Information Security: A Critical Issue for Attorneys
Protection of information relating to clients has always been at the foundation of the attorney-client relationship. Computers and networks, including those used by attorneys, face greater security threats today than ever before. There are hackers, viruses and worms, Trojan horses, spyware, rootkits and more. Many of them can compromise confidential information.
Two current threats that attorneys, as well as others, need to address are rootkits and targeted spyware. A rootkit is a particularly dangerous form of malware that manipulates the operating system to avoid detection, which makes it very difficult to detect and remove. Rootkits have received a lot of publicity in recent months after it was discovered that Sony BMG’s digital rights management technology for CDs used code which has the characteristics of a rootkit. Targeted spyware is designed to steal confidential information of a particular type, such as credit card data or information, from specific victims. Last year, a group of private investigators in Israel was arrested for using spyware for industrial espionage. The spyware was targeted to capture and report back confidential information from specific companies. Compromise of confidential information through this kind of targeted spyware could be devastating to a law firm.
Attorneys have an ethical obligation to act competently and reasonably to safeguard client information and confidences, including information on computers and networks. Beyond the ethical obligations, attorneys have common law and contractual obligations to protect client confidences, and information security is a key element of sound business and professional practice.
Information security is a process which includes people, procedures and technology. It is sometimes viewed too narrowly as only a technology issue. The goal of information security is to protect the systems and the data in them, in order to ensure availability, integrity and confidentiality.
The following are the basic steps in an organized approach to developing and implementing an information security program:
Step 1: Conduct a Risk Assessment
Step 2: Create a Security Policy
Step 3: Implement a Secure Network Design
Step 4: Monitor and Protect the Network
Step 5: Secure the Hosts (servers, desktop PCs and laptops)
Step 6: Secure the Data
Step 7: Plan for Incident Response
Step 8: Review, Audit and Update the Security Program
The challenges for attorneys, in practice, are determining what information security measures are reasonable and necessary to protect their clients and practices, and then implementing them. While most attorneys rely on IT staff and consultants to address information security, it is attorneys who have the ultimate responsibility to make sure that the information is protected.
Attorneys, law firms and bar groups have recently been devoting increased attention to information security. This year’s ABA TECHSHOW will have three sessions on information security. In addition, the American Bar Association is publishing a new book on information security for lawyers and law firms that is scheduled to be released in time for ABA TECHSHOW 2006.
ABA TECHSHOW 2006 information security sessions will address the full range of security issues faced by attorneys today, including:
“The Weakest Link: Security in a Wired and Wireless World”
This session will focus on security for solos and small firms, including the latest threats and protection for wired and wireless networks.
“Ask The Information Security Experts”
This roundtable session will feature most of the authors of the new ABA book on information security for lawyers and law firms. They will be available to respond to questions from the audience and to further discuss current security issues.
“Information Security for Lawyers and Law Firms”
This session will explore current security threats, including a live demonstration of an attack using a rootkit. It will then explore defenses through best practices from the new ABA information security book.
In addition to these information security sessions, there will be sessions on the related topics of ethics considerations and malpractice prevention in lawyers’ use of technology, including “This Way Be Dragons – Malpractice and Ethics Issues in an E-Lawyering World,” “The Top Ten Causes of Malpractice – and How You Can Avoid Them,” and “Strange Bedfellows – Ethics and Technology.”
ABA TECHSHOW 2006 will offer attorneys the opportunity to learn about critical issues in information security, as well as current developments in a wide range of other areas of legal technology.
Dave Ries is a partner in the Pittsburgh office of Thorp Reed & Armstrong, LLP where he practices in the areas of environmental, commercial and technology litigation. He has used computers in his practice since the early 1980s and chairs his firm’s Technology Committee. He is a contributing author to the new ABA book on information security for lawyers and law firms.