Please enjoy this blog post authored by Rebecca Sattin, CIO, Worldox.
Before COVID-19, most people worked in an office. Some firms had solutions in place for those who worked remotely periodically, but most people came into the office to work. That is where their files were, their phones, their colleagues, and their office staff.
Then in March of 2020, everything changed very quickly. Whether or not firms had remote work plans in place, they had to put something together immediately. At that point everyone’s main concern was ensuring people could continue working. Security may have been a concern, but the priority was to ensure the firm could stay in business by enabling everyone to work from anywhere.
Many companies did what they had to do to ensure they could stay in business, but now, a year and a half later, they are starting to look at better and more secure ways of doing things. What we thought was going to be a temporary situation has become the new normal.
Some of these changes come from lessons learned in the last year and a half. Many people have embraced working from home, as it has allowed them to spend with their families the time they would previously have spent commuting. Some firms have demanded that everyone return to the office, but many are going the route of a hybrid situation, often due to the demand of the workforce.
In the “better late than never” department, the ABA updated its guidance regarding the virtual practice of law in March of 2021. They reemphasized Rules 1.1, 1.3, and 1.4 pertaining to competence, diligence, and communication, as these functions can be more challenging when practicing virtually. They also reemphasized the guidance provided in Formal Opinion 477R regarding encryption of communications to clients.
They added an important component pertaining to Rules 5.1 and 5.3, the duty to supervise lawyers and staff, because the supervision of other lawyers and non-lawyers, while more difficult with a virtual practice, remains an ethical obligation. Practicing virtually does not change or diminish this responsibility, and it extends to those outside of the law firm too, including outside vendors.
In this opinion, the ABA stresses reevaluating technology used in your practice to ensure your ethical obligations are being met, especially confidentiality. I will discuss some of them here and include some observations I have seen in the field.
The first challenge that many encountered was in relation to home internet connections. One firm mentioned to me that they initially furloughed people who had no internet connection but then ultimately provided a technology allowance that could be used towards anything, including an Internet connection. Other considerations going forward include ensuring that business use is on a separate network from personal use. The importance of this varies based on what type of remote solution a firm has, but I’ll get to that later. The ABA, not known for publishing technical requirements, even recommends using a VPN and reminds people to change the default SSID and password on the Internet equipment from their ISP.
BYOD or Firm Owned
While many firms may have had ways for people to work remotely before the pandemic, they may not have been set up for everyone to work remotely. Those remote systems had to scale up to manage the demand. In speaking with our clients, often the determining factor in their strategy involved what equipment was owned by the firm.
Once it was clear the pandemic was not going to subside quickly, many firms migrated to Cloud solutions. Some lucky ones had done so prior to the pandemic. For those firms who opted to go with a hosted desktop solution, the transition to working from home was easier because it matters less whether people use their own computers or a firm-owned computer, provided the security of the hosted desktop is set so that nothing from the local environment can traverse that connection.
There are some firms, however, who had staff members who did not have computers at home. Some of them opted to go with Chromebooks as there were not as many supply chain issues with these as there were with PCs.
Some firms without VDI or hosted desktop solutions had their staff use RDP to access their PCs in the office. Using Group Policies, they were able to put in place restrictions so that nobody could inadvertently shut down their office PC. Still another firm with whom I spoke had everyone take their work PCs and one monitor home with them. (They each had two monitors in the office.) Now that the firm is working in a hybrid situation, they have to bring the PC back and forth. Luckily, they were small form factor devices.
Those who did not have VDI environments and also had individual Cloud applications were often forced into some tough decisions. It is never ideal to utilize firm applications directly from a computer not owned by the firm, especially if that computer is also used by other family members. The ABA actually addressed this in Formal Opinion 498 by suggesting that a new account be created for work use on a home PC and set up so that it cannot access any other account on the machine and vice versa.
When dealing with either home equipment or firm equipment that is used at home, patching and antivirus updates become more critical. Some firms that allow personal equipment to be used to access a VDI environment still put restrictions in place, enforced by their systems, that allow only patched systems with up-to-date antivirus to connect.
Law firms must always keep in mind their duty of confidentiality, especially when working remotely. The ABA stresses the importance of having a clean desk policy even when working remotely. Unless the technology is assisting the law practice, the listening capability of devices such as smart speakers, virtual assistants and the like should be disabled while communicating about client matters.
Often technology teams forget about one other aspect of confidentiality that goes right along with the clean desk policy. If lawyers and staff are allowed to print at home, printed documents must not be kept within sight of others in the household, and they should be shredded when no longer needed. Some firms provided shredders for people, and others had the documents shipped to the office for shredding.
It is also critical to ensure client-related meetings cannot be overheard or seen by others in the household or other remote location, or by other third parties who are not assisting with representation. This goes without saying, but all communication platforms must be secure.
Many firms have reevaluated their phone systems and other communication platforms as a result of pandemic experiences. At the start of the pandemic, I encountered several firms who were merely allowing calls to go to voice mail and then returning them with their cell phones. Hosted VoIP platforms often allow unified communications through an app that can be installed on a mobile device. Some provide a single number that can be used for phone and text messages for those firms whose clients prefer texting. Keeping all of this data on a firm-provided system, rather than letting it go to personal devices, protects the entire content of those devices from being discoverable.
If this was a problem with everyone at the office, it became an even bigger problem with people working remotely. Working remotely, many may have been inclined to take advantage of free or consumer-grade products for convenience. ABA Formal Opinion 498 even indicates that such products should not be used and that, even for business-grade products, the terms of service, onboarding and offboarding procedures, and system requirements should be reviewed thoroughly to ensure that the data and any backups of it are stored in this country and encrypted in transit and at rest.
Training & Support
Prior to the pandemic, many firms struggled to get lawyers into training classes. In many cases that is now a thing of the past, as many were forced to do things themselves that they would previously have entrusted to an assistant or other support person. The demand for training has increased and the support needs have changed entirely.
Many firms provided training for their staff on how to set up equipment at home and how to use it securely. Some firms expanded the teams that handled video conferencing because the demand for assistance setting up Zoom or Teams meetings increased.
One challenge that was mentioned by several firms was that they were asked to support other home equipment that may not have been related to work. Depending on the firm, some have contracted with outside companies to handle this type of support.
The most important thing to remember – and this was emphasized by the ABA – is that risk assessment is a constant and ongoing process. With each procedural change or product change, a new risk assessment should be done.
Rebecca is Chief Information Officer of World Software Corporation. She was formerly at Mitchell Silberberg & Knupp LLP for 18 years, where she was Director of Information Technology. She has more than 30 years of experience in the area of law firm technology. In the last several years she has spoken to law firms and bar associations about cybersecurity. She has spoken on various other topics such as design thinking, collaboration, and deployment planning at the International Legal Technology Association (ILTA) conferences, LegalTech Shows and other technology forums. She has also served on the advisory boards for LA City College’s Computer Technology department and Ithaca College’s Executive Education Cybersecurity Program. Rebecca is a graduate of Washington University in St. Louis.