Bytes and bytes of new technology tidbits streamed at the Minnesota State Bar Association Technology Conference on Monday, Oct. 10, as industry leaders from around the country gathered at the University of St. Thomas School of Law.
The conference, billed as “TECHstar,” was part of the MSBA’s “technology month” in October and offered lawyers an opportunity to learn how new trends in technology are disrupting and reshaping the legal profession.
The messages were disparate but had some points in common: that lawyers can and must continue to adapt to technological changes; that client information must be protected; that affordable technology is available for the small-firm practitioner; and that there is no one standard for what precisely lawyers need to know.
Speakers also said that technology offers a way, if not the only way, to address the access-to-justice gap and other fast-changing areas of law, and that our substantive law doesn’t cover every technological issue out there and needs to catch up.
“The rules have changed,” said Todd Scott, vice president of risk management at Minnesota Lawyers Mutual. “We’ve been lacking [in understanding technology] and we’re kind of paying the price for that.”
Scott addressed some of the basics that still bring problems to some lawyers, starting with hacks and fraud. Lawyers have to have a healthy level of paranoia and be wary of opening emails and/or attachments and of taking any action because it is directed in an email. Law firms have been caught in wire fraud because they followed directions from “their bank,” which turned out to be fraud. “You’re a target. Lawyers are notoriously sloppy,” said Claude Ducloux, director of LawPay education, ethics and compliance.
Upgrade the computer as necessary and have adequate software, Scott said. Scott referred to an April 2016 lawsuit against the Chicago law firm of Johnson & Bell. Plaintiffs brought a putative class action lawsuit “to put an end to Defendant’s practice of systematically exposing confidential client information and storing client data without adequate security.” It is apparently the first time a law firm has been sued for inadequate cyber security. In February 2017 the court granted a defense motion to proceed to arbitration on an individual basis and to disallow class arbitration.
One of the allegations against Johnson & Bell was using an unsupported version of time tracking software that was about 10 years out of date and termed “End of Life,” or no longer recommended for use because it is insecure. Allegations like this, even if not essential to a lawsuit, make the suit difficult to defend, Scott said. Many complaints that end up at MLM show that firms have substandard maintenance of computer files, he added.
Another essential step for lawyers is to encrypt all client data on all devices, Scott said. He also recommended portable backup for all data and cloud storage, not flash drives. If you must have a flash drive, make sure it is encrypted, he said. Lawyers also may want to consider password manager software to protect their passwords.
The need for encryption may mean that lawyers should have two phones, one only for work, Scott said. For secure client communication some firms use client portals where the client can log in and view documents. It provides top customer service and high security, he said.
As encryption becomes easier to use it will become part of a standard of care that attorneys must meet, Ducloux said. The recent ABA Formal Opinion 477R says that as technology advances, lawyers must determine whether it continues to be safe to send confidential information over the internet or whether additional security methods should be implemented.
Firms and their clients should also prepare for emergencies with a safe location where staff or trusted fiduciaries can disclose passwords or a passphrase to a password manager, he added. Firms should also plan for breaches with prepared mitigation and customer service actions.
On the other hand, Ducloux pointed out, insiders are the No. 1 cause of loss of data, whether through mistakes or mischief. The “insider threat” is the most significant risk that companies face, said Ducloux, noting that a disgruntled employee alters or steals company data in one in five attacks all across the country.