Avoiding the worst case scenario: BYOD, gaming and trade secrets
Is it more important to provide around the clock, mobile service or is it best to wait a few hours for a response so the data can stay housed in a secure environment?
November 08, 2013 at 03:00 AM
The original version of this story was published on Law.com
While “cybersecurity” is a term frequently thrown about, most attorneys, both inside and outside counsel, close their eyes and catch some zzz's when it is mentioned. Well, it is time to wake up. It is no longer acceptable to pass this on to the IT folks entirely while we stare into space. As presented in scenario 1 and scenario 2, attorneys need to open their eyes, as a security breach can have major ramifications. Not only can data breaches lead to leaks of privileged data, but trade secrets and other extremely sensitive information can also be exposed. Corporate clients who do not insist that their firms have strict security standards open themselves up to these leaks. Outside counsel who do not ensure their firms' networks are secure risk losing their largest corporate clients and opening themselves up to ethical violations. Below is the third real-world scenario that could happen to any attorney who represents a corporation.
Scenario 3 – Bring Your Own Device (BYOD)
You work as inside counsel for a major manufacturer of pharmaceuticals. Your company spends millions of dollars each year protecting its many patents and trade secrets.
Your outside counsel recently adopted a policy that permits all attorneys to buy and use their own devices on the firm's network. Outside counsel's CIO assured you that their firm's network is safe and that they have a policy of cyber hygiene in place to protect your data against attack. Because you do not know much about technology, his assurances make you feel confident that your data is safe. You do not follow up on this conversation or ask for specifics on their security measures.
One of the partners, John Smith, who works on several of your trade secrets cases, decided to buy himself a new iPad when this policy went into effect. He immediately has the IT department connect it to the firm's network so he can easily work on your cases from home. From his iPad, John can access your data, such as emails and spreadsheets that may be housed in a document repository, along with all attorney work product, including privileged communications.
John has a teenage son who is a huge gamer. As a way of bribing his son to do his chemistry homework, John allows him one hour on his iPad when his homework is complete. John's son frequently borrows his dad's iPad and accesses his favorite unsecured gaming site, which has operations in Antigua, management in Amsterdam and ownership in China. Many times while his son played on the gaming site, John was still logged into his firm's network. Every time John's son logged into his gaming portal, he exposed the law firm's network, containing your most sensitive data, to hackers across the globe who potentially face no repercussions for their actions.
The CEO has just brought to your attention that one of the prescriptions your company produces, which is still under patent, is now being mass produced in China. After hiring forensic specialists and spending a ton of money on investigations, you find out that the leak came from a hacker breaking into your outside counsel's network. You remember the new BYOD policy they told you about, but they assured you it was secure. You immediately call outside counsel and ask them to get to the bottom of this.
The ABA Model Rules now require that all lawyers “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The law firm, when it put the BYOD policy in place, owed a duty to keep your data safe. So that begs the question, how did outside counsel implement the new policy? What training did the firm provide regarding the use of its network on personal devices? Who's responsible for establishing remote accessibility for the attorneys' devices and what is the procedure for approving the use of personal devices on the firm's network? Were tighter restrictions placed on those practices that handled more sensitive data such as trade secrets? Are periodic tests, also known as spear-phishing, occurring to continually test the security of your network to expose any vulnerability that may arise?
This scenario points to several problems in implementation. First, John was an attorney who handled extremely sensitive data, but was allowed to do that on his own device on his own network. This data should have been locked down and only viewable in an extremely secure environment. Second, John left his network connection on even while his son used his iPad, which raises the question of whether proper training was given on using personal devices. Third, what was done to ensure that sites being logged into from the personal devices were secure? If any site can be accessed, that increases the chances of being hacked.
In this situation, outside counsel probably violated its ethical duties to you, but more importantly, exposed you to a huge financial loss. It is difficult enough to deal with patent infringement in the US, but going after a Chinese company for it is even more complicated and expensive. So outside counsel immediately gets fired, but what could you have done differently? As inside counsel, once you found out about this new BYOD policy, you should have asked more questions. The Model Rules understand that lawyers are not going to be experts in technology, but brokering a conversation between someone on your IT staff and the CIO of the law firm would have alerted you that this new policy opened the door to hacking. It is your obligation to ensure that your data is as safe with outside counsel as it would be in your IT environment.
BYOD is a great way of providing 24/7 service to clients, but if not properly implemented, it opens the door to a breach in security. There are serious vulnerabilities with this policy, and it is up to both outside and inside counsel to ensure these are minimized. This scenario raises the question of whether it is more important to provide around-the-clock mobile service or whether it may be best to wait a few hours for a response so the data can stay housed in a secure environment. While our data should all be safe and snug on a secure network, we need to wake up to the realities of a data breach.