Law in the Internet Society
Title: Cybersecurity is none of lawyers’ business?

1. Significant importance of lawyers’ duty of confidentiality to clients

A lawyer’s duty of confidentiality is considered “the most sacred of all legally recognized privileges, and its preservation is essential to the just and orderly operation of our legal system.” Naturally, the need to protect client confidentiality is articulated in legal doctrine. For example, Rule 1.6 of the Model Rules of Professional Conduct states: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

2. Environment surrounding lawyers – serious threat to information security

The use of technology for legal work has been increasing, and lawyers’ large-scale remote work in response to a global pandemic is accelerating this trend. At the same time, as a result of this trend, legal cybersecurity risk has been increasing. More than 100 law firms have reported data breaches since 2014, and the problem is getting worse. According to the American Bar Association’s (ABA) Tech Report 2020, nearly a third of law firms experienced a data breach in the past year. The causes of this cybersecurity risk are too numerous to list in full, but the following are some of them:

(1) Government mass electronic surveillance: Government mass electronic surveillance, such as the National Security Agency (NSA) Mass Surveillance program, seriously threatens clients’ confidential information (e.g. client-attorney communications). For example, it is known from a top-secret document obtained by the former NSA contractor that the NSA Mass Surveillance program specifically monitored a large US law firm, Mayer Brown, when it represented the Indonesian government in trade negotiations with the US government. The NSA has no filtering procedure for privileged attorney-client information.

(2) Closed-source software/Apps: While lawyers are unlikely to use Facebook, TikTok, Twitter, etc. on their work phones and computers (where service providers fully control all of the users’ information for their own commercial purposes), other closed-source software such as Microsoft applications is often used by lawyers without question. Not many people seem to care about such apps’ privacy policies, but Microsoft’s privacy policy, for example, allows Microsoft employees or its vendors to conduct manual review of personal data. Therefore, the possibility that client-attorney communications are monitored by third parties cannot be ruled out (isn’t this a breach of Rule 1.6?).

(3) Smart Speakers: Smart speakers such as Microsoft’s Cortana and Alexa for Business are increasingly used as digital assistants by companies, including law firms. However, as noted in (2) above, confidential information (such as client-attorney communication in an office where smart speakers are installed) can be monitored by service providers. As a matter of fact, it is said that data from these kinds of speakers is already being used in criminal cases.

3. Then, do lawyers duly protect clients’ confidential information?

I am afraid that the simple answer to whether lawyers duly protect confidential information is “Not at all”. According to the ABA Tech Report 2020, more than three-quarters of law firm staff believe employees have accidentally and maliciously put data at risk and “despite the ethical issues and pending challenges…the use of certain security tools remains at less than half of respondents.” My personal experience of working with law firms may be a good example. I worked as in-house counsel at a company in Hong Kong for 4 years before I came to New York. Whenever I asked external lawyers to set up a video conference, they would always say “Sure, Zoom? Microsoft Teams? Whatever. Up to your choice”, despite the fact that I was in Hong Kong and the government of the PRC claims extra-territorial jurisdiction under the national security law to monitor Hong Kong people’s expressions. I always felt that lawyers have professionalism and pride with regard to “law”, but when it comes to cybersecurity and technology, they think it is “somebody else’s business”, even though they are strictly responsible for their confidentiality obligation and are supposed to take the lead in protecting clients’ information from any threat. But this is understandable, taking into account current legal education.

4. Suggestion

The following are my suggestions:

(1) Lawyers’ obligation to use end-to-end encryption: Use of end-to-end encryption (where only the communicating users can read the messages they send to each other) should be an obligation for lawyers in attorney-client communications. This should be very cost-effective for cybersecurity planning in the long run.

(2) Lawyers’ obligation to use open source software: Taking into account the cybersecurity risks above, use of open source software (where users stay in full control of their information) should be an obligation for lawyers. For that purpose, I believe an initiative by the ABA or some other legal organization to use reliable and uniform open source software is fundamental.

(3) Introduction of a new Code in response to current cybersecurity issues: Model Rule 1.6 (as above) itself has not been amended for several years, and the current version is ambiguous. I suggest it be amended to be more concrete and to include the obligations in (1) and (2), as the New York State Department of Financial Services put new regulations governing cybersecurity fully into effect in 2020.

(4) Cybersecurity Exam/Education: To keep lawyers from thinking “cybersecurity is none of my business”, I believe lawyers should be obligated to take courses and exams that test their knowledge of the latest cybersecurity issues. This is a new digital age, and the confidentiality obligation is central to lawyers. Lawyers should regard such legal cybersecurity knowledge as part of their legal knowledge.



r1 - 18 Oct 2021 - 22:24:08 - SoichiroKatayama
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.