The COVID-19 outbreak is forcing lawyers to work at home, and the threat of being "hacked" at home, where the regimen of a law firm's policies and costly IT infrastructure do not exist, remains even greater than at the office. The fact is that attorneys have an ethical obligation to protect law firm and client confidences, and doing so when working remotely is not so easy. The virus outbreak has exposed chinks in the amour of the confident legal profession where vulnerabilities exist.

Lawyers cannot let their guard down when they are using the shared family laptop while working from home in sweats. This is just what the "bad guys" are relying upon when they seek to "hack" into your unsecure home system or compromise your Gmail account or "phish" you with malignant links enticing you to click on them to find out the current status of court closings or the spread of the virus in your neighborhood.

Realizing lawyers' weakness in this area, the Committee on Technology and the Legal Profession of NYSBA last week issued a report titled Cybersecurity Alert: Tips for Working Securely While Working Remotely focusing on providing practical, understandable cybersecurity advice designed to provide attorneys with a checklist of tips to help them work securely when working remotely. In fact, on Wednesday, March 18th, NYSBA will be streaming out a webinar titled "Cyber-Protect Your Firm When You Work From Home." The implications of the COVID-19 outbreak only further demonstrates why it is so important to understand how to protect client confidences and the reason why the Committee has recommended that NYSBA support a proposal to include one credit of cybersecurity education to an attorney's biennial CLE ethics requirement.

Below is a summary of the Committee's cybersecurity checklist to follow while working from home:

(1) Have a remotely secure accessed digital workspace. It should enable access to email, documents and billing applications. Make sure every attorney and staff member knows how to use it to access needed information.

(2) Consider providing attorneys with the ability to conduct telephone and video conferences from home.

• Attorneys may be tempted to use free services, which may not be

secure, or use services that keep recordings of conversations and meetings by default. Leaving those recordings out of the firm's control and protection is not prudent.

(3) Properly prepare attorneys and staff for work-from-home.

• Make sure they know how to access their work voicemail (and know their passcode)
• Verify that they have access to a laptop, iPad or other devices so that they can work effectively from out of the office
• Encourage them to check that their devices have all recommended system updates and patches installed
• Advise them that devices should require strong passwords and, if possible, segregated with separate passwords for separate access for family members Consider requiring all attorneys and staff to change their passwords frequently during the course of the remote-working period
• Verify they all have the digital workspace properly installed on their out of- office devices
• Educate attorneys and staff on the dangers of linking to the firm's systems using insecure publicly-available Wi-Fi, or using a home Wi-Fi connection that lacks strong password protection

(4) Prepare for the cybersecurity risks of remote working.

• Understand that all of the firm's efforts to prevent malware from entering the IT system have not been applied to attorney and staff personal devices
• Personal devices may already be infected with malware, particularly if used by children or other family members who click unsafe links sent by hackers
• Personal devices likely do not have the perimeter controls and virus detectors installed on firm systems, and often lack required patches to security flaws in their operating system and applications
• Warn against using personal devices that are not secure
• Beware of attorneys and staff who send copies of emails and documents through their personal email accounts
• Set a policy forbidding saving of client confidential emails and documents directly on personal devices (they should be stored only on the firm's system, using the remotely-accessed digital workspace/VPN)
• If client confidential data is saved to the devices' hard drives, it should be deleted as soon as practicable
• Instruct attorneys and staff not to store or transfer confidential data using unapproved personal cloud service accounts

(5) IT security should go on high alert.

• Watching closely for anomalies in activity on your system and evidence of hacking during this time of vulnerability
• Keep better logs of network activities to enable better information about threats
• Keeping a particular eye on remote access
• Considering "stress-testing" your security protocols, perhaps randomly, to determine where vulnerabilities lie and plug them before bad guys can get into your firm's network

Mark A. Berman is a commercial litigation partner at Ganfer Shore Leeds & Zauderer. He is a past chair of the Commercial & Federal Litigation Section of the New York State Bar Association (NYSBA) and the current co-chair of NYSBA's Committee on Technology and the Legal Profession.