We are all focusing more on security, and the World Wide Web has become a staple of our challenges in this world. Within the past couple of years, I have proceeded from blissful unawareness to a critical focus on cybersecurity. I have been fortunate to run into some of the best and brightest engaged in addressing the threats we all face in the Internet domain. On December 15, 2021, I will host a morning at the Workers' Compensation Institute, at which a preeminent group of subject-matter experts will provide cybersecurity insight for the workers' compensation world.
As my awareness of the topic has grown, I have addressed various concerns. I am focused on this because we are all dependent upon the Internet. This community of workers' compensation has evolved, like much of the world, and is now utterly dependent upon digital data, and interdependent upon others in the systems. We see it in medical records, case-management reporting, adjusting, and more. There are vast quantities of data moving through the web to keep the world's workers' compensation benefits processes flowing, and all of that data is of potential interest to the miscreants who troll the web looking for some profit or advantage.
Thus, there have been some posts about security; see Cybersecurity 2020's Hot Topic (January 2020); The Physical Premises of Cyber Security (August 2020); Your Cybersecurity is Your Job (June 2021); Cybersecurity Forum 2020 (August 2020); and, It Can Happen to Everyone (July 2021).
We even dedicated an edition of the Workers' Compensation Hot Seat to the topic in August 2020. That the Workers' Compensation Institute has decided to focus on this topic is telling. Over the years, it has become somewhat of a tradition that one hears of new challenges and solutions at the WCI each August. Sure, we are a little late this year in an accommodation to the SARS-CoV-2 and COVID-19. But, with vaccinations and other persistent precautions, we will gather soon in Orlando to continue that tradition.
We are now all persistently focused upon the ether. There are so many threats to our data, coming from miscreants in the cyber world. We will have lots of discussion of that in December. But, in organizing for the December 15 program, my thoughts have returned to the physical world aspects. It is too easy to lose track of the physical threats of loss or theft that we all face from corruption or loss of flash drives, laptops, and servers. Yes, servers.
In July 2019, The Florida Supreme Court permanently disbarred an attorney in one of the most intriguing examples of identity theft I have ever read. The referee's report is interesting and descriptive, a harbinger worthwhile for anyone that is interested in our expanding digital present. There are those in Cybersecurity who repeatedly warn us that our human elements are the greatest threat. They typically refer to someone in your office making an error, clicking on a deceptive link, or similar. But, what if you work with someone that is simply a bad actor?
In The Florida Bar v. Brady, SC19-39, an amazing recitation of facts illustrates again the physical challenges of cyber security. Following testimony and argument, the referee concluded to recommend that the attorney involved "be found guilty of violating each of the seven rules as alleged in the Bar's Petition." There is an interesting discussion of trial preparation, following instructions from the tribunal, and the appellate process as well. Any attorney interested in the Florida disciplinary process would do well to read the report issued in this unpublished Court decision.
The attorney in this matter was an employee of a law firm but was terminated. Soon thereafter, the attorney established a website with a very similar URL (uniform resource locator, the "www" that you use to find a website). With that close similarity, this lawyer established a web presence that looked a lot like the law firm he had just departed. The owner of the real law firm, the attorney's former employer, eventually managed to get that new website closed through a court proceeding and injunction. But, for a while, the law firm owner had to contend with essentially a usurpation of his business' identity.
The former associate who was terminated also filed information with the Florida Secretary of State to incorporate a business under the website URL name, a very similar law firm name, but that attempt was rejected as too similar. The lawyer nonetheless made contact with some opposing counsel in existing cases. He communicated that he was now "the lone true owner of" that law firm and directed future communication to himself. Thus, in a few subtle maneuvers, this attorney strove to capitalize on someone else's identity and misdirect communications and data to himself.
But, he was not done. The attorney next resorted to simple burglary. In a scene that one might think could only be conceived by Hollywood, this attorney "and his twin brother," staged a "broad daylight" assault on the law firm (I have not named the attorney or the brother, let's simply refer to them as "Lloyd and Harry," fictitious names for convenience). Unfortunately for them, surveillance video captured the scene. See Assume Everyone is Watching (September 2015), cameras are everywhere.
Lloyd and Harry (not their real names) backed a "truck up to . . . (the law) firm." They tied "a rope from the truck to the front door," and "rip(ped) the front doors open." They then removed "two sizeable items from the law firm," the "firm's safe," and "the firm's computer server." Thus, a physical assault evolved into a cyber attack in a somewhat spectacular manner, on video. In the event the video was not sufficient, the former employee's attorney sent the owner of the law firm a text message confirming the liberation of the data storage.
The law firm owner sought and was granted equitable relief from a court. There were injunctive orders entered precluding the former employee lawyer from "interfering with his business," or even making contact with the firm or its clients. But, the harassment did not end. The referee noted that this attorney eventually was "held in contempt on three separate occasions by the Circuit Court for intentionally violating this injunction." There is a description in the referee order of ongoing behavior including "false and unauthorized (legal) filings," and even "forg(ing) another attorney's signature."
The referee makes specific reference to one such filing as "patently false" as well as "a flagrant fraud upon that court." In another instance, the attorney sought to solicit the business of a client represented by the law firm that had terminated him. When that business declined to hire the attorney, he proceeded anyway to sign and file documents "in various pending . . . cases handled by" that law on behalf of firm clients and to assert that he was personally "entitled to fees from those cases."
Thus, the operation of a law firm's business was interrupted and inconvenienced. The contrarian individual committed acts that either procured the business' data or deprived the firm of that data, the theft of the server. Not addressed by the referee is whether the data on that server was backed up to allow the firm to continue to function or encrypted to prevent the miscreants of the world from harvesting that data once in possession of that server. As easy as it may be to envision the loss of a laptop or flash drive containing a trove of data, the idea or a physical theft of a server from an office may come as a surprise threat to some readers.
The referee recommended permanent disbarment in this instance, and the Florida Supreme Court agreed. The referee cited various precedents involving "conduct prejudicial to the administration of justice," "inability to maintain personal integrity," and more. The referee examined potential for mitigation in the facts of the case and noted that the attorney had never been disciplined for violative behavior previously.
The referee made particular mention of the server theft. This was characterized as "an intentional interference with the administration of justice" because the theft presented "the potential to hobble the firm's practice entirely." This is a recognition of the critical nature of data in our modern world and businesses. The actions "caused significant injury to" the server's owner and the law firm, but also "indirectly, his clients." The owner of the law firm substantiated this harm in his testimony before the referee, and the referee noted that the former associate attorney "clings to his justification for his actions with a ferocity that is quite disturbing." In short, it appears that some people believe strongly in their right to interfere with or take the data that belongs to others, to you perhaps.
No doubt, our inboxes or spam folders are often inundated with phishing emails and worse. The bad actors are striving for us to make mistakes, click links, or otherwise grant them access to our digital data. But, there is physical security involved with all of this data as well. Are physical premises appropriately secured? Is information encrypted and protected from the loss or theft of some storage media like a flash drive or a laptop? Have you ever considered the potential for someone to rip the office doors away with a truck and drive away with your server, data, and more?
Cybersecurity continues to vex and challenge us. I look forward to speaking with you about the subject as I introduce a stellar succession of speakers on December 15, 2021, at the WCI. See you there.