While “cybersecurity” is a term frequently thrown about, most attorneys, both inside and outside counsel, close their eyes and catch some zzz’s when it is mentioned. Well, it is time to wake up. It is no longer acceptable to pass this entirely onto IT folks while we stare into space. As presented in scenario 1 and scenario 2, attorneys need to open their eyes, as a security breach can have major ramifications. Data breaches can leak not only privileged data but also trade secrets and other extremely sensitive information. Corporate clients who do not insist that their firms maintain strict security standards open themselves up to these leaks, and outside counsel who do not ensure their firms’ networks are secure risk losing their largest corporate clients and exposing themselves to ethical violations. Below is the third real-world scenario that could happen to any attorney who represents a corporation.
Scenario 3 – Bring Your Own Device (BYOD)
You work as inside counsel for a major manufacturer of pharmaceuticals. Your company spends millions of dollars each year protecting its many patents and trade secrets.
Your outside counsel recently adopted a policy that permits all attorneys to buy and use their own devices on the firm’s network. Outside counsel’s CIO assured you that the firm’s network is safe and that they have a cyber hygiene policy in place to protect your data against attack. Not knowing much about technology, you take his assurances as confirmation that your data is safe. You do not follow up on this conversation or ask for specifics on their security measures.
One of the partners, John Smith, who works on several of your trade secrets cases, decided to buy himself a new iPad when this policy went into effect. He immediately has the IT department set it up on the firm’s network so he can easily work on your cases from home. From his iPad, John can access your data, such as emails and spreadsheets that may be housed in a document repository, along with all attorney work product, including privileged communications.
John has a teenage son who is a huge gamer. As a way of bribing his son to do his chemistry homework, John allows him one hour on his iPad when the homework is complete. John’s son frequently borrows his dad’s iPad and accesses his favorite unsecured gaming site, which has operations in Antigua, management in Amsterdam and ownership in China. Many times when he played on the gaming site, John was still logged into his firm’s network. Every time John’s son logged into his gaming portal, he exposed the law firm’s network, containing your most sensitive data, to hackers across the globe, potentially without any repercussions for their actions.
The CEO has just brought to your attention that one of the prescription drugs your company produces, which is still under patent, is now being mass produced in China. After hiring forensic specialists and spending a great deal of money on investigations, you find out that the leak came from a hacker breaking into your outside counsel’s network. You remember the new BYOD policy they told you about, but they assured you it was secure. You immediately call outside counsel and ask them to get to the bottom of this.
The ABA Model Rules now require that all lawyers “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The law firm, when it put the BYOD policy in place, owed a duty to keep your data safe. So that begs the question: how did outside counsel implement the new policy? What training did the firm provide regarding the use of its network on personal devices? Who is responsible for establishing remote access for the attorneys’ devices, and what is the procedure for approving the use of personal devices on the firm’s network? Were tighter restrictions placed on those practices that handle more sensitive data, such as trade secrets? Are periodic tests, such as simulated spear-phishing campaigns, being run to continually test the security of the network and expose any vulnerability that may arise?
This scenario points to several problems in implementation. First, John was an attorney who handled extremely sensitive data, but he was allowed to do so on his own device on his own network. This data should have been locked down and viewable only in an extremely secure environment. Second, John left his network connection open even while his son used his iPad, which raises the question of whether proper training was given on using personal devices. Third, what was done to ensure that sites being logged into from the personal devices were secure? If any site can be accessed, the chances of being hacked increase.
In this situation, outside counsel probably violated its ethical duties to you, but more importantly, it exposed you to a huge financial loss. It is difficult enough to deal with patent infringement in the US, but going after a Chinese company doing so is even more complicated and expensive. So outside counsel immediately gets fired, but what could you have done differently? As inside counsel, once you found out about this new BYOD policy, you should have asked more questions. The Model Rules recognize that lawyers are not going to be experts in technology, but brokering a conversation between someone on your IT staff and the CIO of the law firm would have alerted you that this new policy opened the door to hacking. It is your obligation to ensure that your data is as safe with outside counsel as it would be in your own IT environment.
BYOD is a great way of providing 24/7 service to clients, but if it is not properly implemented, it opens the door to a security breach. There are serious vulnerabilities with this policy, and it is up to both outside and inside counsel to ensure these are minimized. This scenario begs the question of whether it is more important to provide around-the-clock mobile service or whether it may be best to wait a few hours for a response so the data can stay housed in a secure environment. While our data should all be safe and snug on a secure network, we need to wake up to the realities of a data breach.