Channel: Sharon D. Nelson and John W. Simek, Author at Slaw

Two Recent ABA Ethics Opinions: More Law Firms Relying on the Cloud

The ABA released ABA Formal Ethics Opinion 482, Ethical Obligations Related to Disasters, on September 19, 2018. The opinion may be found at https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_opinion_482.authcheckdam.pdf. In the opinion, the Standing Committee on Ethics and Professional Responsibility clarifies the ethical obligations attorneys face when disaster strikes.

Lawyers must follow the duty of communication required by Rule 1.4 of the ABA Model Rules of Professional Conduct, which requires lawyers to communicate regularly with clients and to keep clients reasonably apprised of their cases. Following a disaster, a lawyer must evaluate available methods to maintain communication with clients. The opinion instructs that lawyers should keep electronic lists of current clients in a manner that is “easily accessible.” Most lawyers have taken that to mean that the lists should be stored in the cloud so they can access them from an internet connection anywhere.

Lawyers should pay attention to the duty of competency, Rule 1.1, which includes a technology clause that requires lawyers to consider the benefits and risks of relevant technology. Because a disaster can destroy lawyers’ paper files, lawyers “must evaluate in advance storing files electronically” so that they can access those files after a disaster. Storing client files through cloud technology requires lawyers to consider confidentiality obligations. Again, the opinion has been read by lawyers to encourage cloud storage.

With a little due diligence, this should not present much of a problem. We constantly encourage lawyers to keep backups in the cloud. It is prudent to have a local backup, but the cloud provides additional security. As we learned from Katrina, having a backup at the office and one at home a mile away is not sufficiently protecting confidential data.

If a disaster causes the loss of client files, lawyers must also consider their ethical obligations under Rule 1.15, which requires lawyers to safeguard client property. For current clients, lawyers can first attempt to reconstruct files by obtaining documents from other sources. If they cannot, lawyers must notify the clients of the loss of files or property. To prevent such losses, “lawyers should maintain an electronic copy of important documents in an off-site location that is updated regularly.” Yup, we’re back to the cloud again.

A disaster could impact financial institutions and, therefore, client funds. Thus, lawyers “must take reasonable steps in the event of a disaster to ensure access to funds the lawyer is holding in trust.” It struck us that this could be highly problematic in some circumstances, but of course it is wise to do whatever one can.

A disaster may cause an attorney to have to withdraw from a client’s case under Rule 1.16. “In determining whether withdrawal is required, lawyers must assess whether the client needs immediate legal services that the lawyer will be unable to timely provide,” the opinion notes. We certainly saw a lot of withdrawals after Katrina. Entire law practices closed their doors, some forever.

The opinion also warns lawyers that they should not take advantage of disaster victims for personal gain: “Of particular concern is the possibility of improper solicitation in the wake of a disaster.” Ambulance chasers, hurricane and flooding chasers – all distasteful, but they’ve been with us for a long time.

On balance, the opinion provides some good guidance and may help lawyers to form an incident response plan that complies with the guidance of this opinion. It’s worth taking a look at your incident response plan to see if modifications are warranted. And if you don’t have a formal incident response plan, this is a good time to formulate one! At a recent CLE with some 40+ attendees, only a single attendee had a written incident response plan. We need to do better than that – put that high on your agenda for 2019.

On October 17, 2018, the ABA issued Formal Opinion 484, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, which may be found at https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_op_483.pdf.

This opinion builds on the standing committee’s Formal Opinion 477R released in May 2017, which set forth a lawyer’s ethical obligation to secure protected client information when communicating digitally.

The new opinion states: “When a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.”

The ethics opinion implicates Model Rule 1.1 (competence), Model Rule 1.4 (communications), Model Rule 1.6 (confidentiality of information), Model Rule 1.15 (safekeeping property), Model Rule 5.1 (responsibilities of a partner or supervisory lawyer) and Model Rule 5.3 (responsibilities regarding nonlawyer assistance).

There is a “rule of reason” overtone to the opinion, which states, “As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach. The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach.”

This is of course what cybersecurity experts have said for a very long time – and, in our experience, all large firms tend to have an incident response plan. The smaller firms? Not so much.

The opinion also recommends, in a footnote, that firms should have data retention policies that limit their possession of personally identifiable information. We certainly agree with that. Lots of firms have “zombie” data – data they don’t know they have until there is a data breach.

Since data breaches cannot entirely be avoided, the opinion says, “When they do (have a breach), they have a duty to notify clients of the data breach under Model Rule 1.4 in sufficient detail to keep clients ‘reasonably informed’ and with an explanation ‘to the extent necessary to permit the client to make informed decisions regarding the representation.’”

In general, when it comes to solo/small/midsize firms, virtually all experts agree that the cloud will protect confidential data better than law firms will. Cloud providers’ security expertise far exceeds that of the average law firm, its IT employees or its outside consultants. What questions to ask your cloud provider is the subject of a separate article. Maybe next time!

Taken together, the two opinions offer sound guidance – but it was particularly interesting to see what seems to be an increasing endorsement of cloud computing in Formal Ethics Opinion 482 as part of the solution to business continuity and the protection of confidential data.


2018 ABA Legal Technology Survey Highlights

Every year the American Bar Association sends out a survey to tens of thousands of attorneys requesting information about several areas. The 2018 survey contained six questionnaires covering the following:

  1. Technology Basics & Security
  2. Law Office Technology
  3. Online Research
  4. Marketing & Communication Technology
  5. Litigation Technology & E-Discovery
  6. Mobile Lawyers

The complete survey is available for purchase from the ABA at https://www.americanbar.org/products/ecd/ebk/350226911/. It’s not cheap, but packed with useful information. We’ll cover a few of the highlights here. Each volume is available separately, but you’ll need the complete publication to appreciate all the technology that lawyers use and the trends for the legal profession.

Cyber Liability Insurance

It seems like we hear about data breaches on a weekly basis. Certainly, protecting against security incidents is moving up on the priority list for many attorneys. As a result, lawyers obtaining cyber liability insurance is on the rise. The survey reports that 34% of respondents now have cyber liability insurance compared to 26% in 2017 and 17% in 2016.

Technology Budget

The survey asked if the technology budget has increased this year over the prior year. 45.1% said the budget did increase and 32.5% stated that the technology budget stayed the same. Only 3.7% said the budget decreased. It is not surprising that the response varied based upon the size of firm. 35.4% of solo attorneys had a budget increase. 38.6% of firms with 2-9 attorneys saw an increase and 47.5% of firms with 10-49 attorneys increased their technology budget. The largest group of attorneys to increase their technology spend occurred in the 50-99 lawyer firms, where 60% of firms increased the technology budget.

Cloud Computing

We have seen a tremendous increase in lawyers using the cloud. Being faced with the decision of replacing a server or moving to the cloud, many firms are going with the cloud option. Our experience has shown that Office 365 is a big enticement in pushing law firms to the cloud. The Legal Technology Survey reports that over half (55%) of respondents are using cloud computing technology. The smaller firms appear to have a higher adoption rate than the larger firms. 59% of solo responders are using the cloud, followed by 58% of firms with 2-9 attorneys.

The survey identifies the top used cloud services as Dropbox (60%), Google Docs (36%), iCloud (22%), Evernote (14%), and Box (14%). When asked about the most important benefits to using the cloud, respondents answered with the following:

  • Easy browser access from anywhere – 68%
  • 24×7 availability – 59%
  • Low cost of entry and predictable monthly expense – 48%
  • Robust data backup and recovery – 46%
  • Quick to get up and running – 40%
  • Eliminates IT & software management requirements – 34%
  • Better security than I can provide in-office – 31%
  • None – 8%

Observations

Clearly the movement to cloud-based solutions is continuing to rise. More and more attorneys are comfortable with cloud solutions, which has the tendency to make them more mobile. Cybersecurity and the protection of confidential client data are also key concerns of today’s practicing lawyers. You may not be able to afford the complete volumes of the 2018 Legal Technology Survey, but consider obtaining at least one of the volumes. It will help you see what other attorneys in similar sized firms are using, which can make you much more successful in your technology decisions.

ABA TECHSHOW 2019

As we write this, we are a week out from ABA TECHSHOW 2019, which author Simek had the honor of co-chairing along with our longtime friend Lincoln Mead.

There was a lot of conversation before, during and after TECHSHOW about the future of legal tech conferences, especially ABA TECHSHOW itself. Before the conference began, our friends Tom Mighell and Dennis Kennedy recorded a Legal Talk Network podcast on-site on the TECHSHOW EXPO floor discussing the future of legal tech conferences. You may listen to the podcast here.

During the conference, we talked at length with other members of the faculty, attendees and exhibitors about the future of ABA TECHSHOW.

After the conference, Bob Ambrogi wrote a thoughtful piece in Above the Law entitled “After 33 Years, The ABA TECHSHOW Remains Relevant and Essential”.

Let’s start with the Legal Talk Network podcast. Tom and Dennis attend a lot of conferences and noted that conferences should regularly try new things. Some conferences are responding to the desire for lower cost education by doing them online, but, as Dennis noted, you risk losing the attention of attendees who are at work and apt to be answering emails and doing other work while theoretically attending. He likes the idea of video conferences and collaborating with colleagues.

Brand new conferences have to struggle to get traction. Happily, that wasn’t a problem for TECHSHOW. After 33 years, TECHSHOW has an enviable brand.

Many conferences these days seem focused on innovation, but as Tom points out, there are always lawyers who need training in the fundamentals of using Microsoft Word and other core software applications. They are not yet thinking about artificial intelligence or blockchain and the practice of law. But of course some people are more advanced and want different conference sessions so TECHSHOW had to present a lot of diverse offerings.

Let’s face it, the large firms are primarily focused on LegalWeek. There you find the vendors who cater to large firms. Smaller firm lawyers stopped going to LegalWeek because it didn’t feel like “their place.” It was seen more as a networking event for the larger firms. Besides, New York is really expensive for solo/small firm lawyers.

ILTA is a terrific conference, but more geared to the technical folks in law firms than the practicing lawyers.

TECHSHOW educates on practical legal technology but also focuses on the future of law practice. Every year, it works to stay relevant and hip, targeting different audiences and the ever-changing needs of lawyers. As an example, Wellness and Future Proofing tracks made an appearance this year.

Though both Tom and Dennis like conferences where there is a lot of interaction, they acknowledge that they tend to be smaller conferences. Big conferences, by necessity, have to stay at a fairly high level. There is no way you can become an expert in blockchain in one hour, but you may absorb the basics and be able to follow up on more specifics post-conference through reading, webinars, etc.

As Tom notes, you’ll never satisfy 100% of the people, which is why the TECHSHOW Planning Board pays careful attention to evaluations to see which subjects, speakers and events resonated with the audience.

Without question, TECHSHOW attendees struggle with so many educational tracks, often finding that there are multiple sessions at the same time that they wish they could attend. That’s a good problem to have in many ways. You get the written materials and the PowerPoints for every session and you can look for webinars after the conference if you want to pursue a particular topic.

Sometimes, TECHSHOW doesn’t ask for CLE credit for a session but finds that there is good attendance anyway because the topic is so compelling. TECHSHOW has experimented with communities of lawyers in the same area of practice or interested in particular legal tech topics, which offers more in the way of networking opportunities. Its Academic Track has recently grown very popular. Attracting attendees from additional diverse areas of law (e.g. law students and educators) was a conscious decision of the Planning Board, which this year doubled the Academic Track to a full two days.

As a large conference, TECHSHOW works to make sure there are social events to meet people, including receptions, Taste of TECHSHOW dinners, Yoga, a 5K run and other social events. It now has Start-up Alley showcasing new legal tech products and services (hat tip to Bob Ambrogi for moderating the opening-night startup pitch competition). It has the Law Practice book booth. The EXPO Hall is an education in and of itself. TECHSHOW is famous for its open and inviting speakers – faculty members are well known for being receptive to conversations outside of sessions. And we have the “On the Road” podcast reporting from Legal Talk Network available during and after the conference, another fantastic addition to traditional conference education.

As Bob Ambrogi noted in his article, TECHSHOW’s challenge is to attract savvy legal tech lawyers who are chasing the future as well as newbies who need rudimentary technology training – and everyone in between. It certainly pleased us that Bob thought that TECHSHOW achieved the right balance this year.

Cost is always a consideration when planning a conference. Striking a balance of delivering relevant quality content for an affordable price to attendees is always on the minds of conference planners. TECHSHOW couldn’t achieve such success without the sponsorship and participation of all the vendors. This year there were 75 first time vendors to TECHSHOW and the EXPO continues to expand each year.

Of course, one of our favorite parts of TECHSHOW is that we get to visit with so many of our Canadian friends – and we’re always happy to make more Canadian friends – so mark your calendars for ABA TECHSHOW 2020 on February 26-29!

Making It Rain: Effective Lawyer Marketing in the Digital Era

“We don’t believe in digital marketing. We believe in marketing in a digital world.” – Clive Sirkin, CMO of Kimberly Clark

And a digital world it is. We live in a world where three year olds have their own tablets (and operate them quite expertly, thank you very much) and people can work on a project across the globe from their kitchen table in their pajamas. While it is an exciting time, it is also a very challenging time to reach people and to stand out effectively in the crowd. Understanding Mr. Sirkin’s quote is a great first step. The basics of marketing have not changed (networking, creating/maintaining client relationships, word of mouth, etc), but the world in which we market has. It’s a fast-paced, ever-evolving digital world and lawyers must stay vigilant, educated, creative, and honest to stay in the game.

The Basics

At the very least, every lawyer and firm should have a website and email address. And NOT an AOL or Gmail address. These days, you must have an email address with your own domain to appear credible to potential clients. The website should look professional (no cheesy clip art, no gavels or scales of justice) and give clear information on who you are and what you do. It should also have an easy way to contact you. There are tons of options for website hosts these days that are affordable and user-friendly, so there really is no excuse for firms not to have one.

While a website is a basic step, it is an imperative one. Your website will serve as your cornerstone in the digital world. It will either be the first thing potential clients will see as they search for a service online or it will be where they come back to after seeing something on social media (yes, we will get to that). Your website can make or break the transition from potential client to actual client. If you don’t know about Search Engine Optimization (SEO), you have two choices – hire someone who does or invest a good chunk of time to bring yourself up to speed.

Social Media

Now we enter the overwhelming world of social media. There are so many different social media sites to choose from and they all have different layouts, themes, focuses, etc. One commonality is that they are an essential tool for marketing in a digital world. You as a lawyer and/or your firm (preferably both) need to be on social media. You can make a personal and company page on most social media sites and it’s highly recommended that you do so (if you have not already). Your presence on these sites will increase your digital footprint and allow for more opportunities for a potential client to contact you and your firm.

With all of the choices out there, it is important to find the right venues for you and your firm. Instagram is all about pictures, YouTube is all videos, LinkedIn is heavily focused on professional connections, Twitter is lightning speed news and information sharing, while Facebook is all of the above. These are all great places for potential clients to get a first glimpse, not to mention see reviews, read conversations and articles you post, and get to know you. However, whichever sites you choose, you must have a plan to stay active on those accounts. Be sure to share your own material, but also interact with others by commenting, liking, sharing/retweeting, and tagging. Having a page (or multiple pages) is great, but you must be an active participant for this effort to be effective. Perhaps dedicate a small portion of your day, 20 minutes or so, to this form of marketing.

Remember, quality over quantity is key. While posting more frequently can help to get your firm more “hits”, these hits don’t usually convert to leads or business all that often. It’s the quality of a post or content that will take your efforts further and convince people to share your work or contact your firm. This also holds true for the number of followers you have. It’s easy to be discouraged if you only have a few hundred followers while other firms or businesses have thousands. Keep in mind, users can buy followers or many of those followers could be bots or inactive accounts. If you are having great conversations and making new contacts on your social media sites, then you are doing quality work.

If you are a solo lawyer or small firm worried about having the time to do this, there are social media managers out there like Hootsuite or Buffer. However, these are frowned upon by marketing experts since these managers cannot customize posts for each platform (they are not human). These managers also cannot converse with followers or share posts, which are important elements of a successful social media presence. But for a lawyer in a pinch, social media managers as a digital tool can be very helpful. Wait, did someone say digital tool?

Digital Tools

So you have your website, email, and you are on social media. Now what? All of these steps will help your organic reach out in the digital world, but if you want to increase your reach and up your SEO there are tools out there to help. The list of options is long, so here are just a few top contenders for you to consider.

First, videos are arguably the most popular form of content online right now. While an adorable dog howling “I love you” may be what you are thinking of, lawyers can use videos too in order to set themselves apart. For instance, videos are a great way to newsjack. Newsjacking is “the practice of taking advantage of current events or news stories in such a way as to promote or advertise one’s product or brand.” Many times, news stories are lacking the legal perspective of a situation, so if you can be the person to give it, you can attract great attention. You could do this in blogs or articles as well, but videos are a great way to get news out there quickly. You could use FB live, Periscope (Twitter), Instagram Stories, YouTube, etc. to do these videos. Newsjacking is just one example of effectively using videos, but there are many others. How-to videos, newsletter videos, customer references, and short, concise interviews can be beneficial as well.

Next, we’ve all heard the phrase “there’s an app for that” and well, it’s true. All of the above mentioned social media and video streaming options are themselves apps or they have apps. There are scheduling apps, fitness apps, note-taking apps, communication apps, weather apps… you get the idea. The list is endless. Some law firms have created and customized their own apps. Now that is a little extreme, and beyond the financial reach of most small firms, but it gives you an idea of the possibilities. Just as with social media, you need to find the apps that work for you and your firm. Want to make your photos look nicer? Get a photo editor app. Need to organize your contacts and leads better? Download an app for that. Just make sure the apps you want are made by reputable companies and have good reviews before you download them. If you end up downloading an app that your phone or computer software then identifies as a “low reputation” app, uninstall it and look again!

Last but not least are online advertisements. The days of billboards and park bench signs are dwindling. Today, you can run ads on Google, any social media venue, blogs, news sites, etc. You can customize these ads to target certain keyword searches or audience demographics. Facebook even has a specific “lead generator” ad you can run. Now lawyers may see dollar signs when they hear the word “advertisement”, but online ads don’t necessarily have to be expensive. Of course, the more money you can spend on them, the better, but you can still push out a great ad and not break the bank. It may take a little time to find the most beneficial venue and advertisement for your firm, but your time will be well invested.

Test, Track, Analyze

None of the above-mentioned techniques or venues are worth anything unless you test, track, and analyze your marketing efforts. Testing, tracking and analyzing results is marketing 101 and as we established at the beginning of this article, we still need to implement basic marketing strategies… we are just doing it in a digital era now.

Luckily, tracking is fairly easy these days thanks to tools like Google Analytics. You can track all the activity on your website – where did a user come from? Which page(s) did they visit? How long did they stay? Every social media site has an “Analytics” tab or section for you to view how well posts performed, how many “likes” you received, how many new followers you gained, etc. Any ad you run online should have a report to access at the end of your campaign. So the “how” is easy, but the difficult part is the “doing.” Lawyers must track these results in order to see what is working and what may need to be improved or stopped. Without this critical step, all of your marketing efforts are for naught because you are not measuring your return on investment (ROI) with respect to both money and time.

It’s also important to remember that trying something new, testing it out, tracking and analyzing it to conclude that it does/did not work does not mean it is a complete failure. In the legal world, where lawyers either win or lose cases and have definitive lines of success versus failure, it’s easy for them to feel defeated when something does not work out exactly as they were hoping. Mistakes are learning tools. You know that test did not work, so move on and tweak it or try something new. “Rome wasn’t built in a day” and neither was any effective marketing strategy!

Human Connection

If there is one point you take away from this article, let it be this… humans need human connection. The most effective marketing strategies in the digital era will involve strong human connections. In a world where everything is becoming more and more automated and digital, these primal connections will become increasingly important.

So what does this mean for lawyers and marketing? Let people know why you are practicing law. What drives you? Show your human side on social media – do you have hobbies? Favorite recipes you can share? Are you a member of charitable organizations? There are so many different ways you can reach people and make connections by just being you. As in all things digital, be careful not to overshare – common sense will guide you.

Where does honesty come into play? Do not push a persona that is not you because you think it is more marketable. You need to be able to live up to the expectations you set online. Being someone’s lawyer is both a professional and a personal relationship, so why not give potential clients a preview of who they are hiring? And never forsake any connection, unless they prove problematic in some way. You may connect with someone who does not need a lawyer at the time, but that may change or they may end up recommending you to a friend who needs legal assistance. Jayson Gaignard, a Canadian entrepreneur & networking specialist, said, “…in today’s day and age we are drowning in contacts, but we are starving for connection.” If you can build that bridge from contact to connection, you will foster and maintain very meaningful and beneficial relationships for you and your practice.

What Works for Us?

As stated previously, finding what marketing efforts work for your law practice will take some trial and error. We have been at this a while now and while we are not a law firm, our findings and best practices could be beneficial to lawyers and law firms. One of our most popular marketing and networking items is Sensei Sherlock. He is a stuffed Scooby Doo (dressed as Sherlock Holmes) that we take with us when we give presentations or travel for work. We take pictures of him at various events and with various people. Then we post these pictures on our social media accounts and on our website. We make sure to tag the person/people in the photo and/or link to their company/firm. We have had great networking and human connection successes from this! People eagerly request to have their picture taken with him now.

Other popular social media posts involve eye-catching photos or headlines, happenings around our office (employee promotion, decorating contests, etc.), and funny technology themed comics. We also see greater reach and engagement numbers when our employees (particularly, our President) share posts from our company page to their personal pages. This is extremely helpful especially if you have an employee with a large number of followers – the more eyes on posts, the better!

Sensei also produces blog posts, podcasts, and articles (like this one) that aid in our marketing efforts. These help in getting our name out there and often lead to contacts from the media or prospective clients. We push these out on social media as well and tag, link to whomever we can. People are very grateful to see themselves tagged, linked to, etc. As you can see, everything we do goes on social media.

While we have experienced positive returns on most of our efforts, not everything is a success. We are constantly tracking and experimenting with changing features or new ideas. Something may work for a while and then suddenly not work, so we have to stay alert and be ready to switch directions if needed. Luckily, we have a great marketing team that keeps the ship on course!

A Word of Warning & Conclusion

We would be remiss not to warn lawyers of the possible perils of a large digital footprint. The more information you put out on the internet, the more susceptible you are to cybercriminals doing their best to steal your data (among other things). In this case, make sure you use well-reviewed, secure apps, don’t overshare on social media, and give out only work contact information. Be sure to take steps to keep yourself, your firm, and your clients safe online.

In conclusion, the basic principles of marketing have not changed much over the years but the mediums have evolved at dizzying rates. Do your best to keep up with the changes, educate yourself, come up with creative ways to stand out, stay safe, and be authentic! There is a pot of gold at the end of the marketing rainbow!

Electronic Frontier Foundation Takes on Online Speech Moderation With TOSsed Out

The Electronic Frontier Foundation (EFF) announced on May 20th that it had launched TOSsed Out, a new iteration of EFF’s continuing work in tracking and documenting the ways that Terms of Service (TOS) and other speech moderating rules are unevenly applied to people by online services. Sometimes, posts are deleted. Sometimes accounts are banned. For many people, the internet represents an irreplaceable forum to express their ideas, communicate with others, etc.

We have long been fans of the EFF and were delighted to hear that cybersecurity guru Bruce Schneier is leaving IBM, in part to focus on teaching cybersecurity to the next generation but in part to focus on his role as a public interest cybersecurity specialist. Since he is already on the board of the EFF, he is in a great position to be of help.

But back to TOSsed Out, which follows in the path of Onlinecensorship.org, which EFF launched in 2014 to collect reports from users in an effort to encourage social media companies to operate with greater transparency and accountability as they regulate speech. TOSsed Out will focus on the ways that people are negatively affected by these rules and their erratic enforcement.

Commercial content moderation practices negatively affect lots of folks, especially people who are marginalized. This ranges from black women who share their experiences of racism to sex educators whose content is deemed too explicit. TOSsed Out’s mission is to show that trying to censor social media ends up removing legal, protected speech.

You can find the TOSsed Out website at https://www.eff.org/tossedout. It provides some examples of online content moderation gone astray – with future examples to be added. The EFF is attempting to make clear the need for companies to embrace the Santa Clara Principles which it created to establish a human rights framework for online speech moderation, require transparency about content removal, and specify appeals processes to help users get their content back online. Those are all good objectives and we support the Principles. As of June 2019, three of the largest internet platforms—YouTube, Facebook, and Twitter—began to implement the recommendations outlined in the Principles.

There has, however, been a movement to apply the First Amendment to private companies in spite of the fact that it applies only to governmental speech. Of course, it makes perfect sense that Facebook pages and Twitter accounts, which are made public forums by politicians, are subject to the First Amendment. By way of example, see Knight First Amendment Institute v. Trump, in which the court ruled that the President could not block followers who expressed opposing points of view – note that the case is on appeal and was argued on March 26, 2019 in the U.S. Court of Appeals for the 2nd Circuit.

It is true that we now live in a world where private social media entities can limit, control and censor speech as much or more than governmental entities. There has been a growing number of people advocating that the First Amendment should be extended to cover these entities.

The new thesis is that when private actors have control over online communications and online forums, they are analogous to a governmental actor. The notion is that the U.S. Supreme Court should relax the state action doctrine and interpret the First Amendment to limit the “unreasonably restrictive and oppressive conduct” by private entities, such as social media entities, that censor freedom of expression.

Some conservatives believe that the majority of tech entrepreneurs are liberal. They ask: Do their algorithms, which search for and remove objectionable content, contain biases?

But extending the First Amendment to private businesses is controversial and does not seem to be a majority position. These businesses have discretion over the content they wish to promote or forbid.

In any event, one hurdle to applying the First Amendment to social media companies, mentioned above, is the state action doctrine, a key concept in constitutional law. This was examined in the April 2019 ABA Journal, which noted the U.S. Supreme Court explained in the Civil Rights Cases (1883) that the 14th Amendment limits “state action” and not “individual invasion of individual rights.” Translated, this means that the Constitution and the Bill of Rights limit the actions of governmental actors, not private actors.

Just last year, a federal district court in Texas affirmed that traditional view, ruling in Nyabwa v. Facebook that a private individual could not maintain a free speech lawsuit against Facebook, stating that “the First Amendment governs only governmental limitations on speech.”

Most legal experts view it as unlikely that social media platforms will be held to First Amendment constraints, believing that no court could see these platforms as being fully state actors subject to the First Amendment.

Most social media forbids hate speech that offends or attacks people on the basis of race, ethnicity, national origin, religion, gender, sexual orientation, disability, disease or other traits. Social media companies are very cognizant of the controversy surrounding their policies. Let’s look at Facebook, the big kahuna of social media. Facebook is certainly trying, especially recently, to establish a balance between freedom of speech and unacceptable speech.

On its community standards page (https://www.facebook.com/communitystandards/), Facebook acknowledges that striking a balance is an ever-evolving effort.

Twitter has a Hateful Content Policy which may be found at https://help.twitter.com/en/rules-and-policies/hateful-conduct-policy. Its general guidelines and policies may be found at https://help.twitter.com/en/rules-and-policies#general-policies.

Legally speaking, social media companies are not compelled to do anything about hate speech. 72% of respondents to a June 2018 Pew Research Center survey believe that social media platforms actively censor political views that those companies find objectionable (https://www.pewinternet.org/2018/06/28/public-attitudes-toward-technology-companies/).

There is increasing pressure on social media to stamp out hate speech. A lot of that pressure comes from advertisers who do not want to be affiliated with a platform that allows it.

Facebook (which owns Instagram, SnapChat and WhatsApp), Twitter and YouTube have hired thousands of new moderators to filter out content in violation of their standards. Moderators are inconsistent. There are Facebook users whose posts on racial issues were deleted by Facebook but white friends, when posting the same posts, did not have their posts deleted.

The Silicon Valley mindset is that every problem can be solved by algorithms – the current thinking is that the solution is at hand but they just haven’t gotten it quite right yet.

Social media and other providers are now thinking about the broader social impact of their platforms and the possibility that they might be regulated if they don’t act.

For those interested in this subject, on March 27, 2019, the Congressional Research Service released a report entitled Free Speech and the Regulation of Social Media Content (https://fas.org/sgp/crs/misc/R45650.pdf), a 43-page document which takes an extensive look at some of the issues we have raised.

Facebook and YouTube are currently in a dither about what to do with deepfake videos which are getting harder and harder to detect as the technology improves. Furthermore, on June 5, 2019, YouTube announced plans to remove thousands of videos and channels that advocate neo-Nazism, white supremacy and other bigoted ideologies in an attempt to clean up extremism and hate speech.

The new policy will ban “videos alleging that a group is superior in order to justify discrimination, segregation or exclusion,” the company said. The prohibition will also cover videos denying that violent events, like the mass shooting at Sandy Hook Elementary School in Connecticut, took place. This is sure to reignite the debate about whether the First Amendment should be extended to private companies.

People rely on internet platforms to share experiences and build communities, and not everyone has good alternatives to speak out or stay in touch when a tech company censors or bans them. Rules need to be clear, processes need to be transparent, and appeals need to be accessible.

Amen to all of that. But regulation may not be the answer and it may present its own dangers. It is currently a sea of confusion with no clear channel markers in sight.

Using Multi-Factor Authentication Blocks 99.9% of Account Takeover Attacks


It was big news in late August when Microsoft said that users who enable multi-factor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks. This doesn’t apply just to Microsoft accounts. It applies to any other account on any website or online service.

Today, virtually all service providers support multi-factor authentication, and in most cases, there is no charge. It can be something as simple as SMS-based one-time passwords or advanced biometrics solutions.

“Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA,” said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft.

Weinert said that old advice like “never use a password that has ever been seen in a breach” or “use really long passwords” doesn’t really help.

Weinert should know – his credentials are impressive. He was one of the Microsoft engineers who worked to ban passwords that became part of public breach lists from Microsoft’s Account and Azure AD systems back in 2016. As a result of his work, Microsoft users who were using or tried to use a password that was compromised in a previous data breach were told to change their credentials. These days, many providers will not allow you to use a password that is known to have been compromised. So much for the ever-popular “123456.”

However, Weinert said that despite blocking leaked credentials or simplistic passwords, hackers continued to compromise Microsoft accounts. Why? Because today’s passwords or their complexity don’t really matter anymore. Hackers have many different methods that they use to get users’ credentials.

With over 300 million fraudulent sign-in attempts targeting Microsoft cloud services every day, Weinert says that enabling a multi-factor authentication solution blocks 99.9% of these unauthorized login attempts, even if hackers have a copy of a user’s current password. Now that’s impressive.

The 0.1% number accounts for more sophisticated attacks that use technical solutions for capturing MFA tokens, but these attacks are still extremely rare compared to the daily grinding of credential stuffing botnets. What most lawyers fail to realize is how automated these attacks have become.

Microsoft’s claim that using MFA blocks 99.9% of automated account takeover (ATO) attacks isn’t the first of its kind. In May, Google said that users who added a recovery phone number to their accounts (and thus indirectly enabled SMS-based MFA) were also improving their account security.

“Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation,” Google said at the time.

We get it – lawyers perennially want convenience over security – they are loath to spend a precious few seconds enabling a second layer of security. We believe that many lawyers think they will have to employ multi-factor authentication every time they log in somewhere. Not necessarily true. In most cases, you can request that your provider remember your device (phone, laptop, etc.). It is only when someone tries to log on from an unknown device that you would, for instance, have to enter a code texted to your phone.

Think about it. If an unknown device is trying to access one of your accounts, you want very much to know about that and have a method of stopping it. That’s what MFA gives you – peace of mind.

And consider this: When both Google and Microsoft are recommending the same thing, it’s probably a good time to start following their advice.

The ABA Reports on Lawyer Websites and Lawyer Marketing


We always look forward to the ABA Legal Technology Resource Center’s Annual Legal Technology Survey Report on the use of technology in the legal profession. The summary of the “Marketing and Communication” portion of the 2019 survey was recently published. It was written by our good friend Allison Shields and contains some fascinating (and worrisome) statistics.

Respondents to the 2019 Survey segment covering websites and law firm marketing were mostly solos or from smaller firms, consisting of 27% solos, 29% lawyers in firms of 2-9 lawyers, 18% from firms of 10-49 lawyers, 11% from firms of between 100-499 lawyers, 10% from firms with 500+ lawyers, and 5% from firms with 50-99 lawyers. The average age of respondents was 58 years old, with 55% of respondents identifying as 60+ years old, and another 24% between 50-59 years old. Wow, the graying of the profession is noteworthy – or do younger lawyers not participate in surveys?

The summary focuses on marketing and website trends mainly among firms with fewer than 50 lawyers. We think the survey is troubling in that it seems that many solo and small firm attorneys engage in “random acts of marketing” rather than having a cohesive marketing plan.

According to the 2019 Survey, only 47% of firms overall have a marketing budget. The largest firms are the most likely to report having such a budget (94% of those from firms of 100+ lawyers), and 61% from firms of 10-49 lawyers. However, only 31% of firms from 2-9 lawyers and 17% of solo respondents have firm marketing budgets.

From our foxhole, these stats are pretty much reflective of what we see in the real world. Solos and small firm lawyers struggle to keep their fundamental technology “semi” up-to-date. Their revenues just don’t seem to permit the luxury of having a marketing budget.

The leading channels for marketing across all firm sizes are email (41%), Facebook (30%), and direct mail (19%). Fewer than 15% of respondents overall report their firms use Avvo, Findlaw, Lawyers.com, or the Yellow Pages to market their practices; however, 25% of solos report using Avvo.

Frankly, we think Avvo may have peaked. It will be interesting to see next year’s numbers. Consistently, solo and small firm lawyers have reported aggressive marketing by Avvo which may contribute to the number of lawyers using it.

Solos most often use email (40%) for their marketing, followed by Facebook (26%) and Avvo (25%). Facebook was the most popular for lawyers from firms of 2-9 lawyers at 39%, followed by print at 33%. In firms of 10-49 lawyers, respondents reported using email most often (47%), followed by print (41%). LinkedIn was not included as one of the channels in this survey question, which we find odd. When we poll audiences, LinkedIn is frequently mentioned as a valuable marketing tool.

Only 57% of solos have a firm website, while over 90% of respondents in all other firm sizes report having a firm website. This is disturbing in a time when prospective clients are often searching online (via their computer or smartphone). Of those solos who do have a website, we think it’s a good bet that many of those websites are not optimized for mobile device display, which is all but required in today’s world.

Although most firms report they have not used video in their marketing, the numbers show an increase in the adoption of video. 26% of respondents said their firms use video as part of their marketing, and 65% have not yet adopted video marketing. Naturally, the largest firms (100+ attorneys) are most likely to use video – but then of course they have the budget for it. Only 4% of solos use video – and the quality tends to be low among smaller firms.

30% reported this year that their firm has a blog. Only 9% of solos have a blog. Our guess is only the big firms (in general) tend to have regular posts. There are many, many legal blogs where the last post was made months ago – not a good reflection on the firm. The survey reports that 56% update their blogs monthly and 18% update it weekly. 21% have stopped updating their blog completely and some have others do their blog posts for them.

80% of firms have a presence on social media. LinkedIn leads at 79%, followed by Facebook (54%), Martindale (38%), and Avvo (23%). Reported use of Facebook and Avvo has declined over the past year; in 2018, 63% of respondents reported their firms maintained a Facebook presence, and 36% maintained a presence on Avvo.

80% of respondents use social media themselves for professional purposes, including 67% of solos, 83% of lawyers in firms of 2-9 lawyers, and 86% of lawyers in firms with 10-49 lawyers. LinkedIn is the leading platform – 73% of all respondents maintain a LinkedIn presence.

Overall, only 39% of respondents who participate in social media report using Facebook (that’s a significant drop from 47% in 2018). Solos and small firm lawyers use Facebook for professional purposes more often than lawyers in larger firms; 50% of solos and 48% of lawyers in firms with 2-9 lawyers report using the platform, as compared with only 26% of lawyers in firms with 10-49 lawyers.

Just 28% of respondents report using Twitter, including 31% of lawyers from firms between 10-49 lawyers, 28% of lawyers in firms with 2-9 lawyers, and only 19% of solos reported using the platform.

“Handling” marketing still lies largely with the attorneys themselves. 59% of respondents, including 60% of solos, said attorneys perform these functions within the firm. Only 31% of firms overall have internal marketing staff, and 17% use outside consultants, while 16% report that administrative staff performs marketing functions for the firm. 13% of respondents say “no one” is responsible for marketing in their firms, including 30% of solos and 13% of respondents in firms of 2-9 lawyers.

Only 7% of all respondents indicated that their firms were using AdWords (that certainly proved to be pouring money down a rathole for us). Overall, 59% of respondents report that their firms do not use a consultant for SEO, AdWords/PPC (Pay Per Click), or social media.

Why do lawyers blog and use social media? Pretty much the same answers – 67% said they did these things for career development and networking and 49% said for client development. Thirty-eight percent of respondents say they have access to analytics or reports to monitor the effectiveness of their website or blog. 41% do not have such access and 21% do not know. Our own experience with clients is that very few monitor the SEO effectiveness of their blog or website, especially at the solo/small firm level.

Of those respondents who report maintaining a legal topic blog, 49% have gotten clients as a result of blogging and another 34% do not know whether they have gotten a client or not. Of those who used social media for professional purposes this year, 31% report having gotten clients as a result, 44% say they did not, and 24% did not know. Solos (35%) and lawyers from firms of 2-9 lawyers (34%) were the most likely to report having gotten clients through social media, followed by lawyers from firms of 10-49 lawyers (28%) and firms of 100+ lawyers (29%). Only 3% of Twitter users reported getting clients from their use of Twitter.

Overall, across all firm sizes, on a scale of 1 (not at all confident) to 5 (very confident), respondents placed their level of confidence in their firm’s marketing efforts at 2.9. We would have said that the confidence level is lower than that!

It amazes us how many people leave marketing to others. We suppose time constraints are one huge reason. The outsourced efforts often seem to falter without attorneys closely managing them – which of course defeats part of the purpose of outsourcing. And firms are just terrible at tracking the return on their investment of both time and money.

In a highly competitive marketplace, solos and small firms have a long way to go, a fact underscored in the survey. We recommend that law firms schedule regular marketing meetings and develop a cohesive plan – and then follow it. We flounder ourselves now and again when the workload is overwhelming, so we understand how hard it is to keep one’s nose to the ground – but organized marketing always pays off!

The Intersection of Ethics and Well-Being


ABA RESOLUTION 105

The ABA House of Delegates adopted Resolution 105 at the 2018 ABA Midyear Meeting. The resolution supports the goal of reducing mental health and substance use disorders and improving the well-being of lawyers, judges and law students. It urges stakeholders within the legal profession to consider the recommendations set out in The Path to Lawyer Well-Being: Practical Recommendations for Positive Change. The pursuit of lawyer wellness has spread rapidly through law firms, bar associations, state bars and state supreme courts.

The National Task Force on Lawyer Well-Being, assembled in August 2016 to “create a movement toward improving the health and well-being of the legal profession,” defines lawyer well-being as a “continuous process whereby lawyers seek to thrive in each of the following areas: emotional health, occupational pursuits, creative or intellectual endeavors, sense of spirituality or greater purpose in life, physical health, and social connections.”

The Task Force’s recommendations in their report entitled The Path to Lawyer Well-Being: Practical Recommendations for Positive Change, published in August 2017, focus on five central themes:

(1) identifying stakeholders and the role each of us can play in reducing the level of toxicity in our profession,

(2) eliminating the stigma associated with help-seeking behaviors,

(3) emphasizing that well-being is an indispensable part of a lawyer’s duty of competence,

(4) educating lawyers, judges, and law students on lawyer well-being issues, and

(5) taking small, incremental steps to change how law is practiced and how lawyers are regulated to instill greater well-being in the profession.

The authors have monitored many of these developments – and now teach several CLEs related to lawyer wellness. We applaud the actions taken to date – and there is still so much to be done. We decided to write an article that highlights some of the developments since Resolution 105 was adopted, including several sad stories that have shaken the legal profession.

THE DEATH OF PAUL RAWLINSON

On April 16, 2019, The ABA Journal carried a story about the death of Baker McKenzie’s global chairman Paul Rawlinson. He had died four days earlier, six months after he took a temporary leave to deal with health issues caused by exhaustion. He was 56 years old at the time of his death.

When he took the leave, his firm was struggling with an inquiry into the firm’s handling of sexual harassment complaints and internal disagreement over associate pay. The firm at that time had 78 offices and nearly 5,000 attorneys. Reportedly, Rawlinson had visited more than half of those offices.

The exact cause of death was not released, but his death spurred the growing concern about lawyer wellness and the systematic pressures placed on many lawyers, especially at large law firms – and most especially those who lead those firms.

We do not suggest that Rawlinson’s wellness issues resulted in unethical behavior of any kind. It was simply a crushing and disturbing story, suggesting that a lawyer’s exhaustion could lead to their death. One thing we wondered – and still wonder – was whether there was a culture of wellness at Baker McKenzie and whether his colleagues had reason to suspect how unwell he really was. Have we, as a profession, become impervious to the symptoms of extreme stress on our colleagues?

THE SUICIDE OF GABE MACCONAILL

Attorney Gabe MacConaill, a 42-year-old partner at Sidley Austin, committed suicide on October 14, 2018. His widow, Joanna Litt, wrote an open letter saying that “Big Law killed my husband.”

In this case, there were signals – episodic binge drinking, the departure of several close friends at the firm which created more pressure on him, a new position chairing the summer associate program, and then a huge bankruptcy case.

He became visibly stressed, anxious and wasn’t sleeping. When his wife called his closest colleague, she said he was working more and more with his door closed – and that his sense of humor had been gone for a while.

He told his wife that he felt like a phony who had fooled others about his abilities as a lawyer and he thought he would be fired at the end of the bankruptcy case. He worked himself to exhaustion, going to an ER with cardiac symptoms, but when early indications were that his health problems might be due to dehydration, he left the hospital without seeing a doctor so he could return to work.

His wife arranged a mobile IV to come to their home and give him fluids. He then flew to Delaware to file the bankruptcy case.

Here, ethics entered the situation because, as his wife found out later, he had stopped responding to work emails when he returned home to LA. Every lawyer reading that sentence knows how close someone must be to the edge of the precipice when they stop responding to work emails in the midst of a high value case.

On the last morning of his life, he kissed his wife goodbye, took his gun with him, and shot himself in the head in the garage of the firm’s high-rise office building.

His wife said that he set impossibly high standards for himself, that he was a “maladaptive perfectionist” who lacked self-compassion. He said he couldn’t “turn off his head.”

She said, “He had a deep, hereditary mental health disorder and lacked essential coping mechanisms. But these influences, coupled with a high-pressure job and a culture where it’s shameful to ask for help, shameful to be vulnerable and shameful not to be perfect, created a perfect storm.”

Remember that these are the words of a grieving widow. The description of the law firm is certainly accusatory and we cannot know how much is an accurate depiction.

Sidley Austin told the press that the firm handled the situation well, and that it was MacConaill’s responsibility to come forward and ask for help when he was overwhelmed. The firm has a wellness program, but an anonymous source at the firm told Financial Times that folks at Sidley aren’t comfortable using it. The source said “There is not a culture or feeling of safety right now in that set of offices. You can have resources in place, but unless you have the right culture, people aren’t going to feel safe using them or approaching someone to ask for help.”

That assessment, if true, certainly cries out for remediation.

THE STRESS OF PRACTICING LAW TODAY

Clearly, the personal stories above had a profound impact on the authors. Author Nelson, a former president of the Virginia State Bar, worked on the VSB’s Special Committee on Lawyer Well-Being, chaired by then VSB President Len Heath, and was one of the many authors who worked on its May 2019 report, “The Occupational Risks of the Practice of Law.” For anyone who works on such endeavors, what one learns often comes as something of a revelation.

The demands of being a lawyer can often hide substance or mental health issues and the high-achieving people who become lawyers often do not avail themselves of available resources to help them. There is a stigma attached to asking for help and a fear that one will seem “weak” or perhaps not worthy of rising within the firm.

The authors live in Virginia but frequently lecture across the nation. We have heard a lot of sad stories. After one CLE, a lawyer in another state called to ask for help because, as he said, “I just can’t practice law anymore.” It is amazing to think how many ethical rules he must have violated, because he flatly acknowledged that he wasn’t able to adequately do his work for his clients.

In his case, he was simply distracted by everything – he had lost the ability to focus. Everything distracted him – the turbulent politics of our time, sports, online games, social media. He could no longer keep his nose to the grindstone and get his work done. He was ignoring emails, missing deadlines, failing to call clients back or respond to their email – and very much afraid of getting in disciplinary trouble. Fortunately, there are confidential resources in his state and we were able to persuade him to contact those resources.

ATTORNEY IMPAIRMENT

The ABA, in conjunction with the Hazelden Betty Ford Foundation, funded a large study dealing with attorneys and substance abuse. The Journal of Addiction Medicine published “The Prevalence of Substance Use and Other Mental Health Concerns Among American Attorneys” in 2016. The study surveyed nearly 13,000 attorneys.

Some of the findings: 20.6 percent reported problematic drinking, 31.9 percent of them attorneys age 30 or younger.

Of those who used drugs, both legal and illegal, respondents reported using stimulants the most—74.1 percent. Additionally, of those who used drugs, 51.3 percent of respondents reported using sedatives, 46.8 percent tobacco, 31 percent used marijuana and 21.6 percent used opioids.

It should be noted that this study relied on the attorneys self-reporting. Only 3,419 lawyers out of 14,895 surveyed answered questions about drug use. Peter Krill, one of the authors of the study, remarked: “It’s left to speculation what motivated 75 percent of attorneys to skip over the section on drug use as if it wasn’t there.”

The most common mental health concerns were:

  • Anxiety, 61.1 percent.
  • Depression, 45.7 percent.
  • Social anxiety, 16.1 percent.
  • Attention deficit hyperactivity disorder, 12.5 percent.
  • Panic disorder, 8 percent.
  • Bipolar disorder, 2.4 percent.

How did those with alcohol and drug problems feel about getting treatment? The main concern, and it is huge, is confidentiality. Only 6.8 percent sought treatment and of those who did, only 21.8 percent went through a program designed for legal professionals.

ETHICAL MISSTEPS MAY INDICATE A PROBLEM

In many cases, the actions an attorney takes (or perhaps inactions) can lead to professional discipline or malpractice AND indicate the presence of mental illness or a substance use disorder.

Examples? An attorney could demonstrate a pattern of conduct – missed deadlines, missed appointments, last-minute requests for continuances, frequent absenteeism, failing to return client phone calls or respond to mail, co-mingling or inappropriately taking client trust funds, or making false representations. The attorney may also demonstrate behaviors at work that appear different from their prior functioning. For example, an attorney may become socially withdrawn, procrastinate, have unpredictable and frequent mood swings, demonstrate unwarranted anger or hostility, and seek to point the finger at others for personal failings.

Any of these behaviors may be the product of depression, anxiety, neurological dysfunction, gambling addiction and/or substance use disorder.

As indicated above, anxiety and depression are the two most common mental health problems affecting attorneys.

A depressed attorney may demonstrate low motivation, an absence of energy, fatigue, and difficulty concentrating. The attorney may take a long time to learn something new or to respond to client calls or answer mail. The attorney may not respond to important emails, mail, or phone calls out of panic or fear.

The lawyer may procrastinate and leave a job unfinished for someone else to complete, come into work late, leave early, or not come into the office at all for several days. They may file motions or briefs that omit important details because the attorney could not concentrate and could not remember specific information.

Work could be completed late, or not completed, and would likely contain major mistakes. If the lawyer’s supervisor gave negative feedback, the depressed attorney may respond with anger and irritability. To this attorney, everything would sound like criticism, resulting in angry responses or blaming others for mistakes.

If the supervisor asked the lawyer to redo something or to correct a problem, the lawyer might feel overwhelmed and too stressed to manage. This attorney’s ability to tolerate stress and cope with the everyday demands of clients, partners, opposing counsel, or judges becomes severely compromised to the point where the lawyer is unable to practice competently.

WHEN MUST A LAWYER WITHDRAW OR BE REMOVED FROM CLIENT REPRESENTATION?

Rule 1.16 (a)(2) prohibits a lawyer representing or continuing to represent a client where “the lawyer’s physical or mental condition materially impairs the lawyer’s ability to represent the client.”

In Formal Opinion 03-429 (Obligations with Respect to Mentally Impaired Lawyer in the Firm), the ABA Standing Committee on Ethics and Professional Responsibility writes, “Simply stated, mental impairment does not lessen a lawyer’s obligation to provide clients with competent representation.” The opinion does provide some direction: “[W]hen considering what must be done when confronted with evidence of a lawyer’s apparent mental disorder or substance abuse, it may be helpful for partners or supervising lawyers to consult with an experienced psychiatrist, psychologist, or other appropriately trained mental health professional.”

An initial referral generally includes consultation with a state Lawyer Assistance Program (LAP), which most states now have. Many programs are run by volunteers or other attorneys who are in recovery. LAPs differ widely in what services they can provide, so check to see what your state’s organization is able to offer. Some LAPs merely provide referrals to mental health professionals in the community, while others may have mental health professionals on staff. Most LAPs are not able to provide a fitness to practice evaluation. In those cases, a referral to a forensic psychologist will be needed.

It is very common for impaired attorneys to need a month of treatment, with further treatment thereafter.

These treatments often have good outcomes, with a combination of therapy and medications. This protects clients and the firm’s reputation and may save the lives of impaired lawyers. As we well know, the financial burden on a small firm may be significant – no hours billed and continuing to pay salary, benefits, etc. And of course, there is never a guarantee that the underlying impairment will be cured.

Sadly, sometimes a law firm must act. As the opinion says,

“If the mental impairment of a lawyer has resulted in a violation of the Model Rules, an obligation may exist to report the violation to the appropriate professional authority. If the firm removes the impaired lawyer in a matter, it may have an obligation to discuss with the client the circumstances surrounding the change of responsibility. If the impaired lawyer resigns or is removed from the firm, the firm may have disclosure obligations to clients who are considering whether to continue to use the firm or shift their relationship to the departed lawyer, but must be careful to limit any statements made to ones for which there is a factual foundation. The obligation to report a violation of the Model Rules by an impaired lawyer is not eliminated by departure of the impaired lawyer.”

PROMOTING LAWYER WELLNESS – BEGINNING TO ADDRESS THE PROBLEM

How do firms nurture lawyers and help them stay well? The answer to that is complicated, but it is refreshing to see that more and more firms are committed to finding a path that encourages lawyer wellness. Here is some of what we’ve seen:

  • Law firm physical fitness centers (greatly loved by lawyers)
  • Space for yoga or meditation
  • Non-alcohol events – or at least events where there is a choice of beverages
  • Training/education sessions/retreats about wellness, including stress reduction, meditation, self-care, team building, etc.
  • Policies which encourage employees to come forward for treatment without being afraid of losing their jobs
  • Setting a maximum for billable hours and lowering the minimum required
  • Special training for partners in creating a culture of wellness and how they can help
  • For larger firms, hiring a Director of Wellness has become common
  • To make sure lawyers are ready to come back to work and to perform competently, firms are requiring verification of participation in a treatment program and requiring that the lawyer commit to sticking with the program and agree to alcohol and drug screens where appropriate

PROMOTING LAWYER WELLNESS – EVOLVING STEPS TO ADDRESS THE PROBLEM

We did a little research on 2019 steps taken by law firms to address lawyer wellness. While some steps echo the beginning steps above, some are innovative.

Law firms, particularly large firms, are offering CLE wellness courses, bringing in speakers and also offering online resources to help with stress or substance abuse. The resources are often available via firm intranet or through custom apps.

Firms have offered clubs ranging from knitting to running and events like “bike to work week.” Reed Smith highlighted the connection between art and wellness and established a program encouraging its employees to create and exhibit art – as well as to view art in the firm’s offices around the world.

Firms are creating mocktails for retreats and functions – and they sound pretty appealing! New terminology and imagery are being employed. For Cooley, “cocktails and conversation” is no longer used – ditto for images of martini glasses and champagne flutes promoting events.

Unsurprisingly, there has been an emphasis on mindfulness and meditation, with firms offering training, guided meditation sessions, and subscriptions to meditation apps.

Employee assistance programs have bloomed, offering help for those with addiction problems, financial stress, relationship difficulties and other crises. Most programs are provided by a third-party vendor with interactions taking place via phone, video counseling, online chats or even face-to-face.

Some firms are bringing in counselors on a regular basis – and the sessions are confidential. This seems to be successful as appointments fill up quickly.

Knowing how helpful it can be to have symptoms of a colleague’s struggle recognized, some firms are providing mental health first aid training, making sure that staff, attorneys and managing partners know the symptoms of depression, anxiety and substance abuse.

There has been a sudden rash of hiring to fill a new position: Director of Well-Being. As you might imagine, this is more likely to happen at larger firms. As of June 2019, 11 of 40 large firms had someone exclusively working on a firm wellness program.

FINAL THOUGHTS

The National Task Force on Lawyer Well-Being concluded, in part: “To preserve the public’s trust and maintain our status as a self-regulating profession, we must truly become “our brothers’ and sisters’ keepers,” through a strong commitment to caring for the well-being of one another, as well as ourselves.”

As of August 2019, Bloomberg Law reported that 29 states have established working groups or task forces, and revised regulations related to continuing legal education (CLE) programming and to bar admissions. Virginia modified Rule 1.1 to add a comment specifically addressing lawyer well-being:

“[7] A lawyer’s mental, emotional, and physical well-being impacts the lawyer’s ability to represent clients and to make responsible choices in the practice of law. Maintaining the mental, emotional, and physical ability necessary for the representation of a client is an important aspect of maintaining competence to practice law.”

Systemic progress is happening. Still, it is legitimate to ask whether the efforts by law firms outlined above are “enough” or whether there is a real commitment to them. Let’s face it, billable hours have been the holy grail for a very long time. While skepticism is fair, we think firms recognize (maybe for the first time) the true extent and cost of impaired lawyers. That recognition, coupled with a commitment to provide effective and confidential help to lawyers in need of assistance, is a good sign of what we hope will be a long-term effort to make sure that lawyer wellness is a core concern of every law firm and legal entity.

 


96 Percent of Deepfake Videos Are Women Engaged in Sexual Acts

We’ve spent a lot of time worrying about the possible effect of deepfake videos on the 2020 election.

While that’s a real concern, we were blown away by the stats in a report from Deeptrace Labs. The most startling statistic was that 96% of fake videos across the internet are of women, mostly celebrities, whose images are used in sexual fantasy deepfakes without their consent.

Deeptrace Labs identified 14,678 deepfake videos across a number of streaming platforms and porn sites, a 100 percent increase over its previous measurement of 7,964 videos in December of 2018.

Sadly, we imagine we’ll see a surge in lawyers representing exploited celebrities whose publicity rights have been violated. Far worse, we are quite sure those women (and non-celebrities too) feel physically violated by these images. Revenge porn (targeting ex-girlfriends/wives) has also been taken to a whole new level with the use of deepfake videos.

The top four websites dedicated to hosting deepfakes received a combined 134 million views on such videos. There is, sadly, no absence of demand for these images.

There are places you go on the internet (I’m not going to give them publicity here) with a lineup of celebrities. Their faces move, smile and blink as you move around them. They are fully nude, waiting for you to decide what you’ll do to them as you peruse a menu of sex positions. Inevitably, because there is so much money to be made, the sex will be of all kinds, including rape.

We briefly watched a snippet from one of the videos. It was creepy and nauseating. To think that a real woman somewhere would have to cope with seeing herself manipulated by a user in this manner is horrific. And of course, those behind the videos will move to using children as well. Because they can and because there is a market. The full force of the law needs to stop revenge porn, the violation of publicity rights of celebrities, and the non-consensual use of anyone’s face in these videos. Where the laws are currently insufficient, we need new and stronger laws.

Most of the states have revenge porn laws of some kind, sometimes weak laws with minor penalties. The laws tend to assume postings by a vengeful ex-spouse or lover rather than a mass market for products capitalizing on the demand for celebrities in sexual deepfake videos.

Sharing deepfake revenge porn is now a specific crime in Virginia (effective July 1, 2019). We have not seen a study of whether current revenge porn laws fail to specifically criminalize deepfake revenge porn videos, but it is a good guess that many state laws are now inadequate. The federal government (we know you are shocked) has not been able to agree on a law outlawing revenge porn deepfakes.

How do we combat the spread of $50 apps like DeepNude (thankfully defunct as we write, but there will be others), which could undress women in a single click? DeepNude was trained on more than 10,000 images of nude women and would provide the undressed woman within 30 seconds—and of course the image could be shared to smear reputations (sending it to the woman’s employer or friends and family) or to post online as revenge porn.

Let’s hope our legislatures and the federal government pass laws with teeth to put a stop to this online debasement of women.

Double Whammy on Law Firms: COVID-19 and the Troubled Economy

When lawyers turned the calendar page to January 2020, they could not have dreamt of the two-fold nightmare that would descend upon the profession so quickly. A global pandemic and a tanking economy at the same time? We thought we had seen the end of hard times when we finally emerged from The Great Recession in 2009. Some of our lawyer friends still have lines of credit to pay down from that recession.

While government leaders say the economy will “come roaring back” or “I’ll bring the economy back,” most lawyers are skeptical, to say the least.

The New Normal

What have we seen so far? Beyond the fact that virtually all lawyers are working remotely, with some phased reopening in the works, we have seen dismal news.

Clio’s survey, released in May 2020, showed that during March, new legal matters were down more than 30% compared to the first five weeks of 2020 and down by more than 40% from the year’s highest weekly averages. Fifty-six percent of legal professionals say they have seen a serious reduction in the number of people asking for legal help, and 53% say they are significantly less busy.

Though understandable, 49% of companies say that if they had a legal issue now, they would probably delay getting legal help until the pandemic has receded.

Sixty-seven percent of lawyers are worried about the success (and even the survival) of their practice and 57% are worried about making a living over the next few months.

The survey found that 75% of legal professionals report higher levels of stress and anxiety, and nearly half are more worried about their finances than their health. Not all lawyers are in pain. The bankruptcy attorneys are doing just fine – and other areas of law practice have not yet seen a decline.

Eleven percent of firms say they have already laid off staff, the survey found. Another 15% expect layoffs in the next three to six months.

On May 8, LAW.COM published a report on actions taken by major law firms in response to the economic downturn. It was a slash and burn story which rapidly made its way around the listservs and social media.

Firm after firm reported some mixture of layoffs, furloughs, hiring freezes, pay cuts, reductions in partner distributions, freezes on discretionary expenses and suspension of summer associate programs.

Young lawyers are looking at a grim future. Those who are graduating this year and passing the bar will not likely find jobs and those who have been with firms for just a year or two are the most likely to be laid off or furloughed. Add to that the burden of their student loans and it is no wonder that they are so anxious.

Where Are We With Technology?

The Clio report says 69% of lawyers view technology as more important to their firm than before COVID-19. Cloud computing is now seen as a necessity for survival by 83%.

Will the way we practice law change? Two-thirds of lawyers believe it will. Shifting to law firm clients, 58% say that, at least for the next couple of months, they prefer meeting with a lawyer by videoconference rather than in person. Sixty-nine percent would prefer to work with a lawyer who shares documents electronically via a web page, app or online portal.

All of this is borne out by our own experiences. For years, lawyers have deferred (mostly because of cost considerations) upgrading their technology and cybersecurity enhancements. We have explained the importance of endpoint protection endlessly, but not until everyone was working remotely did that message hit home.

Cybercriminals, always sniffing the air for new opportunities, quickly realized that lawyers working at home were vulnerable, both because they were often using home machines (unprotected by their firm’s security) and using home networks, many of which were not secure. Everyone had to scramble to up their security game under this new working environment. Now everyone wanted endpoint protection – immediately.

Webinars we taught on “Working Remotely – and Securely” attracted hundreds of attendees, suddenly interested in recommended VPNs, ways to speed up home networks, video conferencing tools and their safe usage . . . the list of live questions was so long that we had to extend the webinars past their scheduled end times.

The Future Ain’t What It Used to Be

Yogi Berra’s words ring true more than ever for lawyers. In two months, we changed how we practice law more than we did in the last two decades. Virtually everyone now knows about e-notaries, how to prepare documents for electronic signature, how to videoconference with colleagues, clients and courts, how to deposit checks via a phone app – and that list just keeps growing . . .

We were struck by the recent words of Professor Richard Susskind, when he gave a virtual talk via Zoom for Harvard Law School to discuss his latest book, Online Courts and the Future of Justice. He talked about how we had grafted technology onto the way we had always practiced law, rather than fundamentally changing the way we practice law. But fundamental changes are now here in droves and we will not likely go back to the way law was practiced before this pandemic. As he said, what he has seen in the last several months probably means he needs to write a new book.

More than we ever thought possible, we are looking at how we practice law and how we can evolve in practicing law. Online court proceedings are still new, but rapidly becoming normal. There has been lots of lawyer resistance to online courts in the past – but it appears that more and more lawyers and judges are rethinking how we solve our disputes. Mediators have quickly glommed onto Zoom as a tool for conducting mediations. Will we ever go back fulltime to brick and mortar offices? As the Clio study referenced above demonstrates, two-thirds of lawyers believe the future has changed.

When we look back from a future that is hard to fully see at this moment, we may be astonished at how this topsy-turvy time advanced the practice of law.

Ten Cybersecurity Lessons Learned About Working From Home

The year 2020 will be remembered as the year that lawyers were catapulted into the future. As a result of COVID-19, the majority of law firms suddenly found themselves thrust into a work-from-home (WFH) environment. Some were prepared for working remotely, but many were not. We’ve helped a lot of lawyers transition to a different working environment by providing training and implementing new technologies in their practice. Along the way, we’ve learned some things about how lawyers have responded to the pandemic. Here are ten cybersecurity lessons we’ve learned about WFH.

  1. Home networks are 3.5 times more likely to have at least one family of malware than corporate networks. A study by BitSight analyzed data from 41,000 U.S. companies. The study found that 25% of devices (e.g. printers, computers, IoT devices, etc.) on a home network had services exposed to the internet. Another scary statistic is that “Nearly one in two organizations (45%) had one or more devices accessing its corporate network from a home network with at least one malware infection.” Ouch.
  2. Sharing the device you use for law firm work with family members is a bad idea. Devices used to access the law firm network and work on confidential client data should only be used for that purpose. Family members should not be using the same device even if there is a separate login ID and password for the device. If a family member inadvertently performs an action that allows the installation of malware, client data and law firm access could be compromised.
  3. Zoom is currently the choice of clients/potential clients. Teams, Webex, Zoom, and GoToMeeting are all good video conferencing platforms. The reality is that Zoom is the technology of choice for your current and potential clients. All the other platforms are playing catch-up to Zoom. Despite some early histrionic media reports, you can use Zoom securely for client communications.
  4. Make sure your confidential client conversations are kept private. Many of us are sharing working space in our homes. As a lawyer, you have an obligation to ensure that client conversations are private. That means having a separate room to conduct client conversations and consider using a headset too. You wouldn’t loudly discuss a client matter while commuting on the train so why would you allow family members to eavesdrop?
  5. Employee security awareness training is more important than ever. The WFH environment has put law firm employees into situations that carry different risks than when they were in the firm’s office. As item #1 in our list identifies, we need to be even more diligent with practicing safe computing. The cyber criminals know there are a lot of targets working from home using insecure home networks. Training employees to recognize the current cyber threats is an absolute must at this time.
  6. Have a Work-From-Home policy. If you don’t already have one, now would be a good time to develop a WFH policy. The policy serves to set employee expectations and what they should and shouldn’t do. Specific technology requirements may be part of the policy too. The policy can also have a statement about family use of devices to further support item #2 in our list.
  7. Consider issuing firm-owned laptops so that you control the security of devices used at home. More and more of our clients are not purchasing desktop computers, opting for laptops (or tablets) with docking stations as the primary computing device. Taking that approach makes it much easier to quickly migrate to a WFH scenario. A firm-owned laptop is configured with the security software and applications the user needs to perform their job. Relocating the laptop to the home network preserves the security of the computer, making it safer to use than the typical home machine.
  8. There are options for home users “competing for bandwidth.” Your spouse is probably working from home and your children may be attending school remotely as well. This means that you are probably sharing the same Wi-Fi network as everyone else and experiencing a slowdown. You may want to try the hotspot on your phone to see if the speed would be better than your home network. Directly connecting your computer via Ethernet to the router will help maximize speed. If you don’t have Ethernet cabling in your walls, try using an Ethernet powerline adapter. The TP-Link AV1000 is a good choice and should be around $50 at Amazon, although pricing and availability are all over the place.
  9. Utilize a Virtual Private Network (VPN) for remotely connecting to the firm network. Using a VPN is better than not using one. A VPN creates an encrypted communication channel from your computer to the firm network. Many users will be tempted to use Remote Desktop Protocol (RDP), especially since it is included free with Windows. There are many known vulnerabilities with various versions of RDP. If you must use RDP, consider running RDP through a VPN tunnel instead of exposing RDP directly to the internet and by all means, utilize multi-factor authentication (MFA) for any connection.
  10. Prioritize lawyer wellness. Lawyers in wellness trouble are a security risk. Lack of concentration, mental health problems or substance abuse can cause serious lapses in making smart decisions concerning the use of technology.

What Kind of Fool Am I (That Doesn’t Use MFA)?

Those of you of a certain age will remember the song “What Kind of Fool Am I?” That song was about love, but for Pete’s sake, why is it that some lawyers keep insisting that they won’t use MFA (multi-factor authentication)?

Thanks to our good friend Ben Schorr (who works at Microsoft) for sending us an August 7 Microsoft update on why multi-factor authentication is so critical. It is short, sweet and should be read by anyone who has resisted multi-factor authentication (and there’s a lot of you!).

From the post:

“When you sign into your online accounts – a process we call “authentication” – you’re proving to the service that you are who you say you are. Traditionally that’s been done with a username and a password. Unfortunately that’s not a very good way to do it. Usernames are often easy to discover; sometimes they’re just your email address. Since passwords can be hard to remember, people tend to pick simple ones, or use the same password at many different sites.

“That’s why almost all online services – banks, social media, shopping and yes, Microsoft 365 too – have added a way for your accounts to be more secure. You may hear it called “Two-Step Verification” or “Multifactor Authentication” but the good ones all operate off the same principle. When you sign into the account for the first time on a new device or application (like a web browser) you need more than just the username and password. You need a second thing – what we call a second “factor” – to prove who you are.”

Probably the most important point is that you do not need to use the second factor every time. You can make your phone and laptop “trusted devices.” If the bad guys know your ID and password, but try to access your account from another device, they will need that second factor. Statistics show that using MFA stops over 99.9% of all account takeover attacks. It doesn’t get much more persuasive than that.

When will you HAVE to use the second factor? When you get a new device or change the password for your account. But that’s not very often. Sometimes, you may be required to enter the second factor when you are accessing particularly sensitive data – medical sites and financial institutions often require two-factor authentication at every logon for your own protection. But for the most part, it won’t be nearly the inconvenience that most people think it will be.

If you are really interested in security, consider the different kinds of two-factor authentication. SMS texts are infinitely better than not using 2FA, but there are more secure methods that you might consider.

SMS text messages are the least secure of the MFA implementations, primarily because they are vulnerable to SIM-jacking. That’s where someone obtains a SIM card with your phone number and hijacks your phone number to another phone. Those SMS text messages then get sent to the hijacked phone.

A more secure MFA method is to use an authentication app such as Authy, Duo, Google Authenticator, Microsoft Authenticator, etc. The app generates a unique six-digit code every 30 seconds. When prompted for the MFA code, you type in the code that is displayed in the authenticator app. This type of MFA is susceptible to man‑in‑the‑middle (MITM) attacks where the code can be intercepted as you type it in.

An even more secure MFA method is to receive a push notification to your authentication app. When you log on, the system sends a push notification to your registered phone. All you do is tap the notification to allow access. This means there is no code to enter or intercept.

Finally, the most secure of the MFA methods is a physical security key. YubiKey is a very popular security key as is the Titan Security Key from Google.

Recently, we have seen more account takeovers than ever. Read the Microsoft post carefully – it will answer most common MFA questions. And then begin to use MFA for all your online accounts. It’s almost always FREE (your favorite price, right?). Very effective too. Just do it.

Goodbye VPNs – Hello Zero Trust Network Access

Virtual private networks (VPNs) are very standard these days. But they are riddled with vulnerabilities – and subject to “man-in-the-middle” attacks. They have wreaked havoc in 2020 in a work-from-home environment.

Enter zero trust network access (ZTNA).

An October 2020 Forrester study (commissioned by Cloudflare) offered some key findings.

Working from home compelled firms to transform how they operated in the cloud. However, 80% of the IT decision-makers interviewed said their companies were unprepared to make the transformation. Existing IT practices made it difficult to support employee productivity without security compromises.

As a result, 76% of the decision-makers said their firms intend to accelerate their shift to the Zero Trust security framework. More than three-quarters (76%) of decision-makers polled said their companies’ security practices were “antiquated” and needed to shift towards Zero Trust Network Access.

The report found that 82% of the firms said they were “committed” to migrating to a Zero Trust security architecture. To achieve this goal, close to half (49%) of the firms elevated the role of CISO to board visibility while 39% had a Zero Trust oriented pilot for 2020.

The migration towards Zero Trust faces various challenges, with 76% of the firms identifying Identity and Access Management (IAM) as the major challenge.

For those who are unfamiliar with the Zero Trust security model, it allows remote workers to access applications through a secure web-based gateway. The solution implements least-privilege principles and supports multi-factor authentication (MFA) and device security checks. Unlike a VPN infrastructure, Zero Trust is highly scalable, more affordable, and easily integrates with various single sign-on (SSO) platforms already available in the marketplace. It also permits the configuration of access control policies to manage permissions based on users’ privileges and devices.

More than half of all businesses have experienced data breaches (58%) or increased phishing attempts (55%) during COVID-19. Ransomware attacks affected 29% of the respondents.

Infrastructure outages and VPN connection latency issues disconnected 33% and 46% of workers, respectively.

Several vendors offered their services for free or on extended trial periods to allow customers to test their Zero Trust security solutions during COVID-19. The free trial period allowed companies to migrate to a Zero Trust security model and test advanced security solutions from reputable vendors. They could then select the products that met their security needs and sign up on a permanent basis.

Why the sudden interest in a Zero Trust architecture? The short answer is our migration to the cloud, increase in third-party service providers and the need for mobility. Protecting the security perimeter was fine as long as all the services and people were within the network boundaries. A VPN assumes that a trusted device is now outside of the perimeter and needs to connect securely to inside resources. With more cloud services and a mobile workforce, we need an architecture that provides security for the user and application regardless of location or device.

Even though Zero Trust Network Access as a VPN replacement is right around the corner, it is not a solution for everyone or every application. Zero Trust works great for applications that have migrated to the cloud where you can clearly identify the users that need authentication. In other words, you have identified those users that need access and you trust nobody else.

Where ZTNA doesn’t work well is for applications that need to be exposed to the public. Think about Zillow, Amazon, Expedia, Airbnb, etc. Applications such as these need to be open to the public. You really can’t have a user logging on just to see what’s available for sale or hotel rates in a particular city. Those users want to be anonymous until they make a purchasing decision.

Users are still a problem even with ZTNA. If a cyber criminal gains access to a valid user’s credentials, they can access resources just like the authorized user. In other words, if the user continues to reuse passwords or doesn’t utilize MFA, an attacker can act just like a valid user.

We always knew Zero Trust Network Access was coming, but COVID has accelerated its arrival. Just like any other technology, ZTNA has to be securely implemented with strong authentication controls, thereby protecting users from themselves.
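To make the model concrete, here is an added Python sketch (not any vendor’s product and not from the Forrester report) of the per-request decision a ZTNA gateway makes: default deny, per-application group membership, MFA and device checks. It also evaluates the stolen-password case discussed above against a policy with those checks switched off. All class, field and application names are hypothetical, and the requests are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """One attempt to open one application (field names are hypothetical)."""
    user: str
    groups: FrozenSet[str]
    app: str
    password_ok: bool     # primary credential verified by the identity provider
    mfa_ok: bool          # second factor verified for this session
    device_managed: bool  # firm-owned, enrolled device
    disk_encrypted: bool  # device security check


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: FrozenSet[str]
    require_mfa: bool = True
    require_managed_device: bool = True
    require_disk_encryption: bool = True


# Constructed policy set for a small firm. Anything not listed is denied.
POLICIES: Dict[str, AppPolicy] = {
    "document-management": AppPolicy(frozenset({"attorneys", "paralegals"})),
    "billing": AppPolicy(frozenset({"accounting"})),
}

# The same application with MFA and device checks switched off, for contrast.
WEAK_POLICIES: Dict[str, AppPolicy] = {
    "document-management": AppPolicy(
        frozenset({"attorneys", "paralegals"}),
        require_mfa=False,
        require_managed_device=False,
        require_disk_encryption=False,
    ),
}


def decide(req: AccessRequest, policies: Dict[str, AppPolicy]) -> Tuple[bool, List[str]]:
    """Evaluate one request against one application's policy; deny by default."""
    policy = policies.get(req.app)
    if policy is None:
        return False, ["no policy for this application"]
    reasons: List[str] = []
    if not req.password_ok:
        reasons.append("primary credential not verified")
    if not (req.groups & policy.allowed_groups):
        reasons.append("user is not in a group allowed for this application")
    if policy.require_mfa and not req.mfa_ok:
        reasons.append("second factor not verified")
    if policy.require_managed_device and not req.device_managed:
        reasons.append("device is not firm-managed")
    if policy.require_disk_encryption and not req.disk_encrypted:
        reasons.append("device disk is not encrypted")
    return (not reasons), reasons


# Constructed requests.
ATTORNEY = AccessRequest("asmith", frozenset({"attorneys"}),
                         "document-management", True, True, True, True)
# Same person, same laptop, but an application outside their role.
ATTORNEY_BILLING = replace(ATTORNEY, app="billing")
# Correct password presented from an unknown device with no second factor.
STOLEN_PASSWORD = replace(ATTORNEY, mfa_ok=False,
                          device_managed=False, disk_encrypted=False)

if __name__ == "__main__":
    cases = [
        ("attorney, managed laptop, MFA", ATTORNEY, POLICIES),
        ("attorney asking for billing", ATTORNEY_BILLING, POLICIES),
        ("stolen password, strict policy", STOLEN_PASSWORD, POLICIES),
        ("stolen password, weak policy", STOLEN_PASSWORD, WEAK_POLICIES),
    ]
    for label, req, policies in cases:
        allowed, reasons = decide(req, policies)
        print(f"{label}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

Under the weak policy the stolen password alone is enough, which is the failure the paragraphs above warn about.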

What’s on the Horizon for Law Firms in 2021?

Jim Calloway, Director of the Oklahoma Bar Association’s Management Program, frequently speaks with us about the future of law. Recently, Jim recorded a Legal Talk Network podcast with Sharon which bears the same name as this article. You can find the podcast at https://legaltalknetwork.com/podcasts/digital-edge/2020/12/whats-on-the-horizon-for-law-firms-in-2021/.

The authors continue the discussion below.

We were glad to see the backside of 2020. But 2021 carries many uncertainties with it and that makes predictions risky. Fortunately, we are not averse to risk‑taking and it is a worthwhile effort to make predictions, especially about things we’re fairly certain will come to pass.

One thing that both lawyers and clients seem to have changed their minds about is the importance of physical office space. Until we read the Clio 2020 Legal Trends Report, which surveyed a combination of Clio users and non-Clio users, we had no idea that 21% of law firms were already operating without commercial office space. Since the pandemic, another 7% of lawyers have given up their commercial offices and 12% are unsure they’ll keep them going forward.

It’s a pretty good bet that those numbers are higher today. We have heard from some of our big law friends that they are actively looking to sublet some of their space. Those that were near the end of their leases were the lucky ones because they can negotiate for downsized space. We, on the other hand, signed a five-year lease in February 2020. Great timing, huh?

We may also see rotating offices (yes, there will be institutional resistance), where lawyers showing up to work get assigned to an office with the office space rotating among the firm’s lawyers. Large, luxurious partner offices may also become a thing of the past. The physical footprint of the office may be reduced but virtually everyone seems to agree that firms of a certain size need some kind of office in which to conduct meetings, have a receptionist to deal with mail, packages, etc.

Another topic that comes up frequently is the cloud. We’ve been saying for a very long time that the cloud protects the security of law firm data better than the lawyers would and that is so true. We regularly hear stories of cloud breaches but lawyers often misunderstand their cause. The majority of those breaches are caused by users who misconfigured the security of the cloud and their presence in the cloud.

Recently, we’ve begun to say that the best time to move to the cloud was five years ago and the second-best time is today. Clio CEO Jack Newton has said that if you’re not in the cloud, you’re not in the game. He calls the cloud table stakes, which we thought was a very interesting term. Also of note is the ILTA 2020 survey where the majority of respondents said, with every upgrade, they were going to the cloud. So, it’s a staged process but it’s in place for every upgrade.

In the beginning of the pandemic, those lawyers that had all their data in the cloud were way ahead of those who still had all their data locked in physical files. If your files were in the cloud, you could work. You weren’t stuck with lugging files back and forth from the office.

We worry sometimes that lawyers are rearranging the deck chairs on the Titanic because they’ve been holding on to the past so much, not adapting to the future. We did see a lot of change caused by the pandemic and we’re hopeful that we will continue to innovate. Lawyers need to take a look at what they’ve always done and say, “Is this what we always should do? Is there a better way?” The seven most dangerous words might be “But we’ve always done it that way.”

Cybersecurity has been a huge issue and will continue to be. The pandemic has been a nightmare of people calling and saying, “We’re down, we’re down, we’re down. We have a ransom demand that we’re supposed to pay. What is all this about? What do we do?”

It was clear that there is not a lot of incident response planning going on because the incident response plans firms had (if any) were just frozen in time, never updated. Cyber criminals of course are always sniffing for new opportunities and we certainly gave them one with our new work-from-home environment. We saw more than a 750% rise in ransomware in the first six months of 2020 and home networks are about three and a half times more vulnerable than law firm networks. Using home machines rather than work-issued laptops secured by the law firm – well, those home machines just complicate the problems.

As a result, one change we are seeing is that law firms are warming to the idea of making sure that all devices connected to the law firm network must be owned and secured by the law firm. That’s one trend we are sure will continue.

We have fond memories of the days when a thousand dollars was a big ransom. Seems like a long time ago. In the third quarter of 2020, the average cost of a ransomware demand was approximately $233,000 according to the cybersecurity and ransomware specialist firm Coveware.

Law firms are getting hit left and right among many other entities and, of course, recently, we’ve had government agencies and others hit in the SolarWinds attack which seems to be more about espionage than it does about ransomware.

With law firms, we now have the double ransom where the bad guys steal your data before they encrypt it. If you’re able to recover from backups without paying the first ransom demand, you will then get a second ransom demand for supposedly destroying your data and, of course, since we always trust cybercriminals, paying the ransom is often what we do. We pay them and trust them that our data has been deleted. When they make the demand, they will send you samples to show you that they have the data or they’ll post it on the dark web to scare you into paying. If you chose to pay for the decryption key in the beginning, you may still get that second ransom demand.

Insurance companies are often choosing to pay the ransom rather than pay for an extended business interruption and possibly the costs associated with the theft of the data. So, as of the end of 2020, fully 25% of victims were paying ransoms.

We saw a 75% increase in business email compromise in the first three months of 2020, but the whopping great statistic was that we then saw a 200% increase each week from April to May. We have to assume that this means that cyber criminals are having a great degree of success using these compromised accounts.

Worse yet, once the criminals have all of your email, your contacts, your calendar, et cetera, you can’t do anything about that. That horse has left the barn. What everyone should do is have multi-factor authentication enabled, which prevents 99.9% of business email compromise attacks. Wherever you can, you should enable MFA. It’s almost everywhere these days. But it’s a matter of security versus convenience because lawyers don’t want to have to enter a text code from their phone. If you can block 99.9% of these attacks, focus on security instead of convenience. Microsoft itself thought it was so important that they made MFA free.

Yes, most lawyers are afraid they’ll have to enter a code from their smartphone, on their laptop or other device, but in most cases, that’s not true. It might be true of your doctor’s office. It might be true of your bank or your stockbroker but most of the time, you can make your devices “trusted devices” so that no code is needed unless you buy a new device, you change your password or perhaps you’re visiting someone and using their device for some reason.

Recently, we’re trying to move people away from text messages because SMS text messages can be so easily compromised. But if that’s all you have, it’s infinitely better than nothing. Authenticator apps and authenticator tools are what’s going to replace both two-factor authentication and multi-factor authentication. There are actually hardware tokens like Yubico’s YubiKey line or CryptoTrust OnlyKey where you have a physical thing you carry on your key ring or in your purse and it plugs into either your USB-A slot or USB-C slot or Lightning for iPhone users.

Most people are going to prefer the software tokens – Microsoft Authenticator, Google Authenticator, etc. These apps constantly generate new codes that are only valid for about 30 seconds, so when you log into an account and you’re prompted for a code, you just open your app and enter that most recent code and you’re good to go.

Obviously, there’s a lot of change in cybersecurity.

But let’s go back to the daily business of law.

Some things are going to stick post-pandemic. Virtually all law firms now do electronic contracting, most using DocuSign (our preference) or Adobe Sign.

Every lawyer now knows about e-notarization, which they didn’t before. People who didn’t have case management software are getting it and recognizing the value of secure client portals. Clients love the security of client portals where they can go in anytime and see their documents, review/pay their bills, etc. This has become part of being a client-centric law firm.

There are still an amazing number of lawyers who refuse to accept credit card payments. We’ve never understood that because 40% of consumers, according to one of the Clio surveys, would never hire a lawyer who didn’t take debit or credit cards. We’ve accepted credit cards for a very long time, but the pandemic caused cash flow to slow (slow mail delivery may have been a part of that). We began emailing our clients asking those who were writing checks to shift over to credit card payment. We immediately saw a marked increase in people paying promptly and the cash flow is much more dependable. It is critical these days to send out bills electronically with a payment link.

The thing that we are most certain will stick is the dependence on video conferencing. Yes, we’ll go back to in-person meetings and courtrooms again, but now that the legal world and even the judicial world has learned to use virtual conferencing software, we doubt that we’ll ever totally go back to our old ways. Too much money and time is saved by meeting clients via Zoom (the clear winner of the video conferencing software wars) – the same is true of court proceedings.

There are drawbacks of course. Some things are just better in person – when you can look a client or opposing counsel in the eye, you may “read” them better – and you may be more persuasive in-person. There are trade-offs and we’re still figuring out what works when.

Clients are totally sold on video conferencing – they don’t want to be waiting in your well-appointed reception area, which they are now keenly aware that they are paying for. They don’t want to travel to your office. They don’t want to take time off from work. Clients and prospective clients all seem to have mastered Zoom – at least its fundamentals – so we doubt it will lose its dominance no matter how many of its features are imitated by its competitors.

Finally, we are seeing artificial intelligence being adopted more rapidly by firms of all sizes and that’s likely to be a continuing trend in 2021. Could it be unethical NOT to use AI? We just read an article with that title. The answer is yes!

Though there are several ethical rules which may be implicated, notably a lawyer’s failure to use AI could implicate ABA Model Rule 1.5, which requires lawyer’s fees to be reasonable. If AI reduces costs, limits risks and is much faster, not using AI may result in a lawyer charging an unreasonable fee to a client.” We are seeing more and more lawyers, even in small firms, beginning to use AI in e‑discovery, legal research, contract analytics, predictive analytics, document management and expertise automation, among many other arenas.

These are just some of the changes that law firms will see in the future. Nothing is more worthwhile to the thoughtful lawyer than to constantly scan the horizon for changes that can enhance the successful practice of law. If there’s any silver lining to the pandemic, it is that it has shaken the legal world up and brought it years into the future.

Lawyers Moving Past Passwords


Passwords have been around since the early days of mainframe computing. Believe it or not, passwords were not originally designed to prove identity. The betting money is that computer passwords first showed up at the Massachusetts Institute of Technology in the mid-1960s in order to track time when using a mainframe computer: The Compatible Time-Sharing System (CTSS).

Today, passwords are used to help authenticate the identity of the computer user. From a security perspective, the problem is that people use crummy passwords, forget them and even reuse them across multiple systems. At the end of the day, if someone has your password, the computer doesn’t know it really isn’t you. It’s no secret that many lawyers are resistant to change. Abandoning passwords is no different. With the significant increase in remote workers, get ready for a change in how you will access your firm’s network or cloud service.

History

Password managers help users by generating strong and unique passwords for every account you access. Depending on the password manager you use, there may be issues with accessing the encrypted password vault across multiple devices. Many services will allow you to use your Apple, Google or Facebook passwords for access instead of creating one password specific for their service. That strikes us as a bad idea. If their service is compromised, the attacker has keys to your Facebook, Google or Apple account. You can add two-factor authentication (2FA) to increase security, but there are ways to intercept the second passcode sent by a text message.

Going Forward

You’ve probably heard of multi-factor authentication. A password is something you know. A second factor is something you have, such as a security key or token. A third factor is something about you – biometrics. There is a move afoot to totally ditch passwords and move to something you have and something you are.

Fast Identity Online (FIDO) is a set of standards designed to let you dump passwords as an authentication method. The standards utilize hardware security keys and dovetail with biometrics. Think of hardware security keys as the digital equivalent of your house key. The security key plugs into a USB or Lightning port. It is a single device that works with multiple apps and websites. The key can be augmented with biometric access such as Windows Hello or Apple’s Face ID.

Andrew Shikiar, executive director of the FIDO Alliance said, “Within the next five years, every major consumer internet service will have a passwordless alternative. The bulk of those will be using FIDO.”

FIDO will stop phishing since it only works with legitimate websites and not the bogus sites trying to get your credentials. Stolen passwords won’t be effective either since the attacker won’t have the security key. If FIDO is successful, firms might not require passwords at all.

FIDO Process

When you visit a website login page, you insert your hardware security key (e.g. YubiKey) and then use biometric authentication such as Apple’s Touch ID or Windows Hello. As an alternative, you can also use your smartphone as a security key. The process starts the same way by entering your username. You will then get prompted on your phone. Unlock the phone and then validate yourself using the phone’s biometric authentication system.
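The phishing resistance described above comes from the browser and the security key recording which site asked for the login. As an added example (not code from the FIDO Alliance or the authors), this sketch shows the checks a website makes on a WebAuthn login response for origin, site identity, challenge, user verification and the key's use counter. Verifying the key's signature over these fields, which a WebAuthn library handles and which is what makes them tamper-evident, is not shown; the portal name and helper names are constructed.

```python
import base64
import hashlib
import hmac
import json
import struct

# Assumed relying party: a constructed law-firm portal, not a real site.
RP_ID = "portal.example-firm.test"
ORIGIN = "https://portal.example-firm.test"

FLAG_UP = 0x01  # user present (touched the key)
FLAG_UV = 0x04  # user verified (fingerprint, face or PIN)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_assertion(origin, rp_id, challenge, sign_count,
                   flags=FLAG_UP | FLAG_UV):
    """Constructed sample of what the browser and security key send back."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,  # written by the browser, not by the web page
    }).encode()
    # authenticator data: SHA-256(RP ID) | flags | 4-byte use counter
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + struct.pack(">BI", flags, sign_count))
    return client_data, auth_data


def check_assertion(client_data_json, auth_data, expected_challenge,
                    stored_sign_count, require_uv=True):
    """Return the list of failed checks; an empty list means all passed."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["client_data"]
    if not isinstance(client, dict):
        return ["client_data"]

    failures = []
    if client.get("type") != "webauthn.get":
        failures.append("type")
    # The challenge is a fresh random value issued for this login only.
    sent = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(expected_challenge).encode()):
        failures.append("challenge")
    # A look-alike site produces its own origin here, never ours.
    if client.get("origin") != ORIGIN:
        failures.append("origin")

    if len(auth_data) < 37:
        return failures + ["authenticator_data"]
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]

    if not hmac.compare_digest(rp_id_hash,
                               hashlib.sha256(RP_ID.encode()).digest()):
        failures.append("rp_id_hash")
    if not flags & FLAG_UP:
        failures.append("user_presence")
    if require_uv and not flags & FLAG_UV:
        failures.append("user_verification")
    # A counter that fails to increase suggests a cloned key.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        failures.append("sign_count")
    return failures


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a server would use os.urandom
    real = make_assertion(ORIGIN, RP_ID, challenge, sign_count=8)
    print("real site:", check_assertion(*real, challenge, 7))
    fake_host = "portal.example-firm.test.signin.example"  # constructed
    fake = make_assertion("https://" + fake_host, fake_host, challenge, 8)
    print("look-alike site:", check_assertion(*fake, challenge, 7))
```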

What Could Go Wrong?

Passwords have been around for a long time and it will be difficult to switch over to security keys. The reality is that setting up security keys is a heck of a lot harder than picking a password or having your password manager do it for you. The primary difficulty is that the various websites use different procedures to register and use your hardware keys. As an example, Twitter only lets you use one security key and doesn’t allow a backup key. In other words, there is no consistent process that is the same across all sites. Another issue is that a site may not support the hardware key that you own. That means you will have multiple hardware keys to access the various required sites.

The hardware keys cost money too. That means there will be potential pushback from users due to the investment. Finally, keys can be somewhere you are not, broken, stolen or lost.

Reality Prediction

We do believe that passwords will ultimately go away, but it won’t happen in the near term. It will be a slow process for users to let go of the familiarity of passwords. We predict that FIDO implementations will take at least five years (perhaps longer) to become commonplace.


Small and Midsized Law Firms Slammed by Ransomware


A Warning for Law Firms

The first of the quarterly 2021 surveys appeared during April – and the news isn’t good for small and midsized law firms. Note these ominous words from Coveware, a highly regarded aggregator of global ransomware and cyber extortion data, which published the Coveware Quarterly Ransomware Report (Q1 2021):

“The most notable change in industries impacted by ransomware attacks in Q1 was the Professional Services industry, specifically law firms. Small and medium sized law firms continue to succumb to encryption ransomware and data exfiltration extortion attacks. Unfortunately, the economics of many small professional service firms do not encourage or enable adequate cyber security.”

Sobering Statistics from the First Quarter of 2021

The average ransom payment was $220,298 (+43% from Q4 2020)

The median ransom payment was $78,398 (+59% from Q4 2020)

The average number of downtime days was 23 (+10 from Q4 2020)

77% of ransomware attacks include a threat to leak the stolen data (up from 70% in Q4 2020).

Most ransomware-as-a-service (RaaS) affiliates now purchase network access (often for a nominal sum) from someone else, then use the data they can now steal to leverage payment from the victim.

And a new and disturbing trend in 2021? Attackers are taking to disrupting business after an initial attack while the firm is trying to recover – and stealing more data or relaunching ransomware.

What Law Firms Should Assume

Ransomware is no game, but if it were, boy have the rules changed.

The first thing a law firm should assume is that any of its data stolen by attackers will not be destroyed by the cyber criminals even if a ransom is paid. It may well be traded to others, sold – or even held for a second extortion attempt. Those re-extortion attempts are becoming a growing phenomenon.

Also assume that multiple parties held your data and that the data was not necessarily secured and may have been compromised. Also, any of those parties may have made copies for prospective extortion in the future.

It is increasingly likely that data will be published, often called “naming and shaming,” before you can even respond to the ransom demand. This ups the ante and puts pressure on the law firm to pay.

Where Does the Danger Come From?

The most common ransomware attack vector is compromised Remote Desktop Protocol (RDP) access, which so many lawyers working from home use to connect to the law firm network.

This is followed by phishing emails, which continue to get better and better at fooling your employees. Employee security awareness training should take place at least annually (more often is better) and running phishing simulations periodically is a good idea. Employees simply forget over time so repetitive training is critical.

Why are Small and Midsize Law Firms So Vulnerable?

As the Coveware report notes, 24.9% of ransomware attacks target professional services firms, especially small and midsize law firms.

So, what are the firms doing wrong? In part, they are hobbled by the modesty of their budgets for cybersecurity. On the other side of the coin, they generally want to maximize profits and distribute income to the partners at the end of the year. Cybersecurity doesn’t make the cut when distributions are discussed.

Their clients tend to be smaller and may not demand security assessments as larger clients are prone to do. Sometimes they get to bask in obscurity because attacks on smaller firms often do not make the headlines.

Smaller firms get in a world of trouble because most of them do not have Incident Response Plans (IRPs) and therefore they have a “headless chicken” response to attacks, which they generally don’t properly handle. To make matters worse, they don’t properly attend to remediation of the vulnerabilities that caused the attack. And you know what happens then? They get re-attacked.

An example of sheer stupidity from our case files. A firm had an Incident Response Plan (IRP). Good for them, right? Except they didn’t print it out or put it on a device never connected to the network. So, their IRP was encrypted in the ransomware attack. Doh.

Don’t Think Paying the Ransom Will Guarantee You Get All Your Data Back!

Sophos, a highly regarded cybersecurity vendor, issued its “The State of Ransomware in 2021” report. Scary stuff. Their survey found that only 8% of entities get back ALL of their data after paying the ransom. 29% of those who paid the ransom got back no more than half their data. Not only is there no honor among thieves, but there are no refunds for partial performance! In addition, there is no customer service department where you can file a complaint.

There was some good news in the report – sort of. There was a decline of entities hit by ransomware from 51% in 2020 to 37% in 2021. On the face of it, that’s a good thing.

But the report notes a very worrisome trend. Attackers are now moving from automated attacks to highly targeted “hands-on-keyboard” hacking. Why is this causing such alarm? Because the potential damage is much greater from these more complex attacks, with more than double the remediation costs, from approximately $761,000 in 2020 to $1.85 million in 2021.

Oh, and to add to the merriment, remediation costs are now ten times greater than the average ransom payment.

Final Thoughts

Not much joy in this article, to be sure. One of the things it proves definitively is that the threats from attackers are morphing constantly. As the threats evolve, so must the defenses. Busy attorneys understandably have trouble keeping up with cybersecurity. But when they can, they should try to stay current through reading reputable blogs and articles online and taking cybersecurity CLEs at least once a year – and more is better. Batten down the hatches – we’re in for a bumpy ride for years to come.

The post Small and Midsized Law Firms Slammed by Ransomware appeared first on Slaw.

Lawyers Addicted to Technology: Cutting the Cord


Not exactly a new subject, is it? And yet the pandemic has brought a new focus to technology addiction as way too many lawyers worked longer hours at home than they ever did at the office, their overtired, burning eyes fixed on their monitors.

As the pandemic receded and lawyers ventured out, we heard a regular theme about technology – “I can’t let go.” Finally, a chance to take a vacation emerged in the summer of 2021 and we proved to be pretty terrible at relaxing sans technology.

Technology Itself Gives You Tools to Cut the Cord

Your phone is your worst nemesis because you can’t stop “checking in”, right?

Put on “Do Not Disturb” (DND) and let your cares fly away. Of course, to do that, you need to let any critical folks at work know – and for the sake of those trying to reach you by email, make sure your “away” message is on. You also have the option to program DND exceptions to allow a specific caller which may be critical if you have elderly parents, grown children who may need you, etc.

Instructions to do that here:

https://itigic.com/configure-android-do-not-disturb-mode-to-add-exceptions/

https://www.theverge.com/2019/9/26/20883331/iphone-do-not-disturb-mode-exceptions-how-to

We’ll state the obvious: Don’t look at the phone when “Do Not Disturb” is on – those emails and notifications will show up if you do and your blood pressure will skyrocket!

Put your phone in a hotel safe and go to the pool or dinner. You can’t check what you don’t have. No safe? Another way to enforce your relaxation is to give your phone to your spouse or other travelling companion with orders about when to return it. Don’t get mad when they obey your orders – play fair!

As for laptops, do what needs doing once or twice a day. Maybe before breakfast and dinner? That’s our routine. And power them down in between. Your devices sing silent siren songs to you if you can bring them to life in a flash.

Advice From Friends

Our friend Reid Trautz recommends using technology pre-vacation to immerse yourself in your dreams of what you want to do. Envision your fun so that you are in a frame of mind to do everything you really want to do and not be sidetracked by technology.

Juda Strawczynski has some excellent tips for unplugging on vacation:

Attack your “to-do” list with a vengeance – clear the deck as much as possible so that no deadlines are hanging over your head when you leave. Let your colleagues know you are “really” on vacation, so they don’t pester you and tell them who to contact in case of an emergency. If you must connect, set strict rules.

We follow that advice religiously. It took us years to succeed, so if you stumble at first, you are in good company.

The funniest advice shared with us came from our friend (and fellow technologist) Tom Lambotte. On vacation, his team was told that if they needed him, to text his wife. According to Tom, this allowed his more rational half to serve as a gatekeeper!

Our Average Day and Digital Downtime

Like everyone else, we struggle to keep our devices at bay. Workdays are the hardest for everyone, but we do religiously carve out after dinner time for a movie – the only permitted interruptions are the occasional texts from our six children.

We are pretty strict on weekends. Generally, we consult our devices 2-3 times a day. It feels quite restful after the workweek. You can truly get yourself into the habit of limiting screen time – and it gets much easier to maintain that kind of schedule once you’ve determined that you are going to be in charge of your devices rather than your devices being in charge of you!

The post Lawyers Addicted to Technology: Cutting the Cord appeared first on Slaw.

Top 10 Tips: Effective Cybersecurity Awareness Training for Law Firm Employees


We can speak authoritatively about cybersecurity awareness for law firm employees because we give this training so often. Here are some of our tips to ensure you maximize the effectiveness of your training.

1. Take cybersecurity awareness training seriously and do it right.

A significant recent statistic is that human beings are involved in the success of 82% of cyber attacks. They tend to have crummy passwords, they reuse and share passwords, they click on links or attachments without thinking, they get emails which seem improbable and yet respond to them, and the list goes on and on.

We used to say that you should do training once a year but as things are moving faster and faster, we think it’s better to do it twice a year.

Employees need reiterative training. They simply forget what they were taught. Also, the threats and the defenses keep changing, so it really is hard to keep up. We would advise not to be tempted to use in-house IT to do the training for budget reasons. They’re not training professionals and they don’t carry the big bat needed to hit the lessons home. If you’re going to hire someone to train, which is what most people now do, get some referrals from your friends.

Effective presenters have to be good entertainers as well as good teachers. Our own one-hour training sessions are either $500 or $1,000 depending on the customization involved. Small law firms can afford that. We recommend training be limited to one hour because after that, the attendees do tend to go numb. You can do a lot in an hour!

Training is definitely better live but it is not likely the predominant way of the future. Most law firms are now having virtual training and we see that continuing for the most part. Make sure you track the attendance and ask those who are giving the training to give you a recording to use later in case some employees can’t make it which always seems to happen.

2. Train employees on phishing tactics and ransomware.

In the early days, ransomware was just a way to encrypt your data and then hold you hostage until you paid a ransom in order to procure the decryption key and regain access to your information.

Now we have what the authors call ransomware version 2.0. That’s not an official industry term but the evolution of ransomware has become much more targeted. The tactics have changed because cybercriminals have realized that a lot of law firms have improved their backup mechanisms so they didn’t have to pay the ransoms anymore. They were just restoring from their backups and that dried up the money well. They figured out a new tactic: Now they access your network and steal the data before they encrypt it. So, if you decline to pay the ransom for the decryption key, the criminals point out that they have exfiltrated your data – now there’s another reason to pay a ransom before they expose or sell that data. You now have a bigger headache too as the exfiltration of your data means you have to report the event as a data breach.

Law firms have a big bullseye on their backs. They are one-stop shops for the data of many clients. The data you have is valuable and you are ethically required to protect it. Training must go into some depth about ransomware and phishing to drive the message home to employees – it’s all about creating a culture of cybersecurity.

77% of current ransomware attacks now include the threat to leak stolen data. Phishing is most often the entry point used by criminals to insert ransomware.

The recommendation for training twice a year is because the phishing techniques change, including how they trick the users to engage in clicking or opening things they shouldn’t. 57% of the respondents in a Proofpoint survey experienced some sort of successful phishing attack. 67% of the users didn’t even know what ransomware was or they gave an incorrect response, which is deadly. If you don’t understand your enemy, you won’t understand how to defeat that enemy.

We show employees a dozen or so phishing examples in the training so that they can look at it and say, “Yeah, I got something like that once and I didn’t click it,” or they groan and say, “Yeah, I clicked on it.”

3. Teach your employees to take their hands off the keyboard before hitting ‘Send’.

It’s a simple matter to take your hands off the keyboard before you hit ‘send’. Most lawyers acknowledge that they move too fast when they are working. We think we’re multitasking and we’re more efficient because we’re doing that, but the experts tell us that isn’t true. What we are doing is shooting short bursts of attention here and then there, which makes us much more likely to make an error. When we ask audiences who has ever sent an email to the wrong person or sent the wrong attachment or forgotten the attachment entirely, almost every hand in the room goes up.

If they take their hands off the keyboard and review who the email is going to, that’s the first step. Auto complete is not your friend. Important communications are often misdirected. If there is an attachment, make sure that the attachment to the email is the correct attachment. Even more fundamental, make sure you remember to attach the attachment!

4. Train your employees about the dangers of Business Email Compromises (BEC).

Ransomware is the #1 enemy, but BEC is number two – and it nets more money. In BEC attacks, the cybercriminal is trying to get the victim to wire money, send employees’ W-2 information or procure gift cards, etc. Huge sums of money have been wired to the wrong place because of BEC attacks.

If your email account is compromised and someone has full access to your content, now they’ve got all the information about your contacts and they’ve got all your emails. They know what vendors you’ve been working with. They know who your clients are and what cases you’re working on. Teach employees to be hyper vigilant about wire transfers – and to confirm any changes in instructions by calling a known good number for the person the email purports to come from. This can save a world of angst.

5. Teach employees about social engineering.

Social engineering can take many forms. Examples are great and drive the point home. For instance, there is phishing by phone, sometimes known as vishing with a V because it is voice phishing. The bad actors are generally trying to get information. They’re going to ask who pays the bills or wires its funds on behalf of a law firm. You’d be surprised how many people answer those questions. They may ask who the managing partner is or the CEO or CFO, looking for anyone who gives authorization for payments or wiring funds. Those are the people they want to pretend to be through compromising or spoofing their email – even by using deep fake audio. There are an increasing number of those cases.

They might even call to ask who your IT managed service provider is because then they can call pretending to be that provider. They will perhaps research some names there, perhaps through LinkedIn, which is a big help to the bad guys, however inadvertently. Your employees are much more likely to give their law firm credentials to someone pretending to be from your IT provider perhaps pretending to be in the middle of fending off an attack and needing an employee’s ID and password right away. Giving your employees real-life examples and teaching them to be suspicious is a good thing for the security of your data.

6. Pay attention to work-from-home security.

Many law firm employees are working partly from home. They use consumer grade equipment and they’re not up to date with patches on their home machines. They’re using consumer-grade routers. Surveys show that only 35% of users change the default router password on their home networks. Cyber criminals know this and exploit the vulnerabilities. They know that people are using RDP (Remote Desktop Protocol) for remote access. They’re also using VPNs (Virtual Private Networks). Those are what they attack. Train employees on how to secure themselves at home – better yet, give them a work‑issued laptop and make that laptop part of your firm’s network security.

Make sure those working from home apply patches quickly. Cybercriminals watch for notices of newly discovered vulnerabilities. They know that employees don’t tend to patch promptly.

Don’t allow any of your family members to use any equipment that you use to access client data. If you have a law firm-issued laptop, that’s certainly the best approach. Hopefully, the security of that laptop is managed by the law firm.

7. Stop sharing and reusing credentials!

Sharing your law firm ID and password is just plain stupid, but more than 50% of people do it. Often, partners share their credentials with paralegals or secretaries who monitor emails. There seem to be a million reasons why people share their credentials, but none of them make any darn sense. Sharing credentials creates an enormous security threat.

Reusing passwords is as incredibly common as it is incredibly stupid. Once a bad guy/gal has your password from one place, the databases of known compromised passwords make it easy for the cyber criminals to try that password in as many places as they want. We always stress that the law firm ID and password should be regarded as particularly sacred and never be reused anywhere.

8. Stress the urgency of using two-factor authentication.

You’ve probably heard the term two-factor authentication or 2FA, sometimes referred to as multi-factor authentication (MFA). More and more vendors are forcing you to turn on MFA. Our message is always to configure MFA. Use MFA everywhere that it’s available. Studies have shown that having multi-factor authentication enabled will stop 99.9% of credential-based account takeovers. Microsoft’s own studies have proven that. Microsoft believes that MFA is so important that it’s now included free with all their subscriptions. You don’t have to pay for it, but it’s not turned on and configured. Some employees don’t like the inconvenience of 2FA, but in today’s world, they have to be persuaded to get over it. Security comes first.

9. Teach employees about drive-by infections, baiting, piggybacking, and tailgating.

Drive-by infections are where you visit a website that automatically downloads malware invisibly while you are on the site. The lesson there for employees is not to go to places you don’t know. Name brands are much more reliable. They don’t have that stuff on their sites.

Talk about baiting where flash drives are left on airplanes, public park benches or conferences. The employee picks up a flash drive, curious about what’s on it or maybe wanting to return it to its owner and bada bing – they inadvertently download a malicious payload when they stick the drive in a law firm laptop.

Physical security is important. Piggybacking is when someone strikes up a conversation with you as you enter the building or office with a ProxCard key, keypad or whatever form of entry you use. They seem to have authority to be with you so they get in. Related is tailgating, where someone, as an example, pretends to be talking on their phone until you have opened the door successfully and then they pretend to hang up their call and they grab the open door. Not liking confrontation, we tend to let them in with us. Teach employees to be suspicious!

10. Teach employees about current alluring cyber attacks, particularly those that involve phishing.

Cyber criminals are clever – they know what will attract people. A subject line may talk about vaccines, expiring passwords, changes in vacation policies, and all manner of other things that folks are likely to click on.

Many emails reference shared files with links in the email (and they may pretend to come from another law firm or a client). Spoofing emails is simple – and of course email accounts also get compromised so bad guys may have in-depth info to use when they “bait the hook” when they go phishing.

Who won’t click on a link in a message purported to be about a delivery, whether Amazon, UPS, or FedEx? One of the surveys we saw indicated that in Q4 of 2020, the five most successful subject lines were “password check required immediately”, “touch base on meeting next week”, “vacation policy update”, “remote work policy update” and “dress code changes.” They do their best to entice, so you have to call employees’ attention to what works – so it will stop working!

The post Top 10 Tips: Effective Cybersecurity Awareness Training for Law Firm Employees appeared first on Slaw.

Smartphone Phishing Attacks Escalate, Bedeviling Law Firms


Just When You Thought You Had Perfected Your Cybersecurity Training for Law Firm Employees . . .

Time to think again. It’s no secret that cybercriminals have increased all kinds of phishing activity since the pandemic. More people utilizing consumer grade equipment in a less secure work-at-home environment creates a fertile ground for phishing attack victims.

According to a ZDNet report, phishing attacks are shifting to mobile devices. That’s not surprising since mobile devices are the primary computing technology for more than 50% of users. The goal of the attackers is to obtain usernames and passwords that could be used for accessing cloud services or other sections of the enterprise network. The goal of the cybercriminal is to gain network access. Attacking a smartphone means a greater success rate for getting that access.

So Why Are Phishing Attacks on Smartphones so Successful?

Spotting a phishing attack on a smartphone is much harder than on a computer. Think about it. When you get an email on a computer, determining the originating email address is pretty easy even if the display name is familiar. On a smartphone, typically you just see the display name and not the actual email address. It takes a lot more work and jumping through hoops to expose the actual originating email address.

As ZDNet states, “Tailoring phishing emails towards mobile devices can make them more difficult to spot because the smaller screen provides fewer opportunities to double check that links in messages are legitimate, while smartphones and tablets might not be secured as comprehensively as laptops and desktop PCs, providing attackers with a useful means of attempting to compromise networks.”
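The display-name problem described above can be checked mechanically by a mail gateway or a triage script before a message ever reaches a phone. The following is an added example, not part of the original article; the address book, the sample messages and the finding labels are all constructed for illustration.

```python
import re
from email import message_from_string, policy

# Constructed address book: display name -> addresses the firm has verified.
KNOWN_CONTACTS = {
    "Jane Doe": {"jane.doe@lawfirm.example"},
    "Acme Title Company": {"closings@acmetitle.example"},
}

# Loose pattern, used only to spot an address typed into the display name.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _norm(name):
    """Case-fold and collapse whitespace so 'JANE  doe' matches 'Jane Doe'."""
    return " ".join(name.casefold().split())


def check_sender(raw_message, known_contacts=KNOWN_CONTACTS):
    """Return a list of findings about the sender headers of one message."""
    # policy.default decodes RFC 2047 encoded display names and exposes
    # parsed addresses instead of raw header strings.
    msg = message_from_string(raw_message, policy=policy.default)
    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return ["NO_FROM_ADDRESS"]

    sender = from_header.addresses[0]
    real_addr = sender.addr_spec.lower()
    shown = sender.display_name or ""  # what a phone's inbox view shows
    findings = []

    # 1. Familiar name, unfamiliar address.
    known = {_norm(n): {a.lower() for a in addrs}
             for n, addrs in known_contacts.items()}
    expected = known.get(_norm(shown))
    if expected is not None and real_addr not in expected:
        findings.append("DISPLAY_NAME_IMPERSONATION")

    # 2. The display name is itself an email address that differs from the
    #    real one, so the reader believes they have seen the address.
    embedded = EMAIL_RE.search(shown)
    if embedded and embedded.group(0).lower() != real_addr:
        findings.append("ADDRESS_IN_DISPLAY_NAME")

    # 3. Replies would go to a different domain than the apparent sender.
    reply_to = msg["Reply-To"]
    if reply_to is not None:
        if any(r.domain.lower() != sender.domain.lower()
               for r in reply_to.addresses):
            findings.append("REPLY_TO_DOMAIN_MISMATCH")

    return findings


# Constructed sample messages (headers, blank line, body).
SAMPLES = {
    "legit": (
        "From: Jane Doe <jane.doe@lawfirm.example>\n"
        "Subject: Draft engagement letter\n\nSee attached.\n"
    ),
    "lookalike": (
        "From: Jane Doe <jane.doe@lawfirrn.example>\n"
        "Subject: Updated wire instructions\n\nPlease use the new account.\n"
    ),
    "address_as_name": (
        'From: "jane.doe@lawfirm.example" <billing@mail-secure.example>\n'
        "Subject: Invoice\n\nPayment is overdue.\n"
    ),
    "reply_redirect": (
        "From: Jane Doe <jane.doe@lawfirm.example>\n"
        "Reply-To: Jane Doe <jane.doe@lawfirm-payments.example>\n"
        "Subject: Quick question\n\nAre you at your desk?\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:16} {check_sender(raw) or 'no findings'}")
```

A finding is a reason to show the full address or hold the message for review, not proof of fraud; a contact writing from a new address will trip the first check until the address book is updated.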

Multiple Attack Vectors Multiply the Problem

Multiple attack vectors make mobile devices particularly vulnerable to phishing attacks. There are a lot of vectors for cybercriminals to exploit on a smartphone. Some of the attack channels include the various social media platforms, messaging apps and plain old SMS text messages. In fact, according to a report from security provider Proofpoint, SMS text phishing (also called smishing) increased by almost 700% in the first half of 2021 as compared to the last six months of 2020.

Some of the more recent smishing campaigns revolve around impersonating delivery companies. This is particularly effective this time of year as we are all anxious about our holiday deliveries in light of the global supply chain issue. Imagine a text message impersonating UPS advising that there is a change in a scheduled delivery with a link prompting for your confirmation of some personal information. The webform that you are sent to is controlled by the cybercriminal and looks exactly like one you are familiar with. Mimicking PayPal and Amazon login pages is a perennial favorite gambit.

Besides impersonating delivery services, expect to see smishing campaigns thanking you for a recent payment to your AT&T or Verizon account or something similar. The messages contain a link for you to “redeem” your special thank you gift by just completing a form. Again, the webform is identical to one you are used to seeing, but it is hosted on a malicious website. Sorry, but no thanks.

We would also suggest avoiding shortened URLs and QR codes. You really don’t have any idea where they are going to send you unless you do a little bit of advanced research and investigation. Employees cheerfully click away.

Defending Those Vulnerable Smartphones

Cybercriminals will continue to target mobile devices as firms continue to embrace a work-from-home environment. To make matters worse, the security of mobile devices is typically left in the hands of the remote user and not the enterprise. That’s another reason to seriously reconsider a BYOD (Bring Your Own Device) strategy and instead issue firm smartphones to end-users.

Train your employees to be particularly vigilant, especially if they use a mobile device to access corporate resources. Don’t reply to suspicious text messages and by no means click on any of the links.

Proofpoint operates the 7726 text message system on behalf of the mobile carriers. To report a suspicious or fraudulent text message, forward it to the short code 7726 (SPAM) so that it can be investigated by your cellular carrier. Just like computers, make sure that your smartphone is up to date and fully patched with the latest software versions. Security firm Lookout reported that “56% of Android users were exposed to nearly three hundred exploitable vulnerabilities by running out-of-date versions of Android OS.” Yikes.

In addition, you should be running some sort of security software on your smartphone (including iPhones) just like you do on your computer. After all, smartphones are really nothing more than small, hand-held computers that happen to be able to make phone calls.

The post Smartphone Phishing Attacks Escalate, Bedeviling Law Firms appeared first on Slaw.

Goat Entrails and Tea Leaves: Predicting the Future of Law Practice


The Battle Royal: Hybrid or Back to the Office?

You might as well resort to reading goat entrails and tea leaves to predict the future of law practice, because it is woefully unclear what law firms will decide. There are two large and outspoken groups, those who believe that we need to get back to the office if we haven’t already and those who believe that some combination of going to the office and working from home is the way to go.

As COVID continues to complicate our lives, most law firms we deal with are opting for the hybrid solution – not all of them enthused about it. Most, but certainly not all, of the law firm managing partners we have spoken with believe that remote working is less productive and that it seriously hurts the law firm culture.

Law firms find remote collaboration more difficult – there is a distinct advantage of having a team in a room with a white board working things out. Engagement via Zoom seems to pale in comparison.

While some lawyers working at home are perfectly content to do so, others worry that not being in the office deprives them of mentoring opportunities and the kind of personal engagement with others that leads to advancement within the firm. It is particularly difficult to train new lawyers.

Clients have had an impact here as well. Some are content that the work gets done no matter where the lawyers are located. Others are demanding office meetings or even traveling to attend meetings with the client.

Many law firms have said that trying to implement a hybrid is more challenging than when they were operating completely remotely, for some of the reasons given above. There is often a sense that some employees are getting more flexibility than others – and that causes unrest. Navigating equity in a remote workforce has proven difficult. In a survey of firm leaders, most said they wanted lawyers back in the office at least three days a week. It is, in a word, complicated.

In late December 2021, Big Law firm Quinn Emanuel made headlines. John Quinn, the firm’s founder, announced that all its lawyers, including those coming right out of law school, can “work from anywhere” – permanently. Is this a progressive move or an impending disaster? We shall see.

In the end, we are still living with uncertainty – at some point, the pandemic will become an endemic (of that the experts are sure), but what does that mean for the future of law practice?

What Does “The Great Resignation” Mean for Law Firms?

We started to hear the moniker “The Great Resignation” in the summer of 2021. In August, 4.3 million Americans quit their jobs; 4.4 million quit their jobs in September. 4.2 million quit their jobs in October. A record 4.5 million Americans quit their jobs in November. Truly mind-blowing numbers.

Why the exodus? Many reasons. Some jumped ship for better wages or better benefits. Some lawyers certainly quit because they didn’t want to go back to the office or at least wanted a hybrid working environment. Not having to commute was a joy for some and others were relieved to have time to care for children or aging parents.

One thing is certain. Everyone suddenly considered their options. They thought about retiring early, rethinking their careers, reshaping their lifestyles, creating better work/life balance, leaving crowded cities – and the list goes on and on.

Millennials between the ages of 30 and 45 in midlevel positions have had the highest increase in resignation rates according to Harvard Business. Seventy-eight percent of millennials, in a Harris Poll conducted on behalf of Personal Capital over the summer, said they were interested in switching their jobs. They are not enamored of the “hustle culture” that law firms, especially large law firms, have nourished for a very long time.

How are law firms reacting? They are paying more money. Signing bonuses suddenly rose to $50,000 or more in larger firms. In Texas, the demand was so intense that some law firms were paying signing bonuses as high as $500,000 to get the most experienced associates from other firms, especially in practice areas such as mergers and acquisitions, capital markets, real estate and complex commercial disputes. The battle for talent has become cannibalistic.

Get Me to the Cloud!

It was remarkable how fast lawyers abandoned their on-premise servers and moved to the cloud. The 2021 attacks on those servers, and the fact that the online version of Exchange was not impacted, were the deciding factor for many.

Microsoft 365 became the default solution for the vast majority of law firms and, with the pandemic law firm closures, we saw increased usage of Microsoft Teams, particularly for internal firm collaboration.

Are there potential hazards for firms using the cloud? Certainly, but the overwhelming consensus is that the cloud providers will secure your law firm data better than you would. Security is integral to cloud providers. It is rarely “top of mind” for law firms.

That doesn’t make clouds bulletproof however. In December of 2021, the potential frailty of the cloud became apparent when Amazon Web Services (AWS), on which so many businesses depend, suffered two outages. This caused disruptions for a number of websites and online applications, including Google, Slack, Disney Plus, Amazon, Venmo, Tinder, iRobot, Coinbase and The Washington Post.

This news understandably made headlines everywhere. AWS said that the outage was caused by “traffic engineering” incorrectly moving “more traffic than expected to parts of the AWS Backbone that affected connectivity to a subset of internet destinations.” More simply, AWS routed too much traffic over one connection. While worrisome, law firms can be sure that Amazon has dissected both outages and taken steps to ensure that the autoscaling capability of AWS, critical to shifting resources when demand requires it, has been analyzed and altered so that erroneous “traffic engineering” is far less likely to be a problem. Still, we have created an extraordinary dependency on AWS and other providers like Microsoft Azure, Google Cloud Platform, IBM Cloud, etc. That dependency can have devastating consequences, however rarely.

Rapid Adoption of Technology by Law Firms

No one doubts that the pandemic spurred quick adoption by law firms of technology. Suddenly, we were all on Zoom or other video conferencing platforms, interacting with clients and participating in virtual court proceedings. Many experts have said that we moved ten years into the future in 10 weeks. While one can quibble with the exact numbers, the advancement has been fast and furious.

Law firms mastered DocuSign and Adobe Sign in a matter of days. The days of “wet signatures” on attorney/client engagement agreements are all but gone. Online intake forms became the norm, not the exception.

We preached for years about the many benefits of electronic payments, but the pandemic pushed law firms who weren’t allowing electronic payments to adopt them – and the benefits became immediately obvious as the mail slowed and the e-payments came in steadily, increasing cash flow and decreasing the time it took to get paid. Online payments could now, by agreement, be automated. For clients who needed to pay in installments, this made legal services more affordable. It was no wonder that Clio CEO Jack Newton said that the launch of its own e-payment technology was the most important product release since Clio itself was launched.

Legal analytics continues to boom. Those analytics can aid in the hiring process by assessing the litigation track records of attorneys and can also identify any conflicts they may have. Is a case wagging its tail or almost certainly a bonanza? Fed the right data, analytics may be able to tell you. The outcome of legal analytics may be shared with clients, who will appreciate the transparency and the collaboration in making decisions with their legal team. Legal analytics was previously the terrain of larger firms, but its use is now widespread – and its value is well established and growing year by year.

The pandemic made many phone systems obsolete. Everything is moving to the cloud including communication services. VoIP phones are taking over the world. Enter UCaaS (Unified Communications as a Service). UCaaS offerings provide robust features to VoIP phones without being married to a physical phone system. With UCaaS, you can use an app on your smartphone to emulate the phone on your desk. You can be working from home with the phone software running on your computer acting just like your desk phone too. Inbound calls ring on your computer phone app, smartphone app or physical desk phone. When you call out, the recipient has no idea you are calling from your smartphone at the grocery store. UCaaS provides communication services with just a network connection. You can speak to your clients from anywhere at any time…assuming you want to.

Small firms should not be spending any technology dollars for perpetual Microsoft Office licenses. Purchasing a subscription for Microsoft 365 is a much better alternative. If you purchase a perpetual license, you only get the features that are available at the time of sale and support is limited to only a few years. The subscription model gets you constant updates (security and bug fixes) and any new features and functionality. No question that the subscription model is the better — and more secure — pathway. The worst of the resistance to the subscription model eroded during the pandemic – we expect close to 100% adoption of Microsoft 365 by the end of 2022.

Our friend Richard Granat has predicted that productized legal services will be “the next big thing,” allowing lawyers to make money while they sleep. Sounds pretty good to us. Here’s his definition of “productized legal services”: “A software application that enables a user to solve a legal problem without the assistance of services of an attorney.” A good example is a DIY interactive legal form that a buyer purchases. Another is an application that analyzes contracts and software apps that do predictive coding as part of e-discovery.

We’ll have to check on that prediction in 2023!

Payment with Cryptocurrency Still on the Horizon for Most Firms

Perkins Coie, Steptoe & Johnson and Quinn Emanuel Urquhart & Sullivan all accept cryptocurrency. But a lot of other firms that you might think would accept cryptocurrency are not. DLA Piper has said that limited demand to make payments by cryptocurrency has meant that it is not worth the trouble to create the infrastructure.

Currently, we are hearing about more smaller firms accepting cryptocurrency, especially in Nevada and Washington, D.C., which have ethical opinions guiding lawyers on the acceptance of cryptocurrency as payment for legal services. Author Nelson has formally requested that the Virginia State Bar issue a legal ethics opinion on that topic. We’ll revisit this topic in 2023 and see if the movement toward acceptance of cryptocurrency has gained momentum.

Will Courts Ever be the Same?

Probably not. Courts adapted rapidly to the pandemic, establishing a structure for remote proceedings and utilizing electronic filing and email correspondence functions with court clerks. The Texas court system had never had a civil hearing via video, but it handled 1.1 million civil and criminal remote proceedings from March 2020 to February 2021.

In our own neck of the woods in Virginia, we watched judges and courts adapt (some more grudgingly than others) to remote appearances and new ways of providing justice. There were fits and starts at the beginning, and plenty of mistakes made, but in the end, justice prevailed, and courts adapted to the pandemic world fairly well. Roadblocks included attorneys and clients without high-speed connections and procedural differences among the judges which caused confusion.

Legal Conferences

This became a big topic at the beginning of 2022. Microsoft and Google pulled out of CES (and CES was very sparsely attended) and we are seeing many a live conference being delayed (Law Week is one example), going virtual or discussing going virtual. In the CLE world, lawyers have learned how great it can be not to consume time driving to a CLE or conference and how convenient it is to attend webinars instead. The authors have discussed this with a number of CLE organizers and they concur that, although there will be some live conferences, there is resistance from those who have simply gotten used to getting their CLE credits at the office or at home without travel or cutting into their billable time.

The networking opportunities are lost but, for many lawyers, that is a small price to pay. Conference organizers have a miserable job these days. Before the recent rise of COVID cases, many were planning live conferences. They are now rethinking those conferences, worried about whether attendees will come or exhibitors will think it worthwhile to exhibit if the number of attendees is lower. More and more, organizers are concluding that they will need to have a virtual component in order to succeed.

Digital Marketing

We were sold on digital marketing before, but never as much as now. Without the ability to network in person, there has been an increased reliance on digital marketing, especially using social media. That trend is very likely to continue. As fishing captains are fond of saying, “You have to fish where the fish are.”

If you want to follow the thinking of one of the leading legal digital marketers, go to https://www.attorneysync.com/about/gyi-tsakalakis/ and subscribe to Gyi’s marketing tips.

It is critical to keep up with the SEO changes that Google has made – and not easy to do on your own.

Also, take note that your website may be dated – and if it is, it is not going to rank well on Google. It may be time for a redo – less language, more white space to accommodate our dwindling attention span, and above all the loading speed that Google ranks so highly. Don’t forget that you need to optimize your website for smartphones – more than half of all the visitors to our website get there through their phones.

Make sure your “calls to action” appear everywhere on your site so that getting in touch with you is easy. Simplify your language. Do you know what “TLDR” means? “Too long, didn’t read.” If you are too wordy, you will lose their attention. Many law firms, caught up in the pandemic, now need to revisit their websites and learn the new rules of the road. We have just redone our own website in accordance with the advice above and are now more highly rated by Google and receiving more inquiries via the website. It wasn’t cheap, but it has already paid for itself in the number of clients that have been acquired through the website. The proof is in the pudding, right?

Laser-focused on Cybersecurity

There continues to be a laser focus on cybersecurity, which is no surprise given that the 2021 ABA Legal Technology Survey Report revealed that 25% of law firms have been breached at some point. Quite an alarming stat. Since the authors frequently are part of data breach investigations, we can assure you that they are calamitous events, especially if law firms don’t have good – and tested – backups that are impervious to attack.

Ransomware continues to be the nightmare of all nightmares. Routinely now, ransomware gangs will take your data and then encrypt the files on your network. If they’ve taken it, you have a data breach and all sorts of ethical duties, including the duty to abide by your state’s data breach notification law – and all states have them. Depending on your state, you may have privacy laws to abide by. And there are a number of federal regulations governing data breaches too.

Avoiding the scourge of ransomware takes money and effort but recovering from a breach takes even more money and effort. Here are some of the best defenses against ransomware which should be part of your 2022 checklist:

  1. Get a good cyber insurance policy.
  2. Maintain, test, and secure backups so they can’t be deleted or encrypted.
  3. Control or disable network services. Stop using Remote Desktop Protocol!
  4. Use an endpoint detection and response solution, which monitors for behavior indicating malicious software or an attacker.
  5. Install patches promptly.
  6. Train and test employees on phishing and other dangerous user behaviors on a regular basis. Have a process for employees to report suspected phishing emails to IT.
  7. Restrict privileged access and deploy a privileged access management solution.
  8. Build decisions about ransomware attacks into your incident response plan.
  9. If you get hit with ransomware, retain a law firm with cybersecurity expertise. The firm will help you retain other experts.
  10. Decide whether you will reimage or fix in place.

By the way, only 36% of law firms currently have an Incident Response Plan (IRP). That’s deplorable – and all of the defenses listed above constitute the “reasonable measures” cited by ethical rules requiring lawyers to be competent and to safeguard the data of their clients. 2022 (and beyond) will undoubtedly see law firms compelled to “up their game” when it comes to cybersecurity.

Remember the words of Benjamin Franklin: “By failing to prepare, you are preparing to fail.”

Another scary stat: ILTA’s 2021 Technology Survey of 454 law firms found that 62% of respondents don’t conduct incident response table-top exercises. Of those that did, only 26% included all their firms’ departments in the exercise. These exercises are very important and allow you to explore variables – perhaps you have a data breach and the managing partner can’t be reached or the electric grid is down. It is instructive to imagine how a change in circumstances may require modification of the IRP.

Zero Trust Architecture (ZTA) is VERY slowly being adopted by some law firms. 2022 is the year to get acquainted with one of the best steps you can take to protect your law firm data.

The National Security Agency has stated, “The Zero Trust security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting critical assets (data) in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, allowing or denying access to resources based on the combination of several contextual factors.”

In other words, trust nothing and constantly verify. It gives new meaning to Ronald Reagan’s words, “Trust, but verify.”

The current security perimeter model is one and done. Once a device or person is trusted, that trust is not re-verified. This means if someone gains access to a user’s credentials, they will be allowed to access the network and data no matter who they really are. Since users and devices regularly move from inside the network to outside, the ZTA approach means that a once-safe device cannot be assumed to still be safe.

Multi-factor authentication (MFA) is slowly becoming accepted by lawyers who find it an infernal nuisance. In this case, lawyers are going to have to sacrifice convenience for security. As Microsoft itself notes, MFA stops 99.9% of Account Takeover Attacks. Not a bad price to pay for something that can keep your account from being compromised by a cybercriminal who now has access to all your contacts, emails, etc.

Note well: Cyberinsurance companies are beginning to require the use of MFA. In fact, insurance applications are much longer and often filled with security questions or requirements. In 2021, rates rose 30-40% while coverage was reduced. Everyone is watching this volatile industry and 2021 may be just the start of paying more for less. All of which means that protecting yourself as well as possible is a smart thing to do.

Cybersecurity should be top-of-mind for all attorneys no matter their firm’s size. Ransomware attacks have escalated at an alarming rate, especially since the beginning of the pandemic when lawyers were working on their insecure home networks. Some reports put ransomware growth at 150% or greater.

Traditional antivirus software is no longer sufficient to protect your computer systems from attack. Yes, you still need to keep your investment in your antivirus/malware applications, but there is another piece of security protection you should be implementing. Firms should be investing in some form of endpoint detection and response, or EDR.

Think of EDR as being the next generation of antivirus and anti-malware. We are seeing it being adopted, but far more slowly than is needed.

EDR is extremely effective in combating ransomware. EDR uses sophisticated techniques such as artificial intelligence, machine learning and heuristics to determine what would be considered normal operations for your computer systems. Activity outside of normal would cause the EDR solution to take action. It might quarantine files, block activity, or even automatically disconnect the computer from the network.

Some EDR solutions work in conjunction with a SOC (security operations center), which adds a human element. Some have rollback ability as well, meaning your computer system can be rolled back to a known good state prior to the ransomware attack. This is invaluable. EDR solutions are generally very affordable, even for the solo attorney. Investing some 2022 technology dollars in an EDR solution is highly recommended.

A Law Firm Opens an Office in the Metaverse – Will Yours?

At the close of 2021, the ABA Journal carried a story about a New Jersey personal injury law firm, Grungo Colarulo, which has opened an office in an online metaverse known as Decentraland. The metaverse has virtual reality, augmented reality video featuring users who “live” within a digital universe. A client or a potential client may interact with a Grungo Colarulo avatar.

Richard Grungo Jr., a founding partner, says “I think that there’s going to be an opportunity to connect, collaborate, transact, perform, argue, advertise and create like never before in history.” He added, “The sooner you get there, the sooner you put boots on the ground and start experimenting, the sooner you can start being effective there.”

Two things struck a nerve with us after our initial skepticism subsided. First, Grungo noted that he has a lot of difficult conversations with personal injury victims. As he says, “I think they may want to be behind an avatar to have that conversation.” We began to see possibilities there. And we’ve just been through a holiday season where we’ve seen our children and grandchildren take to VR like a duck to water. It’s only a step further to the metaverse. A bit of a puzzler is whether law firms will embrace the metaverse, but we wouldn’t bet against a slow growth in experimentation with it.

In late breaking news as we write this article, Californian law firms Falcon Rappaport & Berman and Metaverse Law are also there. Perhaps the growth of law firms in the metaverse will be greater than we initially thought!

What Do the Goat Entrails and Tea Leaves Tell Us?

Perhaps the most telling reading of those entrails and leaves is that the future is uncertain. We cannot clearly see the path forward until COVID is fundamentally defeated, with the pandemic reduced to being endemic. Some look toward a “new normal” and others (like Clio’s Jack Newton) look toward a “better normal.”

One thing we are sure about: Our lawyer friends who long to return to the practice of law as it existed pre-pandemic are not going to get their wish. The practice of law has evolved in so many ways that we will, for the most part, have no alternative to embracing a different way of practicing law.

The post Goat Entrails and Tea Leaves: Predicting the Future of Law Practice appeared first on Slaw.

What Do Women Lawyers Really Want?


Why We Wrote This Article

The President of Sensei Enterprises, co-author Sharon Nelson, is a woman. She is involved with multiple groups and associations of women lawyers. For two years, she has been hearing that women suffered more than men during the pandemic and that they have “lost ground” professionally. So . . . along with her co-authors, who are accustomed to a woman leader, we set out together to learn and report on what has happened to women lawyers in the last couple of years and what they now want for their professional lives.

Life Pre-Pandemic was No Bed of Roses

Everyone has heard of the glass ceilings in many law firms. Some women broke through those ceilings, but the pandemic seemed to slow that trend. Work-life balance suffered. One female attorney reported that she felt guilty about sneaking into the firm elevator to leave at 7 p.m., spending a couple of hours with her children before bedtime and then working until midnight. She was chronically stressed and exhausted – and felt horrendously guilty about not spending more time with her children.

Routinely, women attorneys complained about the “good old boy mentality” which seemed to hinder advancement, the lack of work-life balance and the failure (often) to mentor women.

And then came COVID-19.

The Impact of the Pandemic

As we all know, women lawyers were now spending more time with their children – but there were stressors involved in that too. It was harder to have quiet time while children needed monitoring to make sure they were truly involved in their virtual learning. They needed to be fed, they needed help with homework and there were spats between siblings that had to be sorted out.

Some dads were more helpful than others. In some cases, there was no father in the home. And for many, caregiving for elderly parents or other relatives was a major burden. To do their legal jobs effectively, they were working day and night.

Notoriously, surveys showed that women increased their consumption of alcohol during the pandemic – and also suffered from anxiety, depression, burnout and other mental health problems.

Lean In, a non-profit that focuses on women’s career advancement, partnered with McKinsey & Company and in September 2021 released a study called Women in the Workplace 2020 (not just lawyers). It concluded that COVID had disrupted workplace advancement for women and was potentially “unwinding years of painstaking progress toward gender diversity.”

Two reports worth reading, both supported by the ABA Commission on Women in the Profession, are Walking Out the Door (about women in law firms) and Left Out and Behind (about women of color). Both detail the lack of gender parity in law firms, particularly for black women – and that absence of parity seems to remain in place.

The Return to Work

This too was a struggle for women lawyers – some children were still learning virtually and it wasn’t always easy or financially feasible to have someone caring for the children at home. Both parents and children, used to being with one another all day every day, had to adjust to a new reality. Even when the children went back to school, many parents felt it was safer to take their children to school and pick them up rather than have them ride on a school bus.

And yet, in many law firms, back to work meant work as it was defined pre-pandemic – all day, every day. Though it was never going to be possible to revert to 2019, many law firms seemed to expect exactly that.

To be fair, many law firms tried to adjust to new times and allow hybrid working or flexible hours at work. The transitions and solutions were novel and not without pain, both on the part of the law firms and the women lawyers.

We believe that there was a general consensus that having a hybrid solution at least allowed for more training, mentoring and some measure of the pre-pandemic law firm culture.

Proximity Bias

We hadn’t seen the term “proximity bias” until recently. The truth is that men went back to work faster and more completely than women, who often had extra responsibilities at home.

Without being in the office and having the opportunity to interact with other lawyers, advancement became more difficult. While the law firm may have been allowing women attorneys to work less in the office to care for children or elderly parents, was there an unconscious bias created that negatively impacted the ability of women lawyers to rise within the law firm?

Data from Survey Research Associates has shown 52% of the legal workforce are women, but only 35% of partners are women, and that percentage dropped to 34% in 2021. The conclusion reached by many was that those who went back to the office on a more regular basis, often men, were more likely to be promoted within the firm, creating a “proximity bias.” It does seem natural that there is a greater connection or affinity between those who interact with each other regularly in the office than those who don’t.

It is a curious result of the pandemic that hybrid working, which allowed a better work-life balance for many women lawyers, may have given rise to “old-fashioned gender roles” in some cases. Many women are struggling with the fact that their preferred hybrid working to help with home responsibilities seemed to curtail their likelihood for career advancement.

Have law firms buckled down to address proximity bias? By and large, no.

The End Game: What Women Lawyers Want

The ABA has reported that more than a third of women lawyers are considering going part-time. 53% are thinking the same thing if they have children five years old or younger. The percentage is 41% for those with children between the ages of six to 13.

The most disconcerting stat was that 37% are thinking about quitting.

This potential exodus has law firms worried.

What do women lawyers want from their law firms? Here are some of the things most often mentioned in our research:

  • To feel that law firms are invested in women lawyers and that they have an advancement path within the law firm even if they need flex time or part-time work. Too many have seen “dead-end mommy tracks.”
  • Appropriate compensation
  • Original approaches to teamwork that do not silo them
  • More generous sharing of available work
  • A lessened expectation of bringing in new work
  • A lower billable hour requirement
  • More personal days off
  • Allowing women to take a “time out” and then return to practice
  • Performance evaluations that are realistic for the specific situations that women lawyers face
  • An effective program for mentoring younger women lawyers
  • More professional growth opportunities
  • More resources and policies to support women lawyers with children, including backup childcare, tutoring support and parental support
  • Wellness and mental health programs
  • Enhanced technical and administrative support for remote work

Final words

The list above is long and might seem daunting to those involved in law firm management. And not all women agree on what they want. Many women are concerned that reducing hours will be viewed as a lack of commitment – and therefore hinder their advancement within the firm.

Notably, studies have shown that male managing and senior partners rate their efforts in promoting and retaining women attorneys very highly. Their view was not shared by women attorneys.

Former ABA President Hilarie Bass sums it up nicely. She said, “For the most part, law firms underestimate the impediments women face to be successful in law practice . . . and they overestimate the initiatives they’ve created to try to assist. They think they are doing a lot of things that should make life better for women lawyers, but in fact they underestimate the ongoing challenges.”

Co-author Nelson concludes with a simple “Amen.”

____

Sharon D. Nelson is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA. snelson@senseient.com

John W. Simek is vice president of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity and digital forensics services from their Fairfax, Virginia firm. jsimek@senseient.com.

Michael C. Maschke is the CEO/Director of Cybersecurity and Digital Forensics of Sensei Enterprises, Inc. He is an EnCase Certified Examiner, a Certified Computer Examiner (CCE #744), a Certified Ethical Hacker and an AccessData Certified Examiner. He is also a Certified Information Systems Security Professional. mmaschke@senseient.com.

The post What Do Women Lawyers Really Want? appeared first on Slaw.

Physical Security in a Transformed World


It has been several years since we wrote on the topic of physical security, but it seems like a good topic now that so many law firms are changing how lawyers work. While there are some law firms demanding that all their lawyers return to work, more and more law firms have settled into a hybrid workplace environment. Many cybersecurity topics are sexier, but maintaining physical security is more critical now than ever.

Old-fashioned Physical Security

Pre-pandemic, we thought about conventional physical security (which some law firms still do not have). We had self-locking doors, security cameras, alarm systems, locked file cabinets and locked server rooms. We monitored for water leaks, fires, and unauthorized entry into our law firm.

For a long while, physical security didn’t seem like a big deal. And then came COVID.

The Impact of the Pandemic

In every cybersecurity webinar we give, we have a “See something? Say something!” slide. But for a very long time, we had a dispersed workforce. At the very beginning of the pandemic, most law firms had a skeleton crew. In smaller firms, sometimes only the office manager came to work every day to answer phones, clear voice messages, pick up mail and deposit checks. As we straggled back to work, many stayed home – and that added to a decline in physical security because there weren’t as many eyes on what was happening at the office.

Even that issue was dwarfed by the work-from-home employees, whose networks are 3 ½ times more vulnerable to attack. But to return to physical security, many of those at home had smart devices that might or might not be listening in on confidential calls. We began to see law firms issuing alerts to employees, advising them to turn off smart devices if they were going to engage in a confidential conversation.

Employees were also asked to work in a private room, which was not possible for everyone. Some of those people created an office in a shed, trailer, or other unusual accommodation. There was less physical security with those arrangements. No matter where employees worked from home, computers were not necessarily locked when the employees left the laptop for a few minutes – and files were often left in the open.

Not everyone locks their doors at night (somewhat surprising in these times) and while many have home security systems – including exterior video surveillance – many do not. Many firms haven’t asked about any of this.

Attorneys were sometimes (and sometimes not) asked to wear headphones for confidential conversations, making it impossible to hear more than one side of the conversation.

More policies followed, forbidding that a work device be shared with a spouse or children. And while personal devices were used at first, more and more law firms began to deploy firm-owned devices to replace the use of personal devices – and extending the law firm’s security technology and policies to those devices.

How Good is Your Physical Security?

COVID threw everyone off the rails, but it is time to return to assessing your law firm’s physical security. Many firms never made assessments of home offices. Therefore, many firms will be starting all over again, this time taking the work-from-home folks into account.

Getting a physical security assessment from an expert is the best way to proceed and that should be done right away, especially if attention to physical security lapsed during the pandemic. At this point, many cybersecurity experts have crossed over and are including physical security in their overall cybersecurity assessments. For most law firms, especially the smaller ones, it is more economical to have both assessments done by one party – and you can generally get an expert to “flat fee” the pricing so you can budget for the assessment.

One of our friends tested the security of a law firm client by dressing as a janitor and “catching” the locked door to the building as someone went in using their prox card. He was unchallenged and able to enter a law firm and walk around without being questioned. Two major lessons there – don’t defeat your security by allowing others to “use your credentials” to get in – and be watchful for people you do not know roaming the office.

Famously, some years ago, a woman got in a law firm in much the same way described above. She walked around the law firm without being questioned. She even (unbelievably) sat in on a meeting in the law firm’s conference room. No one asked her who she was. After the meeting, she wandered around the law office stealing money from purses and smartphones. Yes, she was finally caught (she’d done similar things many times) and went to prison, but she remains one of our favorite stories emphasizing the critical nature of law firm physical security!

Final words – Why We Love Our Panic Buttons

No physical security system will be perfect. But you should be able to greatly reduce your risk. Policies, technologies and oversight by your employees are all part of the mix.

Highly recommended are emergency panic buttons that silently send an alarm to your local police department. You do have an alarm system, don’t you? Like so many other people, we have had a potentially dangerous, very drunk and threatening individual show up in our office.

Panic buttons are much more widely in place now in law firms. May you never need to use one, but they certainly can “save the day.”

The post Physical Security in a Transformed World appeared first on Slaw.


The Danger of Unstructured Data in Law Firms


Unstructured Data – A Problem That’s Been Around for a Long Time

Recently, authors Simek and Nelson had the opportunity to talk to guest Peter Baumann on their Legal Talk Network Digital Detectives podcast. Baumann is the CEO and founder of ActiveNav, a leading data privacy and governance software provider.

As far back as 2008, Baumann was observing the exponential growth of data and specifically unstructured data, the data that sits outside of databases. He noted that today, “the best technology, the best doors and locks and alarm systems won’t stop the bad actors getting into your network. I think people understand that now.” Data protection, data privacy, policies and regulations are crucial to employ so that, if your network is compromised, you are prepared by having the data correctly labeled, categorized, and locked down to reduce your threat attack surface.

The truth is you can’t protect the data you don’t know you have.

How is Unstructured Data Different from Structured Data?

If it’s structured, it means that it’s kind of already gone through some sort of filtering, triage and parsing system and it typically sits in some kind of managed structured environment such as a database. Think SQL, think Oracle.

Baumann told us, “If it’s unstructured, I like to call it the wild west, it could be in potentially hundreds, maybe even thousands of different types of repositories from those that we’re very familiar with, like our general office documents in the Microsoft or the Google stacks, through to a multitude of different tools that different organizations will use.” Simply, what’s not in the database is unstructured.

What are the most common examples of unstructured data?

Common unstructured data often consists of text, in many forms including text files and documents, Word documents, email messages (generally considered semi-structured data), text messages, PowerPoint presentations, survey responses, chats, transcripts of call center interactions and posts from blogs and social media.

Other forms of unstructured or semi-structured data types include images, video files, audio files, sensor data, server, website and application logs. Machine data is growing quickly – log files from websites, servers, networks and apps – particularly mobile ones. And have you thought to include data from IoT connected devices?

The percentage of unstructured data has been estimated at 80%. At a recent RSA conference, a renowned analyst said that they had done some recent work which found the percentage was even higher than that.

Just think about the numbers. In a world where data breaches are proliferating at an extraordinary rate, most organizations have 80% plus of their data in an unstructured environment and most of them have no idea what’s in there.

Why is Unstructured Data a Big Threat to Law Firms?

As we’ve established previously, it’s a risk to everyone but it may be more of a risk to law firms because of the nature of the data they are holding, including very sensitive and confidential information. Many times they also hold monies or access to monies.

The bad guys will sniff things out. When you’ve got an arbitrary collection of unstructured data sitting in an email account, or on a file server or chat stream for example, you’ve got no signals or tools to identify and manage that data. You’re at risk. If hackers were to infiltrate the organization’s network, potentially via an unstructured data source, there’s nothing stopping them from getting hold of highly confidential client data files, court filings, contracts, deposition files, etc.

If a breach leads to a significant loss of confidentiality, that’s huge. Trust and data protection are fundamental to the legal industry. Failure to keep data safe might be seen as unethical depending on the security measures taken. There are all sorts of compliance issues, with all the states and territories having data breach notification laws – and there are more and more privacy laws in place. The ultimate horror show is significant reputational damage, which could be devastating.

Why Do Law Firms Often Avoid Dealing with Their Unstructured Data?

Baumann said his flippant answer is that “it’s just too hard.” He added a slightly more nuanced answer, indicating they may not really understand the implications of what might happen and what’s in the unstructured data. Dealing with unstructured data feels daunting. It can be a time-consuming and expensive process to deal with. Because most law firms are generally unaware of the magnitude of the risk, they procrastinate, perhaps not thinking of how expensive and time-consuming a data breach would be.

They struggle with whether to do it now or push it off. They worry that they are not in control even of their structured assets. Some are only just realizing that perimeter protection is not sufficient and they are moving to a Zero Trust Architecture. But if firms ignore unstructured data, they may end up with thousands of potential entry points that attackers can exploit.

The return on investment for successfully dealing with your unstructured data is significant. In the early days, it was all about storage savings. Today, it’s all about risk. Firms are always willing to deal with this post breach. But there may be something else that motivates them to act sooner. Perhaps they are doing a data migration project and they are migrating data to a new cloud. That’s often a good time to look at the data, clean it, label it, etc.

What Tools Should Law Firms be Using to Control Unstructured Data?

Baumann says too many people have had a bad experience with trying to control unstructured data. Maybe they used the wrong tool. Maybe they didn’t even understand that there are tools to help. The key thing is you need tools that are built to do the job, not secondary or tertiary players in the market. You want to use tools that are built for unstructured data, that have been built to have no knowledge of the content and that are built holistically from the ground up.

You don’t want to pass the burden of making decisions about the data to the busy managing partners. Historically, a lot of organizations think that just carrying out a manual survey asking people about their data will suffice. It is an important part of the process, but it doesn’t suffice. Once that survey is complete, it’s out of date the next day. The other problem with surveys is your reliance on human recollection, which is ever and always faulty. So, you must combine those surveys with actual data.

For a listing of the top 15 Data Analysis Tools in 2022, check out this link: https://hevodata.com/learn/data-analysis-tools/.

How Do You Get Buy-in From Law Firms to Put New Restrictive Policies in Place?

You show them their own data. Then you show them the risks they have within their firm. You run the out-of-the-box algorithms and rules, which will very quickly show information that shouldn’t be there: personally identifiable information, non-compliant data, data that violates privacy law. You also show them the data against their existing in-house policies. For instance, Baumann recently talked to a law firm which never had a retention policy on their emails. So, they have an extremely high risk, having 20 years of emails.

If you have a policy that covers five years of emails, you’ve removed an enormous amount of risk by not having to deal with 20 years’ worth of emails.

What Steps Can Law Firms Take Today to Govern Their Unstructured Data?

The first thing is you need a plan. Make sure you’ve got the right executive sponsorship, in other words, the managing partners. Then you get into the nuts and bolts. Do that survey of your people. That’s a very helpful process to go through and most law firms, at least the larger ones, have probably already done it on their structured data, so leverage the same process across your unstructured data.

You need an up-to-date inventory of all your data assets. Once you have those in place, you can leverage the knowledge and experience and methodologies you’ve used already to your structured data and carry those across into the unstructured space.

You will need to bring the right tools in to support this process. That’s going to vary depending on the size of the firm. You need tools to provide an up-to-date inventory of all your unstructured data assets. The inventory must be kept current. Align the inventory with your policies, procedures, and your other methodologies.

You essentially need to start an ongoing process of data remediation, management, and classification as appropriate for your law firm.
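The inventory, retention and PII checks described above can be seen in miniature in the following added example, which is not from the article, the podcast or any vendor's product. The extension lists, the two regular expressions and the sample files are assumptions constructed for illustration; the five-year cutoff is the email policy mentioned earlier.

```python
"""Added example: inventory a file share, flag over-retention email and likely PII."""
import os
import re
import tempfile
import time
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

RETENTION_YEARS = 5                              # five-year email policy from the article
EMAIL_EXTS = {".eml", ".msg", ".pst", ".mbox"}   # assumption: what counts as email
TEXT_EXTS = {".txt", ".eml", ".csv", ".log"}     # assumption: types read as text
MAX_READ = 1_000_000                             # cap on bytes read per file

# Assumed patterns: US SSN layout, and 13-19 digit runs that may be card numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return the sorted list of PII categories seen in text."""
    hits = set()
    if SSN_RE.search(text):
        hits.add("ssn")
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            hits.add("card")
            break
    return sorted(hits)


@dataclass
class Record:
    path: str
    ext: str
    size: int
    age_years: float
    past_retention: bool
    pii: list


def scan(root, now=None):
    """Walk root and return one Record per readable file, sorted by path."""
    root = Path(root)
    now = time.time() if now is None else now
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            ext = full.suffix.lower()
            try:
                st = full.stat()
                pii = []
                if ext in TEXT_EXTS:
                    with open(full, "rb") as fh:
                        pii = find_pii(fh.read(MAX_READ).decode("utf-8", "replace"))
            except OSError:
                continue  # unreadable or vanished file: inventory what we can
            age = (now - st.st_mtime) / (365.25 * 86400)
            records.append(Record(
                path=full.relative_to(root).as_posix(), ext=ext, size=st.st_size,
                age_years=round(age, 1),
                past_retention=ext in EMAIL_EXTS and age > RETENTION_YEARS,
                pii=pii))
    return sorted(records, key=lambda r: r.path)


def summarize(records):
    """Condense the inventory into the figures a managing partner would be shown."""
    return {
        "files": len(records),
        "bytes": sum(r.size for r in records),
        "by_ext": dict(Counter(r.ext for r in records)),
        "past_retention": [r.path for r in records if r.past_retention],
        "with_pii": {r.path: r.pii for r in records if r.pii},
    }


def demo():
    """Build a small constructed file share in a temp dir and inventory it."""
    samples = {  # constructed sample content, not real client data
        "matters/smith/intake_notes.txt": b"Client SSN: 123-45-6789\n",
        "mail/2004_closing.eml": b"Subject: closing\n\nCard 4111 1111 1111 1111\n",
        "mail/last_week.eml": b"Subject: lunch\n\nSee you at noon.\n",
        "scans/exhibit_12.pdf": b"%PDF-1.4 \x00\x01 binary",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in samples.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        old = time.time() - 20 * 365.25 * 86400   # backdate one message 20 years
        os.utime(root / "mail/2004_closing.eml", (old, old))
        return summarize(scan(root))


if __name__ == "__main__":
    print(demo())
```

Because the scan uses file modification times and simple patterns, it is only a first pass: run it on a schedule so the inventory stays current, and treat every hit as a lead for review rather than a classification.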

If your head is spinning, that is the appropriate response. Perhaps the first step is to get expert help and guidance!

The post The Danger of Unstructured Data in Law Firms appeared first on Slaw.

ILTACON 2022: the Legal Tech Conference Roars Back


Not since the pandemic began have we seen a live legal tech conference with more than 3000 people onsite, the third largest ILTACON ever. There was no virtual option. So back they came in droves, clearly pumped up at the thought of seeing one another in person. There were also over 160 exhibitors, a good number of them first time exhibitors.

How Was This ILTACON Different?

Overwhelmingly, attendees were talking about the pandemic and how it forced law firm IT departments to support working from home and major changes to workflows. According to ILTA’s 2022 Technology Survey, cloud adoption was essential to facilitate collaboration for lawyers and staff working remotely. We had the same experience, with virtually all our clients moving to the cloud if they weren’t already there.

And what a triumph the survey revealed for Microsoft Teams. Only 4% of survey respondents were using it in 2020 – that number jumped to 42% in 2022 for unified communications alone. For use in meetings, collaboration and chat, it was even higher. One of the ILTACON sessions had a standing room only crowd attend a panel discussion on Teams, including all that it can do to provide engaging and powerful workspaces while maintaining data security.

The survey also showed that cloud computing is the technology/trend that will create the most significant change in legal tech, followed closely by artificial intelligence.

Legal Tech Issues That Plague Us

Law firms have so much data and so many applications, but they seem clueless about how to compile that data and extract useful lessons with which to develop better ways to run their law firm. There are a lot of vendors in this space, lawyers do not seem to understand what they are buying and many intended implementations never truly get off the ground.

There are so many apps and so many integrations that seem to befuddle law firms. Integration in the cloud may present its own set of problems.

And, after all these years, with storage so cheap, we endlessly store data, much of which is “dark data” which we don’t know we have. There’s a lot of danger in hanging on to that kind of data, but we certainly haven’t solved the problem.

How cheap is it to store data? An Amazon study found that, in 2000, the cost of storing 1 terabyte of data was approximately $17,000 compared to $2.00 in 2020. No wonder we have all become hoarders.

One more issue is training. We don’t know how to utilize fully the technology we have but we bring in new technology all the time. We are lucky if we master 10% of any given technology. We figure out what we MUST do to perform our duties. The value of trainers is vastly underestimated. Yes, they cost money, but it costs firms more if their attorneys and staff don’t know how to use their technology effectively.

Why is Change so Hard for Law Firms?

For starters, lawyers are not keen on change. Many are content to do things as they have always done them. The time to master technology is scant in a lawyer’s life. Managing partners are often not enamored of change, whether due to risks and monies involved – or simply because they dig their heels in whenever change is suggested.

Change involves disruption and it may cost billable hours. The authors can attest to the truth of what some ILTA attendees noted – that a proposal for change is often met by the words “But we’ve always done it this way.”

Even where there is a willingness to change, lawyers are apt to be sucked in by the representations of salespeople as to what their products will do. Vetting vendors is still a challenge for many lawyers. Our own advice is to seek advice from trusted colleagues who are using the technologies that you are evaluating. Certainly don’t go to the references provided by vendors – they are not going to list as a reference an unhappy law firm!

What Were the Buzzwords at ILTACON?

Opinions differed, but the word “mature” came up frequently. Vendors appeared more confident in the products they were offering attendees. Integration (of course) was a constant source of conversation.

APIs (Application Program Interfaces) were a constant buzzword. Because APIs are poorly understood by many lawyers, a definition is in order: an API is a software intermediary that allows two applications to talk to each other. You may not know the definition, but you use APIs every day! Many vendors are using APIs to work with other vendors – so you get more bang for the buck and enhance productivity.

As several attendees noted, lawyers are suffering from platform fatigue, having to constantly switch from one app or window to another. Tech Radar describes platform fatigue this way: “In order to get work done, accurately and punctually, you need to divide your time and attention between different windows, screens, data sources, files, alerts, monitors, programs, etc. There are just too many places to go and too many windows to check, a situation that practically guarantees you are going to miss something.” “Missing something” is a constant worry for lawyers!

So what’s the answer to the problem? Many say “platformization” which fundamentally means building a tech ecosystem, having multiple applications within a single platform. This makes workflow integration easier. APIs, as you can imagine, also address the problem of platform fatigue.

Final Thought

We read a lot of comments by ILTA attendees, but this one, from Edge Marketing CEO Amy Juer, caught the flavor of ILTACON 2022: “During my whirlwind week at ILTACON22, three main themes struck out: Camaraderie cannot be fully duplicated virtually, automation (for big and small tasks) may be overtaking AI as the latest buzzword, and everyone is still struggling with talent retention and hiring.”

Congratulations to the ILTACON 2022 organizers for doing a splendid job – we have rarely seen a conference evoke so much enthusiasm!

The post ILTACON 2022: the Legal Tech Conference Roars Back appeared first on Slaw.

Interview With Clio’s “Lawyer in Residence” Joshua Lenon


Clio’s “Lawyer in Residence”

Delighted to be granted an interview with Clio’s “Lawyer in Residence” Joshua Lenon, co-author Sharon Nelson asked Lenon to describe his duties as his title seemed a bit obscure. He laughed, no doubt having heard this query many times before.

As he described it, he does a veritable hodgepodge of jobs – all of which need a lawyer, but often requiring him to work with different groups. Clio has a wide range of professionals, officers, business development folks, IT and cybersecurity specialists, programmers, trainers, customer support professionals, etc. All of them need the benefit of Lenon’s expertise somewhere along the way.

He offers advice on translating technology into terms that resonate with lawyers, he speaks at lots of conferences, he explains the requirements of HIPAA and state privacy/data breach laws – and importantly, the impact of the ethics rules as they apply to all that Clio (and its customers) do.

The Jump in Business and Revenues

Lenon talked about the large jump that lawyers have seen in the past year. More billable hours are a good thing, but where did they come from? In part, Lenon speculates that the slowness of the courts may have contributed to law firm bottom lines as courts (and court dates) moved slowly, certainly increasing revenues for litigators as cases dragged on, were continued multiple times, etc. Litigation certainly moved at a snail’s pace.

Across the board, it appeared that clients were ready to spend their monies to get business done – and where businesses did well, their lawyers benefitted too.

What About the Current Financial Instability?

Lenon made it clear that the Clio 2022 Legal Trends Report doesn’t have the data to predict the financial future, especially the universal concern about inflation. However, he pointed out that firms have gotten MUCH more organized and innovative since the pandemic, which may allow them to stay in the black even if a serious recession strikes.

One other thing he noted was that the second biggest expense for law firms (after salaries) is office space. And yet here we were (as of October 2022) with only 30-35% of people in the office full time. With more people working from home (still), many firms have reduced their office space, also freeing up some funds.

Mind you, he cautions that there are reasons for time in the office working together, but also points to Clio’s finding that 76% of lawyers want to set their own hours (not that they may necessarily be allowed to do so). The Clio report noted that many more non-lawyers are spending increasing time at home, often with law firm laptops purchased during COVID, which are joined to and protected by the law firm network.

The situation remains fluid. Lenon noted that 1 in 5 lawyers changed jobs during the last year and 9% of lawyers plan to change jobs (as of the time of the survey).

The authors note that there has been a sudden marked slowdown of job changing in the legal sector, particularly in lateral hiring, as the economy has caused more jitters. Which only goes to show you how fast things change in uncertain times.

What Do Clients Want from Lawyers These Days?

As law firms have evolved post-pandemic, there have been many changes that are attractive to clients. The steady rise in the use of client portals continues. Clients love the convenience of those portals. Weekend or evening hours have been adopted by a number of law firms.

What seems most obvious to Lenon is that clients value a good lawyer above all other things, many citing good reviews online as a compelling reason to select a particular lawyer. Good communication with clients is also a priority, but it doesn’t need to be onerous. You can set client expectations by explaining that responses at night or on weekends are not to be expected – this can (and in the authors’ minds should be) communicated in the engagement agreement.

Final Words of Advice

Lenon stressed the continuing need for creativity among law firms. Lawyers must be open to change, seeking to innovate to meet new challenges, particularly as they strive to attract new clients and keep current clients. Inspiration, he says, is key.

His parting words of advice as the interview ended came from Louis Pasteur: “Fortune favors the prepared mind.” We concur – and thank Clio’s “Lawyer in Residence” for taking the time to do the interview. We’re looking forward to ClioCon 2023 already!

The post Interview With Clio’s “Lawyer in Residence” Joshua Lenon appeared first on Slaw.

Digital Detoxing: A Lawyer’s Best Friend


The Authors Are Detox Veterans

While that heading might seem a little silly, it is absolutely true that fighting digital addiction is a true battle. It took us a long time to realize how deep our addiction was – and winning our battle against the “drug-like” compulsion to be online was not an easy victory.

So . . . if you know you need a digital detox, we hope that what follows will be useful to you. And take heart, there are many of us who have now graduated from addiction to a MUCH healthier way of living!

The History of the Legal Profession’s Focus on Lawyer Well-Being

A brief history is useful on this topic. We’ve talked about lawyer wellness for a very long time, but the first giant wave that got dead serious about lawyer well-being was the ABA’s 2017 report “The Path to Lawyer Well-Being.” After all this time, it’s still a good read – and of course lawyer well-being encompasses far more than digital detoxing.

In our own state of Virginia, we added “Comment 7” to our version of ethical rule 1.1 (Competence). The comment states: “A lawyer’s mental, emotional, and physical well-being impacts the lawyer’s ability to represent clients and to make responsible choices in the practice of law. Maintaining the mental, emotional, and physical ability necessary for the representation of a client is an important aspect of maintaining competence to practice law.”

Amen. The Virginia State Bar also issued a report in May of 2019 entitled: “Proactive Wellness: How to Identify, Understand, and Mitigate Lawyers’ Occupational Risks.” Author Nelson had the privilege of serving on the Virginia State Bar Special Committee on Lawyer Well-Being which authored the report. Her particular emphasis was on – you guessed it – digital addiction and digital detoxing. That report (and many like it across the country) are well worth reading.

Virginia issued an updated report in June 2022 entitled “The Occupational Risks of the Practice of Law.” Since we all solve problems by learning about the genesis of the problems and proven techniques for conquering the problems, the three resources above are a good place to start. Undoubtedly, your own state bar has many resources of its own.

The Smartphone: A Ball and Chain

Increasingly, we are tied to our smartphones. You have only to drive to work to see a scary number of people, lawyers included, driving while texting. We live in a world where research shows that one‑third of us are trying (not very successfully) to cut back on screen time. Our self‑assessment tends to be that we are “burned out.”

Do you remember the terms “digital immigrants” – those who had no computers/smartphones in their youth and “digital natives” – those who can’t remember a day without them? Statistics show that the “digital natives” have a rougher time detoxing. The statistics indicate that 47% of lawyers detox “sometimes.” But lawyers under the age of 40 are much less likely to detox. In fact, 76% never or seldom detox. So . . . the younger you are, the greater your addiction to smartphones (which may extend of course to laptops/computers).

Overall, depending on the study you read, 20-40% of lawyers have a digital addiction problem. Our own experience with our lawyer friends suggests that the percentage may be closer to 40%.

Do We Need to Distance Ourselves from Our Smartphones?

We think the answer is a resounding yes! Studies have shown that we check our phones an astonishing 47 times a day. And 2/3 of us check our phones within 15 minutes of getting up. Half of lawyers sleep with their phone on their nightstand – or even in their beds!

Overall, more than half of our waking hours are spent staring at some sort of screen.

That brings us to the “3 Cs” Defining Addiction.

  • Control – we cannot control our use of our computers or phones
  • Compulsion – we are preoccupied with technology to the exclusion of many other parts of life
  • Consequences – we continue our fervent use of technology in spite of negative social, physical and mental consequences

If the “3 Cs” are reflective of your life, perhaps it’s time for a change.

Symptoms of Digital Addiction (Many are Similar to Symptoms of Alcohol/Drug Addiction)

Let’s just make a list – no one will fit all, but if you see yourself in some, it should hit home.

  • Loneliness or isolation
  • Sleep disruption
  • Inability to concentrate
  • Headaches
  • Feelings of being overwhelmed
  • Anxiety, sometimes panic
  • Stress
  • Depression
  • Burning eyes
  • Exhaustion
  • Inferior legal work product
  • Poor time management
  • Sore neck, back pain, etc.

How Do You Find Help?

Virtually every state has the equivalent of the Virginia Judges & Lawyers Assistance Program. These programs are wonderful resources, particularly if your addiction has become so serious that your health and/or your work are badly impacted.

The wonderful part of such programs is that they are confidential. These assistance programs don’t share information with the disciplinary folks so you can be candid about what’s wrong without being apprehensive about being disciplined by the bar.

The folks who staff the programs are familiar with the issues you are facing and have concrete suggestions for helping you unchain yourself from your addiction.

If you simply search online for “Digital Detox Retreats”, you’ll be overwhelmed. These retreats are now global! “Disconnect to reconnect” is an often used phrase – and it’s apt – we do indeed need to disconnect to reconnect – with family, friends, nature, and so much more.

Even your phone can be your friend. Two of the best things you can do to disconnect involve using the software already on your phone to manage screen time. If you have an Android phone, go to “Settings . . . Digital Wellbeing” and set your time for work time or “me time.” If you have an iPhone, go to “Settings . . . Screen Time” and set time limits for all your apps – while you are there, schedule downtime!

Tips for Digital Detoxing Success!

Make a plan and stick to it. Rome was not built in a day and you won’t detox in a day. Wean yourself off the phone gradually. Give clients notice – an “away message” is a great help for emails, so (for instance), a client who sends an email after hours on Friday may receive a reply that you will respond to emails on a Monday. Most of us already use “away messages” when we go out of town, but why not use them simply to let clients know when they will hear back? Colleagues will receive the same message – you may want (or need) to have a method for them to contact you in an emergency (e.g., via text).

Delete time-sucking apps – you know which ones suck all your time!!! At one presentation we gave, a judge stopped listening to us once he heard this tip and he deleted 84 apps from his phone on the spot. We got a wonderful note later from the judge telling us what a difference those deletions had made in his life. The “cure” can be different for different people, that’s for sure!

In a world where we get an average of 60-80 notifications per day, get rid of push notifications (anything you can see, hear or feel) so your train of thought is not continuously interrupted. For Androids and iPhones, just go to “Settings/Notifications” to make this happen.

Law Firms Have an Obligation to Help Lawyers Succeed in Digital Detoxing

Increasingly, law firms are noting that digital addiction is a problem for their lawyers – especially where the law firms themselves mandate employee online access. We are beginning to see law firms have guidelines for availability at night or during weekends – tiny steps today, but we hope they will grow as law firms appreciate the role they can play in nurturing lawyer wellness.

Final Words of Encouragement

Chinese philosopher Lao-Tzu said long ago, “A journey of a thousand miles begins with a single step.” Take that single step today and then keep on taking your journey away from digital addiction step by step.

We did exactly that – and it made all the difference in the world.

The post Digital Detoxing: A Lawyer’s Best Friend appeared first on Slaw.

Law Firms Cringe, but Bow to the Need for Zero Trust Architecture


Zero Trust Architecture simplified

Lawyers have a “deer in the headlights” look whenever we talk about Zero Trust Architecture (ZTA) – and we do understand that look. ZTA is complicated and often causes your eyes to glaze over about two minutes after we bring ZTA into the conversation.

Let’s keep it as simple as a complicated subject can be.

Zero Trust Architecture (ZTA) is not a product you can buy in a store or online. It is a security model presented in 2003 by the Jericho Forum, although the term “zero trust” dates back to 1994. The zero trust model surfaced in 2010 but would take almost a decade to become prevalent. Our old models assumed that users and devices within a network could be trusted and given access to resources based on their location or other factors.

ZTA is different. It assumes that all users, devices, applications, etc. are potentially compromised and must be validated before they are granted any access to a network. And periodically, they must be re-evaluated.

In essence, ZTA creates a security perimeter around each user, device or application – rather than a perimeter around the entire network. Now you have more granular control over access to resources. The perimeter security model doesn’t work as more and more firms move to a hybrid work environment or even complete remote access. ZTA drills down to smaller objects and is well suited for a mobile workforce. What does that mean to your firm? You stand a MUCH greater chance of defending against cyberattacks – and of limiting the damage that an attack may cause. Now that’s a goal worthy of effort and money.

What steps do you need to take to implement ZTA?

There are a lot of steps to take, but here are the basics.

  • Identify all users, devices and applications that need to have access to resources on your network.
  • Verify the identity of each user, device and application prior to granting access. How do you do this? You use multi-factor authentication, device profiling and a long list of other methods.
  • Limit access to the resources that are necessary to perform particular functions, using access controls and role-based access.
  • Monitor (24X7) activity on the network so that you can be alerted to any suspicious activity. Use advanced analytics and machine learning.
  • Encrypt all data at rest and in transit to ensure there is no unauthorized access.
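To make the steps above concrete, here is an added example (not from the original article and not any vendor's product) of the per-request decision a zero trust policy engine makes. The user names, device IDs, roles, resource names and the eight-hour re-verification interval are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Step 1 (identify): constructed inventory of users and firm-managed devices.
KNOWN_USERS = {"asmith": "litigation-paralegal", "bjones": "billing-clerk"}
MANAGED_DEVICES = {
    "LT-0142": {"disk_encrypted": True, "patched": True},
    "LT-0177": {"disk_encrypted": False, "patched": True},
}

# Step 3 (limit): each role reaches only the resources its job needs.
ROLE_RESOURCES = {
    "litigation-paralegal": {"matters/litigation"},
    "billing-clerk": {"billing"},
}

# Assumed interval after which identity must be validated again.
REVALIDATE_AFTER = timedelta(hours=8)


@dataclass
class AccessRequest:
    user: str
    device_id: str
    resource: str
    mfa_passed: bool
    last_verified: datetime
    source_network: str  # logged only; being "in the office" earns no trust


def decide(req, now, audit_log):
    """Return (allowed, reason) for one request and record it for monitoring."""
    role = KNOWN_USERS.get(req.user)
    device = MANAGED_DEVICES.get(req.device_id)
    if role is None:
        verdict = (False, "unknown user")
    elif device is None:
        verdict = (False, "unmanaged device")
    elif not req.mfa_passed:
        # Step 2 (verify): no multi-factor authentication, no access.
        verdict = (False, "multi-factor authentication required")
    elif not (device["disk_encrypted"] and device["patched"]):
        # Step 5 (encrypt): an unencrypted laptop cannot hold client data.
        verdict = (False, "device fails posture check")
    elif now - req.last_verified > REVALIDATE_AFTER:
        verdict = (False, "re-verification required")
    elif req.resource not in ROLE_RESOURCES.get(role, set()):
        verdict = (False, "resource not permitted for role")
    else:
        verdict = (True, "allowed")
    # Step 4 (monitor): every decision, allowed or denied, is logged.
    audit_log.append({
        "time": now.isoformat(),
        "user": req.user,
        "device": req.device_id,
        "resource": req.resource,
        "network": req.source_network,
        "allowed": verdict[0],
        "reason": verdict[1],
    })
    return verdict
```

Note that `source_network` never appears in a decision branch: a request from inside the office on an unmanaged device is denied exactly as it would be from a coffee shop, which is the difference from perimeter security.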

Why is it so important that law firms implement ZTA?

As all lawyers should know, their firms are one-stop shopping for cybercriminals. Break into a normal company and you (mostly) get data about that company. Break into a law firm and you’ve got data about a lot of people, companies, organizations and often, governmental entities.

Much of the data may be deeply confidential (medical data, financial data and intellectual property, etc.) and law firms have an ethical duty to protect that data. In the event of a data breach, there could be major legal and reputational consequences. With perimeter security being a broken model, there is really no choice but to move to ZTA. To be ethically competent with the technology we use, there is no other pathway.

At this point in time, law firms are connecting to their network and cloud services from many different locations – and the people connecting may be clients, employees and third-party vendors. All of this necessarily increases the risk of unauthorized access.

ZTA can help truly secure law firm data, hardening the firm’s overall security defenses. It helps firms meet compliance and ethical requirements – and it sure as heck demonstrates to clients that the firm takes the protection of client data very seriously!

Ethics and ZTA

When we lecture, we are often asked if ethical rules require that law firms adopt ZTA. Explicitly? No. But they do require that lawyers take “reasonable” measures to safeguard client data. Both the duties of competence and confidentiality require that. Very soon, within the next couple of years, no one is going to question that ZTA is “reasonable” and must be implemented. Better to start down that path now and be prepared.

Failure to move to ZTA may well, one day in the near future, be construed as failing to take reasonable measures to protect client data from unauthorized access or disclosure – and that might lead to disciplinary action or legal liability. And, as we note below, clients and cyberinsurance companies may require the implementation of ZTA.

OK, you’re sold. So how much will it cost to implement ZTA?

Boy oh boy, do we wish there was an easy answer to that question. Obviously, a lot will have to do with the size of the law firm. Some firms need a greater level of security because of the data they hold. Some firms have a very complicated IT infrastructure, others (especially the smaller law firms) do not.

You will have hardware and software costs for sure, including such things as firewalls, intrusion detection systems and access control solutions.

Configuration and integration costs will be incurred as you integrate ZTA into your existing IT infrastructure. The bigger your firm, the more that will cost.

You’ll need to budget for training. Employees need to understand ZTA and be comfortable using the tools that come with it. They need to get used to access controls, multi-factor authentication and other security practices. Though the training is essential, it is unlikely to be a big cost for a smaller firm.

Maintenance and monitoring costs are also a factor. There will be ongoing updates, maintenance and monitoring on a 7X24X365 basis, with alerts likely going to a human-staffed Security Operations Center (SOC). Not to worry. There are affordable outsourced solutions available to implement a lot of the Zero Trust Architecture, even for small firms.

Overall, a small firm is looking at thousands of dollars, but likely not tens of thousands of dollars. The price tag goes up the bigger you are. As you groan about the price tag, bear in mind the much larger costs associated with a data breach. That may make your ZTA budget seem a little more palatable.

Still not persuaded? Need to understand why perimeter security won’t protect you?

We’re not surprised that we have to go over this ground again and again with clients. Perimeter security worked and worked well for a very long time. But with the prevalence of cloud computing, mobile devices and remote working, its effectiveness has eroded. Without a traditional perimeter, it becomes increasingly difficult to control access to data. It becomes easier for a cyberattack to succeed – and not by a little but by a lot.

Cybercriminals spend a LOT of time using techniques which will overcome a perimeter defense. These techniques include phishing (the big kahuna), social engineering and malware designed to defeat perimeter security. There are a lot of techniques – it takes us an hour to go through them all when we do a one hour lecture so forgive us for simply touching on the highlights.

Remember that it takes just ONE compromised VPN connection to pierce your perimeter security wall. And once inside the perimeter, the cybercriminals can move laterally through your network and do a world of damage, including deletion of backups and massive exfiltration of confidential data. ZTA is the inevitable upgrade you need.

Are cyberinsurance companies beginning to insist on ZTA?

Yup, they sure are. They may not explicitly demand it (yet) or even use ZTA terminology, but they are on the way to doing so. They certainly encourage all moves toward ZTA and premiums will be less the more you take steps to implement ZTA.

Today, insurers want to see multi-factor authentication. No ifs, ands, or buts about that. They also want clients in the cloud, where they are safer. They often require that you have technology which monitors for a data breach. They want all laptops used for work to be owned by and protected by the law firm – no access by personal devices. They want encryption everywhere too.

The list goes on and on – but you get the idea. Every new requirement is moving the insured closer to true ZTA. Expect that trend to continue. And if you don’t do what they want, they may deny coverage altogether or limit the amount of coverage. Every time we sit down with a client to go over a cyberinsurance application, there is much gnashing of teeth by the client.

Are clients beginning to insist on ZTA?

Absolutely. The larger the client, the more they are likely to require cybersecurity assurances from their law firm(s). Even less sophisticated clients are beginning to ask questions and demand cybersecurity assurances from their law firm.

In a world where clients hear about data breaches daily, it is no wonder that they are not only looking at their own internal security but that of their law firms. Law firms, especially the smaller firms, are not noted for first class security. In March 2023, a single cybersecurity company reported that it had dealt with data breaches at six law firms (not identified by name) in just the first two months of 2023. Imagine how many law firm breaches were dealt with by all cybersecurity firms in the same time period.

Clients are currently dictating that certain security measures be followed – and larger clients may be requiring that ZTA be implemented. In some industries – healthcare and finance are good examples – there are regulatory requirements that the client AND the law firm may be bound by.

One more thought re: ZTA for law firms: Firms which implement ZTA are becoming more attractive to clients. That’s something to think about as part of your marketing and client retention strategy.

If your head hurts from reading this article, a good resource is Microsoft’s Zero Trust Guidance Center which may be found at https://learn.microsoft.com/en-us/security/zero-trust/

Final words:

We’ll note one last time that “perimeter security” is dead. That’s what makes ZTA so urgently needed. So, if you choose to turn a blind eye to ZTA, remember the words of Benjamin Franklin: “By failing to prepare, you are preparing to fail.”

The post Law Firms Cringe, but Bow to the Need for Zero Trust Architecture appeared first on Slaw.

Law Firm Employees Allegedly Misbehaving Make Headlines


You don’t have to go back far in history to read about the many misbehaviors of law firm employees. Whether the media stories concern the alleged actions of partners, associates or support personnel, there is plenty of fodder to make law firms rethink their hiring practices and firm culture to keep the firm name out of the headlines. Unfortunately, they aren’t always successful in achieving that goal. While we don’t have first-hand knowledge of the details, there are several examples of alleged misbehavior that we can learn from.

Data theft

One major risk for law firms is the theft of data by current and/or ex-employees. Typically, that means client confidential data associated with a legal matter and/or client contact information. In other words, data that can be used to take the business to another law firm or assist in the starting of a new firm.

Jonathan O’Brien, the former chief operating officer for Proskauer Rose, is accused of stealing sensitive internal information. According to the lawsuit, O’Brien is alleged to have tricked firm employees into allowing him to copy 34 gigabytes of client and compensation data prior to his giving notice of leaving the firm. O’Brien has denied the firm’s claims that he intended to take the data to another employer. He said that the data was needed to allow him to work during his two-week vacation to Mauritius.

In another case, Littler Mendelson sued ex-associate, Uliana Kozeychuk, for uploading more than 7,900 documents to an external Dropbox account, which included proprietary firm and client confidential data. Bloomberg Law reported that Kozeychuk said in an interview, “They know that I didn’t take any documents and they did it as a smear campaign to silence me and make sure that nobody believes me when I finally get around to speaking about them.”

Abuse of client assets

Inappropriate activity isn’t restricted only to firm data. Lawyers are also entrusted with client assets. A former Miami Beach law firm employee, Susan Rolle, is accused of stealing from an elderly woman under the guardianship of the Kahn & Kahn law firm. The former employee allegedly used a client’s credit card to rack up close to $600 of charges at Publix, Victoria’s Secret, McDonald’s, Family Dollar and Walmart. In addition, she is accused of writing herself a $5,290 check from the client’s trust account.

Another example involves a former paralegal, Betty Louise Sutton, at Saul Ewing Arnstein & Lehr in Chicago. Sutton is alleged to have transferred bankruptcy funds in excess of $600,000 for creditors to a different account that she controlled. Prosecutors allege that a credit card account, mortgage account, student loan account, personal bank account and a PayPal account she created were used to receive the transferred funds.

Document falsification

You would think that a lawyer’s involvement in the falsification of documents would be related to the representation of their clients and not the activity of the lawyer themselves. Our next example of misbehavior comes from the state of Illinois. As reported by the ABA Journal, attorney James Thomas Rollins agreed to make a $100,000 capital contribution in exchange for ownership in an asbestos-defense firm along with three other lawyers. The contribution would be adjusted for any startup expenses he paid.

Apparently, he submitted false invoices for $81,000 to represent startup expenses when the actual expenses were only $18,000. In other words, he tried to cheat the firm out of $63,000. When challenged, he submitted phony bank statements and fake checks. Not a good idea to take a bad action and dig a deeper hole. An Illinois review board recommended a five-month suspension.

BEC victim

According to the FBI’s 2023 Internet Crime Report, Business Email Compromise (BEC) was responsible for $2.7 billion in financial loss for 2022. Lawyers, especially those handling wire transfers of funds, are at significant risk of being targeted in a BEC attack. A lawsuit filed in Connecticut Superior Court on April 24, 2023 by Lesley Moody said the title to her recently purchased home is encumbered by the seller’s mortgage as a result of a Connecticut lawyer sending part of the proceeds to the wrong bank account.

Allegedly, the seller’s lawyer, William Cote, wired over $159,000 to a fraudster’s bank account after receiving phony payoff instructions. In a classic BEC scheme, apparently, his paralegal received an email from someone claiming to be the seller with a change in wiring instructions. The funds were transferred to the wrong account instead of being paid to Freedom Mortgage Corp. as should have occurred.

Solutions

While the above examples are unfortunate experiences for law firms, there are some things you can do to stop or limit misbehaviors. One of the first things that comes to mind is the concept of “least privilege.” Users should only have access to information needed to do their jobs. You can also implement technology that monitors data access and logs activities. As a minimum, your firm should have written policies for acceptable practices. This would include policies for internet usage, remote access, social media policy, privacy policy, acceptable computer usage, BYOD, etc. As a bonus, policies don’t cost you anything except the time to develop them.

Watching the money should also be at the top of your concerns. Your office procedures should have a process of checks and balances to reconcile the firm financials. It’s not just about balancing a checkbook every month, but client funds in a trust account should be reconciled at least monthly with that reconciliation being verified by a second person.

You should also have a procedure for verifying that a money transfer request is valid. Don’t count on instructions in an email. Make sure you call the person authorizing the wire transfer at a phone number known to you to be good. You may also consider having a code word for verification of wire transfers that periodically changes. In addition, you should be performing security awareness training, at least annually, to educate employees in secure practices and recognition of the latest phishing, smishing and similar attacks. If you haven’t seen it already, your cyberinsurance carrier will likely require periodic security awareness training and a written procedure for validating wire transfers.
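The verification procedure above can be written down as a release gate that staff or a payments workflow applies before any wire goes out. This is an added example, not part of the original article; the payee name, phone numbers and account identifiers are constructed, and treating the code word as mandatory whenever banking details change is an assumed firm policy.

```python
import re
from dataclasses import dataclass
from typing import Optional


def normalize_phone(raw: str) -> str:
    """Reduce a phone number to digits and drop a leading US country code."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


@dataclass
class PayeeRecord:
    """Details the firm collected out of band, before any wire request."""
    phone_on_file: str
    account_on_file: Optional[str] = None


@dataclass
class WireRequest:
    payee: str
    account: str
    amount: float
    received_via: str                      # "email", "portal", "in_person"
    callback_number: Optional[str] = None  # the number staff actually dialed
    callback_confirmed: bool = False       # payee confirmed the details by voice
    code_word_ok: bool = False             # current code word was given


# Constructed record for the example.
RECORDS = {
    "Example Mortgage Servicer": PayeeRecord("555-010-0199", "ACCT-1111"),
}


def review_wire(req, records):
    """Return (release, holds); the wire is released only with no holds."""
    record = records.get(req.payee)
    if record is None:
        return False, ["payee has no record on file"]
    holds = []
    if req.callback_number is None:
        holds.append("no callback performed")
    elif normalize_phone(req.callback_number) != normalize_phone(record.phone_on_file):
        # A number taken from the requesting email proves nothing.
        holds.append("callback went to a number that is not on file")
    elif not req.callback_confirmed:
        holds.append("payee did not confirm the instructions on the callback")
    changed = (record.account_on_file is not None
               and req.account != record.account_on_file)
    if changed and not req.code_word_ok:
        # Assumed policy: changed banking details also need the code word.
        holds.append("account differs from the one on file and code word not verified")
    return (not holds), holds
```

An emailed change of wiring instructions therefore stays on hold until someone has dialed the number already on file, however convincing the email and the phone number in its signature look.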

You are particularly at risk when an employee leaves the firm, whether on good terms or not. According to the 2023 Insider Risk Investigations Report from DTEX Systems, there was a 35% increase in data theft incidents caused by employees leaving a company. On top of that, 12% of employees took sensitive IP (sales contracts, customer data, health records, employee data, etc.) when they left.

What can you do about the potential theft of firm data? You can start by banning the usage of non-firm approved devices. In addition, you should have an employee termination checklist. Don’t forget to disable the departing employee’s user access to the firm network and any third-party services the firm uses. Make the employee sign a statement that they have surrendered all firm assets and no longer possess any firm data.

Think your employees aren’t misbehaving? You might be right – or you might be wrong. Better to be prepared!

The post Law Firm Employees Allegedly Misbehaving Make Headlines appeared first on Slaw.

Lawyers Become Poster Children for Failure to Verify ChatGPT Information


When Everyone in the Legal World Knows Your Name

We are sure that New York lawyers Steven Schwartz and Peter LoDuca are not especially happy to have become famous by way of failing to vet the accuracy of ChatGPT, which made up cases and citations that became a part of the brief they submitted to New York Federal Judge P. Kevin Castel.

The lawyers’ client, Roberto Mata, sued the airline Avianca, claiming he was injured when a metal serving cart struck his knee on a flight to Kennedy International Airport in 2019.

When Avianca requested that Judge Castel toss out the case, Mr. Mata’s lawyers objected, submitting a 10-page brief that cited more than half a dozen relevant court decisions, including Martinez v. Delta Air Lines, Zicherman v. Korean Air Lines and Varghese v. China Southern Airlines.

The airline’s lawyers and the judge were unable to find the referenced decisions or the quotations cited and summarized in the brief.

We know you can guess what happened. ChatGPT made it all up.

The “Schwartz Defense”

Schwartz, a lawyer with Levidow, Levidow & Oberman, threw himself on the mercy of the court, explaining in an affidavit that he had used the artificial intelligence program to do his legal research — “a source that has revealed itself to be unreliable.”

Mr. Schwartz told Judge Castel that he had no intent to deceive the court or the airline. He said that he had never used ChatGPT, and “therefore was unaware of the possibility that its content could be false.” So much for the ethical duty of competence with technology.

Schwartz told Judge Castel that he had asked ChatGPT to verify that the cases were real – and it replied that it had.

We wondered how it was possible that he knew he needed verification but didn’t understand that verification could not come from ChatGPT itself?

Ask a liar whether it’s telling the truth? Sounds like a bad idea to us . . .

Judge Castel said in an order that he had been presented with “an unprecedented circumstance,” a legal submission full of “bogus judicial decisions, with bogus quotes and bogus internal citations.” The judge set a hearing for June 8 to discuss potential sanctions.

Reports of the hearing made it sound excruciatingly painful for the lawyers. In fairness, lawyer Peter LoDuca, though his name appeared on the brief, did not conduct any of the research in question. Mr. LoDuca said in an affidavit that he had “no reason to doubt the sincerity” of Mr. Schwartz’s work or the authenticity of the opinions.

Mr. Schwartz said that he had used ChatGPT “to supplement” his own work and that, “in consultation” with it, found and cited the half-dozen nonexistent cases. He said ChatGPT had assured him that Varghese was a real case. He submitted a copy of the exchange with ChatGPT to the court.

He asked for a source and ChatGPT gave him a legal citation.

He asked the AI if other cases the chatbot had provided were fake.

ChatGPT replied, “No, the other cases I provided are real and can be found in reputable legal databases.”

Moral of the story: Never ask a liar if he’s telling the truth.

The Judge Sanctioned the Two Lawyers on June 22

The judge ordered the two attorneys and their law firm to pay a $5,000 fine in total. The attorneys and their law firm were ordered to notify each judge falsely identified as the author of the fake case rulings about the sanction. At least ChatGPT referenced real judges. The judge said he might have been more lenient if the lawyers hadn’t “continued to stand by the fake opinions after judicial orders called their existence into question.”

In his order, the judge wrote, “Technological advances are commonplace and there is nothing inherently improper about using a reliable artificial intelligence tool for assistance. But existing rules impose a gatekeeping role on attorneys to ensure the accuracy of their filings.”

What ChatGPT Itself Advises

ChatGPT simply made things up. It is not alone in hallucinating – every generative AI we are aware of suffers from similar hallucinations. The authors spend considerable time warning lawyers attending our artificial intelligence webinars to validate everything that ChatGPT and other AI products produce. This story will now become a permanent and prominent part of the popular CLE that we dubbed: “The Rise of AI in the Legal Profession: Lawyers Brace for Impact.”

Ironically, ChatGPT suggested that title.

With all the hoo-ha and so many articles written about this incident, we decided to have a chat with the AI itself. Curiously, Mr. Schwartz never thought to do something so logical.

We asked ChatGPT, “If a lawyer uses Chat GPT to write a brief, including citations, what resources should the lawyer use to validate that the cases are real and the citations are correct?”

The AI suggested using reliable legal databases such as Westlaw, LexisNexis or Bloomberg Law. The full answer is too long to include here, but there was more helpful advice as well.

We asked why Google Scholar was not included as an alternative to paid legal databases.

We were impressed by its reply, which included an apology as well as practical steps for using Google Scholar to verify cases and citations.

We particularly liked the first part of ChatGPT’s extensive answer.

“Apologies for not including Google Scholar in my previous response. Google Scholar is indeed a valuable resource that lawyers can use to verify cases and citations, especially when they don’t have access to paid legal databases. Google Scholar provides access to a vast collection of legal opinions, court decisions, law journals, and scholarly articles. While it may not be as comprehensive or specialized as paid legal databases, it can still serve as a useful tool for lawyers on a limited budget.”

Nicely nuanced – paid legal databases are better, but for a solo or very small firm, it acknowledged that Google Scholar might be a reasonable resource. Well done. It even added, “Thank you for pointing out the importance of free resources, and I apologize for any oversight.”

Final Words

Other attorneys, including author Nelson, have had experience with ChatGPT citing non-existent cases, articles, books and invalid hyperlinks. As one leading law firm has advised its attorneys sternly, when using AI, “You must validate everything coming out of the system. You have to check everything.”

This highly publicized misadventure will certainly be a poster child for that advice.

The post Lawyers Become Poster Children for Failure to Verify ChatGPT Information appeared first on Slaw.


Cyberinsurance: More Expensive, Less Coverage


Cyberinsurance Sticker Shock

We’ve been watching cyberinsurance get more and more expensive over the years. In the wake of the extraordinary number of data breaches in 2023 (both small and large organizations), it is perhaps no wonder that respondents to a recent survey reported an increase in insurance rates of 50-100% upon initial application or renewal.

Ouch. You must also prepare yourself for an ordeal of six months or more to obtain or renew cyberinsurance.

The August 2023 report from Delinea caused a lot of eyebrows to go up. Almost 80% of survey respondents have used their cyber insurance policy. Half of them needed to use it multiple times. That’s more than a little blip!

Cyberinsurers Slash Coverage

Slashing coverage was rare a few years ago, but now you need to read the fine print carefully, something which many lawyers are not doing. What could void your coverage?

  • Lack of adequate security protocols (43%)
  • Human error (38%)
  • Acts of war (33%) – read carefully so you’ll know if “state sponsored attacks” (very hard to prove sometimes!) are covered
  • Not following the required compliance procedures (33%)

We would add a requirement for annual cybersecurity awareness training for law firm employees – and attendance should be mandatory and documented. In fact, some carriers specifically ask about (or demand) employee training efforts.

And, of course, if you lie on the application, denial of coverage is likely. Sadly, we have seen applicants check a box which they know darn well shouldn’t be checked.

Security Solutions are Required

Most organizations (96%), including law firms, have to buy at least one security solution before their application is approved. Survey respondents indicated that Identity and Access Management (51%) and Privileged Access Management (49%) are required. Why? Because most attacks involve stolen credentials.

Fundamentally, the insurance companies are enforcing good cybersecurity, often compelling applicants to budget for extensive cybersecurity measures. Since we often help law firms understand what cyberinsurance companies are requiring, we can tell you that the firms are dumbfounded by the changes required: not only the higher level of security, but also the price tag that goes with it.

Trying to explain some of the measures above, along with anti-malware software, encryption, firewalls and intrusion detection, the importance of patching quickly, vulnerability management, password management, etc., is a challenging task. Cyberinsurance carriers will want you to implement a few technology solutions such as multi-factor authentication (MFA) and endpoint detection and response (EDR). Don’t worry. There are several solutions that vary in cost from free to very affordable, even for a solo attorney.

Even policy claim procedures have gotten tougher – fail to follow the claim procedures scrupulously and you may find your claim disapproved.

What’s the Bottom Line on Cyberinsurance?

Very likely, it will be harder to get cyberinsurance and it is likely to have less coverage. Many insurance companies are still figuring cybersecurity out. A lot of them have found that their risk assessment models were not correct. And it is certainly true that insurance companies are not in the business to lose money.

As their understanding deepens, requirements are likely to get tougher to meet, especially for smaller law firms.

A shoutout to Marsh LLC is warranted for developing its Cyber Pathway insurance program. The Cyber Pathway permits Marsh clients that had been found uninsurable for cyber risks to procure coverage as they followed the Pathway to improved cybersecurity. There are a lot of specifics in the Pathway, which makes it easier to follow and to obtain coverage.

Final Words

One of the things we have learned is this: It is all about the broker. Most brokers are not cyberinsurance specialists – and that’s exactly what you need. By using a knowledgeable broker, we ended up paying less and getting more coverage – the precise result we are all looking for!

The post Cyberinsurance: More Expensive, Less Coverage appeared first on Slaw.




