“Are you encrypting your hard drives, are you encrypting your servers, are you encrypting your data in transit and in storage? The answer should be yes,” Catherine Sanders Reach, Director of the NCBA Center for Practice Management, told me recently.
She had just published an article in the NCBA From the Center blog about encryption. In our conversation, we touched on a lot of cybersecurity themes similar to what I recommend to lawyers.
Ethics opinions and the Rules of Professional Conduct are central to the practice of law, and there we find the common denominator with cybersecurity.
“Lawyers should look at the North Carolina State Bar Rules of Professional Conduct Rule 1.6 (Confidentiality of Information), and then read Comment 19 under ‘Acting Competently to Preserve Confidentiality,’” Reach said. “There is kind of a checklist of factors to be considered in determining the reasonableness of a lawyer’s efforts to maintain that confidentiality.”
When attorneys apply for malpractice insurance, many of the insurance companies now ask about the firm’s specific cybersecurity practices. The level of security needed depends on the firm’s practice areas. Firms that handle trust accounts call for more security than firms in other practice areas. There are also base requirements set by statute, such as HIPAA for firms working with medical records.
“Start looking at what type of information you send and receive electronically with your clients and what information you are storing in your systems. What steps do you need to take to protect it?” said Reach.
It’s logical to reason that an attorney cannot ensure confidentiality to a client if encryption is not being used. Unencrypted data exposes basic Personally Identifiable Information (PII) at a minimum, as well as the more sensitive information that lives within an attorney’s ecosystem, which can include trade secrets, financial transactions, business mergers, etc.
Part of what I’ve learned in 36 years of experience is that cybersecurity needs to be demystified for lawyers as well as for our clients. Attorneys and their clients need to enjoy the confidentiality that is assured between them in a world that is largely online, and that directly ties into cybersecurity best practices.
“The Rules do not require impenetrable security. That’s an impossibility. And it doesn’t have to be difficult to use or be incredibly expensive,” said Reach.
Cybersecurity needs to be tailored to the needs of each firm.
With ransomware on the rise, we all know that you want to avoid having your data encrypted by bad actors who then attempt to manipulate you for payment.
Maybe I don’t need to explain all about hashing and encryption algorithms; maybe you just need to know those things exist, so that I can help you practice your own area of expertise.
“Your responsibility to try to prevent a data breach should be scary enough. Then there’s the expense, the exposure and embarrassment … then you’ve got your ethical responsibilities for confidentiality, so if that’s not enough to get you to pay attention to cybersecurity, I don’t know what it is,” Reach concluded, and I totally agree.