♫ Beware of pretty faces that you find
A pretty face can hide an evil mind...♫
– Music and Lyrics by . P. F. Sloan and S.Barri, recorded by Johnny Rivers
The Law Society of BC is moving ahead with a practice management self-assessment process for all firms, including solo lawyers. The process is educational and aimed at identifying issues before they become problems. This is based on the Law Firm Regulation Pilot Project from October 2019. The Pilot Project touches on many practice management issues but here I am concentrating on confidentiality, privacy (and, in particular, privacy breaches), technology and electronic data matters. This work by the Law Society is far-reaching, laudatory, timely and addresses one of the biggest concerns in 2020, namely cybersecurity. According to Dan Lohrmann (a Computerworld Premier 100 IT Leader): “We also see cybersecurity continue as the top priority for chief information officers (“CIOs”) in 2020, just as it has been for most of the past decade.” Since many lawyers happen to wear the hat of CIO’s at their own law firms, this means that cybersecurity remains a top priority for lawyer firms in 2020.
The fact is lawyers underestimate their vulnerability to cyberattacks and fail to put into place protections that may have safeguarded their systems. All too often I received calls from lawyers who had fallen victim to ransomware, had their computers (containing unencrypted client information) stolen or who had fraud attempts on their trust accounts (some of which were successful). Precautions against these and other cyber-threats fall into two classes. The first group involves putting into place proper management policies (such as a privacy policy that mandates a strong password policy; HR policies that mandate revoking all IT access for someone who leaves the firm and the like). The second group involves enabling strong software protections (such as robust backups and the use of strong Internet security and data protection software).
WHAT TYPES OF CYBERATTACKS TARGET LAWYERS?
Spear phishing (per Oxford): “The fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information. The Digital Guardian states: “This is the most successful form of acquiring confidential information on the Internet, accounting for 91% of attacks.” An example of a successful attack was reported by Canadian Lawyer magazine: “a Dentons Canada Vancouver associate was tricked into transferring more than $2.5 million of client money held in a trust account to a fraudster’s account in Hong Kong.”
Another type of attack aims at introducing a virus into your system that then transmits confidential information back to the fraudsters. The Law Times reported “a Toronto-area law firm lost ‘a large six figure’ after a virus gave hackers backdoor access to its bookkeeper’s computer.”
According to Dan Pinnington, LawPRO’s VP of claims prevention: “The level of sophistication of this one was unbelievable.”
The virus tricked the bookkeeper into giving the trust account’s password to the fraudsters, allowing them essentially full access to the trust account, including the ability to go in, monitor it, and wire money to foreign countries shortly after deposits were made, according to Pinnington.
These threats and others are the focus of the Law Society’s Workbook. It asks such questions as: “Is training provided pertaining to preserving the duties of confidentiality, solicitor-client privilege, privacy and the consequences of privacy breaches?”
The Workbook continues: “Lawyers and staff are provided with up-to-date technology training relating to issues of confidentiality and privacy pertaining to electronic data, including training on the importance of password protection and awareness of the risks associated with, suspicious emails, links and attachments.” And, “Lawyers and staff receive education and training regarding the principles of confidentiality and solicitor-client privilege, including… in relation to electronic communications (email, texting, e-documents).”
Lawyers are well-advised to read the Pilot Project report, and start to work through the Workbook early in 2020, not just to prepare to complete the mandatory Self-Assessment report but also to take action in hardening their systems, policies and protections against cyber-threats.