I am going to assume that you, dear reader, had no personal information leaked as a result of the Ashley Madison hack. You may have been curious — after all, who didn’t wonder whether they would recognize someone on the list? But let’s set that aside, too. With worry and curiosity off the table, I suspect many of you think this story is yesterday’s news. I beg to differ.
This hack caught my attention because of the emotional response so many seemed to have. Don’t minimize what happened here because, in my opinion, it impacts every lawyer in active practice.
This Hack Was Different
The Ashley Madison hack wasn’t about stealing credit card numbers, email addresses or banking credentials. Financial gain wasn’t part of the equation. This hack was about morals, about what the hackers felt was right and wrong. It has garnered a whole new level of media attention because this one was a breach of privacy. Ashley Madison promised privacy, even charged for it, and didn’t deliver. Thus the public outcry.
I continue to visit with lawyers month after month to talk about network security. Admittedly, the vast majority have taken appropriate steps to properly secure their networks from outsiders. I will assume you have done so at your firm as well. But I have to ask the question: Are all the steps most lawyers take to protect their networks enough? I have no doubt Ashley Madison took similar steps to properly secure their network, and look at how well that turned out.
Keeping Clients’ Secrets
My point is this: The Ashley Madison hack demonstrated where the real weakness is — unencrypted data that is personal in nature. People get frustrated and upset when their credit card or even their identity is stolen. Trust me, I know firsthand. But a list of who’s out there cheating on their spouse is a whole different matter. For many on that list, a whole host of gut-wrenching emotions came into play, not the least of which was fear. In fact, there are reports that people have committed suicide because of this breach.
The site’s users expected, and were promised, that their information would be kept private, and it wasn’t, because Ashley Madison didn’t bother to encrypt it. Now here’s the rub. Don’t all your clients expect the very same from you as their lawyer? Remember, lawyers are charged with keeping secrets. It’s in our ethics rules.
The general public’s response to this hack has been, “Why should we care?” As a lawyer, you maintain client data that is personal and private in nature, and people expect their personal and private information to be kept private, period. I know encryption isn’t always the easiest thing to implement, but if you haven’t already done so, it’s time to stop with the excuses and figure it out.
At a minimum, if client data is in the cloud, it should be encrypted and you need to control the encryption key. If lawyers or staff remotely connect to your network, VPNs must be in use without exception. If devices go out of the office — smartphones, jump drives, laptops, tablets, backup drives — those devices should all be encrypted.
Yes, there may be a learning curve here and perhaps a little inconvenience — but that’s why you have IT support. These folks can make recommendations and help bring you up to speed. Talk to them and follow through. Your clients expect nothing less, and that’s the lesson of Ashley Madison.
Mark Bassingthwaighte is a Risk Manager with Attorney’s Liability Protection Society, Inc. (ALPS). In his tenure with the company, he has conducted over 1,000 law firm risk management assessment visits, presented numerous CLE seminars, and written extensively on risk management and technology. Mark received his J.D. from Drake University Law School. He blogs at ALPS411. Contact him at firstname.lastname@example.org.