The Risk Manager, Spring 2011
This program began by stressing that the confidential data of law firms is facing security threats as never before. While this risk was once primarily a business risk of corporations, law firms are now a lucrative target of cyberscams. Especially vulnerable firms are those involved with mass class actions, high net worth clients, and the health industry (read personal injury medical records). Firm computer security is breached by tricking lawyers into downloading malware onto their computers, or into opening malicious e-mail, so that the malware infiltrates a system by bypassing technological network defenses.
Program materials included Cell Phone Spyware Facts that covers both cell phones and other covert law firm espionage techniques. What follows is a brief synopsis of this document and the panelists’ discussion of it. Cell Phone Spyware Facts is available in its entirety on Lawyers Mutual’s Website Home Page at lmick.com.
The technology threat to preservation of client confidentiality is nearly mind-boggling. Here are some of these risks:
Cell Phone Vulnerability:
- All cell phones can be bugged – every vendor is at risk.
- The smarter the cell phone is, the easier it is to bug.
- Spyware to bug cell phones is readily available on the Internet.
- It is possible to bug a cell phone remotely without the phone ever being in someone else’s possession.
- Information that spyware programs can collect includes all conversations, contact data, multimedia messaging service, short message service, phone call history, e-mail history, webpage history, pictures, video, GPS location, cell tower triangulation history, and file system information.
- A cell phone can be programmed to act as a bug. For example, a person leaving a hidden cell phone bug in a meeting room can activate the phone to hear meeting conversations. Similarly, a person attending a meeting with a cell phone bug with them can surreptitiously send meeting conversations to an accomplice in another location.
Unconventional Covert Espionage Techniques:
- Devices are concealed in fax machines that copy all faxed documents and download them to a remote location. This device is used to monitor conversations around the fax machine as well.
- A similar device is used in printers and copy machines.
- Shredders are bugged with a hidden digital scanner to copy and download shredded documents. One of these devices prints the document at the receiving location as it is being shredded.
- Tiny cellular bugs that are an entire cell phone are hidden in innocent-looking appliances such as a computer mouse, computer keyboard, table clock, and other objects that are connected to a live electric power source.
Is your cell phone bugged?
Cell Phone Spyware Facts lists these indicators that a cell phone may have spyware installed on it:
- Battery warm when not in use.
- Battery life is noticeably diminished each day.
- Some Blackberrys: communication icon on right screen flashing.
- Small pauses of audible communication while talking.
- Light audible tones, beeps, or clicks throughout a conversation.
- Flashing or flickering on display or change of brightness.
- Some spyware programs require the spy to manually mute their phone; therefore, you might hear them in the background at the beginning of conversation or when they tap in.
- Slower Internet access.
- Suspicious third parties have detailed knowledge of your private conversations and locations (GPS).
- You have opened a suspicious e-mail or one from a potential spy (allowing a Trojan Horse to install spyware remotely).
Countermeasures for meeting room security
There are a variety of ways of securing a meeting room. Examples are:
- Use a safe room for highly confidential meetings.
- Have qualified technicians sweep a meeting room.
- Allow no electronic devices in a meeting room.
- Use a cell phone detector.
- Employ a cell phone jammer.
Technical Surveillance Countermeasure Teams (TSCM) are available to audit security in a firm. While Lawyers Mutual does not recommend specific contractors, Cell Phone Spyware Facts includes information on how one TSCM company operates.
Program materials offered this risk management advice for laptops:
- Create firm-wide mobile device security policy and enforce it.
- Don’t take all information with you – just because you can doesn’t mean you should.
- Require strong two-factor authentication.
- Encrypt all confidential data.
- Never leave access numbers, passwords, or security devices in your carrying case.
- Consider using a laptop tracking and wiping program.
- Provide for physical security of laptops, including:
  - Always keep your laptop in sight.
  - Secure it when not in sight.
  - Use a laptop security device.
  - Use engraving or an asset tag to identify the owner.
  - Be aware that computer bags attract undue attention.
  - Watch your laptop when going through airport security.
  - Never leave a laptop in view in a parked car.
  - Secure your laptop in your hotel room when out of your room.
Developing an effective technology risk management program
Panelist Michael Downey of Hinshaw and Culbertson included his article Serious About Confidentiality (The National Law Journal, October 18, 2010) in the program materials. In the article he offered this advice for getting started in an effective technology risk management program:
- Adopt clear policies and educate all personnel about the proper use and disclosure of client confidences, including to the media and on the Internet, and the consequences of noncompliance.
- Purchase travel laptop computers and flash drives protected by full disk encryption, and insist that lawyers and staff use such protected devices when they travel with client-related or other sensitive information.
- Ensure that all computer systems, scanner/copiers and smart phones that can send and receive data have password protections activated.
- Ensure that people who have access to firm facilities and information can pass reasonable background checks and agree in writing to preserve confidences.
- Keep the most sensitive information off the Internet, or at least secured on document-management systems.
- Provide for secure disposal of confidential information at each workstation, as well as at copiers, printers and the like, and also for secure disposal of any computers (home or office) or data-storage devices that might contain firm-related information.
- Assess whether the firm should purchase additional insurance or equipment to protect against data disclosure.
- Plan now how the firm will respond to any disclosure that may occur, including how notice will be given to regulators, affected clients and the public, and what actions the firm will take to re-establish protection and sanction anyone who caused the disclosure.
What should a competent lawyer do?
If you are balking at the idea that you must implement technology risk management programs to protect confidential information, remember that the Rules of Professional Conduct on competence and confidentiality are more than a prohibition on revealing confidential information without client consent. A lawyer must also take reasonable care to affirmatively protect a client’s confidential information. What may have been reasonable care a few years ago is no longer the case.
No matter the size of a law firm, affirmative action is required to avoid both malpractice and fiduciary breach claims because a firm failed to take reasonable care to protect confidentiality from a technology threat. Use the process recommended above to review your situation. Additionally, you may find these Bench & Bar articles on Lawyers Mutual’s Website helpful in understanding and analyzing your technology risk management needs.