
Why Lawyers Should Care About Privacy & Security

On October 1, 2015, Mexican human rights attorney Karla Salas received a highly personalized text message about a wake for her friend’s deceased father. The message contained a link, and she clicked it. It was a targeted attack: the link infected her phone with Pegasus, a sophisticated spyware tool sold by NSO Group. She is not alone. In an unrelated incident, an anonymous UK attorney was targeted with the same spyware, this time via WhatsApp messages.

If you’re thinking, “I’m not a high-profile lawyer working on a high-profile case, so I’ve got nothing to worry about,” you’re mistaken. According to Coveware, small and medium-sized law firms are squarely in the crosshairs of cyber criminals. They state, “The most notable change in industries impacted by ransomware attacks in Q1 [2021] was the professional services industry, specifically law firms. Small and medium sized law firms continue to succumb to encryption ransomware and data exfiltration extortion attacks. Unfortunately, the economics of many small professional service firms do not encourage or enable adequate cyber security.”

Beyond security, using many popular services (Gmail, Outlook, Yahoo, etc.) puts attorney-client privilege and 4th Amendment protections at risk.

Whether we like it or not, all industries, including legal, are being transformed by technology. Lawyers need to understand and appreciate the privacy and security implications of this new reality so they can protect themselves and especially their clients.

Please note that nothing in this post shall be interpreted or misconstrued as legal advice (see Disclaimer for more details).


Lawyers and Law Firms are Attractive Targets

In the legal world, lawyers know the phrase “deep-pocket defendant” well. In the digital world, lawyers and law firms are “deep-pocket targets.” This is amplified by the fact that attorneys’ profession, license status, and other information are public record. Lawyers tend to prefer cases with a higher chance of a large settlement. By the same token, criminals target those who are likely to yield high value – money and/or data.

Lawyers also have a reputation to protect, making them an attractive target for extortion and doxing. With social media and the never-ending stream of data breaches we’re experiencing, you can find more about any given person than you probably imagine.


The Law Won't Protect You from Digital Threats

We aren’t lawyers, but we imagine that being educated in the law and having access to extensive legal resources is a privilege most lawyers enjoy. However, this may give attorneys a false sense of security. No amount of law, lawyers, or paper will protect you from digital threats. Today’s cyber criminals will target anyone: lawyers, journalists, charities, hospitals, police, grandma, your children, et al. Even the NSA has allegedly been hacked, by a group known as The Shadow Brokers. Bear in mind that many cyberattacks originate overseas. In that case, even if you can determine who’s responsible, what are you going to do about it?

A Hack or Breach Could Ruin Your Career or Business

What's the Big Deal?

Warren Buffett wisely said, “It takes 20 years to build a reputation and 5 minutes to destroy it.” At any time, you, your firm, and your clients may be one click away from a catastrophic hack or data breach.

Remediation from a single ransomware attack costs businesses ~$2 million on average. This is bad news for law firms, as they tend to be attractive targets for ransomware gangs because they have money and privileged information. Ransomware used to be a matter of paying the ransom or losing your data. Today’s ransomware often sends your data to attackers before encrypting it. If you refuse to pay, you’re then threatened with the public disclosure of your/your clients’ data. Imagine telling your clients that all of their files are now freely and publicly available because you got hacked. Imagine being unprepared for a case because your files are locked. What would that do to your business and reputation?

A Rock and a Hard Place

If or when you get hit by ransomware, this will leave you stuck between a rock and a hard place. At a minimum, you’re looking at spending time and money on ransom payments, outside consultants, IT overtime, working with law enforcement, not serving clients, etc. No matter how you handle this situation, there may be liability on your part and other long-term effects:

  1. You may lose clients. Would you give your sensitive information to an attorney or law firm that leaked their clients’ data? We certainly would not.
  2. Your data may never be recovered. It’s not unusual for attackers to fail to deliver a working decryptor even after ransom payment(s) are received. Also bear in mind that modern ransomware increasingly targets backups, so you may find those encrypted or deleted as well; backups only help if at least one copy is kept offline or otherwise immutable, and is restored from regularly to prove it works.
  3. Victims are often the target of repeated hack attempts and demands for additional ransom payments
  4. It may be illegal to make ransomware payments in your jurisdiction. In the US, for example, paying a group on the OFAC sanctions list can itself be a violation. If you feel the need to make the payment(s), you may be breaking the law.
  5. You may be required to notify your clients. Depending on what you disclose and how quickly you disclose it, you may be exposed to liability here as well.
  6. If your clients suffer as a result (e.g. identity theft), you may be sued for damages
  7. If you’re the employee who opened the malicious email attachment or fell for the phishing scam, you better start polishing that resume

Real-world Examples

In 2016, law firm Mossack Fonseca was hacked. As a result:

  1. ~11.5 million documents were leaked
  2. At least 300,000 people were impacted
  3. The firm closed its business in 2018

Also in 2016, law firm Moses Afonso Ryan Ltd. was hit by a ransomware attack, resulting in:

  1. ~$700,000 in lost billings alone
  2. Undisclosed ransom payment(s)
  3. Months of lost productivity due to files being locked, infection remediation, negotiation, etc.

Read this article if you want more examples and details.

Attorney-Client Privilege & the 4th Amendment

1st-Party & 3rd-party Threats

If an attorney takes notes on a client’s case and locks them in a file cabinet, those notes are protected by attorney-client privilege and the 4th Amendment. However, these protections become dubious when the notes are digitized and handed to third parties (e.g. Google or Microsoft). Cornell Law School writes, “Communications made to and by a lawyer in the presence of a third party may not be entitled to this [attorney-client] privilege on grounds that they are not confidential.” Do lawyers read the terms and conditions for these services? If they did, would or should they still use them? These services expose them and their clients to critical 1st-party and 3rd-party threats.

When you use Gmail, Outlook, Yahoo, or another email service that isn’t end-to-end encrypted, your and your clients’ emails sit on the provider’s servers in a form the provider can read. Providers, and in some cases their contractors, can and do process users’ emails for various purposes (spam and abuse filtering, feature development, and, historically, ad targeting). Whatever the terms and conditions say, the provider retains the technical ability to read your mail, and the terms can be changed at any time. In 2014, Microsoft admitted to searching a non-employee’s Hotmail account to track down the source of an internal leak. That was one disclosed case; access that isn’t disclosed is, by definition, invisible to you.

If your emails and attachments are directly readable by Google et al., are they still protected by attorney-client privilege and the 4th Amendment? There is much debate about this, but we don’t believe using these services is worth the risk. Believe it or not, there are email providers (Proton Mail, Tutanota, et al.) that don’t scan, read, or have direct access to your emails. Bear in mind, though, that end-to-end encryption only covers both ends when the recipient also uses it (the same provider, or PGP); a message you send from Proton Mail to a client’s Gmail account is still readable by Google once it arrives.

Real-world Example

Let’s suppose you’re an attorney using Yahoo to email clients. Are your emails private? Let’s discuss who may have access to your emails:

  1. Yahoo employees and, to some degree, their contractors
  2. Law Enforcement: In the US, the third-party doctrine means law enforcement doesn’t necessarily need a warrant for information you hand to 3rd-parties. In some cases, they can:
    1. Obtain your data without a warrant using an Emergency Data Request (criminals have also abused this channel by sending forged emergency requests to providers)
    2. Simply ask, and the provider may comply without a warrant (although forcing disclosure of message content usually requires a warrant)
    3. Buy your data (e.g. Fog Reveal for location tracking). Although we aren’t aware of any service that sells emails, you should be aware of this because emails aren’t the only information exchanged between lawyers and their clients.
    4. Buy hacking tools and hack your phone, depending on your jurisdiction and the circumstances (e.g. Pegasus spyware used by governments against journalists, lawyers, et al.)
  3. NSA, internet service providers (ISPs), and others in the internet infrastructure: Email wasn’t designed to be secure. Encryption between mail servers (STARTTLS) is opportunistic, so depending on what services your clients use, some of your emails won’t be encrypted in transit at all, exposing them in plain text to anyone with access to the internet backbone, your network, or your clients’ networks. The NSA’s collection programs capture large volumes of internet traffic, and its XKeyscore tool lets analysts query and read emails and other communications.
  4. Hackers and anyone they leak data to: Yahoo’s breaches disclosed in 2016 and 2017 affected roughly 3 billion accounts

As you can see, the conversations you and your clients thought were private may be anything but.
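The transit-encryption problem in item 3 is something you can check for yourself on any message you receive. The Python script below is an added example written for this post, not code from the original article or from any email provider. It parses the Received: chain of a message and reports which hops the receiving servers logged as unencrypted; the sample message, all host names in it, and the field formats it expects are constructed and assumed.

```python
"""Flag hops in an email's Received: chain that were not protected by TLS.

Added example, not code from the original post. Every mail server that handles a
message prepends a Received: header. When a hop used STARTTLS the server usually
logs the protocol as ESMTPS (or ESMTPSA for an authenticated submission) and often
records the TLS version and cipher; a hop logged as plain ESMTP or SMTP with no
TLS details most likely travelled in the clear. The sample message and all host
names in it are constructed.
"""
import re
from dataclasses import dataclass
from email import message_from_string
from typing import List

# Protocol tokens that imply TLS (the trailing S). Other tokens are checked for an
# explicit TLS version instead, since logging formats vary between MTAs.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}
HOP_RE = re.compile(
    r"\bfrom\s+(?P<sender>\S+).*?\bby\s+(?P<receiver>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.IGNORECASE,
)
TLS_VERSION_RE = re.compile(r"\b(?:TLSv?1[._]\d|SSLv\d)\b", re.IGNORECASE)


@dataclass
class Hop:
    sender: str      # host that handed the message over ("from")
    receiver: str    # host that wrote this Received: line ("by")
    protocol: str    # token after "with", upper-cased
    encrypted: bool


def parse_hops(raw_message: str) -> List[Hop]:
    """Return hops in chronological order (Received: headers are newest-first)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\s+", " ", value)  # unfold the header
        m = HOP_RE.search(text)
        if not m:
            continue  # header lacks a from/by/with clause; don't guess
        proto = m.group("proto").upper()
        encrypted = proto in TLS_PROTOCOLS or TLS_VERSION_RE.search(text) is not None
        hops.append(Hop(m.group("sender"), m.group("receiver"), proto, encrypted))
    return hops


def cleartext_hops(raw_message: str) -> List[Hop]:
    """Hops that, according to the receiving server's own record, were unencrypted."""
    return [hop for hop in parse_hops(raw_message) if not hop.encrypted]


# Constructed sample: three hops; the middle one (old relay -> firm's MX) was plaintext.
SAMPLE_MESSAGE = """\
Received: from mx.example-lawfirm.test (mx.example-lawfirm.test [192.0.2.10])
\tby mail.client-isp.test with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256);
\tMon, 03 Jul 2023 09:15:02 +0000
Received: from relay.old-hosting.test (relay.old-hosting.test [198.51.100.7])
\tby mx.example-lawfirm.test with ESMTP id def456;
\tMon, 03 Jul 2023 09:14:58 +0000
Received: from [10.0.0.5] (workstation.example-lawfirm.test)
\tby relay.old-hosting.test with ESMTPSA id ghi789
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
\tMon, 03 Jul 2023 09:14:55 +0000
From: attorney@example-lawfirm.test
To: client@client-isp.test
Subject: Re: settlement draft

Draft attached.
"""

if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop.encrypted else "CLEARTEXT"
        print(f"{hop.sender} -> {hop.receiver} via {hop.protocol}: {status}")
```

Two caveats when using this on real mail. Each Received: line is written by the receiving server and can be forged by anything upstream, so only the line your own server added is fully trustworthy. And logging formats differ between MTAs, so a hop that shows neither an ESMTPS-style token nor a TLS version is reported as cleartext even though a few servers simply omit the detail; treat the result as a prompt to ask the other side about their mail setup, not as proof.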

A Tech-savvy Lawyer May Better Serve Clients

Being familiar with technology, especially pertaining to privacy and security, may allow an attorney to better serve clients. For starters, it may be prudent to educate your clients to prevent torpedoing a case by blabbing about it on social media. Conversely, conducting or hiring someone to conduct open-source intelligence (OSINT) operations may make a case. We once heard a story of a landlord being sued by a tenant alleging a serious injury on the landlord’s property. Defense eventually found evidence on the plaintiff’s social media that the injury was caused by a skiing accident. A tech-savvy lawyer may also be able to attract higher-profile clients as well as identify and question the admissibility of digital evidence that has been obtained inappropriately.

A Better Path Forward

For Lawyers

Client Consent is Insufficient for Invasive Services

For the purposes of this post, we define an invasive service as one that exposes users’ data to the service provider, harvests users’ data for various purposes (e.g. advertising), collects extraneous user data, and/or has a poor security track record. This includes many popular services – e.g.:

  1. Email: Gmail, Outlook, Yahoo
  2. Text messaging: SMS, Facebook Messenger, WhatsApp
  3. Teleconferencing: Zoom, Skype, Teams
  4. Cloud storage: Google Drive, OneDrive, iCloud, Dropbox, Box

We’ve read others’ opinions on the use of invasive services by attorneys. Some suggest that this is acceptable as long as you have express client consent. This may be the case from a legal standpoint, but what about a moral one?

In order to give proper consent, a client must understand what the ramifications of the use of a service are. This is akin to minors being unable to give consent for certain things – it’s presumed they don’t fully understand what they’re consenting to. If a lawyer asks a client for consent to store their case files in Google Drive, for example, is that sufficient? How many clients actually understand what they’re consenting to, considering some attorneys can’t understand the terms of service for many of these services? How many clients are aware that doing so gives Google, and potentially others (contractors, law enforcement, et al.), access to their documents?

Best Practices

Below is a very abbreviated list of best practices for lawyers to improve their privacy and security:

Basics
  1. Always bear in mind that your clients are trusting you to secure their sensitive data. A breach of that trust might mean a loss of income for you, but can quite literally be devastating for your clients. Even if privacy and security aren’t a concern for you, it should at least be for the sake of your clients.
  2. Use devices, software, and services that respect the privacy and security of you and your clients (see below)
  3. Use a password manager and implement good password practices
  4. Implement multifactor authentication (MFA) everywhere it’s available
  5. Don’t store data for longer than required, and don’t store extraneous data. Old and extraneous data is a liability. Do you really need to store your clients’ Social Security numbers, or can you request and use them on demand? Minimizing the data you collect and retain limits the damage a hack or data breach can do.
Behavior & Policy
  1. Use encryption everywhere. Force all web traffic through HTTPS (Firefox and Brave have an HTTPS-only mode) and use full disk encryption on all storage devices, bearing in mind that full disk encryption only protects data while the device is powered off or locked. This also means avoiding faxing, since faxes travel unencrypted over the phone network.
  2. Keep your personal and professional lives separate. Lawyers understand this concept well from an asset protection standpoint, but what about from a digital one? This goes for phones, PCs, email addresses, and online accounts. Keeping these separate will mitigate the risk and damage of a hack or data breach. Imagine telling your clients that their information is publicly available on the dark web because you installed a malicious Chrome extension to watch Netflix with your friends. Imagine getting canned or extorted after someone discovered you used your professional email address for a service like Ashley Madison.
  3. Treat all emails and text messages with suspicion. Phone numbers and email addresses can be spoofed, so the display name and address alone don’t prove who a message is from; verify unexpected requests (especially changes to payment or wire instructions) through a channel you already know. Phishing emails and text messages are among the most common ways to get hacked.
  4. Maintain a policy of least privilege. Coworkers and employees should only have the minimum access to systems, accounts, and data that they need to perform their job. This will mitigate the damage caused by social engineering, insider threats, and wormable malware.
  5. Avoid USB devices. Malware can use USB devices to spread from machine-to-machine. For specific high-value targets (e.g. a law firm), criminals are known to drop infected flash drives in/around their target. Would you, an employee, or coworker plug a found flash drive into a work device to see what’s on it? Many would, which may lead to a serious infection. A client may also unknowingly hand you an infected flash drive. As an alternative, transfer files through an end-to-end encrypted channel.
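Item 3 above says addresses can be spoofed; the practical check is to look at what your own mail server verified rather than at the From: line. The Python below is an added example for this post, not code from the original article or from any of the providers it names. It reads the Authentication-Results header (RFC 8601) written by your receiving server, determines whether the From: domain is backed by an aligned DKIM or SPF pass, and compares it against the domain you know the contact uses. The authserv-id `mx.client-isp.test`, every host and domain name, and the three sample messages are constructed.

```python
"""Check whether an email's visible From: domain was actually authenticated.

Added example, not code from the original post. Receivers that verify SPF, DKIM and
DMARC record verdicts in an Authentication-Results header (RFC 8601). check_sender()
honours only the header written by a receiver you trust, checks that the From: domain
is backed by an aligned DKIM or SPF pass, and optionally compares it with the domain
you know the contact uses. All sample messages, hosts and domains are constructed.
"""
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

RESULT_RE = re.compile(r"\b(dkim|spf|dmarc)=([a-z]+)\b", re.IGNORECASE)
DKIM_DOMAIN_RE = re.compile(r"header\.d=([A-Za-z0-9.-]+)", re.IGNORECASE)
SPF_DOMAIN_RE = re.compile(r"smtp\.mailfrom=(?:[^@\s;]+@)?([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class SenderCheck:
    from_domain: str
    dkim_domain: Optional[str]  # domain whose DKIM signature verified
    spf_domain: Optional[str]   # envelope sender domain that passed SPF
    dmarc: Optional[str]        # receiver's DMARC verdict, if recorded
    trusted: bool
    reason: str


def _aligned(from_domain: str, auth_domain: str) -> bool:
    # Simplified DMARC relaxed alignment: equal, or one is a subdomain of the other.
    # Real DMARC compares organizational domains using the public suffix list.
    return (from_domain == auth_domain or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))


def check_sender(raw_message: str, authserv_id: str,
                 expected_domain: Optional[str] = None) -> SenderCheck:
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    dkim_domain = spf_domain = dmarc = None
    for value in msg.get_all("Authentication-Results", []):
        clauses = [c.strip() for c in re.sub(r"\s+", " ", value).split(";")]
        # Honour only the header our own receiver added; a sender can prepend
        # any number of forged Authentication-Results headers to its message.
        if not clauses[0].lower().startswith(authserv_id.lower()):
            continue
        for clause in clauses[1:]:
            m = RESULT_RE.search(clause)
            if not m:
                continue
            method, result = m.group(1).lower(), m.group(2).lower()
            if method == "dkim" and result == "pass" and DKIM_DOMAIN_RE.search(clause):
                dkim_domain = DKIM_DOMAIN_RE.search(clause).group(1).lower()
            elif method == "spf" and result == "pass" and SPF_DOMAIN_RE.search(clause):
                spf_domain = SPF_DOMAIN_RE.search(clause).group(1).lower()
            elif method == "dmarc":
                dmarc = result

    def verdict(trusted: bool, reason: str) -> SenderCheck:
        return SenderCheck(from_domain, dkim_domain, spf_domain, dmarc, trusted, reason)

    if not from_domain:
        return verdict(False, "no parseable From: address")
    if dmarc == "fail":
        return verdict(False, "DMARC failed at the receiver")
    if not any(d and _aligned(from_domain, d) for d in (dkim_domain, spf_domain)):
        return verdict(False, "no DKIM or SPF pass aligned with the From: domain")
    if expected_domain and from_domain != expected_domain.lower():
        return verdict(False, "authenticated, but not the contact's known domain")
    return verdict(True, "aligned DKIM/SPF pass recorded by trusted receiver")


# Constructed: genuine mail; the receiver verified DKIM and SPF for the From: domain.
GENUINE = """\
Authentication-Results: mx.client-isp.test;
\tdkim=pass header.d=example-lawfirm.test header.s=sel1;
\tspf=pass smtp.mailfrom=bounce@example-lawfirm.test;
\tdmarc=pass header.from=example-lawfirm.test
From: "Jane Attorney" <jane@example-lawfirm.test>
"""
# Constructed: From: forged to the firm's domain via a bulk mailer; the sender also
# prepended a fake Authentication-Results header, which is ignored.
SPOOFED = """\
Authentication-Results: mx.client-isp.test;
\tdkim=pass header.d=bulk-sender.test; spf=pass smtp.mailfrom=bounces@bulk-sender.test;
\tdmarc=fail header.from=example-lawfirm.test
Authentication-Results: relay.attacker.test; dkim=pass header.d=example-lawfirm.test
From: "Jane Attorney" <jane@example-lawfirm.test>
Subject: Urgent: wire the retainer today
"""
# Constructed: lookalike domain ("lawfrim") the attacker controls, so everything
# authenticates; only comparing against the known contact domain catches it.
LOOKALIKE = """\
Authentication-Results: mx.client-isp.test;
\tdkim=pass header.d=example-lawfrim.test; spf=pass smtp.mailfrom=jane@example-lawfrim.test;
\tdmarc=pass header.from=example-lawfrim.test
From: "Jane Attorney" <jane@example-lawfrim.test>
Subject: Urgent: wire the retainer today
"""
```

The third sample is why the contact-domain comparison matters: an attacker who registers a lookalike domain can publish valid SPF and DKIM for it, so “authenticated” is not the same as “the lawyer you think it is.” Most mail clients expose the raw headers (Gmail: Show original; Outlook: View message source); paste them in and run the check before acting on an unexpected request.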

Software & Services

Below is a list of some of the software and services we recommend for serving and interfacing with clients:

  1. Email: Use end-to-end encrypted email providers that don’t make money by violating your privacy. Proton Mail and Tutanota are good options. If you must use Outlook, Gmail, Yahoo, or a similar service, at least consider using PGP encryption, keeping in mind that PGP protects the message body and attachments but not the subject line, sender, or recipients.
  2. Text message: SMS is comically-insecure. We recommend texting via end-to-end encrypted apps such as Signal, Session, or Briar to keep your messages private and secure.
  3. Web meetings: Use end-to-end encrypted teleconferencing software like Jitsi, Brave Talk, or Signal. We recommend avoiding Zoom at all costs, which has an atrocious privacy and security track record.
  4. Web browser: We recommend Firefox and Brave for privacy reasons. Google Chrome does score highly for security, but is a privacy nightmare.
  5. Office suite: We recommend LibreOffice over Microsoft Office for improved privacy and security (and it’s free!)
  6. Cloud storage: Consider Proton Drive, Tresorit, or Nextcloud as a replacement for Google Drive, OneDrive, or iCloud
  7. File transfer: Use end-to-end encrypted apps and services for transferring files. Proton Mail (if used properly), Signal, OnionShare, and Syncthing are worth considering.
  8. Mobile OS: We recommend GrapheneOS. If this doesn’t work for you, we help clients improve the privacy and security of their iOS and Android phones.
  9. Desktop OS: Acknowledging this is a stretch for many, using Linux should be considered for its privacy and security benefits. If you’ve ever read through the Windows and macOS terms and conditions and other documentation, it’s pretty frightening how much information these operating systems collect. Windows 10, for example, ships with telemetry that, depending on the diagnostic data level you have set, can include typing and inking data, app usage, and crash reports that may contain fragments of the files you were working on.

For Clients

Don’t be afraid to ask your attorney how he or she handles your data. At the end of the day, if they mishandle your data, you may be dealing with the consequences for the rest of your life. In addition to the above (For Lawyers), we recommend that clients do the following:

  1. Use privacy-respecting search engines. Google search queries, in addition to being abused by Google, may be used against you in court. The same can be said for Yahoo and Bing. Consider DuckDuckGo, StartPage, and Brave Search instead.
  2. Avoid social media. Social media posts are regularly used in legal cases.

Final Thoughts

Everything is going digital – even the legal profession. This brings tremendous convenience and productivity. However, we’re concerned that many lawyers and law firms aren’t prepared to handle the privacy and security risks presented by today’s digital world. This isn’t to suggest that lawyers are ignorant of technology, but rather that they’re attractive targets for cyber criminals. We’re of the opinion that lawyers need to be much more cognizant of these issues than most other professionals.

As you can see from this lengthy post, this issue is quite complicated and, unfortunately, there’s no silver bullet. In fact, we’ve had to omit a lot of content to keep it down to this size. We understand how overwhelming this can be, which is why we help our clients navigate these challenging waters. We encourage you to reach out to us for a free initial consultation.
