Keep Confidence Through Prevention

Yesterday was the bi-annual educational session for lawyers coming to practice in Ontario from other jurisdictions.  It is the 20+ time I have given a session on how lawyers can protect confidential information while using technology.  Year to year, there’s little change, but over the last decade, I’ve shifted my entire approach from discussing the what and focusing more on the why.

In that time, I’ve dug into the products lawyers might use, I’ve done a Star Wars version on May the Fourth day, and pretty much anything in between.  The materials have included a checklist and a free ebook.

Two things struck me yesterday.  One is that just as many lawyers seem to be surprised each year at the same things – how visible they are to others on the internet through tools like, for example, or that PDFs can carry javascript within the file, invisible to the reader – that seem very old news.  The other is that, while there was one question about whether or not to use the cloud, it’s largely dropped off lawyers list of concerns.

But as a recent technology debacle (not mine) showed me, the technology really doesn’t matter as much as the lawyer.  Even yesterday, one lawyer asked which technology I preferred, and I told her it didn’t matter.  No technology is fool proof (no offense to lawyers) and so she should choose what she will be most productive using.

All technology used to protect confidential information is preventive and intended to minimize, not eliminate, the threat of inadvertent disclosure.  The very best you can do is put enough obstacles in the path of data loss.  And put them in place before there’s any access or data loss.

One part of that is figure out the right balance – for you – between protecting confidential and private information and not protecting it.  Make choices on passwords and password managers, biometrics, what connects to the internet and how, so that the friction protection creates doesn’t overwhelm your interest or ability, or that of your staff, to do the necessary work.  There’s no point installing endpoint security software if your staff are going to go on auto-pilot and click anything that gets past it.  And don’t put anything in the cloud or internet-accessible that’s confidential if you’re not going to go through the work of unique, strong passwords.

I’m including my slides below, for what they’re worth (not much).  The sites that I referred them to or, in the case of an online quiz, actually used within the presentation included:

  • The Harvard Kennedy School’s Belfer Center for Science and International Affairs’ Cybersecurity Campaign Playbook.  It’s focused on elections but we covered the exact same topics in the session.  Every professional is facing the same issues and it’s not rocket science.  This publication came out on Monday (the 4th) and was a good read through the basic steps to harden one’s practice.
  • Pew Internet’s Cybersecurity Knowledge Quiz.  This is a ten question quiz that gets increasingly challenging as you go through.  Take the time and try it out.  At the end, look at the results, in particular the “Don’t Know” results – people who didn’t choose a correct or incorrect answer.  This was the staggering take away for me: almost as many people don’t know the answer (like what’s the best password) to some questions as those who make a correct answer.  If we think of lawyers being held to a reasonable test in the context of using technology and taking reasonable steps, I’d expect lawyers to get most of these questions right, or know why they didn’t.

It’s an unusual opportunity.  The audience is, by definition, different each time.  I could really just use the same slide deck and presentation every 6 months.  But, while the underlying topics are largely the same year over year, there are always new and recent examples of people screwing up.  They might be big, like law firms involved in the Panama Papers or Paradise Papers. Just as often they’re small, mundane mistakes that a little bit of forethought – and only human interaction – would have necessary to avoid.