On demand 1h 58s Basic

Understanding the Ethics of Legal Technology

Start your free 7-day trial
Access Quimbee's CLE library for free with a 7-day free trial membership.

Understanding the Ethics of Legal Technology

In this course, attorney Michael Overly of Foley & Lardner LLP, will provide an overview of cybersecurity risk and response. This course will explore the ethical implications of attorney duties in regards to data breaches, virtual practice, and competence in the use of technology. when We will discusses the sources of cyber risk and how to manage them, including the human factor involved as both the greatest risk and first line of defense. Finally, this course will review the basics of developing a cybersecurity program.

Transcript

Welcome, everyone. This is Mike Overly from Foley and Lardner. And today we're going to be talking about the ethics of using technology as lawyers, paralegals, etcetera. Just a quick word about my background. I'm an information technology and outsourcing lawyer at Foley and Lardner. All I do is work with technology all day long, every day, primarily negotiating drafting agreements involving the use of technology. And in particular, most of what I do involves sensitive industries like health care or financial services. Or in the case that we're talking about today, the legal profession, meaning that we all have data as lawyers which need to be protected of our clients. And today's discussion is going to focus on elements related to what are our ethical obligations when it comes to the use of technology in a law practice? And so with that, I'm going to cover our agenda. Please understand, though, that we do want to make sure that you feel comfortable asking questions, and hopefully I'll be able to answer them during the pendency of the program. But also, if you are viewing this presentation after the fact, or if you simply have something that occurs to you later, my contact information is at the end of the presentation. Do not hesitate to reach out. Happy to respond. One other sort of housekeeping matter is the following. We've got a lot of content in these slides today. It is unlikely that we will finish all of it, but we will get through all of the main points that we want to cover. But there'll be some additional detail that will help you. And you can refer to this detail to give you a better handle on things. An easy example of this is that we're going to be talking about cybersecurity programs for your own law firm and or practice, and what would go into one of those programs. Is it truly difficult or is it something anyone can do? And in fact, pretty much anyone can do it. It's a matter of just documenting your security practices and have appropriate policies and procedures in the event of a potential compromise, those sorts of things. All right. With those housekeeping matters taken, care of, let's start with our agenda. I'll quickly step through this. We've got sort of the introduction that we're talking about now. And then we'll lead into ethics obligations. We won't spend a lot of time talking about the various rulings that have been made by state bars in this area, but we'll touch on the big themes that you need to be familiar with, and those themes are pretty much what you could guess, even if you did no research in this area, which is if you're using technology, exercise a reasonable degree of care, inform yourself of why there is potential risk in the use of technology in a law practice. These things tie into the rest of the the rest of the discussion today. So initially we're going to lay the groundwork. Why are we having this conversation? And of course, it's not only your ethical obligations, but let's face it, every law firm works based on its reputation in the community. If it's the subject of a potential hack or data compromise, it's going to hurt your business reputation. So separate and apart from your ethical obligations simply as a business owner, you want to be careful about understanding how cybersecurity works and what you can do to try and reduce potential risk. And that's sort of leading us into the next part of our discussion today, which is getting a handle on cybersecurity. What is it? Why is it such a problem today in particular? Why is it going to continue to be a problem for the very foreseeable future? We'll talk about sources of risk when it comes to cybersecurity, and some of these things may surprise you. One of those being that you're likely sitting at a computer right this second in order to watch this particular presentation, believe it or not, in some instances computers come from the manufacturer with malware installed, no extra charge. And we're going to talk about that. We'll talk about the human factor. And if you were to ask most cybersecurity experts, what are the what are the top 2 or 3 potential risks to any business relating to cybersecurity? And cybersecurity is simply a broad term which describes how a business's systems and data might be placed at risk and how they might be protected from potential threats. That's cybersecurity. And if you were to ask pretty much a dozen cybersecurity experts, and they would come back with in the top three the human factor that is your own personnel potentially putting your systems at risk. We have likely all heard stories of malware attacks on law firms, things like ransomware, things like targeted phishing. And we're going to talk about those things. It is remarkably easy today, particularly now with the advent of generative artificial intelligence, which is just a very fancy word for using computers to help take advantage of somewhat gullible individuals. And I don't mean gullible in the sense that someone isn't well trained. Some of the smartest people, in fact, some cybersecurity professionals, have been taken advantage of using these techniques. And so please don't think that we're saying that someone isn't well trained or isn't intelligent enough. The fact of the matter is, almost anyone can be taken advantage of. The only way to protect against that is to educate, to train. Then we're going to talk about incident response, which is nothing more than God forbid, we have a situation where we believe or we have established either one believe or establish suspect or establish that an actual security incident has occurred. A security incident would typically be an unauthorized access to or use of your systems or data. Then we're going to take a step back, actually quite a step back and just maybe 2 or 3 minutes, sort of summarizing all of the data privacy laws, etcetera, that might apply in the world today. And we're going to do that by looking at three common threads that run through most information security and privacy laws and regulations, and even standards for that matter. And finally we're going to touch on what does a good cybersecurity program have. If you are a legal practice of any real size, and I would suggest that that's more than just one lawyer. But even in the case of one lawyer, you might be concerned about these things. You're going to want to have cyber security policies and procedures for your particular law firm. Does this mean that you need to spend hours and hours and hours working on this? No. Why is there an advantage to using this even in very small firms if there is a security incident? Having thought through and deployed, a cybersecurity program can be used to show that you tried to act reasonably in addressing these risks. And that can be very important when it comes down to liability or being found to have complied with or have violated an ethical standard. So that's our agenda. And now we'll turn to the meat of our program. And I don't see any questions and answers thus far. So let's move on to the ethics obligations. Law.com great source of information. Did an investigation not too long ago, about four years ago, and found that law firms are falling victim to data breaches and an amazingly alarming rate exposing sensitive data, attorney information, information about upcoming mergers and acquisitions, you name it. Trust and wills. And these incidents, unfortunately, have not really been publicized. They've been kept secret. Law firms are very careful about admitting that they have potentially been hacked. And so we believe that this is just the tip of the iceberg. And certainly our information in the industry is exactly that, that a lot of these breaches are going unreported and that the numbers can be, in fact, quite surprising. So that is the reality that we operate in today. Let's turn to the actual standards, if you will. The foundation of any discussion like this would be the ABA model rule 1.1, which is competence. And that doesn't just run to how competent are you as a lawyer, but also how competent you are in keeping abreast of the benefits and risks associated with technology. Very important to understand that right in the rule itself for competence, it goes well beyond I need to be a great lawyer. You need to be able to show that if you're using technology in your in your practice, that you're doing so in a thoughtful and appropriate manner. Note that we are not today talking about, and no one is suggesting that the use of technology in a law practice is something to be avoided. In fact, if anything, it's something to be embraced. It just needs to be done in a thoughtful manner. An example of this is that a lot of law firms may use. For example, if you do litigation, you may have a document repository vendor or someone that will summarize or at least index, you know, thousands and thousands of pages of documents in connection with a lawsuit. Excellent. The question is, what does the law firm's contract say with regard to those engagements about the protection of the information? All too often those contracts are won, not negotiated, if at all, to. They include very little in the way of actual protections. And so you could have a situation where your law firm is entrusting to one of your partners, if you will, in a broader sense, that is providing you with some sort of technology service. Like let's talk about, say, indexing of documents. So you will be sending them all of these documents and they will be processing them. The question is, what about if they're breached? What about if they lose the documents? What happens in most cases when you look at the law, the the agreement itself, even though they're getting highly sensitive information. Their obligations with regard to information security may be trivial at best, or even if you have excellent security obligations. If you run your finger down to the limitation of liability in that contract, you'll find that the vendor assumes virtually no real responsibility. If there's a data breach that could seriously damage your law firm, your law firm's relationship with its client, and potentially expose your you to some sort of enforcement action as a result of violation of your ethical obligations. Please keep these things in mind. Okay. The next is ABA model rule 1.6 confidentiality, and it simply goes to you using reasonable efforts to prevent unauthorized access to your client information. Again, if you were entrusting. A lot of client information to a third party that your vendor and your contract with the third party. One has little in the way of information security and to virtually no liability on the part of the vendor. Are you really using reasonable efforts to protect that information? And a lot of contexts. Regulators have found absolutely not that you have not fulfilled your obligations. So it is something that you definitely want to think about. There have been a growing number of ABA and state ethics opinions regarding use of technology and the problems with protecting client data. As I mentioned, we won't spend a lot of time on these sorts of things, but we do want to sort of bring up ABA formal opinion 483, which talks about if you in fact, have a data breach, that there are sort of three baseline obligations on the part of the law firm, the obligation to monitor for breaches. This means that before a breach occurs, you can't simply stick your head in the sand and hope that at some point you may discover if something goes wrong with your systems. Let me let me put it another way for you. There have been a couple of very interesting studies and surveys done in the information security industry. What they have found is on average, in many situations, after an actual compromise occurs, that is, a third party is accessing your systems and data. It can take up to six months or more for the business to actually discover that a breach has occurred. Think about that. For six months. A third party has been walking around your systems doing whatever it is they want. Potentially even corrupting your data as opposed to stealing it. And you have no notice. And so what the ABA is saying is, look, you need to deploy reasonable systems to ensure that if a breach or a potential breach has occurred, that somehow you've got a detection method for it. And there are lots of technological solutions to this that will give you a heads up when a suspected breach has occurred. Are they foolproof? No. Absolutely not. But are they more or less with the rest of the industry uses? Yes they are. And so you may do things like deploy those systems. You may do other things like engage a third party to come in and routinely audit your systems to make sure that no potential incident has occurred. The next thing is that if you do discover a breach, that you try to stop that breach straight away and restore your systems. Let me give you a further example. If you discover that someone's accessing your systems, you need to have the expertise either in-house or if you're a small firm, you need to have probably a contract that you use at least on demand with a security consultant that you can call them up at Friday, on Friday at 5:00 in the evening and have them come out and help you identify. Has a breach occurred? Has it not? How do we stop it from getting worse? That is job one. The next is if, in fact, this breach has in some way impacted the operation of your systems, think ransomware, for example. Then you want to be able to restore those systems. Here again, we need to think about reasonableness. If you have a very few law firms do, unless they're potentially quite small. If you have only a production server, if you will, that's the server that you work on every day and you don't have offsite or separated, if you will, in the cloud, backup copies of all of your information and your primary server goes down and you have no way to fail over to a backup copy of your data, that would be considered likely a failure. Everyone today knows that if there's a ransomware attack on your primary systems, you need to have a means by which you can get backup data. That is not also subject to that ransomware attack and that you can continue to work. Last is the duty to determine what happened. So you note that the first two items on this page are written in terms of watch. If you see something, stop it. And then only then once you've you've stopped the problem and you're back up and running. Do you really look at carefully what actually happened? Do a postmortem of you, if you will, how much data was impacted? Whose data was it potentially give notice as required by various state laws. Those are the things that you need to worry about. How can I prevent this from happening in the future? Did the incident occur because you had an improperly configured piece of technology like a router, or did this incident occur because you had a assistant click through a PDF? Pdfs are known for translating transmitting malware and that that's how your systems got infected, that someone click on a URL, a link in an email even though they didn't know what it was and that caused your systems to be attacked. These are the things you want to identify, and these are the things that you want to make sure don't happen again in the future. Okay. Moving on. I think another important formal opinion is 498 of the ABA, which deals with virtual practice. And essentially it's saying the same thing that we've been talking about all along, which is as lawyers start to virtually practice. And all that means is that you've got your laptop, law firm will travel, you can work anywhere in the world. Fantastic. And you can get access to whatever you need Westlaw, Lexis, etcetera. You can get access to cloud storage systems, and therefore you can operate essentially without a physical office if you needed to. And it's saying, once again, as you can see, you got to use reasonable efforts to prevent unauthorized, inadvertent or unauthorized disclosures of information. And this is a very broad requirement. We've all had situations where we're sitting on a plane or we're sitting in a Starbucks, and we're very close to other people sitting next to us, and we inadvertently see what they have on their computer screen. It's almost human nature. Well, that may be fine if you're a random individual with that computer, but if that's a lawyer typing on their screen, you can see that having people be able to view that screen could be a problem. They could see that a upcoming corporate event is going to occur, a merger or acquisition, stock sale, you name it, a lawsuit that's pending a criminal prosecution that you're defending. You want to make sure that you don't have people looking over your shoulder, both physically in the airplane or in a Starbucks, but you also want to do so technologically that you don't have hackers, if you will, or unauthorized third parties looking over your shoulder as well. So please keep these things in mind. With those sort of introductory comments in place, I'd like to turn to the portion of our our seminar discussion that really goes through. Okay. What is it that we are worried about? How did we get here at this point in history, and why is it so painful for me to protect my systems and data? So let's begin with that. Why are cyber attacks so insidious? And particularly, why are they so insidious at this time? And there really are a number of factors. And let me just try and talk you through them first of all. If you think about it, if I were to walk into a law firm and pull out a weapon and say I'm one, access to your records, likely I would be caught by the time I made it to the mail room. Whereas with these types of attacks online, they can be conducted from anywhere in the world. They frequently leave no traces, and it is almost impossible to find the individual that's perpetrating the attack. The arrest rate here is absolutely horrible. It is frequently impossible to even get even get law enforcement involved because of limited resources in tracking down a potential perpetrator. And even with sophisticated law enforcement engaged, it may not be possible to identify who caused this problem. So frequently leaves no traces, its easy for the attacker to hide. Many times they, you know, are offshore somewhere. In fact, usually there's no need for that physical contact with the victim. They don't have to walk into your firm and try and hold you up. Another thing is that there's a very small investment in hacking, yet it can cause dramatic harm. In general, if someone owns a computer, a laptop, or they simply walk into an internet cafe that provides laptops or computers, that's all they need to potentially perpetrate these attacks. And probably the most interesting thing is at 6:00 on this globe clock, if you will, it's easy to learn attack techniques and acquire hacker tools. Likely you have all heard of the Dark Net, which is nothing more than an area of the internet that's a bit harder to find, but that has a variety of, shall we say, illegal matters that are available. One of the things that you can find is tools to help you be a hacker. Some of them are rudimentary. Others are quite sophisticated. Some come with documentation to tell you exactly how to do it, even if you have no experience. In fact, there is a book that was written some years ago called The Happy Hacker, and in it was a paragraph or a chapter that said How to be a hacker in 30 minutes with absolutely no training whatsoever. Can't even spell computer. You could read that chapter and turn around and do harm, potentially to some of the largest law firms in the world. That's concerning. And so these tools are readily available. You don't need to be a computer genius to do this. Being a computer genius just simply makes you more dangerous. There are many networks and countries involved. If you're aware of something called the Onion Browser. This is something that's as simple as your standard internet browser, like Microsoft Edge or Google Chrome or Mac Safari, Apple Safari. It's a browser, and as you interact with the internet through it, it is automatically routing your traffic all around the world through various midpoints or waypoints, so that if anyone tried to trace back your traffic to your computer, they'd be going through a Warren of places all over the world. And these are constantly changing as well. And so I could be located in California. I could be engaging with a computer in New York. Yet my traffic, that is, my signals might be routed first to Russia, then to China, then to South America, then from South America to Canada, and then back again to New York. Very difficult to track this down. The last thing is that a number of countries in the world either have no real laws in this area, or have no real interest really, in enforcing them. That could be for one reason or another. And so again, the likelihood, if you engage in this activity of your actually being tracked down and prosecuted is pretty darn low. In fact, I wouldn't analogize it to getting struck by lightning, but you could definitely be in the vicinity and not worry. So that's why we have this problem. There are no start up costs. You don't really need to be a computer expert. You can be anywhere in the world and you can start making money by, say, launching ransomware attacks on law firms. Think through this very carefully. Let me give you a couple of quick examples of tools that are just simply generally available. Likely everyone here has used Google or Microsoft, Bing or some other search engine. Well, Shodan is a search engine that focuses on security vulnerabilities in all kinds of things, like webcams or routers or wind turbines or traffic lights or cell phones. And it's used by professionals to find out. Okay, I just bought a model X, Y, Z nuclear reactor power converter, and I want to make sure there aren't any known vulnerabilities in that power converter. I would type in the model number, etcetera into Shodan and I would get information about it. I could be a engineer at that nuclear power plant, or I could be a hacker trying to get unauthorized access to machines inside that power plant, and know that they have a particular model of something there, and find out if there any vulnerabilities. You can literally type in the model of a traffic light and see if it has any technological vulnerabilities. And so whereas a lot of people use this for security research, they can also use it to find out known vulnerabilities and potentially exploit them. Another interesting thing is a company or not a company, but a website called wiggle wiggle dot net. And you have this very confusing looking graphic on the screen here. And all this is, is a map of a particular area of Grand Rapids, Michigan. What wiggle can do is and you could certainly test it out yourself, is to type in the address of your law firm, one of your offices. If there are more than one, or type in your home address, or if you want to be a little more careful, the address of your neighbor and what wiggle will come back to do or provide you is whether or not anyone's running a Wi-Fi network, which has a vulnerability that could be exploited. And this data is collected through a whole wide range of means, and you can literally use it as a map of where there might be a wireless network that you could exploit, and then get access to the computers that are connected to that network. A somewhat scary thing. Just two examples. Let me give you a few myths about information security. And I think each of these is very, very telling. So the first one is it's all about data. If I'm a law firm, it's all about protecting my client data. And that is certainly true that it's very important to protect your data. If you're a health care provider, it's very important that you protect the protected health information of your patients. But you also need to understand that information security goes beyond data, and it goes to the systems on which that data resides. And here's an example perfectly of the use of ransomware, where it's really not directed at stealing data, but rather shutting down your access or to that data, or shutting down the use of the systems on which the data resides. And so. You know, while data is quite important, you want to realize that. You also want to make sure that you can continue to run your business. If you can't send out bills at the end of the month, even though no data has been compromised, that could be seriously damaging to your law firm. Myth number two is that information security is all about confidentiality. I'm worried about keeping my data confidential, away from unauthorized access or use by a third party. Absolutely true. But if you look at security standards, if you look at treatises on information security, best practices, if you look a lot, look at a lot of laws and regulations involving security. You actually see, however, that information security is defined as three separate things, and you must have all three in order to have a secure system. It's the acronym CIA. And again, if you look at this, you will find it virtually everywhere in the information security industry as well as the regulatory aspects. Cia stands for confidentiality, integrity and availability. Let me sort of highlight these to you with a quick example. There's been a horrible traffic accident. A patient is brought in to an E.R. at a hospital. Now they're trying to treat that patient. The doctor comes in, pulls up the computer terminal, which is available next to the bed. Of course, everyone there is concerned about keeping the information that's displayed confidential to that patient. But right now, I'm trying to save that patient's life. So, for example, when I bring up that patient's medical record and I look on the right side of the screen in the corner, and it gives me a list of any of their medical allergies or whether or not they have any such allergies. That's critical information for me. Or if I look up that patient's blood type before giving them a transfusion, I want to be darn sure that I know that that blood type is accurate. Integrity goes to that point. That is, can I rely on the information being displayed to me as being accurate? And this is something that people don't really think about. People very much think about data breach in terms of breach of confidentiality. But what about if you're relying on this information and making decisions? What about if your accounting system suddenly had incorrect addresses for every one of the contacts you have for mailing out bills or invoices, that could be a problem. It sounds like integrity is not something that comes up quite often. In fact, it does. There's a hacker magazine called 2000 602,600, relates to an old way in which people used to hack touchtone phones. Well, 2600 magazine ran an entire article, and it was all about talking or suggesting ways that individuals could harm their employers. That's the context that was given in by going to the integrity of the data that that employer has and rendering it unreliable, changing account numbers by a single digit, changing mailing addresses, that sort of thing so that it's no longer reliable. That's integrity. The last thing is availability. Another thing that people don't really think about. But consider what's the type of hacking that you typically see on the front page of the business section every other day? It's a ransomware attack. Does that go to confidentiality? No. Does it go to integrity? No. What it goes to is the availability of the data when you need it. If we go back to the E.R. situation, we want to make sure that the patient data is confidential. We want to make sure that the integrity of the data has been maintained. And then when I'm making medical decisions based on the information I see in that medical record, I know that I can rely on it being accurate. The last thing, however, is that when I go to that terminal and type in that patient's name, I better see their medical record and I better see it fast, because that may be all the time that we have in treating this patient. And so once again, not just confidentiality, not just integrity, but the data or the systems on which it reside need to be available to me. In the context of a law firm. If you're sitting in court and you have all of your extensive documents for the case exhibits in the cloud, on a computer system that's provided to lawyers to essentially help them manage and real time those documents while they're sitting in the courtroom. And that system goes down and you can no longer access that cloud service. That would certainly be a problem. So that's myth number two. Let's go on to just a few others. This is one that I mentioned previously when we looked at that globe image. To be your hacker, you need to be a technology genius. No. Anyone can really be trained up in very short order to cause to be a hacker, to cause harm to a law firm. Easy example, most everyone uses Microsoft Outlook or something similar to it for their email program. It is possible in the span of just a few minutes to make outlook. Essentially configure outlook to make it look like your email address is anyone you desire. If you want to be Bill gates at Microsoft.com, you can be Bill gates at microsoft.com. And unless you are really, really astute, that is the recipient. You'd have a hard time figuring out that it didn't come from Bill gates at Microsoft.com. Imagine just that one technique, which can be implemented in just a couple of minutes and can be done following a few steps on YouTube. You can make yourself look like anyone. In. One of the uses of that might be that we go to a law firm's website, find out their largest clients, contact the law firm as one of those clients, their accounts payable department, and say that we're changing our routing numbers for payment. And would you please use the following. And you've automatically changed the records of the law firm. Myth number four. It's an IP department issue. These types of things are frequently thought of. It's a tech problem. I don't want to hear about it. But as I mentioned, it's frequently a compliance problem. It's an ethics problem. And these are things that your IT department, whether it be one individual or 100, may not be trained on and likely aren't trained on. Also, it's an individual problem that everyone needs to be trained and needs to know what to look at to make sure that you're complying and that you're not putting the law firm at risk. Another myth is that you can achieve 100% security. That is impossible to budget or to use. Will illustrate that on the next slide. Basically without spending too much time here, it literally is impossible to get 100% security. The only way you can do that is if you disconnect all of your systems and all of your telephones, and essentially work in an isolated environment. As you and this this scale on the right side really illustrates this. As you increase security, you decrease usability. As you increase usability, you can decrease security. You got to get a certain balance as opposed to using one over the other. And so don't let anyone tell you that you need to achieve 100% security. Here's something that we discussed just a few moments ago, which is myth number six. I'm safe. I have great security, and we've never had a breach. Unlikely. As I mentioned, a number of studies have shown that either from Verizon or Trustwave, two very reliable entities, that after a compromise has occurred, it typically takes weeks or even months to discover that it's happened. And during that time, you have no idea what they're doing with your systems and data. So please don't think that the mere fact you don't have access and don't have knowledge means that, in fact, you don't have a problem. All right. Next, we'll move on to sources of risk. And there are many sources of risk to a law firm. And when we say sources of risk, we're simply talking about who might be behind one of these problems that you have. And the very first one is the insiders. This is your own personnel. This is your contractors that you bring in. This is your vendors that you use to manage your documents or manage your HR system, or that manage your billing system. They generally are at the top of the list, as I mentioned, as posing the greatest risk because through social engineering and other means, they can be taken advantage of, taken advantage of rather easily. The next on the list is script kiddies, and this is sort of a pejorative term that simply means someone that really doesn't have any true computer knowledge, but is simply someone that went out and read that book I mentioned that has the chapter about become a hacker in 30 30 minutes, or they've gotten on the dark net and downloaded some tools and now are using those to potentially access a law firm's records. Then you have sort of the true hackers. And I will tell you that the true hackers, if you will, are decreasing in number. And rather what we're seeing is an increase in the next few bullet points. In fact, the remaining bullet points on this slide, spies like those from other countries who may have interest in, say, the patent filings that may be under development for a particular entity. How would a hacker know or a spy know, that you're working on potential filings that may not be ready for some time, that for a particular client? Because likely there'll be some information on your website, some kind of joint presentation with a client where they identify that one of your clients is, say, a large aerospace company. Organized crime by far has become the most active. Organized crime. Frequently they're very smart and they can simply do the math. I don't have to take on any risk. I am the likelihood of getting arrested is close to zero. There is no investment for me to make, and I can have my personnel anywhere in the world doing these attacks. And in particular, organized crime is responsible for a lot of ransomware attacks. That is, who is you're paying these fines to or these extortion amounts to. Cyberterrorists and hacktivists have been known to attack law firms. You represent some particular industry which is potentially objectionable, at least in their eyes, and so they decide to target your law firm. A lot of times that means defacing your law firm's primary website or doing something along those lines. But that's a partial list of those that may decide to cause harm to you. As I mentioned though, at the beginning, even the very computer that you're using or your vendors may pose a threat to you. You want to make sure that when you're entering into contracts to back up your data, to run certain critical systems, etcetera, that you have appropriate contracts with those third parties to make sure that they are at least reasonably responsible. In general, you likely want to make sure that those contracts have some kind of acknowledgment of attorney client privilege and the work product doctrine. You need to make sure that if you're signing agreements that have no protections along these lines, that you are potentially creating risk, not only an ethical risk, but also a business risk for your firm. So be very careful in this regard. Now, one of the problems that you'll face is that vendors, particularly vendors to law firms, are very risk adverse. And so what we're finding is that they're unwilling to sign up to material responsibilities. And again, remember that that acronym I gave you. Confidentiality integrity and availability. They're not offering. Well, they might offer very good confidentiality language. Their liability for breach of confidentiality can frequently be de minimis. They're not offering any protections with regard to data integrity. In fact, they somewhat foolishly include language frequently that says you are responsible for ensuring the integrity of data stored on their systems. I got to tell you, I have a couple of engineering degrees, yet I don't understand how you could do that. The only way to monitor integrity would be every time you download a record from or download data from the cloud provider, you'd have to compare it with what you uploaded, which would be a laborious process. Be careful about those sorts of things. There are other terms here that we won't get into today, but we could actually spend a whole session and negotiating these types of contracts. Moving on. I want to give you at least these ten key elements for a cybersecurity or risk management program. And we're going to talk a bit more in detail about these things in a bit, but let's just touch on each individually right now. Incident management. What is that that you sense or you have determined or you suspect that there is some issue with your systems that they may have been. You know that someone has access to them in an unauthorized fashion, and that could even be, mind you, one of your own employees using them for an unauthorized in an unauthorized fashion. What do you do to manage this problem? There should be a policy that says if a particular element or individual on your staff suspects, who do they call to report this? If that person isn't available, who do they have? As a follow up, what is done next? What committee is potentially gathered? Do you have a relationship with, say, a security expert, generally on the outside of your law firm? That you can call it a minute's notice 24 hours a day, seven days a week, and they will help you in diagnosing a problem or an incident. That's incident management, even down to things like if you have to make a communication to a governmental entity, say like a state entity about a potential compromise, or if for some reason you need to start notifying clients, how might you do that in the most effective way, managing those communications, potentially having a publicity person involved? You have user education and awareness. That's number two. And perhaps that should be number one, because it is probably the most important and least expensive thing you can do to maximize the security of your organization. Let me tell you, it is very easy and we'll touch on this in just a moment. To use social engineering to have individuals believe that they are, you know, following instructions of a senior partner or following instructions of a client, when in fact it is a third party attempting to gain unauthorized access to systems or information. You want to manage user privileges. That's number three. There are lots of principles and tech names for this, like least privilege. All this really means is that. If I'm someone working in your mail department and have an account on your computer system, I shouldn't be able to access the entirety of what's on your your system merely because I have, say, a document number that I shouldn't have reason to be accessing merger and acquisition files. I should not have a reason to access a trust and wills information or tax information of clients. That's not within my the purview or the scope of my employment. Home and mobile computer working. And this is certainly bloomed in the age of Covid with people working remote. What kind of policies and procedures do we have in place to ensure that if people are working remotely, that security is being observed? Things like if they're using a firm laptop, that the the connections on the laptop are such that it cannot connect to an external printer when it's working remote so that an employee can't simply or a lawyer can't simply print voluminous documents in an uncontrolled environment. Things like if a laptop is stolen or lost, that it could be remotely wiped. That things like the information and access to the computer itself is controlled by biometrics and encryption. Those are the kinds of things that we worry about. Removable media controls. And this is something that some regulators have specifically called out, that you can't have a work computer where someone could walk in or get access to that computer. If it's remote, stick a USB drive in it, or even a entire hard disk and essentially copy everything on the computer. Malware protection goes without saying that you want to have updated anti malware protection against viruses and ransomware and other things of that nature. Monitoring to make sure that the systems. This goes right back to the ABA's suggestions. This goes right back to the idea of trying to be informed about what's going on on your systems. Secure configurations, making sure that a security professional has helped you configure your technology so that it is not readily accessible to others. The easy example of this, and yet the one that is so frequently occurring, you buy a router so that you can connect your server at your law firm to, say, the internet. And that router, you plug it in, you go live and you never change the default factory password. That's something that hackers know. That's something that hackers will try first. You always want to do things like that. Network security securing your own network. And this goes not only for wireless, but not only wired but also wireless networks that if you have a Wi-Fi network, that you're not appearing on that wiggle chart that I showed you a little while ago with a red dot, meaning that your system doesn't use proper security for their Wi-Fi and that it could easily be hacked. And finally, you might look into cybersecurity insurance. Cybersecurity insurance is getting more and more difficult to get. It is getting more and more expensive, and it is taking a greater showing that you are addressing information security in a mature fashion before they'll issue a policy. But these ten elements sort of form the foundation for a good risk management program. Okay, we'll turn to that human factor that I've been talking about. Pretty much since the beginning of our presentation. Two statistics. That ought to be interesting. Two thirds. Of security compromises arise from human error. Let me say it another way. Without investing a penny in technology. If you were simply to have personnel who were adequately trained. And I do understand there is a cost in doing that. But if the personnel are adequately trained that you might be able to avoid two thirds of security incidents that might impact you. That's a lot of bang for your buck. We're seeing. And this is really a statistic that should be updated and increased. But there's been, you know, a almost 800% increase in email phishing attacks that contain malicious code, including ransomware. Let me give you a quick example of this. Suppose I were to come into your office, sit and look at a magazine for a few minutes. Say that I'm there to see one of your lawyers. And while I'm sitting there, I happen to drop a USB fob. On the table next to the magazines, and there's a label on it that says the Schwartz case. And then I simply walk out. I can almost guarantee you that someone at the law firm will, by end of day, find that USB and plug it into an office computer to see what it is. And in doing so, they could load a virus into your systems. This happens all the time. Another way this can be done is you simply open a hacker could simply, or someone that's looking to engage in social engineering could open up the ABA Journal. Look for, say, someone who heads up one of the publications. You spoof an email from that person. And remember, spoofing is nothing more than just simply making it look like the email came from them. And as I mentioned, that's very easy to do. And send a lawyer at a particular law firm, or more likely, send it to 10,000 lawyers at 10,000 law firms that all practice IP. And say something like, we are working on a survey of changes in patent law over the last year. Attaches a rough draft. If you wouldn't mind investing an hour or two in reading this and providing your comments, we will list you as an additional author. Attached to the email might be a PDF. If you don't know, PDFs are famous or infamous for transmitting viruses, and by clicking on that PDF, sure enough, you're loading them. You're loading malware into your systems once again. Will you have every one of those lawyers you sent the email to opening the PDF? No. Certainly not. But are you going to have a goodly number? Yes you will. And did that take very long to put together? No, only a few minutes. And you might be able to essentially bring a law firm to its knees with a ransomware attack. This is the kind of thing that true training is necessary to address. We talked about social engineering, which is the example I just gave you. It's it's increased exponentially. The the clear trend in the industry is to start targeting executives and management, which means senior personnel at your law firm, both lawyers and non-lawyers. But right now, large law firms or large enterprises stand a chance of 1 in 2 of actually being targeted. And just very quickly, phishing is attempting to get, as a hacker, attempting to get someone to respond by clicking through a link or opening a PDF, or doing some other action by just sort of sending out general email. Let me give you an example of fishing. Every October or thereabouts, people are looking to set their benefits or reevaluate their benefits and potentially change them. Hackers know this. And so if I were to send out a spoofed email from the HR department saying that you have until tomorrow, sorry about the late notice to check and make your benefits elections, and then you send in that email, a website or URL or hyperlink, which makes it look like in fact, it's on your company's part of your company's network, when in fact it's not. You're likely going to have lots and lots of employees clicking through it. That's just one example of sort of a general phishing attack. The spear phishing attack is more in line with the example I gave you of the ABA IP editor who is sending something out, sort of targeting IP lawyers, but this can be taken many steps up. It's now possible even to use things like ChatGPT or other AI to look at an individual's website that is the firm website, and then look at the social media for a particular lawyer and see what their postings are, and then to create a potential very targeted attack for that individual. It can be really specific. Incident response. I'm just going to touch on these things for a few minutes, because we only have about three minutes to to end. I don't see any questions, so we'll just keep going. Um, really, I'll just linger here for a moment or two to talk about the first 24 hours following knowledge of a data breach. And again, you want to start this procedure if there is a suspected breach or an actual proven breach, because if it's suspected, it might well be an actual breach and you don't want to delay. And so we really have just six things that sort of go around this wheel here. You want to mobilize and get all the right people talking. You want to identify the extent of the breach, and this is why you generally want to have an established relationship with a computer forensics company. I honestly don't care how large your law firm is. You may have people skilled in doing computer forensics, but you likely don't have people that are skilled in doing this specific thing, this sort of post mortem, to find out what's happened. Also, if in fact, this really gets out of control and that person needs to testify in court about the extent of the breach, you likely don't want to have one of your own people testifying, but rather an independent third party who does this for a living. You want to detect things you want to see based on incoming intelligence, to really define the scope of what you're going to investigate, what could possibly be done. These are the things that you do to really get moving. And as I mentioned a little while ago, you don't want to create a relationship with a publicity firm with a that's a spokesman, potentially, or spokesperson for your company or help with writing press releases. You don't want to create a relationship with a computer forensics company at 5:00 in the evening on a Friday. You want to look at identify who you want to use, and have that person or persons or their law or their their company on some kind of contract with you, that you can get them immediately. You want to be able to figure out exactly how you're going to respond, how you're going to quarantine various elements of your your network so that other elements are not infected. You want to go back and evaluate how you could have potentially avoided this, or at least mitigated damages. You need to look at all of these things. And in the remainder of the slides that we have here, we just sort of have an expansion of all of these things. And please don't get seasick as I go through, but it's more or less summarizing exactly what I just talked about. And then these last couple of slides talk about what kind of policies you should have in your policy library. You do not have all of these, but they're described in some detail, and they may be of value to you to look at. And some of these policies can be as simple as 2 or 3 paragraphs. Others might be 5 to 10 pages long. It just depends on what it is that we're talking about and how large your law firm is. And with that, I believe that we are at the top of the hour. And I'll thank you so much for your time and consideration. And once again, do not hesitate to reach out if you have any questions in the future. Thanks very much.

Presenter(s)

MO
Michael Overly
Partner
Foley & Lardner LLP

Course materials

Handout

Credit information

Jurisdiction
Credits
Available until
Status
Alabama
    Pending
    Alaska
    • 1.0 ethics
    October 18, 2025 at 11:59PM HST Available
    Arizona
    • 1.0 professional responsibility
    October 18, 2025 at 11:59PM HST Available
    Arkansas
    • 1.0 ethics
    October 18, 2025 at 11:59PM HST Approved
    California
    • 1.0 ethics
    October 18, 2025 at 11:59PM HST Approved
    Colorado
      Pending
      Connecticut
      • 1.0 ethics
      October 18, 2025 at 11:59PM HST Available
      Delaware
        Pending
        District of Columbia
          Not Offered
          Florida
            Pending
            Georgia
            • 1.0 ethics
            Unavailable
            Guam
            • 1.0 ethics
            October 18, 2025 at 11:59PM HST Available
            Hawaii
            • 1.0 ethics
            October 18, 2025 at 11:59PM HST Approved
            Idaho
              Pending
              Illinois
              • 1.0 professional responsibility
              October 21, 2025 at 11:59PM HST Approved
              Indiana
                Pending
                Iowa
                  Pending
                  Kansas
                  • 1.0 ethics
                  January 9, 2025 at 11:59PM HST Approved
                  Kentucky
                    Pending
                    Louisiana
                      Pending
                      Maine
                        Pending
                        Maryland
                          Not Offered
                          Massachusetts
                            Not Offered
                            Michigan
                              Not Offered
                              Minnesota
                                Pending
                                Mississippi
                                  Pending
                                  Missouri
                                    Pending
                                    Montana
                                      Pending
                                      Nebraska
                                        Pending
                                        Nevada
                                        • 1.0 general
                                        December 31, 2026 at 11:59PM HST Approved
                                        New Hampshire
                                        • 1.0 ethics
                                        October 18, 2025 at 11:59PM HST Available
                                        New Jersey
                                          Pending
                                          New Mexico
                                            Pending
                                            New York
                                            • 1.0 ethics
                                            October 18, 2025 at 11:59PM HST Available
                                            North Carolina
                                              Pending
                                              North Dakota
                                              • 1.0 ethics
                                              October 18, 2025 at 11:59PM HST Available
                                              Ohio
                                              • 1.0 professional conduct
                                              Unavailable
                                              Oklahoma
                                                Pending
                                                Oregon
                                                  Pending
                                                  Pennsylvania
                                                  • 1.0 ethics
                                                  January 16, 2026 at 11:59PM HST Approved
                                                  Puerto Rico
                                                    Pending
                                                    Rhode Island
                                                      Pending
                                                      South Carolina
                                                        Pending
                                                        South Dakota
                                                          Not Offered
                                                          Tennessee
                                                          • 1.0 ethics
                                                          October 19, 2024 at 11:59PM HST Approved
                                                          Texas
                                                            Pending
                                                            Utah
                                                              Pending
                                                              Vermont
                                                              • 1.0 ethics
                                                              October 18, 2025 at 11:59PM HST Approved
                                                              Virginia
                                                                Not Eligible
                                                                Virgin Islands
                                                                • 1.0 ethics
                                                                October 18, 2025 at 11:59PM HST Approved
                                                                Washington
                                                                  Pending
                                                                  West Virginia
                                                                    Not Eligible
                                                                    Wisconsin
                                                                      Not Eligible
                                                                      Wyoming
                                                                        Pending
                                                                        Credits
                                                                          Available until
                                                                          Status
                                                                          Pending
                                                                          Credits
                                                                          • 1.0 ethics
                                                                          Available until

                                                                          October 18, 2025 at 11:59PM HST

                                                                          Status
                                                                          Available
                                                                          Credits
                                                                          • 1.0 professional responsibility
                                                                          Available until

                                                                          October 18, 2025 at 11:59PM HST

                                                                          Status
                                                                          Available
                                                                          Credits
                                                                          • 1.0 ethics
                                                                          Available until

                                                                          October 18, 2025 at 11:59PM HST

                                                                          Status
                                                                          Approved
                                                                          Credits
                                                                          • 1.0 ethics
                                                                          Available until

                                                                          October 18, 2025 at 11:59PM HST

                                                                          Status
                                                                          Approved
                                                                          Credits
                                                                            Available until
                                                                            Status
                                                                            Pending
                                                                            Credits
                                                                            • 1.0 ethics
                                                                            Available until

                                                                            October 18, 2025 at 11:59PM HST

                                                                            Status
                                                                            Available
                                                                            Credits
                                                                              Available until
                                                                              Status
                                                                              Pending
                                                                              Credits
                                                                                Available until
                                                                                Status
                                                                                Not Offered
                                                                                Credits
                                                                                  Available until
                                                                                  Status
                                                                                  Pending
                                                                                  Credits
                                                                                  • 1.0 ethics
                                                                                  Available until
                                                                                  Status
                                                                                  Unavailable
                                                                                  Credits
                                                                                  • 1.0 ethics
                                                                                  Available until

                                                                                  October 18, 2025 at 11:59PM HST

                                                                                  Status
                                                                                  Available
                                                                                  Credits
                                                                                  • 1.0 ethics
                                                                                  Available until

                                                                                  October 18, 2025 at 11:59PM HST

                                                                                  Status
                                                                                  Approved
                                                                                  Credits
                                                                                    Available until
                                                                                    Status
                                                                                    Pending
                                                                                    Credits
                                                                                    • 1.0 professional responsibility
                                                                                    Available until

                                                                                    October 21, 2025 at 11:59PM HST

                                                                                    Status
                                                                                    Approved
                                                                                    Credits
                                                                                      Available until
                                                                                      Status
                                                                                      Pending
                                                                                      Credits
                                                                                        Available until
                                                                                        Status
                                                                                        Pending
                                                                                        Credits
                                                                                        • 1.0 ethics
                                                                                        Available until

                                                                                        January 9, 2025 at 11:59PM HST

                                                                                        Status
                                                                                        Approved
                                                                                        Credits
                                                                                          Available until
                                                                                          Status
                                                                                          Pending
                                                                                          Credits
                                                                                            Available until
                                                                                            Status
                                                                                            Pending
                                                                                            Credits
                                                                                              Available until
                                                                                              Status
                                                                                              Pending
                                                                                              Credits
                                                                                                Available until
                                                                                                Status
                                                                                                Not Offered
                                                                                                Credits
                                                                                                  Available until
                                                                                                  Status
                                                                                                  Not Offered
                                                                                                  Credits
                                                                                                    Available until
                                                                                                    Status
                                                                                                    Not Offered
                                                                                                    Credits
                                                                                                      Available until
                                                                                                      Status
                                                                                                      Pending
                                                                                                      Credits
                                                                                                        Available until
                                                                                                        Status
                                                                                                        Pending
                                                                                                        Credits
                                                                                                          Available until
                                                                                                          Status
                                                                                                          Pending
                                                                                                          Credits
                                                                                                            Available until
                                                                                                            Status
                                                                                                            Pending
                                                                                                            Credits
                                                                                                              Available until
                                                                                                              Status
                                                                                                              Pending
                                                                                                              Credits
                                                                                                              • 1.0 general
                                                                                                              Available until

                                                                                                              December 31, 2026 at 11:59PM HST

                                                                                                              Status
                                                                                                              Approved
                                                                                                              Credits
                                                                                                              • 1.0 ethics
                                                                                                              Available until

                                                                                                              October 18, 2025 at 11:59PM HST

                                                                                                              Status
                                                                                                              Available
                                                                                                              Credits
                                                                                                                Available until
                                                                                                                Status
                                                                                                                Pending
                                                                                                                Credits
                                                                                                                  Available until
                                                                                                                  Status
                                                                                                                  Pending
                                                                                                                  Credits
                                                                                                                  • 1.0 ethics
                                                                                                                  Available until

                                                                                                                  October 18, 2025 at 11:59PM HST

                                                                                                                  Status
                                                                                                                  Available
                                                                                                                  Credits
                                                                                                                    Available until
                                                                                                                    Status
                                                                                                                    Pending
                                                                                                                    Credits
                                                                                                                    • 1.0 ethics
                                                                                                                    Available until

                                                                                                                    October 18, 2025 at 11:59PM HST

                                                                                                                    Status
                                                                                                                    Available
                                                                                                                    Credits
                                                                                                                    • 1.0 professional conduct
                                                                                                                    Available until
                                                                                                                    Status
                                                                                                                    Unavailable
                                                                                                                    Credits
                                                                                                                      Available until
                                                                                                                      Status
                                                                                                                      Pending
                                                                                                                      Credits
                                                                                                                        Available until
                                                                                                                        Status
                                                                                                                        Pending
                                                                                                                        Credits
                                                                                                                        • 1.0 ethics
                                                                                                                        Available until

                                                                                                                        January 16, 2026 at 11:59PM HST

                                                                                                                        Status
                                                                                                                        Approved
                                                                                                                        Credits
                                                                                                                          Available until
                                                                                                                          Status
                                                                                                                          Pending
                                                                                                                          Credits
                                                                                                                            Available until
                                                                                                                            Status
                                                                                                                            Pending
                                                                                                                            Credits
                                                                                                                              Available until
                                                                                                                              Status
                                                                                                                              Pending
                                                                                                                              Credits
                                                                                                                                Available until
                                                                                                                                Status
                                                                                                                                Not Offered
                                                                                                                                Credits
                                                                                                                                • 1.0 ethics
                                                                                                                                Available until

                                                                                                                                October 19, 2024 at 11:59PM HST

                                                                                                                                Status
                                                                                                                                Approved
                                                                                                                                Credits
                                                                                                                                  Available until
                                                                                                                                  Status
                                                                                                                                  Pending
                                                                                                                                  Credits
                                                                                                                                    Available until
                                                                                                                                    Status
                                                                                                                                    Pending
                                                                                                                                    Credits
                                                                                                                                    • 1.0 ethics
                                                                                                                                    Available until

                                                                                                                                    October 18, 2025 at 11:59PM HST

                                                                                                                                    Status
                                                                                                                                    Approved
                                                                                                                                    Credits
                                                                                                                                      Available until
                                                                                                                                      Status
                                                                                                                                      Not Eligible
                                                                                                                                      Credits
                                                                                                                                      • 1.0 ethics
                                                                                                                                      Available until

                                                                                                                                      October 18, 2025 at 11:59PM HST

                                                                                                                                      Status
                                                                                                                                      Approved
                                                                                                                                      Credits
                                                                                                                                        Available until
                                                                                                                                        Status
                                                                                                                                        Pending
                                                                                                                                        Credits
                                                                                                                                          Available until
                                                                                                                                          Status
                                                                                                                                          Not Eligible
                                                                                                                                          Credits
                                                                                                                                            Available until
                                                                                                                                            Status
                                                                                                                                            Not Eligible
                                                                                                                                            Credits
                                                                                                                                              Available until
                                                                                                                                              Status
                                                                                                                                              Pending

                                                                                                                                              Become a Quimbee CLE presenter

                                                                                                                                              Quimbee partners with top attorneys nationwide. We offer course stipends, an in-house production team, and an unparalleled presenter experience. Apply to teach and show us what you've got.

                                                                                                                                              Become a Quimbee CLE presenter image