ParfumGigi@aol.com

30 janvier, 2008 14:23

How to protect confidential client information when using public wireless networks

By Joel L. Frank and Scot R. Withers

The Legal Intelligencer

January 30, 2008

In today's digital world, lawyers are becoming increasingly adept at using convenient technology to make their work easier and to provide prompt advice and services to clients. Laptop computers, remote access to firm servers and wireless networking are just some of the expedient ways that lawyers can connect to the Internet and their own offices from around the world.

Hopefully, most firms employ an IT (information technology) administrator, or even an entire IT staff, to set up firewalls, anti-virus and spyware protection and/or encrypted virtual private networking to help protect and secure the firm's sensitive data and confidential client information.

However, how secure is confidential client information when lawyers are not actually in their offices using a desktop computer, or they are using a laptop computer on a secured wireless network set up by a network administrator? When lawyers take advantage of wireless networking, or "WiFi," to connect to the Internet or an office server to access e-mail or client documents, they may unwittingly risk the loss and disclosure of sensitive data and confidential client information.

As if it were not disconcerting enough that the loss and disclosure of sensitive data such as online banking passwords and personal information can lead to fraud and identity theft, lawyers who are required by the "confidentiality rule" to protect confidential client information risk running afoul of the ethical rules and facing attorney disciplinary sanctions.

Broadly stated, the "confidentiality rule" requires a lawyer to hold inviolate any and all information relating to the representation of a client. The confidentiality rule is embodied in the Pennsylvania Rules of Professional Conduct, specifically Rule 1.6 ("Confidentiality of Information"), Rule 1.9 ("Duties to Former Clients"), and Rule 1.18 ("Duties to Prospective Clients").

Under these rules, unless the client consents or disclosure is otherwise authorized, a lawyer's duty of confidentiality extends to any and all information relating to the representation of current and former clients, and continues even after the lawyer-client relationship has concluded or the client dies. The confidentiality rule also extends to a prospective client who consults a lawyer for the purpose of obtaining legal representation or advice, even if the lawyer performs no legal services for the prospective client or the representation ultimately is declined.

The confidentiality rule applies not only to any and all matters communicated to the lawyer in confidence by the client, but also to any and all information relating to the representation of the client, regardless of the source of the information. The confidentiality rule is extremely broad -- it applies to disclosures by a lawyer that do not in and of themselves reveal confidential information, but reasonably could lead to the discovery of confidential information by a third party. It prohibits the disclosure of such information as a client's or a former client's identity or whereabouts, financial matters, billing information that may reveal confidential information about clients, and even extends to information acquired by nonlawyer assistants, paralegals and firm employees.

Additionally, there is no exception to the confidentiality rule which would permit disclosure of information, even if that information is readily available from other sources.

A WiFi-enabled device such as a laptop computer with a wireless card can connect to the Internet when within range of a wireless network connected to the Internet. "Free" WiFi "hot spots" are increasingly available to the public in such places as airports, office buildings and other commercial establishments like coffee shops, as a convenience (and marketing tool) to members of the public. However, anything one does when connected to a WiFi hot spot does not simply go straight from one's laptop computer to the nearest connection. Instead, it is broadcast over a fairly wide range, surrounding the laptop computer in a radius of up to 500 feet.

Lawyers who connect to these "free" networks could be putting themselves and confidential client information at great risk. Computer hackers are able to hijack unsuspecting WiFi transmissions from laptop computers by "skimming," or scanning the WiFi spectrum and picking up the information sent through the air, and through another hacking technique dubbed the "Evil Twin." Through this technique, also known as "channeling," the hacker sets up an illegitimate wireless access point (the "Evil Twin") near a legitimate one, using the same name or a very similar name, which sometimes the hacker then jams. Users within range of the Evil Twin unknowingly connect to the hacker hotspot instead of the legitimate one, assuming that they have made a real and safe connection to the Internet. However, the information transmitted is captured, or "channeled" to the Evil Twin.

Setting up a fake "free" WiFi hotspot in a public place to steal sensitive data is an alarmingly simple task. In fact, there are a number of hacker Web sites that provide specific instructions on how to accomplish such frauds.

However, lawyers can still take advantage of public WiFi by securing their laptop computer to ensure that they and their clients do not become victims. There are several things lawyers should always do to enhance and protect their security.

The first thing lawyers can do to protect themselves and confidential client information is to raise the issue with their firm's IT administrator or IT staff, letting them know that public WiFi is being utilized, so that the IT specialists can use their expertise to protect sensitive and confidential data. Additionally, lawyers should follow the following basic tips to better protect themselves in public WiFi environments:

Disable file and printer sharing in Windows -- not doing so can provide an easy way for hackers to access one's computer and load malicious spyware that will remain on one's computer even after leaving the public location.

Always choose encrypted networks when they are available, even if it involves paying a fee, and utilize a VPN (virtual private network) connection to one's firm whenever possible.

Before connecting to a WiFi hotspot, locate a sign that advertises the name of the network to which one is connecting and verify that the network is legitimate.

Keep your wireless card shut off if you are not planning to connect to the Internet.

Be conscious of the information being shared in public locations. A simple login to an e-mail account may give a hacker access to more important data, since it is well known that most users utilize the same password (with minor variants) for online activities.

Frequently run updated comprehensive security software to prevent spyware and viruses.

Keep your operating system updated with the most recently issued security patches.

Make sure your software firewall program is properly installed, running and up-to-date.

The protection of client information is a fundamental principle in the lawyer-client relationship. It contributes to the trust that is the hallmark of that relationship, and it encourages clients to communicate freely with their lawyers, which, in turn, enables lawyers to effectively represent and advise clients. Lawyers can never be too cautious in safeguarding confidential client information. Preventing the unauthorized disclosure of confidential client information will not only help to preserve and maintain the lawyer-client relationship, but it will also protect the lawyer from an unwanted foray into the attorney disciplinary system and prevent unwanted disciplinary sanctions that could jeopardize the lawyer’s livelihood.