What Lawyers Need to ...

What Lawyers Need to Know About Cybersecurity | Dennis Van Metre

December 9, 2021 | by D. Todd Smith

As technology becomes more sophisticated, so too do the security issues its users encounter. These challenges impact attorneys and law firms particularly, as they regularly deal with confidential data and privileged information. Often, however, attorneys and law firms remain unaware or unprepared for potential traps. But there are resources to address these threats. That’s what Dennis Van Metre, this week’s guest, aims to do as Chief Information Officer at Vinson & Elkins in Houston. Dennis chats with hosts Todd Smith and Jody Sanders about how attorneys can prepare for security threats, identify areas of concern, and work to protect both themselves and their clients.

Listen to the podcast here:

What Lawyers Need to Know About Cybersecurity | Dennis Van Metre

Our guest is Dennis Van Metre. Dennis is the Chief Information Officer at Vinson & Elkins in Houston. Welcome, Dennis, to the show.

Thanks for having me on. It’s nice meeting you guys.

I’m sure our audience is wondering why we’re talking to the chief information officer and what that has to do with appellate law. I’m here to tell you from experience, it’s broader than that. What Dennis has to say affects lawyers across firm sizes, industries and even applies far beyond the legal industry completely.

Dennis is in a unique position to talk about these things, considering his position at V&E. We thought we’d bring him here to talk with us and have a conversation about data security and those kinds of related issues. Dennis, why don’t you tell us a little bit about your background? Who are you and how did you get to your current position at V&E?

I was trained as a software engineer. I went to Lamar University College of Engineering as a software engineer. Back then, we called it computer science. Not a lot of people still call themselves computer scientists. My training was in technical programming. Back then, we didn’t have a lot of languages with everything, assembler languages, which are machine languages. Back then, what we call microcomputers, now we call them PCs, I did some work supporting those because they were becoming a thing in business and in education.

I joined Vincent & Elkins in 1990 as a programmer. I’ve been with Vincent & Elkins pretty much since 1990. I took a short stint to do a consulting gig, network design and implementation for some big people back then. They were putting in fiber networks everywhere. It seemed like an up-and-coming business, but I returned back to the law firm. I’ve been there ever since.

What need did Vincent & Elkins have in 1990 for a programmer?

At the time, we were the number 7 or 8 law firm in the world in terms of attorney count. We had an automated time input system. Automated time input is very generous. Attorneys would have their secretaries, we called them back then, now we call them professional assistants, enter time on a computer. They would take the floppy diskette out and put it in a special mailer. It would be collected by someone in the mail room and delivered to the data processing room. They would take that diskette, load it into another machine and type everything that was on that thing into another machine.

I wrote a program to help with that. We had a program to create labels for telephones. I had a program to do a software inventory. There was no software inventory system tool for an enterprise that had no network at the time. We didn’t have one, so I wrote a tool. You put the floppy in, close the door, reboot the machine and it would produce a report. That was one of my big projects.

It goes to show you how the practice of law has changed in the last several years. That’s incredible to think about. A lot of the stuff is either done in the cloud or there’s some other readily available solution to go and purchase. Spend a little money and get these needs met. Most lawyers are entering their own time, in whatever software packages firms are using. You have seen it all, Dennis, in terms of technology in the legal industry for all that time.

We wanted to have you on to talk about security issues because you’ve developed some expertise in that in your current position. You can also give us a little sense of the history of data security issues. We were joking around before we started recording, thinking back to those of us that were around at Y2K and thinking that the sky was going to fall in law firms. Do you have any funny stories relating to that?

Y2K at the time, we were running old equipment and storage was at a premium. I can remember spending six figures on a twenty-megabyte storage system for our time and billing system. It was very expensive to get storage. That system was not Y2K compliant. We knew that it wouldn’t support it. IBM offered to sell us a new one, but they wanted $200,000 to buy a modern version with less capacity.

We decided since the world was moving toward, what we called then client-server, we call them PCs now, that we wanted to move in that direction. We worked very hard to update as many systems as we could that did not represent the year as two numbers. The year 00 looks like 1900. When you start calculating and do a little math, subtract the year from the present date, you get a negative number. That doesn’t look good on a client’s aging report. There was no easy way to update that software without replacing the core systems.

The funny story is that we had done all this work ahead of time. At the time, we had an office in Singapore. We had replaced routers, servers, software and whole systems. We had done far in advance but the night of Y2K, I was up. I live here in the Woodlands. I had active pings going on New Year’s Eve to our servers in Singapore. Singapore crossed over before North America. They were in Y2K before anything else, but they ran the same equipment.

We were monitoring everything. We had everything up and monitored because, like you, we didn’t know what would happen. By 4:00 or 5:00 in the afternoon, it was clear. Nothing was happening. We called off all the work we were going to do in the office overnight and called it a day. The next day we got a call from our technology partner, wandering the halls of our firm, looking for my boss and me. “Where are you all? I’ve got the champagne.”

We had to say, “Sorry, Alan. We’re not there. We went through Y2K eighteen hours ago.” When Singapore went through it, Y2K had already happened. Texas was one of the last places to experience it. He was pretty disappointed that we weren’t there. He imagined all these hairy sleepless IT guys standing around sleeves rolled up. We got a good night’s sleep. We weren’t there.

You told me that you oversaw the rolling out of technology in the law firm over the years. You also reminded me of this little device that we used to have around that same time called the Blackberry. Tell us a little bit about what it was like to roll that out to lawyers in a large law firm.

person looking at a screen
Cybersecurity: This has been a war of attrition, and the technology and techniques used by the attackers adapt to the responses that we all, as information professionals, take. What worked a year ago may not work now.

 I believe still, to this day, it was the fastest adopted technology other than Zoom meetings because of COVID, but prior to that, the Blackberry flashed through the firm to the point that we went from zero attorneys with it to all of them or almost all of them having it in less than twenty months. When we first started showing it to our partners, there were highly technical partners who looked at it and said, “There is no way any attorney will ever carry that pager. I’m not going to do that.” They will never carry a Blackberry. “I don’t care what you dress it up as. That’s a pager.” Not long after that, the firm said, “We have to adopt it. There’s no way we can respond to our clients in a timely manner without it.”

It all depends on how you define timely. I remember getting my first Blackberry, thinking how great it was that I could check my email from my couch. Little did I know how much that was going to change my life. Not always for the better. I remember the lawyers being so excited about having the ability to stay in contact constantly like that. Now, that’s something we take for granted. We’re all plugged in all the time, especially with our smartphones.

I’ve got to take responsibility for the heads down, disconnected nature of families. Every kid’s got a smartphone. Every family member does. I was that guy in 1999. I was the heads-down guy where people were saying, “What are you doing? This is a family event. It’s Thanksgiving. Why do you have your head buried in that thing?” Now I’m the one saying, “What are you all people doing? There’s a family. Why are you all in your phones, in that iPhone?” I realized that I was that unfortunate trendsetter. I was the nerdy one then. Now, it’s the standard that everybody uses.

We’re going to get into some real nitty-gritty issues about data security. Before we do that, let me ask you generally. How did the concern about data security evolve from the time that the Blackberry was rolled out when you had a device in your pocket that could access firm data at some level? It may have been only what was pushed out to that device? When did the industry start being concerned with data security?

Every law firm and every business was concerned about cyber security because we had gone through several virus generations. ILOVEYOU or they called it the Love Bug Virus. There were a number of viruses. Some were based on putting a floppy disk in your machine and rebooting it. 2016 was the inflection point. In 2016, a law firm by the name of DLA Piper had every bit of their data erased in a matter of 15 to 30 minutes, everything.

Every laptop, computer, server, system that was attached to that network was erased by a tech called the NotPetya. It’s the same one that took out Maersk Shipping. It took out the English National Health Service. They were down for weeks. There are pictures from the front page of The New York Times and The Wall Street Journal showing a handwritten sign in DLA’s headquarter office saying, “Do not turn on your computer. Go home. We will let you know when there’s time to work.” Everything was erased. In no time, this happened to a firm.

That was a wakeup call for the rest of us. If this could happen to a well-run professional firm that had 1,600 attorneys at the time and offices all over the world, why can’t that happen to me? There was no reason it couldn’t happen. They were still running an older version of Windows. I talked to their CIO to understand what the risks were so we could try and determine if we were at risk. They hadn’t run some patches, but the honest truth was they fell victim to the same style of attack that SolarWinds fell victim to or SolarWinds customers did.

A trusted software company that wrote tech software for Ukrainian companies to file tax software. That software had an embedded piece of software that agents presumably from the State of Russia had embedded into it and downloaded it to every customer. They had one attorney in Europe who was representing a client who had a division in Ukraine.

They had to update. It said time to update. They update it. They didn’t do anything wrong, but that software was written to travel laterally throughout their network and it did it in less than half an hour. It erased everything. That was the inflection point. Since 2016, I’ve had to focus on this. One of the most terrifying things I can imagine happening is losing everything.

Did that reach their backups too? You lose all your data, but surely we’ve got a backup. You’ve got the old school tape backups and then a lot of cloud-based backups.

I’ll let Don Jaycox, the CIO for DLA address that. Generally speaking they, like a lot of us, had moved away from tapes. There is no way to backup information on our networks on the terabyte scale onto tape. It’s impossible. There is not enough tape and it’s not just the backup. It’s the restoration. If I had to restore it, having a human robot stand there and feed tape after tape would take weeks or months to restore. All large organizations had to move to virtual tape libraries. Virtual tape libraries are just computers sitting on your network. They’re as susceptible as any other system connected to your network.

person looking at a computer with data on the screen
Cybersecurity: Phishing is the number one avenue that attacks are still launched. The best way to counter it is to control your machines so that they’re not vulnerable to the types of attacks that worked before.

They would only protect you in the event you had a hardware crash or maybe other situations.

There are threats with rogue employees saying, “I’m leaving. It’s time for me to delete all my files.” They accidentally delete everybody’s files because they’re in a shared folder. That happens more often than we like to admit. “That’s not my folder, I’ll delete it.” It turns out it was somebody else’s. You need a backup to restore that but you’re right, hardware failure, rogue employees, accidental overwrites but it may not protect you from a malware attack. You have to find a new strategy.

I was thinking about what kinds of threats lawyers and law firms need to be aware of. Malware is one of those. Many of us have already heard about that. Some of the other big ones that I can think of are viruses which are closely related to malware, I suppose. We also hear about ransomware and a few others. Your credentials being compromised is another big threat that we see out there and phishing, which is everyone’s favorite. It shows up in your inbox all the time or if you’re in a large firm like yours. There’s software designed to try and counteract that. What do lawyers need to know generally about that frontline data security threat?

This has been a war of attrition, and the technology and the techniques used by the attackers adapts to the responses that we all as information professionals take. What worked years ago may not work now. That’s why you may read information about password strength, password rotation and then find someone in 2021 saying, “Passwords don’t work.”

I don’t want you to get the idea that if you grab onto a story that was in Wired in the year 2018 and use that as the Bible that is the way it is now. It’s constantly changing. It is a constant war of attrition. The first threat is going to be malware distributed largely by phishing that includes a virus. The way it typically works is a person in the organization, doesn’t have to be a person with privileges. It could be any individual in the organization who receives an important email. It could be from a client, judge or the state bar that says, “You need to respond to this right away.”

There’s always a needed response and a time limit. The attackers want to get your attention and they want you to act without asking anyone for help. If you fall prey, they could, at that point, ask you to direct to a web page or download a piece of software. In some cases, the most common threat to law firms are MacroScripts that are running inside of Word and Excel files.

Too often organizations don’t disable the scripts. Those scripts are like batch files that can ask to download and run additional tools. If your malware package has never seen that signature before, it may say, “It’s safe.” It will let it run. That is not a good idea. I don’t want to overstate other threats but I’ll tell you why the supply chain is my most worried about threat but phishing is the number one avenue that attacks are still launched.

The best way to counter it is to control your machines so that they’re not vulnerable to the types of attacks that worked before. In the case of DLA, there was a release from software for Windows XP that they hadn’t applied yet. If they had, then yes, the machine that had downloaded the software would’ve been compromised but then it started acting like a server and telling other machines near it, “Run this software.” That wouldn’t have happened. It was an oversight that was easy to make. As a result, that virus ran laterally so fast. It crossed the Atlantic and affected everything very fast.

You have to patch your machine and constantly update it. Microsoft and every vendor are releasing updates all the time. If you have an iPhone and you get those messages saying, “You need to update your software.” You have between 50 and 150 apps on your phone. Imagine an organization with 700 programs. All of those programs are being patched constantly.

Windows itself is constantly releasing new updates because there are new techniques that are found. That’s the number one threat. The program comes in. It tries to take advantage of a known vulnerability that many organizations haven’t patched yet. It will then move laterally from machine to machine, even if the person who ran the program doesn’t have the privilege to distribute software.

You also mentioned some that I had not heard about like denial-of-service attacks. We have a few more like that we can go through. Tell us what those are. We know what ransomware is and phishing, but what is a denial-of-service attack or a zero-day vulnerability?

Zero-day vulnerability is what I described, patches or fixes that need to be applied. I’ll give you an example. Microsoft Exchange is an email server a lot of businesses and law firms run. Microsoft Exchange had an unknown vulnerability that a technique could take advantage of. What was damaging about the zero-day vulnerability was you did not need to open an email or click yes.

If your Exchange server was open to the internet, this vulnerability in Exchange 2016 would allow an attacker to take over your Exchange server. This happened in 2021. It was 1 month or 2 after SolarWinds was announced. In that attack, when Microsoft was researching effects, they were working only with trusted security partners.

They announced that the fix is coming out within 48 hours of when Microsoft made that announcement, but before they could distribute it 100,000 email servers were taken over. No users did anything wrong. That’s a zero-day. No copy of anti-malware, including Microsoft’s anti-malware software, knew to look for that type of attack. That means it happens before anyone knows it can happen. It’s terrifying because there is no piece of software you can run to look for the signature.

screen connecting different points
Cybersecurity: Don’t rely on a single internet access point or a single point-to-point transmission across the internet. Instead, diversify yourself so that you have more than one of everything.

The denial-of-service is completely external in most cases to your organization. Their attack vector in a denial-of-service is not to steal your data or even subject you to public disclosure of your private data. Their attack vector is to shut you down to make sure nobody can get in or out of your organization, digitally. Most organizations, almost all of them, use the internet for something. It is the primary network for most organizations, how they move information from one location to another.

A denial-of-service attack aims to locate all of your internet IP addresses and send so much data to the end points that the end points can’t distinguish between real work and this garbage that’s flowing in. Denial-of-service can shut down an organization for days before the targets are found. A distributed denial-of-service takes advantage of the fact that there are so many unpatched home machines owned in the residential space that are being taken over and they become these fleets of attack machines. The owner of the machine doesn’t know that they’re being used. Their machine has been taken over for one purpose, to act as a brigade to attack a single IP address for service.

For those kinds of attacks, what’s the end game? They’re messing everything up. We know with ransomware what the end game is. It’s the payment of the ransom. Whether the service is restored or not after payment of the ransom is a whole another story. What about with denial-of-service?

Denial-of-service during the attack some of the things that you can do are limited by what you have available. The response before the attack is to distribute yourself as much as possible. Don’t rely on a single internet access point or a single point-to-point transmission across the internet. I call it diversity. Diversify yourself so that you have more than one of everything and do not commonize any of your internet services. If you have a public webpage, don’t use that for your main business. Use a different internet provider and a different IP address so that if they attack your public web server, they’re just taking down your storefront. You still have the back door of the business to work through. Diversity is the key.

The attacker is trying to inflict economic harm on the person or the entity being attacked. They’re not out to get, as with ransomware, they’re not looking for a direct pay day. Would that be accurate?

I’ve read a few DOS attacks, Denial-Of-Service, where they’ve tried to solicit but the truth is those are hardly ever successful. The ransomware attack is successful because you’ve not only been deprived of doing business. You’ve been deprived of your information. The modern way of doing a ransomware attack is to steal your data first, make a copy of it, then deprive the owner. Then you have two threats. “You want your data back. If you don’t pay me, I’m going to give it away, put it out on the dark web and everyone’s going to have it. Your private data is no longer private.”

Think about what that means for lawyers.

It is hard to win a client’s trust back once you disclose their secrets. That happened with a law firm. You guys may have read about the LA entertainment law firm Grubman. They were attacked. A lot of famous information got disclosed. It’s hard to win back that trust once your data has been disclosed.

There are a couple more that I want to explore conceptually. I want to talk about what the defensive responses are to that and then the preventative measures. That’s where the important conversation lies. We should all be scared listening to you talk about this, Dennis. You also mentioned the man in the middle. Can you tell us a little more about that?

All of modern computing relies on privacy protection that says, “Anything I sent to you, I’m going to encrypt. Anything you send to me, you’re going to encrypt.” We used to call that private key encryption. We have different names. TLS is the protocol that we use. The idea is that if say, Jody and I were having a conversation with each other.

Let’s pretend I’m Amazon and Jody’s a customer. When Jody signs into my website, the first thing his browser will do is say, “I want to encrypt. Give me your public key.” I will hand out an encryption key that he will use to send everything to me. Only I can unlock it because there’s a private key that only I have. You can’t derive it from the private key. Likewise, when that handshake happens, I asked Jody’s PC or Mac, “What’s your public key?” Then I will use it to encrypt conversations to you. It’s a very strong way to protect information. It’s worked for decades.

The man in the middle says, “Jody, you can’t talk to Dennis Amazon. You have to talk first to Todd. Todd will talk to Dennis Amazon for you.” Jody at a Wi-Fi network called Free Public Wi-Fi says, “It’s free. I’ll trust Todd’s Wi-Fi.” When you ask Dennis Amazon for that public key, Todd gets the conversation and says, “Hold on, Jody. I’ll get it.” You ask for my public key. I send it to you. You make a copy of it. Then you hand it to Jody. For every conversation, you, man in the middle, Todd, make a copy of it because you have the keys and all the information to do it. Likewise, the reverse conversation happens.

Most servers are designed to look for those man in the middle attacks. They may even put a warning up. Every bank has technology that says, “I think there’s a man in the middle. I can’t let you sign in.” Largely it’s because people are using untrusted network providers. If you’re in a hotel or you’re somewhere that’s not the known hotel Wi-Fi point, that’s the number one way to get a man in the middle attack.

It’s because you’re using a Wi-Fi that isn’t the right one. You need to ask the hotel, “What’s the name of the Wi-Fi network I should use?” If you’re in an airport, ask someone in the airport, “What’s the name of your Wi-Fi network?” Don’t just grab onto the first one that looks like it’s free and helpful. They’re not always free and helpful.

What about the risk of using an unsecured airport Wi-Fi, even assuming it’s the official airport one without some VPN or something?

There is a risk. There’s no question. Let’s pretend that they’re not even nefarious. They’re not trying to hurt you, but what if they are poorly managed? What if their routers were attacked and someone was able to encrypt and record the data that comes off of it? There’s a level of trust. You’re trusting someone. This leads to the issue of not just security but also privacy.

How private is your conversation? If you’re using a service that has a little lock in the browser, the key or whatever they have on those things, you can somewhat trust that but there’s a limit to how much you want to trust. What’s the value of the information you’re shuttling through it? If the value of information is low, where are our seats for the Astros game, the value of that information is pretty low.

I don’t think you’d have to worry too much about it. If you’re exchanging a defense strategy in a $50 million civil litigation, maybe that information is pretty valuable. Maybe you want to be careful how you communicate that information. You have to put some value to the information when you start taking risks with the privacy of it.

I wonder if we got a little lax to security during the pandemic because we’re working from home. If you’ve got your home network set up right, you’ve got your ten-digit SSI ID to where it’s reasonably secure. Hopefully, you would agree with that, Dennis. The world has opened up a little. We’re back in our offices to some degree, but we are traveling a little bit more. There’s the inevitable, “Can I get on the Starbucks network and work safely?” You hear the stories about some guy wearing flannel and hanging out at Starbucks who carries a little device with him called a pineapple and being able to look at what you’re looking at on the internet.

person typing on laptop
Cybersecurity: Assign a value to the information you’re exchanging. It’s the new world. The number one threat for people working at home was the tendency to want to use tools that may not be private.

That’s the textbook version of the man in the middle attack I described. He’s pretending to be the Starbucks network. He’s trying to trick people to sign in so he can copy down those keys and hopefully replace your data or make copies of it. That’s what his hope is. That’s what they’re trying to do. I would assign a value to the information you’re exchanging. It’s the new world.

The number one threat for people working at home was the tendency to want to use tools that may not be private. Let’s take Google’s online document sharing system called Google Office. Google Office is a great tool. It’s designed so people can work and share work product, whether it’s a spreadsheet. That tool, though, may not be as private as you want.

If you’re using Google Office to type a document because you couldn’t sign into your law firm’s network, you may be using a tool hosted by a company that may not want to respect your privacy. I will tell you Google’s privacy policy says, “We will keep your information as private as we can reasonably keep it.” Who’s to say that carrier doesn’t have an agreement with somebody that may not follow those rules?

You didn’t pay for the service or if you paid, I guarantee you, there is a warranty, a declaimer and also an indemnity clause in that click-through that you click that says, “By the way, if we let your data out, you can’t sue us and you’re paying our judgment. At any case, the most you can collect from us is the total value of what you paid for this free service.”

That’s the risk in people working at home when they can’t get the technology to work but use the things that they use for the neighborhood Christmas-like competition. The value of that information is low. That may not meet the standard of privacy control that an organization like mine or yours wants to maintain, and certainly not what we affirm to our clients. You want to use the tools that you’ve told your clients you maintain the privacy on.

If you have a VPN on your laptop available and let’s continue with the Starbucks hypothetical, the first thing you do when you connect is log in through your VPN. Does that provide you any additional level of security?

It does, provided that your VPN has the contemporary checks to make sure that the conversation is secure. Some banks look for that man in the middle. Many VPN tools will look for that handshake to make sure that the key exchange is clean and that there are no intermediate conversations. Every machine has a unique number. Every machine issues an IP and they want to make sure that it’s you that’s giving me this public key I’m going to use to encrypt my conversation. It’s a tough world to be in.

It floors me to think about all these kinds of breaches and the consequences of those. Moving into the responses to those threats, we’re talking more broadly. What do you suggest to a law firm faced with malware, ransomware or denial-of-service attacks? How do you deal with them when you come across them?

The first step is planning. Everything must be planned. Your best defense is preparing for the possibility that one day something may happen and you may get that message on your screen saying, “We have your data. You have to pay us.” The first step is to make sure you have good reliable backups that are under your control. There were two threats from ransomware. One is losing access to your data but the other threat is disclosure. What can they get? What can they disclose?

I’m going to talk about the defense against the first one. You need to have good backups that are isolated that need to be on the internet in a disconnected system. The credentials cannot be in your main network in an accessible means or they’re going to get it. If you put the password to your backup tool in a spreadsheet or on your C drive, they’re going to use it to get your backups. You have to use a vault-based service. Vault is an encrypted software structure where you have to put in one key to open it and get the key back out for the backup service so that they can’t get it.

The defense for the other side, them disclosing it, is to encrypt everything that’s of value. You don’t have to encrypt the copies of your software because that’s the same software they could buy if they went online and bought a copy of Excel. You need to encrypt your data. It has to be encrypted in a way that you keep the key safe. If they steal it, they’re just stealing a jumble of bits. They’re not getting valuable data. They may think it’s valuable but until they try to decrypt it, they can’t do anything with it. They have to steal your keys to open it. Everything you do must be encrypted. It’s the only way to protect it.

I don’t know if you guys remember that Sony was attacked by the North Koreans. They stole a bunch of movies. In that disclosure, there were spreadsheets that were put in the public that included list of accounts and passwords to servers and services that were published out on the outside world. It was very embarrassing and it demonstrated a poor practice at privacy management. Those keys need to be locked down. You need to keep them in a secret place that can’t be hacked.

That takes me to something I did want to ask you about and that is password managers. I have a particular one that I like and I’ll mention it. It’s 1Password, which does allow you to lock things down. You don’t have to store your passwords in an Excel sheet. Kept them on your system, which I can see that is a total faux pas, no doubt. I suspect what you would say is, “They’re great but they’re not everything.” Why don’t you tell us what’s your feeling about password managers and how they can be effective?

Every person reading and not reading this needs a password manager. I’m not going to tell you which one is better than the other. I happen to use LastPass. I started using them in the beginning and they were one of the few. There are a lot of them that are out there. Apple has a very good password manager. If you’re in the Apple world or in another world, you may have others that are out there.

You want something that’s easy to use that protects your data. Remember, your passwords are stored in this thing. You need to know it can’t be stolen. They have to offer you a password vault solution. Meaning that vault is encrypted. If the service you’re using gives you an easy recovery by saying, “Let me reset my password with a simple email,” that may not be the safest tool.

If they tell you, “Do not lose these recovery passwords because if you do, we may not be able to get it back,” the good password managers can’t read your vault. That’s something I would look for. Make sure that you use the highest level of encryption that they offer and make sure that they tell you, “If you lose this and you’re not using a biometric backup, which stores a key inside your TPS chip, you can’t get it back.” I know that sounds scary, but that’s the only way to be sure that your passwords can’t be used against you.

At what point does using a password manager become the standard of care for lawyers? It seems like an easy software solution. I’m a little surprised that even at this point, it hasn’t become more widespread. A lot of lawyers still don’t know what they are or how to use them.

The move toward biometrics for mobile devices has minimized a lot of the interest. Think about it. The days when we had to punch in a four-digit code or many people didn’t want to code on their mobile device at all. That opened you up to a bad world because most of the tools that you use to handle private information, whether it’s your bank or client documents, were on that mobile device and could be unlocked without any security.

We’ve got biometric measures on most of the smartphones at the higher end, so that’s a minimum standard for every organization. Use that biometric lock to control that device and lock it down. If your mobile device is lost, whoever finds it, can’t get it. I know some families told me, “That tells people in my family I don’t trust them.”

Every week, I get a call from someone whose device was lost. I don’t know if it’s stolen, they left it or it fell in the Chesapeake. I’m assuming if a mobile device that has my firm’s information on it is no longer under the control of the attorney to whom we issued it, that’s a compromised device. We will do everything we can to make sure that the device can’t be attacked.

From our perspective, we want to make sure that there are layers of security on it, including a password that controls it and a biometric identifier that must be present to unlock it. The same thing holds for our mobile and fixed desktop computers. We’ve got to have some way to make sure that stealing it won’t reveal the information. That means the data must be encrypted. It means that you have to have some way to lock it.

I will tell you both. Password protection of physical devices like laptop computers and desktops are probably not safe. People do silly things. They tape the password and use the same password for fifteen years. It’s an easy one to type. Once you steal that machine, you know the password because it’s on a post-it note underneath the keyboard. Sorry if I gave away the secret of some of the readers but that’s a threat. We’re going to have to move every organization to two levels of security. That includes that password and some other factor, probably a biometric marker. Your face, a fingerprint or something that you have that can’t be replicated.

That takes us into the next point, which is how do we be proactive against being exposed to the kinds of attacks we’ve been talking about. Are you getting into multifactor authentication?

This is the best way to defend your organization, or you personally, from anyone trying to steal your secrets. You want to have multiple levels of authentication on everything. You want to protect that information so that if they somehow violate that, the information is encrypted. We call that zero trust. Don’t trust anything. Remember what I told you, the story about the DLA Piper attorney downloaded a piece of software. They trusted it.

photo from above a person's desk showing computer screen with the word "protection"
Cybersecurity: If you’re going to use a similar tool from other providers, you want to make sure you’re using all the available privacy controls. This is the best thing you can do as a sole practitioner.

We all trust vendors. Every now and then, we get a note saying, “It’s time to update the software.” In order to get to zero trust, we have to assume one of those updates is compromised. You want to make sure your data is protected in an encrypted cloud or a place protected by your biometric markers. The best way to do that is to use trusted services that have strong passwords and multiple authentication mechanisms. Multifactor is what you referred to.

I would also add one additional thing, least privilege. Don’t give yourself full privileges. If you have ordinary users in your organization and they say, “I need to be able to read everything,” you have to say, “That’s not safe.” We need to limit the privilege to the least amount you need to get your job done. That includes me. I do not use a privileged account on my law firm’s network. I haven’t for over six years.

I don’t have the privilege to go in and change the software. I have to go to our software vault. It’s a piece of software we bought. It runs on an encrypted controlled server. I have to check out those credentials. Those credentials get changed, frequently. When I say frequently, I don’t mean six months. They’re changing a lot faster than that. Every organization is going to have to do that.

What are your thoughts on taking it down to the man on the street level? We get asked to authenticate ourselves frequently by SMS messages or the authenticator apps on our phone. Do you think those are reasonably safe second-factor authentication methods?

Authenticator apps that require you to type in a number have been state-of-the-art. The new state-of-the-art for authenticator apps are the push notifications. Any of you who have a bank account with Wells Fargo, Capital One, JPMorgan Chase, when you sign into your account, they may ask you on your smartphone, “Did you just sign in from a Mac computer located in Katy, Texas?” It will ask you that question in the app, not in SMS. The reason they’re doing it is SMS is no longer safe. Your phone’s unique EIN number can be replicated. If you’re a target, they could duplicate it.

By having an in-factor authentication in the application, your bank is saying, “I want to make sure the machine you’re using is you. Did you sign in here?” Google and Apple will do this. If you sign into a new device, it’s never seen before. Your mobile account, which is linked to that account may get a note in one of their apps. Not necessarily an SMS but it could come in email saying, “Is this you? I noticed the machine signed in.”

It’s sometimes confusing. I’ve got a lake cabin up on Hemphill but it appears in all different places in Texas. I’m always getting notes from Google saying, “Did you sign in from Waco?” I’m not in Waco. I’m in Hemphill, Texas. That happens to be where my ISP has their presence that day. That’s what they think. I know the time I signed in, that’s why it’s asking me.

One lesson to come out of this is those messages are annoying, but they’re for our own good. That’s how we know that our data is being cared for and not being easily allowed to fall into the wrong hands.

We’ve talked about SolarWinds. The way that Mandiant discovered the SolarWinds attack that had already covered many tech firms and the US government was an employee who received a notice, “Are you signing in at this location?” That employee didn’t sign in. That was the clue that the Russians or whoever, whatever state actor, was using the SolarWinds malware to spread and they were signing in clandestinely.

They didn’t use a heavy hand and a sledgehammer, they were sneaky. They moved laterally, pretending to be people and that organization, Mandiant, had an echo back force notification on a smartphone. One of their employees got notified. They had been moving for months undetected through the US government and other security companies like Microsoft.

That’s crazy how something so small can be the key to the whole thing.

You can consider me appropriately scared. It’s nice to see some of the things you’re talking about that I know my firm was already doing. I’m very careful with our personal data. There are several things that strike me in this conversation, but the one thing that strikes me for our purposes and trying to relate all this to lawyers is we all know the confidential nature of data that exists on lawyers’ computers and servers.

We have different levels of resources among lawyers practicing out there in the real world and a firm the size of mine, Jody, Dennis and the size of V&E. There are folks like you who are standing by and standing guard over the data, keeping people like me from downloading software onto my firm laptop that’s not authorized. I have a much better understanding of why that is. What about the sole practitioner? That’s not the world you live in, but do you have any advice for the sole practitioner on how to keep an eye out for their data?

I’ve consulted with the judicial committee on IT for a while. Before that, I started consulting with the access to justice commission to their technology committee because they have a lot of smaller organizations and that’s a question that commonly comes up. My best advice is to use a high-level trusted cloud-based service for all of your provision systems. It seems like an easy tripe answer to say, “Use Microsoft Office 365 online and protect your account with multiple factors.”

If you’re going to use a similar tool from other providers, you want to make sure you’re using all the privacy controls that are available. This is the best thing you can do as a sole practitioner. Those services are the highest level of protection. In fact, I have a security team that I can measure on 1 hand, maybe 2. They have 10,000 people who are full-time security people. They check their machines, constantly monitoring to see if something’s wrong. Sometimes they make mistakes, but they are the most capable in taking care of your private data for you.

It’s nice that you can go and buy those services off the shelf. I remember when I went out on my own years ago, those services weren’t available. Getting an email push system was challenging back in 2006. That changed drastically over the next few years. I felt like as I was wrapping up my solo practice that I had great tools available to me as probably more sophisticated than average lawyer-consumer of those services. Somebody is out there with the five-year-old laptop and their software is probably not up-to-date. Who knows what’s happening with their data?

They’re going to Starbucks to meet with clients and that raises a whole host of other issues about client confidentiality. Starting with those widely available software packages is great. I’ll also throw out there the idea that I had used a couple of different outside vendors to help me make sure that my data was staying secure and keep my software up-to-date.

There are a lot of those kinds out there. Certainly, we can’t recommend any specific ones. You should shop around for those if you’re in this situation. As a consumer of those types of services, it seems like you can get your needs met out in the marketplace and have some assurance that you’re not making your client data available to folks who shouldn’t have it.

Also remembering that this starts to bump up against the attorney ethical obligations on client confidentiality. Many states have data privacy laws, breach notification, breach fines and all that. If you are practicing in those states or your business touches those states, there are many obligations that you may not even be aware of that you have for this thing.

It also touches on the duty of technological competence. As a former sole practitioner, I’ll just send a message to my former colleagues out there in that world. You need to make sure that your technology is up-to-date. It is worth spending the money to consult with someone and get somebody’s help, integrating the kinds of systems that Dennis is talking about here into your practice so that you don’t have to be the one calling your clients explaining that you’ve given away their file to somebody in Russia. They’re holding it hostage or they’re distributing it, even worse. Coming back and to wrap things up, Dennis. For those not in that situation who do have an IT support system in place, what questions should lawyers ask those folks to make sure that their data is being properly protected?

The first question I would ask is when was the last phish test and how did I do? If your organization is not phishing you, there are people in the organization giving away credentials. You want to know that your people are testing you because phishing is the number one avenue. We’ve talked about supply chain attacks and man in the middle, but the number one avenue that most organizations are falling prey to are phishing attacks.

Test everyone and get as much as you can in the way of opportunities to train. The best way to do it is to phish them. Microsoft includes in their Office 365 package a free phishing test. You can phish all your users. They may get angry with you when you send them a message saying, “Here are the facts. Click here. You fell for a trick. Don’t fall for it.” You have to train. It is so hard to get the message across, particularly to attorneys. Don’t trust that email. You don’t know who sent it to you. It can say it’s your mother or brother. That doesn’t mean they sent it. Verify everything. Phishing tests are the best way to reinforce that message.

Dennis, this is great. We’re reaching the end of our time here. We always like to ask for a tip of war story in the end. I feel like you’ve given us so many tips. If you have anything else that you wanted to add or any good data security stories, we’d love to hear one as we close out.

I’ve given most of my war stories away. I’m a chief information officer for a fairly large law firm. I have a multimillion-dollar budget, but the number one headache and driver of all the projects I’m working on are data privacy and data security. It is my top of mind. It’s the most important thing that we’re doing as an organization for our law firm. It should be top of mind and the most important thing for every organization that values the privacy and security of your group’s information.

You have complete support from both Jody and me, and hopefully anyone else who’s reading to this. The nice thing about our show is we don’t limit ourselves to just appellate lawyers or appeals. We thought this was going to be an informative episode and we’ve achieved that. Anyone out there reading, please follow Dennis’s advice. You don’t want to fall prey like some of these other folks have.

The Texas Court of Appeals.

We have talked about the ransomware attack at the Texas Supreme Court that trickled down and shut down that server for a long time. That was quite an ordeal. That’s an example. If it can happen to the Texas Supreme Court, it can happen to you.

It can happen to anyone. It’s not a measure of character if you’ve been a victim of ransomware, but it tells you how important it is to prepare and plan.

Dennis, thanks so much for being with us.

Thanks a lot.

Important Links:

Love the show? Subscribe, rate, review, and share!

A special thanks to our sponsors:

Join the Texas Appellate Law Podcast Community today: