A New Ethics Standard for Client Email?

A long time ago, in a galaxy far, far away, the ABA issued Formal Ethics Opinion 99-413, the gist of which was to give law firms a free pass when it came to email encryption.  Since 1999, technology has evolved by leaps and bounds, the ABA has updated its model rules, and cybersecurity is a national concern.  Therefore, it should be no surprise the ABA chose to revisit its 18-year-old position on email and electronic communications.

The New ABA Standard

Is email encryption required by the new ABA opinion?  Yes and no.

As Bob Ambrogi reports in his blog:

In this new opinion, the committee declined to draw a bright line as to when encryption is required or as to the other security measures lawyers should take. Instead, the committee recommended that lawyers undergo a “fact-based analysis” that includes evaluating factors such as:

  • The sensitivity of the information.
  • The likelihood of disclosure if additional safeguards are not employed.
  • The cost of employing additional safeguards.
  • The difficulty of implementing the safeguards.
  • The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

However, special security precautions may be required “to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.” ABA Formal Opinion 477.

The Oregon Standard

The last bit of ABA Formal Opinion 477 may sound familiar to Oregon lawyers.  In this article written by Helen Hierschbiel in 2010, the bar gave us some insight on the topic of electronic communications, including email:

Although use of electronic communications is not a per se violation of the duty of confidentiality, special precautions may be necessary in particular circumstances. For example, if information is particularly sensitive or subject to a confidentiality agreement, a lawyer may need to implement special security measures. Also, if a client requests it, a lawyer may be required to avoid, or be allowed to use, a particular type of electronic communication notwithstanding expectations of privacy in the communication method.

While the article cites to a model rule that was later amended, the parallels between Hierschbiel’s language and that of the new opinion are hard to miss.  Bottom line? Email encryption is required if the circumstances warrant it.

Choosing an Email Encryption App

Fortunately, Bob Ambrogi has come to our rescue yet again.  In his article, Encryption so Easy a Lawyer Can Do It, Bob discusses three incredibly simple solutions that allow lawyers to send encrypted messages.  No more clunky interface requiring the sender to transmit keys before the recipient decrypts the message.  No more need for both parties to use the same software.  (Although a simple plug-in may be needed, depending on the software you choose.)

With secure cloud-based solutions Enlocked, Virtru, or Delivery Trust, Ambrogi concludes:

What all three programs have in common is that they make encryption as easy as the push of a button.  If you use email to communicate with clients or colleagues about sensitive matters – and what lawyer does not? – you have no excuse not to encrypt.

What To Do Next

  • Encrypt all client email, not some client email.  Why?  Mainly to eliminate guesswork, reduce risk, and preserve your sanity.  Not convinced?  Consider how clients might view on-again/off-again encryption: some messages are worth protecting and others aren’t?  Hmmm….
  • Put sensitive content behind a secure client portal.  Many practice management programs have this functionality, but if yours doesn’t, consider Slack.
  • Discuss electronic communication policies with clients and reiterate them in your fee agreement or engagement letter.

All Rights Reserved Beverly Michaelis 2017

7 Steps You Can Take Now to Protect Your Data

Unless you’ve been playing ostrich, you’re likely aware that data breaches and ransomware are about as common as Mom and apple pie.  Witness the recent hack of 272 million Gmail, Microsoft, and Yahoo! accounts.

Fortunately, there are simple steps you can take now that will help protect your data.  [With thanks and all due credit to Lane Powell’s Beyond IP Law post, The Scariest Hack So Far, for inspiring this elucidation of their original list]:

Step 1: Start Using Encryption

For your desktop, cloud-based accounts, mobile devices – anywhere or any place you store or transmit confidential or private information.  For a thorough discussion of how to implement encryption throughout your firm, see Encryption Made Simple for Lawyers, now a book available for purchase on the ABA website.  (Non-ABA members in Oregon can save money at checkout by using the OSB Professional Liability Fund discount code: OSBPLF.)

Step 2: Set Up Two-Factor Authentication for Cloud Services

“The concept of two-factor authentication is that a person cannot access another user’s account without something she knows and something she has. In the case of popular services (like Google or Dropbox), the solution is a strong password plus a secondary code that is sent via text to a smartphone or mobile device.”  Catherine Sanders Reach, Set Up Two-Factor Authentication: What Are You Waiting For?  [Read Catherine’s post for step-by-step directions or search Help in your cloud-based service for assistance in setting up two-factor authentication.]

Step 3:  Erect Firewalls

Firewalls sit between you and the rest of the Internet.  They protect against unauthorized access to your computer by ignoring or repelling traffic that appears to come from unsecured, unknown, or suspicious locations.  The best firewall configuration is a one-two punch:  hardware firewall + software firewall.

Setting up a hardware firewall requires almost no effort on your part.  While you can buy a stand-alone appliance, hardware firewalls are now built into your router (the box in your office or house installed by your Internet Service Provider) and are normally turned on by default.  It is worth logging into the router once to confirm the firewall is enabled and that the router’s administrator password has been changed from the factory default.

Software firewalls are installed on your computer system like any other application, and are also easy/breezy since they are typically built into anti-virus software.  (See discussion that follows.)

Step 4: Install Anti-Virus, Anti-Malware, Anti-Spyware Programs and Keep Them Updated

This seems pretty self-explanatory, but let me add some free advice:

  • Don’t disable automatic updates to your virus definition database
  • Run quick scans when prompted
  • Run full scans at least monthly
  • Don’t ignore notifications that your software isn’t running properly

For a list of the best anti-virus utilities for PCs, see this list from PC Magazine.  For a list of the best anti-virus utilities for Macs, check out this MacWorld post.  For other recommendations, run a Google search.

My personal opinion: run far, far away from McAfee.  [I really don’t give a rip that it is “now part of Intel Security.”]  First, McAfee blocked access to my work VPN (virtual private network).  There was no way to set a rule or create an exception and tech support was incredibly unhelpful.  Second, McAfee is notoriously hard to uninstall. Using Add/Remove Programs in the Control Panel is only the first step; you must download a separate application from McAfee to get rid of it.  I mention this because McAfee tends to come pre-installed on laptops or desktops purchased from retailers like Best Buy.  What to do?  If McAfee was inflicted on you (pre-installed), get rid of it.  Follow the link above for the uninstaller.  Next, buy Kaspersky.  I have been very pleased with Kaspersky from day one and it has never interfered with my VPN connection.

Step 5:  Run Operating System and Other Software Updates

This also seems self-explanatory.  Mac and Windows OS ship with automatic updates enabled – don’t fuss with this.  If Microsoft or Apple thinks you need a security patch, a fix, or upgrade, let it run.  The same goes for every application installed on your computer:  Microsoft Office, Acrobat DC, Quicken, QuickBooks – let automatic updates run.  If you’re not sure whether automatic updates are enabled, check Help or search the product’s website.  Some programs also allow you to manually search for updates. Acrobat DC is an example.  In the menu, select Help, and choose “Check for Updates…”

Step 6:  Be Ready to Kill Your System If You Suspect a Breach

In the original post which inspired me to write on this topic, author Jane E. Brown comments: “Consider using a “kill switch”— when suspicious events happen, the IT department should automatically be notified and the network should shut down if no protective measures are taken.”

I have known of events that required a kill switch.  One Oregon lawyer was hacked via a phishing email.  The hacker was able to get enough information from the lawyer and the lawyer’s system to contact clients by email and request that they input credit card information to pay their bills. Fortunately, a few clients recognized that this request was outside the lawyer’s usual billing process and called the office.  The lawyer had to pull the kill switch and take other steps, including freezing bank accounts.  This turned out to be a smart move, as within 24 hours the hacker also attempted to withdraw thousands of dollars from the lawyer’s trust account.

Step 7:  Lose Your Device?  Lose Your Credentials.

There are some obvious times when it makes sense to reset or revoke user names and passwords (login credentials):

  • At termination
  • If a network-connected device is lost or stolen
  • After a security intrusion
  • When your security, privacy, or confidentiality policies are breached

Final Thoughts

None of these steps are difficult, but bouncing back from a security breach is.

[All Rights Reserved 2016 Beverly Michaelis]

Saving Gmail to PDF Using Zapier

Are you a Gmail user?  Many lawyers are.

Gmail and Google Calendar [sometimes coupled with Google Apps] is a popular alternative to Outlook.  But there is a key issue with using web-based email that lawyers often overlook: messages stored online simply don’t make it to your client file.  If you prefer web-based email and rebel against the idea of downloading messages to a local program on your desktop or laptop, how can you document your file?

This has been a challenge.  Until now.

The Bad Old Days: Saving Messages as Individual PDF Files

Gmail – as stand-alone web-based email – does not offer an easy way to capture a group of messages labeled or stored in a folder online.  If you want to save client emails, you must do so one at a time by printing each message to PDF (or scanning each message to PDF).  This is so incredibly tedious that most lawyers never do it.  Messages are saved online and nowhere else, resulting in non-cohesive client records.

Today’s solution: Zapier

Zapier is one way to solve this problem.  It automatically files Gmail by moving messages for you.  The only trick is the destination, which must be another web-based service or account.  Google Drive and Dropbox are two examples of locations where mail can be saved.  Here is a simple explanation of how the service works.

If you are paperless and storing your client records at one of the supported online destinations, then Zapier can make your client file cohesive.  Everything is in one location and your records are complete.  One of the most popular approaches is to use Zapier to save client email to Dropbox.

Parting Thoughts

“Zapping” your Gmail to the same online location where you keep your other client records seems like a good way to go.  As with any cloud-based solution, there are ethical concerns.

  1. Is Zapier secure?  Zapier stores the data it is moving on your behalf for 7 days, then purges it.  Your credentials are protected by bank-level encryption.  HTTPS or SSL connections are used whenever possible.  [If the destination app you are connecting to does not support HTTPS or SSL, Zapier cannot “force” that type of connection.]  Users can monitor the task history of Zapier for the life of their accounts to verify activity and data transfer.  Read more here.
  2. Is it a good idea to keep confidential and privileged client records in Dropbox, Google Drive, Box, or OneDrive?  Yes, provided you supplement the built-in protection of your online accounts with a private [client-side] encryption product like Viivo, so that files are encrypted before they leave your machine and the storage provider never holds the key.  Problem solved.
  3. Won’t I just be safer if I store files on my own computer?  This is another way to go, but you’ll be stuck with the one-at-a-time process of saving email as described above.  Additionally, the tide of expert thought is shifting to the belief that cloud-based solutions are superior.  See The great IT myth: is cloud really less secure than on-premise?


All Rights Reserved [2016] Beverly Michaelis

2016 ABA TECHSHOW Keynote

Does NSA or other government surveillance cause you to lose sleep or have you given up on privacy?  Some very interesting thoughts today from Cindy Cohn of the Electronic Frontier Foundation (EFF) in her keynote at the 2016 ABA TECHSHOW.

  • The Apple case isn’t about privacy, it’s about security.
  • Neither legally nor technically was it ever correct that the government wanted access to only one phone [referring to the Apple case].
  • Apple’s security backdoor: If you build it, they [hackers, foreign governments, law enforcement] will come.
  • Encryption is just applied math.
  • Everything old is new again. We’ll be here 20 years from now when this fight is still going on [on EFF’s mission].
  • We are moving into a world where devices are deeply embedded in our lives. We have to get the balance right.
  • Stand up for strong security at Savecrypto.org.

For an excellent recap of Cindy’s speech, click here or on the image below.
