ABA Journal eReport

Friday, Oct. 17^th 2003

LACKING FIREWALLS COULD MEAN HACKING FREE-FOR-ALL
ABA Survey: Most Firms Don’t Protect Confidential Documents With Security Software

BY STEPHANIE FRANCIS WARD

Lawyers are noted for their respect of client confidentiality, but they are showing an interesting lack of concern about computer security, a recent ABA survey shows.

Computer software that prevents unauthorized access to private data by outsiders, known as firewalls, for the most part can protect businesses from hackers. But it seems the devices are not prevalent at law firms.

The ABA’s 2002 Legal Technology Survey, published in August, surveyed 3,904 attorneys and found that nearly 81 percent did not use firewall software on personal desktop computers. About 35 percent reported that the software was not available at their law firms, and 23 percent of the respondents did not know if their law firms had firewall software.

If lawyers think hackers aren’t interested in targeting them, says John A. Klein, they’re wrong. Klein should know because his Minnesota-based company is named Rent-A-Hacker Inc. The firm tests client sites to see if they are secure.

The notion that hackers only target large corporations is a misconception, he says. He estimates that only about 2 percent target high-profile businesses.

"The majority of hacks have nothing to do with that," he says. "They’re looking for the low-hanging fruit, and if that happens to be the lawyer down the street, great."

In some instances, Klein or one of his independent consultants can be hired to gather electronic information from a third party. "We won’t be hired to break the law," says Klein, a self-described hacker known as "Cobras." "But there are some gray areas, and the law regarding electronic communications may be the grayest, because it’s the newest."

As an example, he mentions an instance in which his firm was hired by law enforcement to break into the computer of a noncustodial parent who had kidnapped a child. The authorities "may or may not have had the appropriate warrants," he says.

Hackers use the Internet to send out scanners, which check groups of Internet service providers for vulnerability, Klein says. Once they find vulnerability, they attack it. If a scanner hits a law firm, there’s nothing keeping the hacker from accessing confidential client information, which could be sold illegally.

"One would think that a group that understands due diligence would know better than to put itself at risk," Klein says.

That being said, there are no model rules or ethics opinions that deal with lawyers protecting electronic information, says Vincent I. Polley, chair of the Cyberspace Law Committee of the ABA Section of Business Law. According to the Houston lawyer, it’s an area that would be hard to legislate.

A firewall is not something you can admire, which might explain why few lawyers have one, says Robert McNeill, a Washington, D.C., lawyer and legal technology consultant. Also, he thinks that many lawyers may not completely understand what a firewall is.

"It’s not pretty, like an LCD display," he says. "Sometimes the companies that put in the computer system aren’t as diligent as they should be about recommending this sort of thing because it’s not sexy."

Hiring a technician to install a software firewall costs around $300 for a small law firm, says Ben Sherwood, an Illinois-based computer security consultant. Also, you can download an individual firewall for free at sites such as zonelabs.com.

Sherwood wasn’t surprised by the ABA survey results, which also showed that 80 percent of respondents have sent confidential or privileged communication in e-mails, while 70 percent of those lawyers rely solely on a confidentiality statement accompanying the transmission to cover ethical concerns. When he speaks about computer security with various legal groups, most audience members indicate they have not taken measures to protect their systems.

"Obviously, there are many different threats, like eavesdropping, lack of client confidentiality of e-mail files, and the possible destruction of files," he says. "Law firms are low on hackers’ radar screens, but people are realizing the value of the information law firms have."

McNeill did not know of any law firms that have been targeted by hackers, but he says it’s something that few broadcast because of the client confidentiality implications. According to the ABA survey, 13 percent reported that their law firm had experienced a hacker attack, and 28 percent said that they didn’t know if such an attack had occurred.