Home / All News / Tech conference aims to reboot firms’ security

Tech conference aims to reboot firms’ security

Bytes and bytes of new technology tidbits streamed at the Minnesota State Bar Association Technology Conference on Monday, Oct. 10, as industry leaders from around the country gathered at the University of St. Thomas School of Law.

The conference, billed as “TECHstar,” was part of the MSBA’s “technology month” in October and offered lawyers an opportunity to learn how new trends in technology are disrupting and reshaping the legal profession.

The messages were disparate but had some points in common: that lawyers can and must continue to adapt to technological changes; that client information must be protected; that affordable technology is available for the small-firm practitioner; and that there is no one standard for what precisely lawyers need to know.

Speakers also said that technology poses a way, if not the only way, to address the access-to-justice gap and other fast-changing areas of law, and that our substantive law doesn’t cover every technological issue out there and needs to catch up.

“The rules have changed,” said Todd Scott, vice president of risk management at Minnesota Lawyers Mutual. “We’ve been lacking [in understanding technology] and we’re kind of paying the price for that.”

Scott addressed some of the basics that still bring problems to some lawyers, starting with hacks and fraud. Lawyers have to have a healthy level of paranoia and be wary of opening emails and/or attachments and of taking any action because it is directed in an email. Law firms have been caught in wire fraud because they followed directions from “their bank,” which turned out to be fraud. “You’re a target. Lawyers are notoriously sloppy,” said Claude Ducloux, director of LawPay education, ethics and compliance

Upgrade the computer as necessary and have adequate software, Scott said. Scott referred to an April 2016 lawsuit against the Chicago law firm of Johnson & Bell. Plaintiffs brought a putative class action lawsuit “to put an end to Defendant’s practice of systematically exposing confidential client information and storing client data without adequate security.” It is apparently the first time a law firm has been sued for inadequate cyber security. In February 2017 the court granted a defense motion to proceed to arbitration on an individual basis and to disallow class arbitration.

One of the allegations against Johnson & Bell was using an unsupported version of time tracking software that was about 10 years out of date and termed “End of Life,” or no longer recommended for use because it is insecure. Allegations like this, even if not essential to a lawsuit, make them difficult to defend, Scott said. Many complaints that end up at MLM show that firms have substandard maintenance of computer files, he added

Some judges are willing to order firms to disgorge their fees after a security breach, Duclox said. He warned that there is a “new frontier” in disgorgement of attorney fees where fees can be forfeited just because of the breach of fiduciary duty without the client having to prove damages. He also recommended that firms have a privacy policy that clients acknowledge in their intake documents.

Another essential step for lawyers is to encrypt all client data on all devices, Scott said. He also recommended portable backup for all data and cloud storage, not flash drives. If you must have a flash drive, make sure it is encrypted, he said. Lawyers also may want to consider password manager software to protect their passwords.

The need for encryption may mean that lawyers should have two phones, one only for work, Scott said. For secure client communication some firms use client portals where the client can log in and view documents. It provides top customer service and high security, he said.

As encryption becomes easier to use it will become part of a standard of care that attorneys must meet, Ducloux said. The recent ABA Formal Opinion 477R says that as technology advances, lawyers must determine whether it continues to be safe to send confidential information over the internet or whether additional security methods should be implemented.

Firms and their clients should also prepare for emergencies with a safe location where staff or trusted fiduciaries can disclose passwords or a passphrase to a password manager, he added. Firms should also plan for breaches with prepared mitigation and customer services actions.

On the other hand, Duclox pointed out, insiders are the No. 1 cause of loss of data, whether through mistakes or mischief. The “insider threat” is the most significant risk that companies face, said Ducloux, noting that a disgruntled employee alters or steals company data in one in five attacks all across the country.

Like this article? Gain access to all of our great content with a month-to-month subscription. Start your subscription for as little as $32. 

Leave a Reply

Your email address will not be published. Required fields are marked *