When Accuracy Becomes a Red Herring

The obligation of lawyers to keep information confidential faces increasing demands.  Technology enables inadvertent disclosure in so many more ways: cloud services, mis-addressed or bogus e-mails, and so on.  Yet educating legal professionals about what these threats are can veer into the weeds.  The goal of explaining the threats in meaningful ways can be swallowed up by the need, or the belief, that we have to give those threats their proper names.

The break point came for me when I read about a lawyer in the UK who, based on a phone call from her bank, transferred US$1.1 million to new accounts.  The article used the term vishing, which was new to me.  It’s a collapsing of voice and phishing and, as far as I can tell, unique to the UK (although the FBI tried it out in 2008, it doesn’t seem to have caught on).  It’s a form of social engineering (which is not party planning).

For me, vishing was a wishful distinctive phrase too far.

A lawyer needs to understand the potential threats.  It is incredibly easy to try to teach them to use terms like vishing, phishing, spear phishing, whaling, watering hole and other catchy but not obvious terms.  There is a good discussion to be had about technology use without actually referring to Heartbleed, Poodle, Cryptolocker, and the myriad other names that appear when the media needs to distinguish one hack from another, or to get eyeballs.

If I’m pointing fingers, then I’ll start with myself.  It has seemed reasonable to use the terminology that is commonly found in online articles and news.  We are a profession that names things, even if we use stories to explain them.  Surely, if the lawyers I’m talking to are up on current events, they’ll have seen these?  I’m not so sure.  They certainly don’t seem aware of the terms in CLE sessions.

The terms can be useful shorthand if it’s your area of interest, or to help a reader know that something new has happened.  But to people trying to figure out how to deal with social engineering phone calls, or to avoid Web sites and e-mails that are potentially dangerous (dare I avoid the word payload?), all of this lingo is likely useless.  They will only care about what the attack was called if it has happened, not if they have avoided it.  It looks like I’d forgotten my audience.

Here’s a new goal.  When talking to lawyers about the impact of technology on their duty to protect client confidences and private information, I’ll focus on the how and care less about what it’s called.  Otherwise the lawyer may perceive a long, never-ending line of new threats without realizing that the same basic advice will help her to avoid them.

Originally posted on LinkedIn.