Law in the Internet Society
Title: Cybersecurity is none of lawyers’ business?

1. Significant importance of lawyers’ duty of confidentiality to clients

A lawyer’s duty of confidentiality is considered “the most sacred of all legally recognized privileges, and its preservation is essential to the just and orderly operation of our legal system.” Naturally, the need to protect client confidentiality is articulated in doctrines of law, and for example, Rule 1.6 of the Model Rules of Professional Conduct states “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client”.

2. Environment surrounding lawyers – serious threat to information security

Use of technology for legal work has been increasing, and lawyers’ large scale remote work in response to a global pandemic is accelerating this trend. In the meantime, due to the trend, legal cybersecurity risk has been increasing. More than 100 law firms have reported data breaches since 2014 and the problem is getting worse. According to the American Bar Association’s (ABA) Tech Report 2020, nearly a third of law firms experienced a data breach in the past year. Since there are too many causes for the cybersecurity risk, it is impossible to list all up, but the following are (only) some of them:

(1) Government mass electronic surveillance: Government mass electronic surveillance such as the National Security Agency (NSA) Mass Surveillance program seriously threatens clients’ confidential information (e.g. client-attorney communications). For example, it is known from a top-secret document obtained by the former NSA contractor that the NSA Mass Surveillance program specifically monitored a big US law firm Mayor Brown when it represented Indonesian government in relation to trade negotiations with the US government . The NSA has no filtering procedure for privileged attorney-client information.

(2) Closed-source software/Apps: While it is unlikely for lawyers to use Facebook, TikTok? , Twitter etc. on their work phones and computers (where service providers fully control all of the users’ information for their commercial purpose), other closed-source software such as Microsoft Applications are often used by lawyers without any doubt. However, although not many people seem to care about such Apps’ privacy policy, for example Microsoft’s privacy policy allows Microsoft employees or its vendors to conduct manual review of personal data. Therefore, the possibility that client-attorney communications are monitored by third parties can’t be ruled out (Isn’t it breach of the Rule 1.6?).

(3) Smart Speakers: Smart Speakers such as Microsofts’s Cortana and Alexa for Business have been increasingly used as digital assistants by companies including law firms. However, as written in (2) above, confidential information (such as client-attorney communication in an office where Smart Speakers are put) can be monitored by service providers. As a matter of fact, it is said that data from these kinds of speakers are already being used in criminal cases .

3. Then, do lawyers duly protect clients’ confidential information?

I am afraid that simple answer on whether lawyers duly protect confidential information is “Not at all”. According to the ABA Tech Report 2020, more than three-quarters of law firm staff believe employees have accidentally and maliciously put data at risk and “despite the ethical issues and pending challenges…the use of certain security tools remains at less than half of respondents.”. My personal experience of working with law firms may be a good example. I worked as inhouse counsel in a company in Hong Kong for 4 years before I came to New York. Whenever I requested external lawyers to set up a video conference, they would always say “Sure, Zoom ? Microsoft Teams ? Whatever. Up to your choice”, despite the fact that I was in Hong Kong and the government of the PRC claims extra-territorial jurisdiction under the national security law to monitor Hong Kong people’s expressions…. I always felt that lawyers have professionality and pride with regards to “law” but when it comes to cybersecurity/technology, they think it is “somebody else’s business”, even though they are strictly responsible for confidentiality obligation and are supposed to take the lead in protecting clients’ information from any threat. But, this is understandable taking into account the current legal education.

4. Suggestion:

Even if lawyers don’t “technologically” sufficiently protect clients’ information, this doesn’t mean that lawyers don’t have continuing legal education responsibilities. They know the rules but don’t internalize their understanding and accordingly sometimes feel “cybersecurity is none of my field (but IT people’s)”. Given that, the following are my suggestion:

(1) Get familiar with actual leakage cases: Lawyers should be aware that they are exposed to cybersecurity risk all the time including their daily life. “Cybersecurity” sounds complicated to non-experts, but they should think about it in more familiar context. For example, they should be aware Facebook they are using outside work is spying on them for free all the time in return of providing free platform. They should look at how “their” data is being used by malicious companies in reality. Awareness of cybersecurity threats is half the battle.

(2) Practice in simulated environments: There are many courses where we can practice applying skills using real security tools in simulated environments. As I did, setting up a cybersecurity virtual lab is an efficient way (no need of experience. All needed is to prepare for running into issues, to have patience, and to keep Googling.). Perhaps, practicing ethical hacking is another way to get firsthand experience. In any case, having fun building and learning is key here, I think. Through this process, I believe they will begin to think legal cybersecurity knowledge is a fundamental part of their legal knowledge.

(3) Applying their learning to their work: They should consider what to improve in their workplace in order to protect their and clients’ information. For example, they may begin to think it should be mandatory to use end to end encryption and open source software. Then, introduce the practice. Explain and share the necessity to their colleagues and clients in their words.

(4) Keep having fun building and learning.

Lawyers already have continuing legal education responsibilities. Instead of making a rule that people should know things and take exams, why not learn how to teach them? Not one word in this essay is about the learning that other people could be helped to enjoy doing, and even less of it is about learning you have done and enjoyed. One really good way to make this essay better would be to bring it home, inside you. Instead of talking about learning, show learning. Instead of making rules to examine other people, examine yourself. Instead of making learning a burden, write about how you made it a joy. Then what you have made will be value to you and to every reader who cares.


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.

Navigation

Webs Webs

r3 - 07 Jan 2022 - 00:04:14 - SoichiroKatayama
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM