From Public Wi-Fi to Encrypted Emails, Panel Probes Security of Lawyer Communications
One takeaway from a New York State Bar Association discussion centered around data security in a lawyer's day-to-day-practice and related ethical obligations is the importance of using encrypted communication devices for client information.
January 23, 2018 at 05:02 PM
5 minute read
From left: moderator Michael Ross from the Law Office of Michael Ross; Karen Peters, former presiding justice of the Appellate Division, Third Department; Jonathan Stribling-Uss, of Constitutional Communications; James Bernard of Stroock & Stroock & Lavan; Timothy O'Sullivan of the New York State Lawyer's Fund for Client Protection; and William Rashbaum of the New York Times. Photo: David Handschuh/NYLJ
What happens when a lawyer connects a laptop containing sensitive client information to a public Wi-Fi network or prints out documents from a hotel printer?
Those scenarios could put lawyers—and their clients—at an increased risk for data leaks and hacking, said panelists at a Tuesday discussion at the New York State Bar Association's annual conference in Manhattan.
One takeaway from the discussion, which was centered around data security in an attorney's day-to-day-practice and related ethical obligations, is the importance of using an encrypted communication device in transmitting client information.
Encryption is often “client dictated,” not law firm-driven, said panelist James Bernard, a partner at Stroock & Stroock & Lavan who also serves as general counsel to his firm. Many clients, particularly financial services companies that are concerned about unauthorized access to personally identifiable information in their customer base, will use encrypted email, sometimes exclusively, in communications with law firms, Bernard said.
Some corporate counsel offices even have internal reviews to make sure legal staff are sending encrypted email.
“They get dinged if they don't send out encrypted emails,” Bernard said.
The moderator of the discussion, Michael Ross, whose firm represents other lawyers in ethics and disciplinary matters, said some engagement letters can even set out the standards of encryption that law firms promise to provide.
If lawyers are not using encrypted technology, they could be exposing client confidential information, said panelist Jonathan Stribling-Uss, a lawyer, digital security consultant and director of Constitutional Communications, a nonprofit that specializes in information security.
In the situation of a lawyer using a public Wi-Fi network and sending email “that does not have end-to-end encryption,” that communication could be read by someone also on that network and the connection itself could be changed to allow for some sort of malicious attack, Stribling-Uss said.
“That's totally possible with any public Wi-Fi connection,” added Stribling-Uss, who also noted that printers can store documents for years and also be hacked.
Another panelist, Karen Peters, a former presiding justice of the Appellate Division, Third Department, said an attorney's ethical obligations vary depending on the firm.
“Are you talking about a large law firm with hundreds of lawyers that has an international presence? Then I would think their obligation to ensure confidentially to client data is a much higher obligation,” said Peters, noting that such a firm's clients have information that hackers are looking to acquire, unlike a small firm in Plattsburgh, New York, handling family law or Surrogate's Court work.
For Peters, who retired in December, the issue of cybersecurity is one that her former colleagues on the bench must now face.
“The question I would think for any judge who has this situation in front of him or her is, 'What was reasonable under the circumstances,' and those change depending upon the kind of business you're in,” she said, citing Rule 1.6 of the New York Rules of Professional Conduct.
Still, a firm of any size can be targeted.
Timothy O'Sullivan, executive director of the New York State Lawyers' Fund for Client Protection, which reimburses client money that is misused in the practice of law, said a common scheme is an email solicitation to lawyers that asks them to deposit a check in escrow and then disburse the money.
“Turns out that check was bogus,” but it's not caught right away, said O'Sullivan in describing the scam.
Peters raised another hypothetical for any firm: An executive assistant, in their spare time, uses an office computer for online shopping, social media and other internet surfing. Is it best for the law firm to be rigid with staff on how they use the equipment in the office?
Stribling-Uss said that firms should be strict, confirming that personal use of office equipment by staff can expose law firms to hacking. Stribling-Uss, however, said that firms don't have to pay a fortune.
“The best types of encryption are actually free,” he said. “You're being fleeced by these security companies,” he added, pointing out encryptions apps such as Signal and WhatsApp.
Meanwhile, notices at the end of law firm emails noting that any information included in them is intended only for the person to which is it addressed with unauthorized access being strictly prohibited is “mostly just catnip” for hackers, Stribling-Uss said.
Another takeaway from the discussion is just “to be smart and start thinking about these issues more often,” said Bernard, noting that various ethics opinions on this subject are situational.
“You definitely need to be thinking about this all along a graded scale, if you will, in terms of how important the matter is and what it is you're transmitting,” Bernard said.
A New York Times reporter on the panel, William Rashbaum, reminded the audience, “When somebody provides us with documents that are confidential, they are newsworthy because they are confidential.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllGC Pleads Guilty to Embezzling $7.4 Million From 3 Banks
Luigi Mangione Defense Attorney Says NYC Mayor’s Comments on Case Raise Fair Trial Concerns
4 minute readDistressed M&A: Mass Torts, Bankruptcy and Furthering the Search for Consensus: Another Purdue Decision
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250