You Are Not Paranoid If They Really Are Watching You
Attorney-Client Privilege, Confidentiality and Cybersecurity in the 21st Century
By Jim Calloway
Originally published in the Oklahoma Bar Journal -- April 16, 2016 -- Vol.
“The government is watching me all the time. They have implanted devices to eavesdrop on me.” It used to be when a client or friend made this type of statement to you, it was time to gently steer them toward a mental-health evaluation.
After sitting through multiple sessions at ABA TECHSHOW 2016 on privacy and surveillance, I now think these thoughts could be a bit more rational than I might have considered.
“Can They Hear Me Now? Practicing Law in an Age of Mass Surveillance” was the title of a fascinating presentation at ABA TECHSHOW 2016. The panel, moderated by Above the Law’s David Lat, included the principal technologist with the ACLU Speech, Privacy and Technology Project Director Chris Soghoian, digital rights attorney Marcia Hoffman and Ben Wizner, the lead attorney for NSA leaker Edward Snowden. If you are Edward Snowden’s attorney, it is fair to assume that everyone at NSA knows your name.
But concerns about eavesdropping and communication security are certainly not limited to United States government agencies.
“When it came to Snowden, we had to assume that the threat model is almost universal,” Wizner said. “You have to think that every sophisticated government in the world has an interest into having visibility into Edward Snowden’s communications. So you can’t assume there’s anyone out there who’s not trying.”
The panelists all believe lawyers should step up their cybersecurity awareness and practices. Maybe you believe there is no possible scenario where your business client would be the target of governmental espionage, but there have been reports of intrusion attempts where the purpose was to steal a valuable intellectual property or to otherwise compromise a business’ systems. Most of us recall the embarrassment suffered by Sony executives when employees’ emails were hacked and then published online. A law firm would certainly not want to be the weak link that damages its client’s business in that way.
An observation that took most of the sophisticated TECHSHOW attendees by surprise was Soghoian’s statement that if you can reset your lost or forgotten password, then it’s not safe for attorney-client data. I’m still digesting this observation as I have always believed it was more likely a lawyer would lose a password then suffer an intrusion because of password recovery. If we have truly reached the point where one cannot use a service that allows the user to reset a password, that is a significant shift. I’m still not willing to discount the danger of law practices being devastated when a lost password locks up critical client information or all client files.
Whatever your personal opinion may be (and everyone seems to have an opinion) on the recent attempts by the U.S. Department of Justice to obtain a court order to require Apple to unlock an iPhone used by one of the San Bernardino shooters, it is clear that encryption of confidential information is a topic we will be dealing with for some time. Lawyers have compelling reasons for having the ability to encrypt information and keep it hidden and secure.
Cindy Cohn, executive director of the Electronic Frontier Foundation, gave the keynote address at ABA TECHSHOW, which included many remarks on the FBI versus Apple litigation. She also discussed in detail the Jewel v. NSA case where the EFF sued the NSA over data collection efforts on AT&T users. She said the practices there amounted to the government collecting everything and then sorting things out to see what it needed. She further commented that such practice “…turns the entire Fourth Amendment upside down.”
Some of the information noted above is controversial and can be the subject of intense debate. But lawyers are duty bound to protect their client confidences. So let’s discuss basic security practices to improve the security of your client’s digital data and your personal information.
BASIC SECURITY PRACTICES
The mass surveillance panelists agreed that use of password managers, such as 1Password or LastPass, is a very important security measure. The cost of these tools is relatively nominal compared to the benefit they deliver, and they allow us to create very long passwords that could be almost impossible to crack. Left to our own devices (and relying on our fallible memories) we create passwords that are short and easy to remember and also very insecure.
There was an interesting discussion during the panel over biometric password tools like a fingerprint scanner. Lawyers are reminded that one may have a Fifth Amendment privilege not to disclose statements like a password, but many opinions stand for the proposition that being forced to give up fingerprints for identification purposes is not a violation of the Fifth Amendment. Would the same logic apply to a fingerprint being used to open an encrypted phone or laptop computer? One Virginia circuit court has ruled that it does.1
The easiest security improvement would likely surprise and scare some lawyers, particularly those who have children using computers at home. It was suggested that a Band-Aid placed over the camera on a laptop was an easy security fix, particularly if it was a laptop used by a child. There are many hacks that allow an intruder to operate a laptop camera remotely without the camera’s “in use” light being activated. Using another kind of sticker may cause adhesive to impair the camera lens when it is needed, but the Band-Aid can be positioned so no adhesive adheres to the lens.
Some of the security experts indicated that all lawyers should be making encrypted phone calls. I’m sure many of us have never thought about encrypting calls. One easy way to make an encrypted phone call is to use an iPhone’s FaceTime app to call another iPhone. The FaceTime call is encrypted. FaceTime has an audio only function if for some reason you don’t want to do a video call. The iMessages app for the iPhone allows for encrypted text messaging. Although if the receiving phone is not an iPhone, the message will not be encrypted. It is easy to tell the difference. If the text is a secure iMessage the bubble containing the words is blue in color. If not, messages are being communicated using the old Short Messaging Service, which displays a green color.
If you want to start having encryption for all of your text messages no matter what type of phone is used, the app Signal is one that can be installed to provide for secure messaging. The Electronic Frontier Foundation provides a secure messaging scorecard online if you wish to do further research or look at other apps. Even if you are not concerned about the issue, the chart is quite interesting.
My podcast teammate Sharon Nelson, president of Sensei Enterprises Inc., indicated her favorite cybersecurity tip for small law firms concerned about their security was to visit the National Institute of Standards and Technology to download its publication, Small Business Information Security: The Fundamentals. She says the publication is short (only 24 pages in length) and easy-to-read.
CONFIDENTIAL DATA IN THE CLOUD
Some lawyers have had concerns about storing data in the cloud. But many experts caution that data is more likely safer in secure cloud-based sites than on a computer or network that is not managed by an IT professional. I’ve always believed there was more attention paid to security by providers of cloud-based services designed for the legal profession; however, it has been hard to find an objective standard supporting that belief.
At ABA TECHSHOW, the Legal Cloud Computing Association released the first set of cloud security standards crafted specifically for the legal industry today. These 21 standards were developed by the participating members of the association and then reviewed by a team of outside expert advisors. This should be an enormously helpful tool for lawyers seeking a cloud-based service provider for services ranging from practice management to e-discovery.
BACKUP IS A PART OF SECURITY
If you lose your computer data, then your ability to serve and protect your clients is impaired. Therefore, good backup procedures are essential. Backup is so important these days that many smart lawyers are employing duplicate methods of backing up their data, often with one off-site automated provider and with another process of copying important files to a portable hard drive. Since there will be so much client information contained on the portable hard drive, it is important that this be a drive capable of being password protected. Many lawyers just keep the portable hard drive connected to their computer at all times so backup happens concurrently.
However, with the advent of ransomware malware like CryptoLocker, keeping a hard drive attached to your computer at all times provides no protection. Should your computer or network be infected by this type of ransomware, the portable hard drive will be encrypted along with the rest of the files on your computer and network. A better plan is to attach the hard drive for periodic backups and keep it disconnected from any computer the rest of the time. Don’t forget that your best protection against ransomware is careful and repeated staff training stressing that personnel should be highly cautious about clicking on any email attachments or links contained in an email from any source except very trusted sources. If you have a concern, don’t hesitate to call someone and ask, “Did you really send this?”
A cloud-based backup is usually your best defense against ransomware, assuming there is more than one version of the data in the cloud. John W. Simek, vice president of Sensei Enterprises Inc., gave presentations on data security at ABA TECHSHOW. He says law firms doing their own in-house backup should avoid a backup process that includes drive information because ransomware now attacks data associated with letter drives and network shares. Agent-based backups are Simek’s preferred method of backup now. In his view, attorneys and IT departments should be having discussions about these topics. Smaller firms with no in-house IT staff are encouraged to use at least one cloud-based method of backup.
ENCRYPTING A LAPTOP COMPUTER
I had a chance to learn more (and teach) about the Health Insurance Portability and Accountability Act (HIPAA) data protection at ABA TECHSHOW. I’ll be doing a short update on this topic at the OBA Solo and Small Firm Conference this summer. If you represent a health care provider you may be covered under HIPAA, and if Protected Health Information (PHI) is inadvertently disclosed you may incur breach notification obligations that are both onerous and embarrassing. But if the PHI is encrypted, that qualifies for a safe harbor to the HIPAA breach notification rule.
One of the more common HIPAA inadvertent disclosures is the loss of a laptop computer. At a basic level all laptop computers should be password protected. Encrypting a laptop computer is a very important best practice if you are dealing with HIPAA-covered PHI and a good idea for all types of confidential information.
BitLocker has been a part of the Windows operating system since it was included in select editions of Windows Vista. It can be used to encrypt an entire laptop hard drive or set up a single encrypted folder.
Encrypting a laptop computer is not without risk.
A January 2015 PCWorld post titled, “You Can Encrypt Your Hard Drive, But the Protection May Not Be Worth the Hassle,” provides a short summary of the methods to encrypt your computer. The author, while acknowledging that full-disk encryption is the most secure measure and outlining the use of Bitlocker in Windows or third-party programs such as Veracrypt, states, “Encrypting the entire drive can brick your PC. Make an image backup first, and make sure you have emergency repair drives for both the encryption software and your image backup program. . .That’s not all. Should your computer or hard drive crash, your chances of successfully recovering lost files drops considerably.” Further, the post cautions that using Bitlocker requires users to “know what you’re doing.” As such, the recommendation is that a single encrypted folder may be sufficient for many users.
Taking note of statistics regarding the number of lost and stolen laptops, the 2016 Solo and Small Firm Legal Technology Guide: Critical Decisions Made Simple, further recommends “whole-disk encryption.”2 However the guide does not detail the means for accomplishing such encryption.
For Windows 10, a How-To Geek post provides more detailed instructions on how to accomplish encryption using Bitlocker or third-party setups.
The best and most obvious advice is to not lose your laptop. Personally, I never leave my laptop in my vehicle unless it is locked in the trunk.
Sadly, perfect digital security is not only a moving target but also perhaps unattainable. You should follow best practices to have your computers and networks as secure as you possibly can, but experts still say an essential part of security is having a plan to recover data and files in case there is a breach. Hopefully this article did not cause too many readers to have their eyes glaze over or decide to give up in frustration.
Whether your primary concerns are government surveillance or protection from online “bad guys,” it is important to be aware of security issues and to protect your data so you can recover it. If you ever encounter a problem, whether it is a crashed hard drive, a limited online intrusion or a full-blown attack by a hacker, your obligation to represent your client is unaffected by the technology issue, and you should always take reasonable steps to avoid such occurrences.
Mr. Calloway is OBA Management Assistance Program Director. Need a quick answer to a tech problem or help solving a management dilemma? Contact him at 405-416-7008, 1-800-522-8065 or firstname.lastname@example.org. It's a free member benefit!
1. Commonwealth v. Baust is89 Va. Cir. 267 (Va. Cir. Ct. 2014)
2. 2016 Solo and Small Firm Legal Technology Guide: Critical Decisions MadeSimple, pg. 192
87, No. 11