As the COVID-19 pandemic pushes many aspects of daily life online, there’s growing concern about threats to the privacy of attorney-client communication in civil and criminal cases.
Many lawyers and their clients are struggling to make sure their communications stay between them, and away from the eyes and ears of hackers domestically and abroad, the New York Civil Liberties Union (NYCLU) writes in a new report.
“The COVID-19 crisis has exposed this digital security gap in an alarming way, and the increasing use of digital communications for client matters necessitates permanent changes to legal ethics rules,” said Jonathan Stribling-Uss, a technologist fellow at the NYCLU and the author of the report.
Stribling-Uss argues that many vulnerable clients have placed their trust in the promise of confidentiality, and without ethical rules to enforce it, their vulnerability has increased because of the risk of data breaches.
The World Economic Forum has identified the lack of cybersecurity as one of the top 10 threats to global security, and this clearly impacts law firms working with clients.
Cybercriminals use phishing tactics, or sophisticated coordinated cyberattacks, to expose clients' data. And, as the NYCLU report explains, hackers are drawn to vulnerable law firms because of the massive amount of valuable documents, technical secrets, financing information, and even criminal histories of clients that they hold.
The NYCLU report outlines how, since 2014, over 100 U.S. law firms have reported data breaches. One incident in particular that the authors detail is the Mossack Fonseca law firm’s massive data breach that took place in 2018.
Considering Mossack Fonseca was the fourth largest provider of offshore financial services in the world, they became a target, falling victim to a breach of more than 11.5 million leaked files spanning nearly 40 years of data from over 35 locations around the globe.
In New York state, the number of unique law firm data breaches doubled between 2017 and 2018, detrimentally impacting nearly 1,500 individuals, according to the NYCLU report.
And, in a recent action in the Manhattan Supreme Court, a couple alleges that over $1.9 million was stolen, due to their real estate lawyer’s negligence in failing to encrypt her communications. This led to cybercriminals targeting the couple and stealing their money.
The NYCLU report says that all clients who work with attorneys, whether on civil or criminal cases, deserve protection of their information.
“Evidence is clear that our clients face multiplying digital threats, and the legal profession is accountable for allowing these foreseeable risks to proliferate,” said Peter Micek, General Counsel to Access Now, and a lecturer at Columbia University’s School of International and Public Affairs.
Micek said it’s disappointing to see New York State, which is usually at the forefront of these issues, fall behind on adopting new technologies to protect client confidentiality.
The authors of the NYCLU report note that adding security to close the existing gap is not a novel concept. They cite how other professional sectors, like financial services, were quick to recognize and attend to the security enhancements needed as the COVID-19 crisis began.
The NYCLU authors say lawyers and law firms should implement the same cybersecurity defenses used by these other sectors.
The authors write that the most “robust technical way” to protect attorney-client communication is to use end-to-end encryption for all forms of communication, including email and video.
The NYCLU authors also recommend that attorneys stay informed about open source platforms, like Ubuntu or Debian, which allow software engineers to fully control all aspects of a computer’s system, so they can use them with their clients whenever possible.
These accessible programs apply “very rigorous math, logic, and technology” to communication programs to help ensure that everyone’s information stays safe and confidential.
Other recommendations the NYCLU detailed include:
- Attorneys, clients, and professional associations should advocate that open source privacy-focused operating systems are utilized for all attorney-client drafting and at-rest encryption;
- Professional legal associations should offer services to assist civil society organizations and legal services offices to achieve security audits and internal reviews to assess the security of their privileged communications; and,
- Professional legal associations should offer training to organizations to educate them about how to utilize open-source end-to-end encryption whenever they have clients.
Overall, advocates and lawyers alike are pushing for change to ensure that vulnerable clients have their privacy rights protected.
Andrea Cipriano is a staff writer for TCR