The Covid-19 pandemic forced lawyers and judges to practice outside of their physical facilities, and continue professional services from their home offices. That same period was the worst on record for cyberattacks:
- The Sodin (a.k.a. REvil and Sodinokibi) ransomware gang infiltrated a group of law firms and published directories, customer lists, contracts and credentials to the dark web.
- Gootloader offered free resources and templates for professionals (lawyers, doctors and engineers) which were infected and used to establish initial access
- Attackers posed as law students to establish a mentor relationship with senior partners and judges and then sent a link to a survey which deployed payloader malware.
In response, the American Bar Association (ABA) published Formal Opinion 498 (FO498) to address practicing law outside of the traditional brick-and-mortar office environment. It reminds lawyers that while the ABA Model Rules of Professional Conduct permit virtual practice, these Rules provide minimum requirements and recommendations for virtual practice, particularly in the areas of competence, confidentiality, and supervision.
ABA FO498 is more aspirational than prescriptive. Let’s take a look at how eSentire can help you operate a secure virtual law practice in the areas of:
- Managing software and hardware
- Accessing client data and transferring documents
- Securing virtual meetings
- Addressing listening devices
Managing software and hardware
In the wake of massive software and vendor exploits (SolarWinds Orion and Microsoft Exchange), FO498 reminds lawyers of their obligations to review vendor terms and conditions (T&Cs) to ensure that client confidentiality is protected. But vendor management goes beyond T&Cs. Lawyers are required to ensure these systems are up to date with service patches which are often deployed to eliminate security vulnerabilities.
Accessing client data and transferring documents
When working remotely, it’s tempting to use personal services, like email and file sharing, to quickly distribute information to clients. Of course, these services are not necessarily secure enough to meet confidentiality requirements. And even commercial systems are vulnerable, as was the case with Jones Day when hackers claimed to have accessed Jones Day client files from their file sharing service, Accellion.
In addition to the protocols noted earlier (e.g., reviewing the terms of service and any updates to those terms), lawyers must confirm that documents in virtual document and data exchange platforms are appropriately archived for later retrieval and that the service or platform is and remains secure. For example, if the lawyer is transmitting information over email, the lawyer should consider whether the information is and needs to be encrypted (both in transit and in storage). And, avoid using personal email and file sharing services.
FO498 requires that lawyers prepare for the eventuality of a data breach, with policies that include client notification. It also requires lawyers to employ data back-up systems to create resilience, and assume the likelihood of data theft or destruction with specific data breach policies. In this regard, FO498 augments 2018 Formal Opinion 483 which outlines a lawyer's obligations after an electronic data breach or cyberattack.
Virtual meeting platforms
The term, Zoombombing, joined the popular lexicon as unwanted criminals joined meetings and took over screen sharing to display pornography or hate speach. And as the firm doubled-down on security measures, the FTC investigated the firm’s claims, resulting in a rapid settlement. And it wasn’t only Zoom; Citrix and Microsoft Teams also had their issues and vulnerabilities.
Much like any other software, these systems must be updated and operating on the latest versions to prevent exposure to known vulnerabilities, and rely on controlled access (passwords and other security measures) to restrict unauthorized access. Beyond the FO498 requirements, there are a few best practices that reduce the risk of abuse:
- Enforce corporate account access for employees.
- Avoid using personal accounts to log into firm meetings.
- Enable waiting room features that prevent guests from entering the meeting before the host.
- Disable the ability for guests to re-enter once intentionally disconnected.
- Disable guest ability to share their screen without the host’s permission.
Smart speakers, virtual assistants and other listening devices
Lawyers understand that the need to protect client confidentiality extends beyond the confines of the law firm, but think in terms of overheard conversations in elevators, public spaces or restaurants. But few consider what their smart speakers, virtual assistants or even watches are overhearing. These devices are generally used under consumer T&Cs which create risk when it comes to how these devices listen (passively or actively), what they capture, the purpose of the collected information, and how it is protected. Unless the technology is assisting the lawyer’s law practice, the lawyer should disable the listening capability of devices.
How we can help
- Our Vulnerability Management service identifies and prioritizes vulnerabilities, and our Risk Management team can assist with full life-cycle remediation to avoid the most dangerous exploits.
- Our Managed Detection and Response services for Endpoint and Behavioral threats actually detected the Microsoft vulnerability before it was reported, and proactively blocked the deployment of malicious web shells.
- Our Virtual CISO program can help you build a comprehensive cyber-risk management program that includes acceptable usage policies (AUP) and user awareness training that cover even the most peripheral of risks like listening-enabled devices.
Learn from the past to invest in the future
One lesson to learn is that tectonic events like the Covid-19 pandemic wasn’t the first event to shape security practices, and it certainly won’t be the last. Many security events can be avoided by simply adhering to basic cyber hygiene: use strong passwords, multi-factor authentication, secure WIFI and VPNs. And vendor risk can be reduced by keeping up on patching, and avoiding accessing corporate services from personal accounts. We can help.
