Avoiding the worst case scenario: BYOD, gaming and trade secrets
Is it more important to provide around the clock, mobile service or is it best to wait a few hours for a response so the data can stay housed in a secure environment?
November 08, 2013 at 03:00 AM
The original version of this story was published on Law.com
While “cybersecurity” is a term frequently thrown about, most attorneys, inside and outside counsel alike, close their eyes and catch some zzz's when it is mentioned. Well, it is time to wake up. It is no longer acceptable to completely pass this onto IT folks while we stare into space. As presented in scenario 1 and scenario 2, attorneys need to open their eyes, as a security breach can have major ramifications. Not only can data breaches lead to leaks of privileged data; trade secrets and other extremely sensitive information can be exposed as well. Corporate clients who do not insist that their firms have strict security standards open themselves up to these leaks, and outside counsel who do not ensure their firms' networks are secure risk losing their largest corporate clients and opening themselves up to ethical violations. Below is the third real world scenario that could happen to any attorney who represents a corporation.
Scenario 3 – Bring Your Own Device (BYOD)
You work as inside counsel for a major manufacturer of pharmaceuticals. Your company spends millions of dollars each year protecting its many patents and trade secrets.
Your outside counsel recently adopted a policy that permits all attorneys to buy and use their own devices on the firm's network. Outside counsel's CIO assured you that their firm's network is safe and that they have a policy of cyber hygiene in place to protect your data against attack. Not knowing much about technology, you find his assurances make you feel confident that your data is safe. You do not follow up on this conversation or ask for specifics on their security measures.
One of the partners, John Smith, who works on several of your trade secrets cases, decided to buy himself a new iPad when this policy went into effect. He immediately has the IT department set it up on the firm's network so he can easily work on your cases from home. From his iPad, John can access your data, such as emails and spreadsheets that may be housed in a document repository, along with all attorney work product, including privileged communications.
John has a teenage son who is a huge gamer. As a way of bribing his son to do his chemistry homework, John allows him 1 hour on his iPad when his homework is complete. John's son frequently borrows his dad's iPad and accesses his favorite unsecured gaming site, which has operations in Antigua, management in Amsterdam and ownership in China. There were many times when he played on the gaming site while John was still logged into his firm's network. Every time John's son logged into his gaming portal, he exposed the law firm's network, containing your most sensitive data, to hackers across the globe, potentially without any repercussions for their actions.
The CEO has just brought to your attention that one of the prescription drugs your company produces, which is still under patent, is now being mass produced in China. After hiring forensic specialists and spending a ton of money on investigations, you find out that the leak came from a hacker breaking into your outside counsel's network. You remember the new BYOD policy they told you about, but they assured you it was secure. You immediately call outside counsel and ask them to get to the bottom of this.
The ABA Model Rules now require that all lawyers “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The law firm, when it put the BYOD policy in place, owed a duty to keep your data safe. So that raises the question: how did outside counsel implement the new policy? What training did the firm provide regarding the use of its network on personal devices? Who is responsible for establishing remote access for the attorneys' devices, and what is the procedure for approving the use of personal devices on the firm's network? Were tighter restrictions placed on those practices that handle more sensitive data, such as trade secrets? Are periodic tests, such as simulated spear-phishing campaigns, being run to continually test the security of the network and expose any vulnerability that may arise?
This scenario points to several problems in implementation. First, John was an attorney who handled extremely sensitive data, but he was allowed to do that on his own device on his own network. This data should have been locked down and only viewable in an extremely secure environment. Second, John left his network connection open even while his son used his iPad, which raises the question of whether proper training was given on using personal devices. Third, what was done to ensure that sites being logged into from the personal devices were secure? If any site can be accessed, that increases the chances of being hacked.
In this situation, outside counsel probably violated its ethical duties to you, but more importantly, exposed you to a huge financial loss. It is difficult enough to deal with patent infringement in the US, but going after a Chinese company doing so is even more complicated and expensive. So outside counsel immediately gets fired, but what could you have done differently? As inside counsel, once you found out about this new BYOD policy, you should have asked more questions. The Model Rules understand that lawyers are not going to be experts in technology, but brokering a conversation between someone on your IT staff and the CIO of the law firm would have alerted you that this new policy opened the door to hacking. It is your obligation to ensure that your data is as safe with outside counsel as it would be in your own IT environment.
BYOD is a great way of providing 24/7 service to clients, but if not properly implemented, it opens the door to a breach in security. There are serious vulnerabilities with this policy, and it is up to both outside and inside counsel to ensure these are minimized. This scenario raises the question of whether it is more important to provide around the clock, mobile service or whether it may be best to wait a few hours for a response so the data can stay housed in a secure environment. While our data should all be safe and snug on a secure network, we need to wake up to the realities of a data breach.