WC.com

Thursday, July 15, 2021

Ignoring the Road Leads to Accidents

Breaking news! Ignoring your problems will not make them go away. Who knew? (Sarcasm, sorry). The headline of a June article in The Florida Bar News, "Ignoring Cybersecurity Puts You and Your Clients at Risk," is perhaps a little less than informative. Imagine a headline in your local paper "Ignoring the road leads to accidents." But, this article is a must-read for any small business person.

The focus is on a recent 7-hour seminar program on technology provided by the folks at The Florida Bar. It was presented by the Legal Fuel program. They have a website full of links to help you with cybersecurity for your firm. I say firm instead of law firm as there is advice there that might benefit any business.

The lead premise from the recent program is pretty simple: lawyers are required to study technology. The Florida Supreme Court has concluded that technology is here to stay and that its challenges are worthy of our attention. Sound advice (CLE requirement) indeed. It is interesting that only two states have a technology education requirement for lawyers, Florida and North Carolina. Perhaps technology is not a concern elsewhere?

Within the Florida context, the discussion turns to the substantive requirements that lawyers face regarding education generally, largely Competence and Confidentiality. The Bar News article concludes that these two "require lawyers to be familiar enough with technology to take reasonable precautions to protect client data." The crux is patent: lawyers have both volumes of confidential data and responsibilities to protect it.

The issue is, of course, also related to the very essence of legal services. People come to lawyers with very personal problems. They seek help and remediation, advice, and confidence. Are lawyers really any different in this regard from doctors, accountants, and a variety of other professions? I would suggest not; not to diminish the topic but to suggest all professionals should share this concern. The program suggests that COVID has enhanced our technology and security dependency and therefore our challenges. This is seen in the transmission of data, the sharing of computers, and more; it should encourage us to be more cognizant still.

There is a recognition stated that technology is ubiquitous in our world today. Some express incredulity that we can be efficient and effective without it. The News article focused on how we perceive and plan for "business continuity," meaning that you are prepared for the worst in terms of losing access to your data (ransomware attack), or diminishing your image (public perception following a data breach), or merely the time required for rebuilding in the wake of a loss (replacing hardware, installing software, etc.). This might also include explaining to clients, The Bar, your insurance company, or others about impacts of such an event at your business. It may be a matter of trust, but after a breach it may be about proactivity, documentation, and remediation.

There is advice about understanding the manner in which a business stores, shares, and secures data. There are a variety of ways data might be intercepted or lost. It could be as simple as details on a misplaced flash drive. Or, one might choose to use "common collaborative tools such as Office 365 and Google Drive" that could be breached. There have been instances of the biggest names in the business being breached, including DropBox, Microsoft, Apple, and Yahoo. Or, information could be intercepted during transmission over the internet. Worse, someone might intentionally enter your "virtual office" to take your data (for their own purposes), hide your data (to collect a ransom), or co-opt your systems to provide ongoing access to data as it is acquired.

The article provides practical suggestions such as offsite data backup. However, any transmission of data comes with risks. There is discussion also of "multi-step authentication and email encryption" to help with the challenges of theft or interception. Of crucial interest, the experts noted that lawyers are responsible for their own actions, but also for the actions of others. This includes lawyer staff in the simplest sense, but also the vendors a lawyer uses. If a lawyer is hiring someone to be a courier of papers, the lawyer may be responsible for that person's actions; similarly, when procuring a service for digital transmission or storage of data, the lawyer is equally obligated to be diligent regarding data protection.

The experts cited in the article acknowledge the benefits of software and services. However, they contend that the greatest threat to cybersecurity, the "weak link," is us humans who interact with the firm's data. We are the ones who might click on a link in an email and open the door. We are the ones prone to social engineering, where we obliviously allow someone into our confidence, accommodating their access to do bad. We are the ones that might receive or even find a flash drive and blithely insert it with the best intention of finding the owner, but wreaking havoc in the process. In the world of computers, software, and technology, the simple human element is indeed the weakest link.

We may unwittingly rely on computers. Tools meant to help us, such as digital assistants like Alexa, Cortana, and "hey Google" may be able to record our conversations, share our data, and undermine our security; we may be unaware as it occurs. As Walt Kelly's Pogo famously noted, "We have met the enemy and he is us." The greatest threats to our digital security are thus all within our own control. We can educate ourselves, remind ourselves, and improve our focus and attention to the threats. The education and information above are free for the taking.

Courtesy Walt Kelly, 1971.

But, more specific to the wealth of data and challenges we face in the workers' compensation community, there is a great upcoming opportunity. On December 15, 2021, at the WCI conference in Orlando, I will host a full day of cybersecurity training and education. We will have experts from a variety of backgrounds and perspectives. The program is included in your WCI registration. We will focus on the data, the practices, and the threats. Those who would do you harm are imaginative and persistent. Can you afford to be less? I hope to see you in December!