's not the only one, Windows 7 too. There are a bunch of other ones which are common but no longer get security updates, and that's really, really dangerous because that means if a new problem is found, it's never gonna get fixed and your system will forever be open to attack through that. Now we mentioned a little bit about policies earlier. Those are key. Because again, they sort of give you the lanes of the racetrack you're going down. They keep you focused.
And there they come down three basic things. You wanna have an understanding of what are you looking to do? What's its purpose? Then what's its scope. Okay. We wanna secure this type of system. Okay. What type of systems are those scope? And then who's responsible for what under each policy. And on a related note, I mentioned written procedures earlier. Procedures are step by step guides that things are done in a consistently secure fashion. Think for example if someone's coming on brand new to your firm. You're gonna have sort of an initial procedure to start accounts for them and make sure that they're securely put on the system, set up passwords, et cetera. By the same token and when someone leaves, you wanna have a system to deprecate their credentials. In English, get rid of all the stuff they had for sign-ons and the access they had to the network. Because if somebody leaves and they still have access, that's part of your attack surface. Once again, you don't want that. Now in particular, oh, one of the things to mention 'cause like I say, there's lots of control services for sort of touching them. One of the other basic ones, defaults. That's part of system hardening. You may have noticed when you get most pieces of software, they're pretty much work out of the box. And the reason for that is they're all set up with default settings that work.
So if you have something out of the box like, you know, be it a router or something like that or a firewall or whatever else, it might work out of the box because it has those defaults set up. One little problem, those defaults are really, really easy to look up. There's actually a website literally called routerpasswords.com where, I'm not kidding, you can look up basic router settings. Now you might be saying, that's insane. The point is you can change those settings pretty easily. What this is for theoretically is in case, God forbid, you lose something and you're resetting it, it gives you a place to start from. But if you don't change those default settings, that's wide open for attack from bad people. So always make sure you're getting rid of any default settings you have, 'cause again, wide open. So in terms of getting on a system, one of the key things to look at is something called access control. Now access control relates to someone trying to get in and, to the extent they can, what they can use. It comes down to four basic concepts: identification, authentication, authorization and accountability or auditing. The identification would be, okay, you're logging in, what is your username? So let's say your username is like KaraW. That's your username. Then you need a password. That's your authentication. So you're authenticating that it's really you. And then the authorization is once you're in the system, what are you allowed to use? And then, like I say, auditing or accountability is basically making sure that that's tracked within the system. So that later if there is an issue, your security folks actually have something to go back and look at and say, okay, what happened here? These are each key.
A related concept, especially as it goes to authorization, is something called the principle of least privilege. This is an important thing in security. The idea with that principle is that you should only be able to access what you need to use and no more. I guess you could think of it as something related like the need-to-know idea. 'Cause at the end of the day, if somebody has more access within a network, if an attacker gets control of that account, they have that same access. So the more it's limited, the safer it is. And of course if someone within your network actually does need more, it's pretty easy to just say, okay, talk to your IT department or your, you know, network administrator and ask for, okay, I temporarily need access to this area of the network. They can give that. And then of course, when they're done, they should also rescind it so that you don't just have it up. Now in terms of the network itself, there are some basic security tools you wanna have up and running. I mean, you've probably heard of antivirus software. On a related note, there's anti-spyware software. That's for when people literally break in and are literally reading what you're writing. And that's never good obviously. You've probably heard of a firewall. A firewall is dealing with network traffic that's moving around. Basically traffic moves from place to place. It's broken up into little pieces called data packets. It's sent to the other side of wherever you're sending it and reassembled in order.
Think of it like a Star Trek transporter. You're breaking it down, sending it over in little pieces, it goes through the internet in various parts, arrives at its destination, reassembles. Now a firewall will be something that it would go through or theoretically be filtered through. There are different types of firewalls, but effectively what they're doing is they're analyzing these pieces or packets of data to see if there's anything in there. Now, one thing that's related to it is something called an IDS or IPS system. That stands for intrusion detection system or intrusion prevention system. They are somewhat similar concepts. Detection is sort of more like a red stop light camera where it lets your security team know something's out of the ordinary here, and an intrusion prevention system is more like a DWI checkpoint where they try and put a stop to it. They come, again, on different levels. There are some basic ones and some much more complicated ones which are much more involved and expensive. Obviously assuming your firm uses email and you're in the 20th century or 21st century as opposed to the 19th century, you want spam filters. Luckily the vast majority of email providers do include those. So that shouldn't be too hard to get a hold of.
Now, one thing to also realize, and it makes good sense if you're listening to this going, wow, my firm is nowhere near big enough to afford all this. Totally get it. A lot of vendors offer what are called security suites which will combine a number of these controls together. So you won't just get, say, just antivirus. You get antivirus, anti-spyware, you'll get what's called a software-based firewall as opposed to like a physical thing put in your system. And you also get like the IDS/IPS controls, like extra things will be there. And one place to look for a lot of reviews that, I guess, make a lot of sense in plain English might be PCMag, which actually has good reviews for a lot of security software, but I digress. So one other thing we mentioned in passing, encryption. Encryption is basically using an algorithm, which is effectively just a set of steps to alter, change or analyze data, to take data and turn it into what looks like gibberish. And the idea behind that is so if someone who's unauthorized gets ahold of it, they can't actually read it. And that's useful. There are different ways to do it. First off you're looking at two different places for it. One, is it in storage, which is referred to as at rest. The other one, is it in transit from place to place? Like if you're sending me an email or vice versa, you want that encrypted. Especially if I'm a client or something, because if it gets intercepted on the way and it's not encrypted, then you have a real problem there because what'll happen is they get it, they can read it. As opposed to they get it and it's gibberish and then it's not stolen.
One thing to realize about this is that data that's been compromised, stolen, data breached, whatever you wanna call it, if it's encrypted, under the vast majority of laws it's considered secured data. So a reportable data breach is generally unsecured data. So if an attacker breaks into your system and steals something and the data they steal is encrypted, it's generally not viewed as a data breach legally. Just a consideration. And also in terms of encryption, the basic types are full disk encryption and file-based encryption.
Now we won't go into the details of every specific type because A, it would take a while and B, I guarantee you'd be snoring by the end of it. File-based encryption is kind of what it sounds like. If you've got an individual file, it looks kind of like, I think I should make sure this is locked down. You can literally set a little password for just that file and encrypt it. Not hard to do. Full disk encryption is something that most systems have by nature. The two different systems you typically see for Windows and for Apple are, I believe it's FileVault 2 and BitLocker. And those you literally just turn on. What it does is it encrypts the entire drive. Why would you wanna do this? Well, theft. Your phones generally tend to be encrypted. Modern phones tend to be encrypted by default, but if let's say you have a laptop, you lose it in an airport or train or wherever it is, it gets stolen and compromised. If the full drive is encrypted, as soon as that machine is turned off, it's encrypted. So as long as the machine wasn't, say, asleep, sitting in your bag, that's not considered a data breach legally speaking, plus just generally, it's more protective. So that's always a good thing.
One other thing to look at is third-party risk management. We touched a little bit upon the idea of vendor due diligence. There is a bit more to it than that, but effectively what it comes down to is you need to know what sort of access your vendor has to both your firm and your client data, understand where it is, understand how it's protected, to what extent do they have access to your own network? And of course once your relationship with them is terminated, have you spelled out specifically how that data will be disposed of and hopefully permanently off their systems. And keep in mind the poster child for a third-party attack is probably Target, which got hit some years ago through an HVAC vendor, which had way too much access to its network and shouldn't have, but they were connected and it wasn't locked down properly. So the attacker came in through the, basically through the side, if you will. So think of it as like an open window on the side of an otherwise very secure building. A couple of other things to look at are backups. This is important because things can and will go wrong. Sometimes it's something as simple as, oops, there was a mistake. Sometimes it could be a hurricane blasting through town. Quite literally it could be an attack. And the idea with the backups is you can restore from them. Now it's important to make sure that your backups are not always connected to your network because certain types of attacks like the ransomware we mentioned often tend to go out of their way to target backups and encrypt them too so that you can't read them. Now, backups should have a few different aspects.
They should be what we call multi-tiered. Meaning you have different types of backups in different places. For a lot of places, it'll literally be just an external disk. You can also do it cloud based. There are a lot of different ways you can do it. There are specific setups that'll specifically back it up. It's also important to have it offsite. Reason for that, let's say the incident in question rather than an attack is a fire. And your backups are about a foot away from your computer and everything burns. Well, that's not a lot of help. So you wanna make sure you've got a few different aspects to them. And one last thing about backups, test them, because backup technology is usually pretty good, a few different types do. However, if something has gone wrong and you haven't tested them, you're gonna find out exactly when you need it to work that it doesn't. So, another thing to look at is cyber liability insurance. Generally the CGL policies, commercial general liability policies, since about 2014 have expressly not covered anything due to security incidents and data breaches, et cetera. So you wanna make sure you've got separate and distinct cyber liability insurance. However, there is no sort of distinct singular template for this stuff.
So you really have to keep an eye on it. It's a good idea to go over it with people in your organization who are technically adept so that you can discuss it with them. Because sometimes there'll be things in there where it looks and sounds reasonable, but once you sign it, you're immediately in breach because you're being asked to do something that your system won't support properly. An example of this might be something as simple as maybe there's a requirement in there to do something called a pen test quarterly. A pen test requires basically an outside attacker who you hire to attack your system, break in and then tell you how they did it so you can fix what the problem was. You really don't get those quarterly typically. But let's say you agreed to it. And then what'll happen is you have an incident, they'll come in and say, gosh, we're sorry to hear that but, hey, can we see your last couple of pen test reports? And of course they're not from under three months ago so, gosh, we're sure sorry, but we have to deny coverage. And of course being on the receiving end of that kind of stinks. One other thing to keep an eye on is often what they will do is they'll have a bit of backwards-looking coverage because, like I say, sometimes attackers get in the system and don't make any noise. So you can have someone who's sitting in your system for quite a while and you won't know. So if you have cyber liability insurance that goes back six months, that might not cover it. 'Cause if they cover six months and you've got someone who's been in there for 19 months, again, gosh, we're sure sorry, but they won't cover it. I would recommend if you're signing onto a policy, minimum 18 months, realistically at least two years. And one last thing to talk about here. Well, who am I kidding? A couple more.
Incident response. One thing you've probably heard of is something called an incident response plan. If you haven't, you need to look it up and get on that. There are resources available both through the ABA and other free resources. I can give you those if needed. In effect, what that is is once an incident has happened, you need to have a game plan mapped out for how to respond to it. Because if you don't, things are gonna go south in a really bad way, because while you're busy trying to figure out, you know, who am I choosing for your team? The other team already has the ball and they're heading towards the goal. And you're still on the sidelines going, Susie, you wanna play net? Fred, you look like a good halfback. You know, you don't wanna be in that position. And obviously when an attack happens there tends to be quite a bit of panic in the first place. So, with an incident response plan, it's a step by step what to do. It's who's in charge of what. You'll generally have people from different areas of your organization being part of it. That would be obviously legal. Obviously your technical folks, marketing, HR, you name it, communications certainly, because if there's a large enough crisis that it gets out in the news, you have to be able to communicate about it in a fashion that doesn't make your organization look ludicrous. Please see Experian from a couple of years ago, but I digress. And there are parts to that. The incident response plan itself is seen as sort of a, not the main thing there. The main thing there is something called the business continuity plan. The idea there is after whatever it is that hits, be it something minor or something major, that you have a plan to restore full functioning to your business. That's business continuity. In a smaller sense, there's something called a disaster recovery plan.
That's for dealing with getting your technical assets back up and running in a rapid enough fashion so that you're still moving while fully restoring to the extent the business continuity plan lays out. And then, like I say, the incident response plan, which is loaded, sort of lays out the step by step and who's supposed to do what, and all very valuable things.
Finally, you also wanna make sure that you have security awareness training. This is important just in terms of making sure that people understand what it is that the threats are, what they're looking at, how they might come up, and also make sure that folks understand, oh yeah, so if I click on this, the entire network might go down. Okay. That's good to know. Sometimes related to this, you might get phishing testing. One thing I would just recommend in passing here, make sure your senior folks do it too, because attackers often deliberately target people who are more senior in an organization because at the end of the day, senior folks tend to have more access to things. And maybe aren't giving a lot of thought to security. Not every single person, but that tends to be a way attackers tend to approach it. Now I mentioned the idea of security frameworks and standards earlier. Basically these lay out sort of, here are the controls in different areas. 'Cause I mentioned, like I said, there are hundreds of these things.
This is sort of like a summary of a summary we're going through now. One of the main ones is something called the ISO 27000 series. Smaller organizations are not gonna really deal with this unless you're interacting with a very large organization. It has different levels of security. Again, hundreds of different security controls. And there is actually certification involved with that. The ISO 27000 cert, which again, you might see with a larger organization because it is so detailed and so tech heavy. But just, you should be aware of it. For a more, I guess, I dunno if I wanna say reasonable, not quite as involved standard framework, the NIST Cybersecurity Framework. It's currently on version 1.1. It lays out, well, what to do and how to do it in a safe fashion in English. You can actually read this. And it's not super long either. It's not hundreds and hundreds of pages. Definitely worth reading. It's available for free. And while it's basically viewed as a voluntary standard specifically for infrastructure organizations, any organization can use it and it is functional and very, very helpful. One other thing to look at is what's called the CIS Critical Security Controls. That's the Center for Internet Security. I believe they're on version eight now. They're great. Again, there's like a hundred, some odd controls. They spell them out in English, what it does, why it helps, and they have different levels, sort of like, okay, here, you're relatively secure. There you're a little more secure, a little more. There you're very secure. That type of thing. So it lets you know what you need to do.
Now I know this sounds like an awful lot so far, but honestly it's the basics.
Kara Wenzel - Okay. That's not scary at all. Thank you for being so comprehensive. I'm curious though. Has the ABA spoken more about cybersecurity? Have they provided additional guidance on these topics?
Scott Aurnou - They actually have. There are a few formal opinions that have come out since the updating of the model rules. The first one was 477. The actual formal one is 477R. I guess they revised it slightly a few days later. And that's securing communication of protected client information. That came out in May of 2017. There's also guidance 483 which is lawyer's obligation after an electronic data breach or cyber attack that came out in October of 2018. And then more recently, just under a year ago was 498, virtual practice which came out in March of 2021.
Kara Wenzel - So starting with 477, you said that was securing communication of protected client information.
Scott Aurnou - Little mouthful.
Kara Wenzel - Does that happen to clarify the duties arising under rule 1.6 C?
Scott Aurnou - It does. It's funny. That one came out from the ABA Standing Committee on Ethics and Professional Responsibility, and it updates a formal opinion which dates back to 1999, which of course was before you really had heavy usage of the cloud or tablets or smartphones or a lot of the things we think of as normal now. So they updated the rule. Basically it offers guidance on what constitutes "reasonable efforts" under 1.6 and comment 18. It also adopts language straight out of a book I actually have, "The ABA Cybersecurity Handbook," giving sort of a reasonable standards standard, if you will. I'll quote from this if you'll forgive me. "Reject requirements for specific security measures such as firewalls, passwords and the like and instead adopt a fact-specific approach to business security obligation that requires a process to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented and ensure that they're continually updated in response to new developments." Again, that's "The ABA Cybersecurity Handbook." Came out in 2013 if you're curious. Now what it breaks down is it gives you seven factors to consider when you're determining an appropriate electronic communications method or technology to use regarding client matters. I'll go through and I'll just give you a little detail on each one.
First is to understand the nature of the threat. So what's the sensitivity of a specific client's data? What's the underlying matter at issue? How might that increase the risk? For example, if your client is a celebrity. Yeah, people might be trying to get that for gossip magazines. As ridiculous as it sounds, think about the cases that came out, I guess it was a year or so ago, against, I think it was The Sun and the Mirror in the UK, 'cause those gossip papers were literally breaking into people's computers. And in many cases what they'll target will be the attorney's computer because they figure out, oh, they're not as secure. And then also what if you've got something like particularly high-value non-public information like a patent that hasn't been fully done yet? Something like an upcoming merger that's going to be enormous once the news breaks. They can get into it first. There's obviously a lot of motivation for that.
Two, understand how client confidential information is transmitted and where it is stored. So you wanna factor in the technology a given lawyer is using to communicate with his or her client electronically as well as where's that data stored, how is it being accessed? So in effect if you've got it in a place where it's easy to get to, yeah, that's gonna be a problem. If you've got it properly locked down, that's a lot better and that's always going to be a bit safer.
Three, you wanna understand and use reasonable electronic security measures. And there you wanna use secure tools to communicate, store and protect client data. For example, secure network design. Like when we were talking about the various things before, I don't even think I touched upon that one. That's something like what we call network segmentation, plain English: breaking the network into pieces. So if something bad happens, it stays in a network segment. Think of it like a watertight compartment on a ship. So if something punctures the hull, the only thing that floods is that compartment or the compartments right next to the hole, as opposed to the entire ship flooding, rolling over and sinking, which we've got on film if you're curious.
You also wanna have, like I say, up to date software, you wanna have encryption, and also procedures to make sure that data is handled in a secure fashion. Now one thing we didn't touch upon before is passwords. You wanna make sure that passwords are "complex." Meaning they're not super simple. You don't want your password to be password or welcome123. You want a longer password because length makes a password much more difficult to guess. For example, an eight-character password versus a 12-character password. The 12-character password has 81 million times as many combinations possible. So, that's hugely different because often what's trying to guess these things is a computer system trying to break through, and they'll make, you know, thousands of guesses a second. Meantime, the more possible guesses there are, the much slower that system will work. And you also wanna have things that mix it up. You can use what's called a passphrase. Something like IlikehikingonSundays33. Okay. Very exciting. Means something to you, but it's nice and long. So that way it's very, very hard for a system to just guess. One other thing you wanna look at is something called multifactor authentication. That's related to passwords. You've probably seen this to some extent where like they'll send you a little code after you sign in. The idea is that instead of the one, quote, factor, what you know, a password, it's what you are, say your fingerprint, or what you have, something like this little security token. And that extra step is good because then an attacker doesn't get away with just the one. They have to have the second too, or somehow get knowledge of or access to the second. But I digress. So four, determine how electronic communications about client matters should be protected. So in fact 477 and 477R advocate discussing appropriate measures to secure communications with your clients directly. I'm up and down on that one.
We'll talk about that one in a second, just because if you're doing it on a case by case basis, that's just wildly unrealistic.
Next you wanna label client confidential information. Basically you wanna actually mark things that are privileged and confidential as such. Obviously that's not gonna deter an electronic attack. I think that's sort of a covering-your-behind kind of move for later. So, well look, we mentioned it. That's nice. Six, you wanna train lawyers and non-lawyer assistants in technology and information security, sort of the security awareness we mentioned before. The more they know, the better steps they'll take, the more likely they are to protect data. And finally, seven, conduct due diligence on vendors providing communications technology. We discussed that a little bit before. The more you know about what they're doing and how they're doing it, the more likely they are to be limited in what they're doing and handle the data in a protected fashion. Now, the ABA seems to be advocating a case-by-case approach to secure communication as I understand it. Just to be blunt, I don't agree with that just because that's unrealistic. You can't go client by client. It's not gonna work. What you wanna do realistically, if you're in a real law firm in the real world, is look at what your clients actually need. Preferably the ones that need more secure technology, and level up to that and make that your standard. There might be an individual somewhere in there who needs something more. And yes, on that case-by-case basis, you can discuss it with them, but generally the most secure practices that you could manage to do in a fashion that keeps your firm, you know, affordable, working and getting its job done. That's where you should go.
Now, for example, one thing that's related to that, let's say, I mentioned encryption. Encrypted email and messaging apps are really easy to find nowadays and they're pretty easy to use. So as a default, yes, you wanna use those. And basically, as a result, then you won't have to worry about explaining later, yeah, I guess we should have, oops. You don't wanna be in that position. And the thing is most enterprise security packages now will include an option for encrypted email as part of it. If you're not using one of those, a private service that's freely available and encrypted is something called Proton Mail. Really easy to use. For secure messaging apps, I would go with probably Signal, which is the best one I would say. There's another one called Threema, based out of Switzerland. The laws there are good for keeping things secure. Other ones, consumer apps like Viber or WhatsApp. They will point out that they feature what's called end-to-end encryption. That's where, let's say Kara and I are emailing each other. When Kara hits send, it encrypts. And then it doesn't decrypt until I open it up to read it. So that's end-to-end encryption. While that sounds good, again, they're consumer apps, they're just not as secure. I wouldn't recommend doing any client data with that. One other one that's become popular in recent times is Telegram. But it's mostly become popular for First Amendment issues. Using that as a secure way to communicate with a client is really risky. So I'd definitely steer clear of that.
Kara Wenzel - Okay, good to know.
Scott Aurnou - I'm all good news. It's what I do.
Kara Wenzel - Yeah. You continue to scare me Scott, but thank you.
Scott Aurnou - To have a drink before these programs. That's what it is.
Kara Wenzel - So you had mentioned ABA formal opinion 483. And I believe that one was related to incident response. Can you tell us about that and what...
Scott Aurnou - Yeah, that's lawyer's obligations after an electronic data breach or attack. Again, it came out in late 2018. And that concerns, for one thing, lawyers' obligations to notify clients of data breaches involving confidential data. That's what we talked about before with rule 1.4. You can't leave your clients in the dark. If something's happened, you need to tell them. And then effectively beyond that, it advises attorneys to pretty much follow what would be best practices used in other industries for incident response. You wanna have an incident response plan prepared ahead of time. I feel like we just talked about this. You also wanna make sure you've got, and actually use, secure internal policies and procedures. Again, this is just making sure that what's being done day to day is done in a fashion that is consistent and secure. 'Cause that's the underlying day-to-day with the people who are using a network. That's what keeps it safe.
You wanna use network monitoring and detection tools, kind of what we talked about earlier. Firewalls, intrusion detection systems, et cetera. And you wanna train and manage lawyers and non-lawyer staff on the secure use of technology. Again, this ties into the security awareness training we mentioned. And these things do actually overlap quite a bit. It's just, it goes into more and more detail the deeper you go. And then obviously if and when, well, realistically when a security incident occurs, the affected firm should immediately take steps to contain the incident, mitigate potential damages because when you do that, additional things don't happen. Because if you ignore it for a while, sometimes that thing just keeps moving through your systems. It's rolling around breaking stuff. And you wanna stop that as quickly as you can. And then obviously you wanna investigate the matter in a timely fashion.
Kara Wenzel - Okay. That seems fairly straightforward.
Scott Aurnou - Yeah. I figured I've been mean enough. I'll try and cut to the chase a little.
Kara Wenzel - So the third ABA opinion, formal opinion, that you noted was 498. Can you tell us a little bit more about what that one covers?
Scott Aurnou - Yeah. Oddly timely one. That one came out in March of 2021. And it's about virtual practice. Essentially it's noting that practicing virtually doesn't diminish your obligations under the model rules. So the confidentiality of client communications under rule 1.6, that's still there. It also relates to the supervision of subordinate lawyers and non-lawyers, 5.1, 5.3. And it mentions specific measures to keep systems secure. And again, it's stuff that's gonna sound familiar. Keeping software up to date, using strong passwords, anti-malware and anti-spyware tools. It does actually mention VPNs in passing, which I'm always kinda like, hmm. A VPN is basically what's called a virtual private network. It's sort of like an encrypted tube through the internet. Let's say you and I are standing on opposite ends of a lake and the lake water is polluted. You have potable water. I'm really thirsty. You're nice. You wanna get me some water so I don't die on the other end of the lake. So how do you get this not polluted water to me through this polluted lake and get it out the other side? Well, if you have a pipe there, which keeps out all the dirty water in this polluted lake, you can actually send the potable water to the other side. So I dunno if that's a helpful analogy, but the idea is you can get it from place to place without pollution from, say, a dicey neighborhood. Like your internet, which is a dicey neighborhood. But in effect that's what a VPN is.
Modern computer systems though, if you're dealing with websites that are secure, normally what you'll see is if you're looking at the top bar on your screen, there'll be like an address name. Something like quimbee.com. You'll see on the upper left of that address bar, there'll be a little padlock. That padlock indicates that the site is encrypted. And at this point, due to recent efforts by the Electronic Frontier Foundation, Google, Let's Encrypt and others, 80% of net traffic is encrypted now, which is great because that's much safer. So what a VPN does on top of that is it encrypts a little bit on the ends of it where you're sort of indicating what exact site you're going to, but the data in the middle now is already encrypted in many cases. And that's good. A VPN helps. It doesn't hurt by any means, but at this point it's not quite the security cure-all it tends to be painted as. I think a lot of people use them so that if you're in one country that doesn't have access to, say, sports in that country, you can use a VPN so you can appear to be somewhere else. And thus you can watch the game. That kind of thing. I digress, sorry. Long answer. So also obviously what you're gonna wanna look at with a virtual practice are things like virtual meetings and video conferencing. Not that we would have any idea what that's like, not us. No. You wanna actually review the terms of service with the service you're dealing with to make sure they're in compliance with the rules. And specifically, are there secure options available, because you can have an encrypted video conference. And also you wanna have something where someone can't just log in. This was a big problem with something called Zoom bombing, which most people became aware of pretty early on in the pandemic. And again, there are ways to shut this down.
You just wanna make sure those are in place. For that matter, if you're in a place where you're broadcasting like this, like let's say you and I are sitting in this room, let's say we're having an attorney-client conversation right now. And someone is behind either you or me who's not a party to that conversation and they listen in, that could jeopardize attorney-client privilege. You always wanna make sure that when you're having that conversation, it's direct and limited. Like you're not having an attorney-client conversation in a crowded train station or something like that. That might not work so well. And also, on a related note, you wanna probably disable listening-enabled devices. These are like smart speakers, virtual assistants, et cetera. You know, if you're saying like, you know, hello Google or something like that. It's like, well, since we're recording this, you know, then it becomes, well, what does that do to client privilege? And just a consideration, you know, it's like those little things which can have a big effect. And also with respect to supervision of subordinate attorneys and non-lawyers, you wanna make sure that the policies around that are actually helpful.
In particular, something called BYOD, which is bring your own device. Even if you don't know the name, it's probably something you deal with a lot, where instead of having, say, an organization-issued smartphone, you're bringing yours and hooking onto the organization. Well, there are a few things you need to do before you hook phones on. For example, you've gotta make sure all the phones are using up-to-date software. You wanna make sure that they're not what's called rooted or jailbroken. In English, rooting is for Android phones, jailbreaking is for Apple phones. And basically what that comes down to is if, say, you have your Droid or your iPhone and you've overridden the security settings so that you can do other fun stuff with it, downloaded legal apps or whatever else, that's super cool if you're in your 20s. If you're managing a network, not so cool. Because that stuff is no longer secure and can get the entire network defended. Plus the social ties back to the hardening thing we mentioned before. Anything on there you don't need, get it off the phone. It should always be locked down as much as possible. And one thing related to video calls, you wanna have what you referred to as a clean desk policy as it relates to a video call. So if someone is chatting, having a video conversation, and you've literally got open confidential information from another case sitting on your desk, that's never a good idea.
Also, just generally speaking when you are dealing with various vendors for this area, confidentiality agreements might actually be really helpful. It just depends on what you're dealing with and what your specific situation requires. Now of course there are possible limitations to virtual practice in that you need to be able to do some real world things like you need to be able to actually write and deposit actual checks that might come up. You might have to be able to follow trust accounting rules. You might have to be able to process paper mail, be, you know, receiving deliveries or pleadings or something. And of course, you might need a physical office now and again for actual appointments but again, that's your practice. You would know what works best for it, but just that availability should be there.
Kara Wenzel - Wow. Yes. A lot to think about.
Scott Aurnou - Like I say, all good news. All good news.
Kara Wenzel - So just to throw this out there, if you had to sum up one key piece of advice or thing to think about when you wanna stay on the right side of ethics requirements with regard to cybersecurity, what would you tell someone who's worried about it?
Scott Aurnou - Well, to use the cliche, err on the side of caution. At the end of the day, there are places where you can get some basic security controls, and the more you can get, the better. There are actually a lot of different avenues you can go to, to get information. I mentioned NIST a bit earlier. They actually have a number of different resources available for people to get basic, how-to-lock-down-your-practice type of information. Larger networks, I would hope that's not as much of an issue, but it can be. And obviously make sure everyone is trained. That's such a key thing, because attackers don't tend to go for technology-based attacks outside of James Bond movies. In the real world, they attack people. They try to trick you. They'll send you something that looks like it's coming from a friend of yours or from a colleague and like, oh, open here, and you click on it. And it looks normal, but bad things are happening in the background. That's the thing. And in the world of hacking and attacking and such, there are no rules. So they're never gonna be nice to you. They're always just gonna come after you however they can.
Kara Wenzel - Yes, yes.
Scott Aurnou - Yeah. Again, it's all happy. Good news. My apologies. I'm literally thinking I should have like a picture of an adorable little bunny to go with this. You know, like, hey, feel better. It's a little bun bun.
Kara Wenzel - We'll work on that for you.
Scott Aurnou - Yeah. Yeah. I do like bunnies.
Kara Wenzel - Well, Scott, we are out of time sadly. It flew by though and I really appreciate how comprehensive you've been. It was super, super helpful.
Scott Aurnou - Yeah. Time when you're sharing bad news, I think.
Kara Wenzel - Yeah. Yeah. Do you wanna tell people how they can find you on?
Scott Aurnou - Sure. If you like, I'm certainly available on LinkedIn, please feel free to drop by. Say hello. Aside from that, oh gosh, if you're dying to look at landscape pictures, I'm on Instagram too, but yeah, LinkedIn is a good way to get ahold of me.
Kara Wenzel - Great, great. Yes. So we'll post your bio and a link to how to contact you there on our site for this course as well. Thank you.
Scott Aurnou - Pleasure is mine.
Kara Wenzel - All right. Thanks again Scott. It was so fun and we'll catch you next time.
Scott Aurnou - Thank you.