Lawyers: Be Smart (and Ethical) With Those Smart Devices
Cameras and microphones are everywhere, capturing our movements and recording every sound within their reach. The cell phone, the voice assistant, the family car, the pet camera, even that new sous vide precision cooker. They’re all listening or watching.
Nearly everyone is aware of these devices. But are we sufficiently aware of them? Do we sufficiently understand the implications of the vast data capture and data processing technologies that underpin so much of our daily lives?
These are important questions for everyone, of course, but for attorneys they are critical inquiries. Any internet-connected device provides an opportunity for a hacker to gain access to the rest of the law firm’s computer network and, from there, to destroy attorney-client privilege, steal client confidential information, or install ransomware.
It’s understandable — but no longer acceptable — for busy litigators to forget that these devices are present when client confidential information is being transmitted or discussed.
Lawyers Talk, Smart Devices Listen
Linn F. Freedman, an attorney who chairs the Data Privacy + Cybersecurity Team at Robinson & Cole LLP in Providence, R.I., says it’s important that lawyers understand that any internet-connected device can be hacked and that any device with a microphone is listening all the time — unless it’s turned off. “We talk all day long and when we are talking on Zoom, on Microsoft Teams, on our phones, when we’re talking those apps have access to our microphone,” Freedman told attendees during a recent Massachusetts Bar Association seminar. “They can listen to all of our client contacts and that is possibly, potentially, a breach of our confidentiality of our client data.”
Freedman, who writes about current cybersecurity legal issues at her firm’s Data Privacy + Cybersecurity Insider blog, advises attorneys to be aware of the presence of these devices whenever they are discussing a client matter and then to take steps to eliminate whatever threats to their client’s confidential information arise under the circumstances.
In addition to voice assistants, which are always listening, cell phone and smartwatch apps pose another significant threat to client confidentiality. When these apps are first installed on a phone, they seek the user’s consent for access to the phone’s microphone, camera, location — even the user’s contacts database that, in the case of a lawyer, could contain an abundance of information about the lawyer’s clients.
Rental cars can also lead to the inadvertent loss of client information. Connecting a cell phone to the car, either directly with a cable or via Bluetooth, could possibly cause the lawyer’s contacts database to be transferred to the vehicle and left there for a subsequent vehicle lessee to discover. Connecting a cell phone to a personal vehicle is not much better, because information on the lawyer’s cell phone will then be accessible to the vehicle manufacturer.
Lawyers’ Ethical Obligations
The need for lawyers to be mindful of the threat to client confidentiality posed by smart devices was specifically addressed in 2021 by the American Bar Association Standing Committee on Ethics and Professional Responsibility. In Formal Opinion 498, the committee cautioned:
Unless the technology is assisting the lawyer’s law practice, the lawyer should disable the listening capability of devices or services such as smart speakers, virtual assistants, and other listening-enabled devices while communicating about client matters. Otherwise, the lawyer is exposing the client’s and other sensitive information to unnecessary and unauthorized third parties and increasing the risk of hacking.
The many data security risks created by smart devices implicate several ethical obligations applicable to lawyers:
- Duty of technological competence (ABA Model Rule 1.1, Comment 8). Lawyers must have a good understanding of the technologies used in their practice, particularly the security risks associated with those technologies.
- Duty to maintain the confidentiality of client information (ABA Model Rule 1.6). Lawyers must make reasonable efforts to prevent inadvertent or unauthorized disclosures of client information.
- Duty to communicate (ABA Rule 1.4). Clients must be kept “reasonably informed” about the status of the representation, including information about data breaches or other threats to confidential information.
- Duty to safeguard client property (ABA Rule 1.15). Several jurisdictions have concluded that the day to safeguard client property includes a duty to safeguard client information in electronic form. In Formal Opinion 483, addressing ethical obligations in the wake of a data breach, the ABA merely remarked that treating electronic property differently than physical property would not be a reasonable interpretation of Rule 1.15.
Some jurisdictions have been more active than the ABA in regulating cybersecurity practices, so lawyers should be sure to consult the professional regulatory bodies in their locality.
Outsmarting Smart Device Hackers
Freedman offers several suggestions for how lawyers might safely, and ethically, serve their clients in a work environment seemingly saturated with data collection devices:
- Change the password on the router when working from home. The default passwords that come with new router installations are well-known by hackers.
- Review the privacy policies for all devices that are used to transmit client information.
- Review (and frequently revisit) cell phone settings to learn which apps have access to the camera, the microphone, the user’s location, or any other phone usage data.
- Turn off all devices that contain a microphone (e.g., Alexa) when there’s a chance the device might capture client information.
- Protect every access point to the law firm’s computer network with two-factor authentication. Use strong passwords.
- Be careful when sharing information on social media services. Hackers frequently use publicly available information on these services to compile dossiers on future victims — usually for phishing exploits.
- Be sure to install security patches on software as soon as the manufacturer makes them available.
Finally, attorneys should be aware of the heightened cybersecurity threats currently posed by the Russian and Chinese governments. “All of your IT professionals should be on high alert,” Freedman says. Russia and China have been attacking U.S. law firms for years, and these attacks are expected to escalate in the near future.
Law firm managers should consult the information and guidance published by the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency frequently for the latest information on cyberthreats and strategies for addressing them.