For the Defense - Vol. 6 Issue 3 - 10

to prevent the inadvertent or unauthorized disclosure of,
or unauthorized access to, information relating to the
representation of a client. "
The " reasonable efforts " that an attorney must take to
protect confidential information have evolved through
the years as technology has advanced. Ten years ago, the
Pennsylvania Bar Association issued a Formal Opinion
on the Ethical Obligations For Attorneys Using Cloud
Computing/ Software As A Service While Fulfilling The
Duties Of Confidentiality And Preservation Of Client
Property, Pa. Bar. Assoc. Formal Opinion, 2011-200. While
the advice in that Opinion is still timely and helpful, as
ransomware attacks grow more frequent, the duty to
prevent them becomes more urgent, and the failure to
do so borders on negligence or even malpractice.1
The use of phishing emails to install malware that
deprives a user from accessing their computer files has
been at the center of demands for " ransomware " in many
of the most notorious ransom schemes. In 2020 alone,
victims paid nearly $350 million worth of cryptocurrency
in ransom. Again, and again, sophisticated organizations
have been subjected to demands for payment of " ransom "
after an employee unwittingly opened an attachment to
an email leading to an infection of the company's network
and spreading all through the company's systems.
Most solo attorneys and small firms are aware of
cybersecurity threats, but they tend to overlook the
severity or likelihood of an attack. However, even the
solo criminal defense lawyer is holding confidential and
sensitive information on their computer and is at risk. The
danger has increased with our dependence on employeeowned
hand-held devices and our expanded use of
remote work. Each new location and separate device
becomes an opportunity for infiltration.
What's a solo or small firm lawyer to do in the face of this
wave of cyber-crime? Here are some simple suggestions
for a basic cyber-security program:
1. To see where your vulnerabilities are, and
how to fix them, start with a cyber-security audit.
There are cyber-security experts who will review
your software and hardware, assess how secure
you are and what you need to do to improve your
security. For solo and small firms, this can be very
cost-effective, as the scope of your systems are
likely not complex.
2. Change your passwords frequently and
be sure to reset the default password on any
new hardware. Wherever possible use two-step
authentication to access important websites,
especially when accessing online IOLTA accounts.
Keep your passwords in a secure " passport vault "
like 1Password, Dashlane or bitwarden (free).
3. Train your staff. As discussed above, opening
an infected email, clicking on a phishing link,
visiting an infected web site with no browser
security, or using a public internet access point
without adding your own VPN security, are all
examples of conduct that creates the greatest
risk, but is easily avoidable with the proper staff
training.
4. Keep all your software updated. Make sure
that you are installing the latest security patches.
5. Install Antivirus/Malware protection
software, such as Next-Generation (NGAV).
6. Include a provision in your engagement
letter that both parties agree to the use of
email to communicate, despite the known
risks. Discourage a client from resorting to text
messages to communicate on substantive issues.
(This is as much for counsel's sanity as it is security.)
7. Use an email filtering solution designed to
prevent phishing or ransomware attacks (e.g.,
Microsoft Advanced Threat Protection or Office
365 Microsoft Defender).
8. Be careful with thumb drives. Only use
removable drives that you are familiar with or
that come from a trusted source. If a drive has
been used in publicly accessible devices, like
10 For The Defense l Vol. 6, Issue 3
https://www.lifewire.com/disable-windows-remote-desktop-153337
For the Defense - Vol. 6 Issue 3

Table of Contents for the Digital Edition of For the Defense - Vol. 6 Issue 3
