The Risk Manager, Summer 2014
Cloud computing is the technology that permits law firms, through the Internet, to access software or store files on computers that are not at the firm’s physical location or even within the firm’s physical control. As the invention of the Colt .45 was the great equalizer for the little guy in the Wild West, the Cloud is the great equalizer that lets small law firms compete with large firms in the technology-driven age in which we practice.
We first wrote about Cloud computing in our Summer 2012 Newsletter in the article What Kentucky Lawyers Need to Know about the Ethics and Risk Management of Cloud Computing. That article provides an overview of Cloud computing including the benefits of Cloud computing, the risks of using Cloud computing providers, the professional responsibility rules Cloud computing invokes, and reasonable care in selecting a Cloud service provider. That article remains a good place to start in reviewing your use of Cloud computing. It is available on Lawyers Mutual’s Website at lmick.com – click on Resources, Subject Index, Internet, and select the article.
Late last year the New York City Bar issued the report The Cloud and the Small Law Firm: Business, Ethics and Privilege Considerations. Given the large number of small firms in Kentucky this report could not have come out at a better time. The report describes the significance of Cloud computing for smaller firms as follows:
By leveraging this new technology, small law firms could afford the tools needed to grow their practices and compete on a level playing field with large law firms. Small firms or solos who previously could not afford physical storage space could now store their numerous client related documents on the Cloud, without having to worry about the cost and feasibility of hiring an IT department. More importantly, through the Cloud and wireless computing, small firms and solo attorneys could have constant access to client documents and communications whether they are travelling, in court, at a coffee shop, or at home. This increased availability to respond to their clients will give small firms an advantage that in the past they may have ceded to big firms with armies of associates and support staff.
The 29-page report includes this scope statement:
This paper will explore the landscape of what is reasonable care. It will analyze required safeguards for client and firm electronic information in the context of law firm practicalities, and the business case for moving to the Cloud and using portable devices. It will also outline ways in which lawyers should carefully evaluate all service providers to ensure that they employ sufficient procedures to protect clients’ confidences and electronic information and how best to employ appropriate precautions when using portable media. Finally, the paper will propose practical ways to mitigate risk as information technology advances. It will offer ways in which lawyers can, and must, become educated regarding the technologies, and it will outline procedures required when contracting with Cloud providers and utilizing portable devices in order to safeguard client and firm data, thereby minimizing ethical and malpractice risks.
The report concludes with these suggested guidelines:
Guideline 1 – Only Use Reliable Providers
Only use reliable providers and, even with well-established providers, keep up to date on their business condition and prospects.
Guideline 2 – Document Due Diligence
Spend time performing due diligence on a proposed provider and its contract (Service Level Agreement, or “SLA”) and document the process, including your review, any negotiations with the provider and the reasons why you concluded that your client’s information is going to be secure.
Guideline 3 – Read the Contract, then Decide Your Risk Tolerance
Never just click “Agree” to a provider’s “Terms and Conditions of Use.” Obtain, and review, the complete Service Level Agreement and all Addenda and Attachments. Read all website information referenced in links in the SLA.
Guideline 4 – Key Contractual Terms
Get promises from a prospective Cloud provider, in the SLA, that it will meet your key requirements, and check the provider’s track record of meeting them with reliable references.
Guideline 5 – Get Client Consent
Obtain your clients’ consent before storing their information in the cloud or relying on cloud-based software for client-critical functions.
Guideline 6 – Understand the Technology
Be sure you know the technology or engage an expert to assist you.
Guideline 7 – Keep Data Encrypted
Guideline 8 – Establish Data Management Policies and Procedures
The New York City Bar report The Cloud and the Small Law Firm: Business, Ethics and Privilege Considerations is an outstanding treatment of Cloud computing for any law firm, but especially smaller firms. We recommend that you refer to it extensively in using and risk managing Cloud computing. All you have to do to obtain it is to Google The Cloud and the Small Law Firm: Business, Ethics and Privilege Considerations. (last viewed on 6/23/14)
Keeping Up With Lawyer Scams
Cryptolocker is a ransomware virus threat to lawyer files and wallets. It is estimated that law firms and businesses have lost millions of dollars to this scam. The December 2013 LAWPRO Magazine featuring “Cyber Crime and Law Firms” describes ransomware as follows:
Ransomware infections are becoming much more common recently and are usually spread by infected email attachments or Website links that trigger a download. The most common type, Cryptolocker, will scramble all the data files on your computer with virtually unbreakable encryption. You learn you are infected when a pop-up window tells you that your data has been scrambled and will be deleted unless you pay a ransom within a very short period of time, typically 48 hours or so. The ransom is typically in the range of $100 to $300 and payable only in Bitcoins, a type of virtual currency that makes payments untraceable. It is a relatively low amount so you have an incentive to pay it as a nuisance; but as you are dealing with criminals, paying it does not guarantee that you will get your data back.
A North Carolina firm was victimized earlier this year by Cryptolocker. The firm was targeted using an email with an attachment. Upon opening the attachment, the virus immediately began encrypting thousands of documents, making them inaccessible to the firm. The hackers demanded $300 within three days to provide the code to unlock the files. After trying to solve the problem without success, the firm attempted to pay the ransom, but time had run out and the firm could not get the release code. Fortunately, the firm had backup systems.
We are unaware of any Kentucky lawyers victimized by Cryptolocker, but the chances are good that there are some. Given the great variety of computer systems used by lawyers, we can only give the following general risk management advice gleaned from several sources. For a comprehensive treatment of computer security risk assessments for law firms, see Cybersecurity Standards and Risk Assessments for Law Offices: Weighing the Security Risks and Safeguarding Against Cyber Threats by David Z. Bodenheimer and Cheryl A. Falvey. Just Google the article title. (last viewed 6/23/14)
Cyber Attack Risk Management Considerations:
- Use computer-security software to block suspicious emails – be sure to update regularly.
- Never open attachments from a source you don’t recognize.
- Require all firm members to be especially vigilant before downloading photos or PDF files, even if apparently from known sources, to avoid downloading an executable file that could install malware.
- Establish off-site data backup systems and procedures for alternate access to the network.
- Back up and archive all files nightly to an off-line system that is not connected to the vulnerable main office system. Some firms nightly back up all files on tape and lock the tapes in a fireproof safe in the office. They then further back up the files in off-site storage – usually in the Cloud.
- Include home computers, laptops, and smart phones in office cyber security programs.
- Review computer system backup architecture and file-sharing architecture to assure that a single event of a malware download cannot infect both the main system and backup systems.
For additional risk management considerations for Cryptolocker and other malware, read The LAWPRO Magazine: December 2013 at http://practicepro.ca/lawpromag/LawproMagArchive.asp (last viewed 6/23/14).
It is an excellent source for reviewing the cyber risks of your firm. It contains useful guidance for protecting your practice from being held up for ransom.
Editor’s Note: Federal authorities recently stopped the primary hacker using Cryptolocker, but, as the following paragraphs show, ransomware remains a major risk.
Ransomware Hits iPhones and iPads in Australia
ABC Internet News reported on May 28, 2014 that a hacker with the name “Oleg Pliss” locked up iPhones and iPads in Australia and sent ransom messages demanding payment to unlock them. Especially alarming is that hackers may now be able to get iCloud credentials from these devices and reach data stored or backed up on the Cloud by the device owner.
This new development in cyber crime reinforces the urgency required in establishing risk management procedures that protect firm backup systems from penetration through any office or home computer or electronic device used by a firm for communication.