Eighth Annual Ethics Update
Presented by Professor Jack Costello and attorney Ryan A. Brown
Wednesday, October 17th, 9:30am to 11:30am
George Mason University School of Law
The Virginia Lawyer's Ethical Duty to Protect a Client's Electronic Information
|Start Downloading Encrypted Mail Software|
Free OpenSource Solutions:
- Windows users who use Outlook for their email and who don't want to switch to FireFox may want to purchase the PGP Desktop Email program. This is a commercial program, unlike all of the free OpenSource software listed below, but it does integrate well with Outlook and comes with commercial support. There is also a Mac version of the PGP Desktop Email program which works with the Apple Mail client, although the free software is pretty easy to set up on the Mac.
- Mac Users
- Download and install Mac GNU Privary Guard
Get the version that matches your Operating System. If you're unsure about your MacOS Version, click the blue Apple icon in the
upper left corner of your screen and choose "About This Mac" and you will see the Mac OS X Version number.
Here is a good step by step install guide.
- If you use Apple Mail for your Email, get GPGMail.
- If you use Microsoft Entouage for your Email, get EntourageGPG.
- If you use Mozilla Firefox for your Email, get Enigmail.
- Windows Users
- Download and install GnuPG 1.4.7 compiled for Microsoft Windows
- If you use Mozilla Firefox for your Email, get Enigmail. If you don't already have Mozilla Firefox, you can download Firefox 2 here. Firefox + Enigmail + GPG is the easiest free solution under Windows for encrypted email.
- Download and install the FireFox 2 web browser if you don't already have it.
- If you're using Microsoft Outlook, you'll need to get a front end that connects Outlook to the GnuPG encryption software. There are a number of options, based upon what version of Outlook you have. Here is a current list of front ends.
- Linux Users
- If you're already using Linux for your main operating system, you should be able to figure out how to install GnuPG and set it up with your mail client.
- GMail Users
If you use Google's GMail service through your web browser, you can still use encrypted email.
- Download and install GNU Privacy Guard -- see above for the correct version for Mac, Windows or Linux.
- Download and install FireGPG, a plugin for the FireFox browser.
- Download and install the FireFox 2 web browser if you don't already have it.
- Hosted Secure Email Options
If you're not up for installing anything, or you need to communicate with a client who is not computer savvy, you may consider
using a hosted email service that provides access to encryption tools. The only downside to this method is that the hosting company
will have your encryption key, so you're placing your trust in them.
|5||The Only Competent Defense [Rule 1:1] to Attacks on Electronic Client Data
or Lawyer's Office is to Take Proactive Steps to Prevent Revelation of Client Information [Rule 1:6].
- Network Sniffer Demonstration.
- Rule 1.1. Competence.
A lawyer shall provide competent representation to a client. Competent representation
requires the legal knowledge, skill, thoroughness and preparation reasonably necessary
for the representation.
Comment : Thoroughness and Preparation: Competent handling of a particular
matter includes inqury into and analysis of the factual and legal elements of the problem,
and use of methods and procedures meeting the standards of competent practitioners.
It also includes adequate preparation. The required attention and preparation are
determined in part by what is at stake; major litigation and complex transactions
ordinarily require more elaborate treatment than matters of lesser consequence. (emphasis added)
- Rule 1.3. Diligence.
(a) A lawyer shall act with reasonable diligence and promptness in representing a client.
(b) A lawyer shall not intentionally fail to carry out a contract of employment entered into with a client for professional services, but may withdraw as permitted under Rule 1.16.
(c) A lawyer shall not intentionally prejudice or damage a client during the course of the professional relationship, except as required or permitted under Rule 1.6 and Rule 3.3.
- Rule 1.6. Confidentiality of Information.
(a) A lawyer shall not reveal information protected by the attorney-client privilege under applicable law or other information gained in the professional relationship that the client has requested be held inviolate or the disclosure of which would be embarrassing or would be likely to be detrimental to the client unless the client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation, and except as stated in paragraphs (b) and (c). (emphasis added)
(b) To the extent a lawyer reasonably believes necessary, the lawyer may reveal:
(1) such information to comply with law or a court order;
(2) such information to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client, to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved, or to respond to allegations in any proceeding concerning the lawyer's representation of the client;
(3) such information which clearly establishes that the client has, in the course of the representation, perpetrated upon a third party a fraud related to the subject matter of the representation;
(4) such information reasonably necessary to protect a client's interests in the event of the representing lawyer's death, disability, incapacity or incompetence;
(5) such information sufficient to participate in a law office management assistance program approved by the Virginia State Bar or other similar private program
(6) information to an outside agency necessary for statistical, bookkeeping, accounting, data processing, printing, or other similar office management purposes, provided the lawyer exercises due care in the selection of the agency, advises the agency that the information must be kept confidential and reasonably believes that the information will be kept confidential.
(c) A lawyer shall promptly reveal:
(1) the intention of a client, as stated by the client, to commit a crime and the information necessary to prevent the crime, but before revealing such information, the attorney shall, where feasible, advise the client of the possible legal consequences of the action, urge the client not to commit the crime, and advise the client that the attorney must reveal the client's criminal intention unless thereupon abandoned, and, if the crime involves perjury by the client, that the attorney shall seek to withdraw as counsel;
(2) information which clearly establishes that the client has, in the course of the representation, perpetrated a fraud related to the subject matter of the representation upon a tribunal. Before revealing such information, however, the lawyer shall request that the client advise the tribunal of the fraud. For the purposes of this paragraph and paragraph (b)(3), information is clearly established when the client acknowledges to the attorney that the client has perpetrated a fraud; or
(3) information concerning the misconduct of another attorney to the appropriate professional authority under Rule 8.3. When the information necessary to report the misconduct is protected under this Rule, the attorney, after consultation, must obtain client consent. Consultation should include full disclosure of all reasonably foreseeable consequences of both disclosure and non-disclosure to the client.
- Rule 1.15: Safekeeping Property.
(c) A lawyer shall:
(1) promptly notify a client of the receipt of the client's funds, securities, or other properties;
(2) identify and label securities and properties of a client promptly upon receipt and place them in a safe deposit box or other place of safekeeping as soon as practicable;
(3) maintain complete records of all funds, securities, and other properties of a client coming into the possession of the lawyer and render appropriate accounts to the client regarding them; and
(4) promptly pay or deliver to the client or another as requested by such person the funds, securities, or other properties in the possession of the lawyer which such person is entitled to receive.
|39||Size of Law Firm and Scope of Practice Determines What Level
of Care Constitutes Competency [Rule 1:1] and Diligence [Rule 1:3] in Protecting Client Data|
- Rule 1.1. Competence, supra. Note especially Comment .
- Rule 1.3. Diligence, supra.
- Rule 1.15. Safekeeping of Property, supra.
||Types of Encryption to Protect Client Data
- Content Level Encryption
- Symmetric Key Encryption
Symmetric Key Encryption is one of the two main modern forms of data
Data is encrypted using a single key that is shared by all of the users who are
party to the communication. Just like the key to your house, if you make a
copy of the key and give it to someone else, they will be able to open the lock.
The advantages of Symmetric Key Encryption are that it is relatively fast and
that the size of your message does not get larger when it is encrypted.
The challenge with Symmetric Key Encryption is that you need everyone to
have the key. But if you're an attorney and you want to send something to your
client, how do you initially get them the key? Do you use some alternate form of
communication like FAX, telephone call or letter in the mail?
- Public Key Encryption
Public Key Encryption solves the problem of exchanging keys that arises with
Symmetric Key Encryption.
With Public Key Encryption, each user gets two keys: a public key which they
publish to the world and a private key which only they know. The two keys
are related mathematically -- messages that have been encrypted with the
public key can only be decrypted with the private key.
You can think of the public key as an open, empty box with a combination
lock on it. You can give out these open, empty boxes to anyone and everyone.
You can put this open, empty box on your web site or publish it on a key
server so that anyone in the world can get a copy of your open, empty box.
When someone wants to send you a message, they get one of your open, empty
boxes and put their message in the box. They close the box and spin the
combination lock. At that point, nobody can open the box, not even the sender.
Only you can open the box by using your private key, which serves as the
combination to the lock. The contents of the box are protected even if they are
intercepted, lost or mislaid or copied a million times. Without your private
key, they remain secure.
Most email encryption software uses Public Key encryption just to exchange a
Symmetric Key. So the only thing in the box would be the Symmetric Key,
and then you would get a second box that was encrypted with the Symmetric
Key that you now both know. This solves the speed and message size issues.
- Transport Level Encryption
Transport Level Encryption protects the communications channel, no matter
what type of communication passes through that channel, but it only protects the
content during transmission.
- Digital Cellular Telephone Networks -- Encryption between your handset
and the tower, but no encryption on the land line network.
- Virtual Private Networks (VPN), infra
- Encrypted WiFi Networks, infra
- Secure (HTTPS) Web Sites, infra
||All Firms: SPAM and Email Virus Detection and Filtering
- Your ISP can filter your email for SPAM and Viruses, but you still need software on your computer to
act as a last line of defense.
||All Firms: Anti-Virus and Anti-Spyware Software
- Trojan Horses, Spyware and other Malware defeat all other kinds of protection, including encryption.
||All Firms: Firewall and Virtual Private Network (VPN)
In the Internet context, you have probably experienced at least one of the most
common types of Transport Level Encryption: Virtual Private Networks
(VPNs), Encrypted Wireless Internet (WiFi) Hot Spots, and Secure (HTTPS)
- BBC News Article: Warning of webmail wi-fi hijack, August 3, 2007.
- A VPN provides an encrypted tunnel between your computer and your firm's network.
- Using a VPN makes your communications inside the firm secure, but does not protect against
connections made to outside computers, or messages sent outside your network.
- Even with a VPN, your traffic is only as secure as the computers on the network. If
one of your office computers has Malware on it, it can sniff network traffic including
your VPN traffic.
Virtual Private Networks are created by installing a special program on your
computer and then having either software or a hardware device on your office
network. When you start up your computer, you open the VPN software and
connect to your office network with a login and password. From that point on,
all traffic between your computer and your office network is encrypted, and
you can access anything on your local office network as if you were physically
in the office, even if you are traveling.
The downside to a VPN is that it only encrypts the traffic between your
computer and your office network. Any connections to computers outside
your office network are not encrypted. Furthermore, if your office network is
compromised -- e.g. Charlie has a physical connection to your office network,
or Charlie has installed some spyware or malware on one of the computers in
your office -- the VPN will not provide any protection.
||All Firms: Encrypted File Systems
- Encrypted File Systems are especially important for portable devices such as Blackberrys, PDAs and Laptops. The enrypted file system is only as good as the encryption key and the password that unlocks the key. Make sure that that if you are idle or away from the computer for a period of time that re-entry of the password is required.
- Blackberry Content Protection Demonstration.
- Thumb print scanners vs. good passwords.
- Thumb Drives: Encryption and physical recovery should be used hand in hand. See, e.g., StuffBak "Carry It Easy" Drive.
||Larger Firms & Boutique Practices Dealing with Sensitive
Client Information (Trade Secrets, Intellectual Property,
Divorce/Family Law): Encrypted Email and Instant
- Encrypted IM protects against sniffers and malware.
- In house Jabber server can provide encrypted IM communications between employees while they are in the office or on the road. The Jabber server uses SSL (Secure Sockets Layer) to provide encrypted communication between each user and the Jabber server which acts as a hub to relay messages.
- IM Sniffing Demonstration.
- Encrypted Email
Sending a normal email is like sending a post card, so it's unclear how the ABA determined that there was a "reasonable expectation of privacy" in email.
- Transport Level Email Protection
- Webmail over HTTPS.
- IMAP, POP and SMTP over SSL, and the danger of passwords sent plain text.
- Content Level Email Protection
- Pretty Good Privacy (PGP) and the OpenPGP Standard.
- GNU Privacy Gaurd (GPG)
- Interactive PGP Demonstration
|6||Pitfalls and Common Sources of Client Data Loss|
||Backups, Archiving and Offsite Storage
- Encryption should be performed before data is transmitted, and using your own key.
- Internet Based Backups
||Spyware and the Local Office Network
- Physical security of your office is still very important.
- TIME Magazine Article: Hackers for Hire, December 2006.