Law in the Internet Society

SoichiroKatayamaFirstEssay 3 - 07 Jan 2022 - Main.SoichiroKatayama
Line: 1 to 1
 
META TOPICPARENT name="FirstEssay"
Title: Cybersecurity is none of lawyers’ business?
Line: 26 to 27
 My personal experience of working with law firms may be a good example. I worked as inhouse counsel in a company in Hong Kong for 4 years before I came to New York. Whenever I requested external lawyers to set up a video conference, they would always say “Sure, Zoom ? Microsoft Teams ? Whatever. Up to your choice”, despite the fact that I was in Hong Kong and the government of the PRC claims extra-territorial jurisdiction under the national security law to monitor Hong Kong people’s expressions…. I always felt that lawyers have professionality and pride with regards to “law” but when it comes to cybersecurity/technology, they think it is “somebody else’s business”, even though they are strictly responsible for confidentiality obligation and are supposed to take the lead in protecting clients’ information from any threat. But, this is understandable taking into account the current legal education.

4. Suggestion:

Deleted:
<
<
The following are my suggestion: (1) Lawyers’ obligation to use end to end encryption: Use of end-to-end encryption (where only the communicating users can read the messages they send to each other) should be obligation for lawyers in attorney-client communications. This should be very cost effective for cybersecurity planning in the long run.

(2) Lawyers’ obligation to use open source software: Taking into account the cybersecurity risks above, use of open source software (where users stay in full control over their information) should be obligation for lawyers. For that purpose, ABA or any some legal organization’s initiative of using reliable and uniform open source software is fundamental I believe.

(3) Introduction of new Code in response to the current cyber security issues: Model Rule 1.6 (as above) itself has not been amended for several years, and the current version is ambiguous. I suggest it be amended to be more concrete and include the obligation of (1) and (2), as the New York State Department of Financial Services has put new regulations governing cybersecurity fully into effect in 2020.

 
Changed:
<
<
(4) Cybersecurity Exam/Education: In order to avoid lawyers from thinking “cybersecurity is none of my business”, I believe lawyers should be obligated to take learning courses and exams to test their knowledge on the latest cybersecurity issues. Now is new digital age and confidentiality obligation is central to lawyers. Lawyers should think such legal cybersecurity knowledge is a part of their legal knowledge.
>
>
Even if lawyers don’t “technologically” sufficiently protect clients’ information, this doesn’t mean that lawyers don’t have continuing legal education responsibilities. They know the rules but don’t internalize their understanding and accordingly sometimes feel “cybersecurity is none of my field (but IT people’s)”. Given that, the following are my suggestion:

(1) Get familiar with actual leakage cases: Lawyers should be aware that they are exposed to cybersecurity risk all the time including their daily life. “Cybersecurity” sounds complicated to non-experts, but they should think about it in more familiar context. For example, they should be aware Facebook they are using outside work is spying on them for free all the time in return of providing free platform. They should look at how “their” data is being used by malicious companies in reality. Awareness of cybersecurity threats is half the battle.

(2) Practice in simulated environments: There are many courses where we can practice applying skills using real security tools in simulated environments. As I did, setting up a cybersecurity virtual lab is an efficient way (no need of experience. All needed is to prepare for running into issues, to have patience, and to keep Googling.). Perhaps, practicing ethical hacking is another way to get firsthand experience. In any case, having fun building and learning is key here, I think. Through this process, I believe they will begin to think legal cybersecurity knowledge is a fundamental part of their legal knowledge.

(3) Applying their learning to their work: They should consider what to improve in their workplace in order to protect their and clients’ information. For example, they may begin to think it should be mandatory to use end to end encryption and open source software. Then, introduce the practice. Explain and share the necessity to their colleagues and clients in their words.

(4) Keep having fun building and learning.

 
Lawyers already have continuing legal education responsibilities. Instead of making a rule that people should know things and take exams, why not learn how to teach them? Not one word in this essay is about the learning that other people could be helped to enjoy doing, and even less of it is about learning you have done and enjoyed. One really good way to make this essay better would be to bring it home, inside you. Instead of talking about learning, show learning. Instead of making rules to examine other people, examine yourself. Instead of making learning a burden, write about how you made it a joy. Then what you have made will be value to you and to every reader who cares.
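Review bot: In the new item (3), "end to end encryption and open source software" appear with no explanation, because the deleted items (1) and (2) carried the only definitions on the page ("where only the communicating users can read the messages they send to each other" and "where users stay in full control over their information"). Since the essay's own premise is that lawyers treat these terms as someone else's field, keep a one-clause definition of each where item (3) first uses them, and hyphenate "end-to-end" consistently as the earlier revision did.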

Revision 3r3 - 07 Jan 2022 - 00:04:14 - SoichiroKatayama
Revision 2r2 - 04 Dec 2021 - 15:06:44 - EbenMoglen
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.