Any piece of technology that stores information could be compromised—even obsolete devices that get thrown out with the garbage
In 2010, Affinity Health Plan, a Bronx, New York-based managed care provider, suffered a cybersecurity breach that put hundreds of thousands of health care records at risk. But the breach didn’t occur because of a socially engineered ruse or a malicious hack.
It happened because the lease was up on the copy machines.
“A lot of lawyers aren’t thinking that the copier has a hard drive in it,” says Joe Lazzarotti, a principal at Jackson Lewis where he co-leads the firm’s privacy, e-communication and data security practice.
Affinity’s photocopiers had hard drives. In the normal course of business, they were rolled out the front door along with the electronic health care information of more than 344,000 people, according to a 2013 settlement with the U.S. Department of Health and Human Services.
Affinity failed to consider copy machines as a potential security risk, costing the company over $1.2 million in a civil penalty. The settlement also required the company to expend resources to retrieve the machines, conduct a risk assessment and implement a new security plan.
“These peripheral devices of all kinds present risks that we’re not thinking about,” Lazzarotti says.
With so much attention paid to phishing attacks and hacking, ubiquitous technologies are being overlooked. Beyond photocopiers, fax machines, smartphones and USB drives create unique security vulnerabilities. For lawyers, overlooking these devices could have serious consequences for attorney-client privilege and create ethics violations.
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
Understanding the risks
In 2012, the ABA Model Rules of Professional Conduct increased attention on technology’s role in legal ethics. For example, Model Rule 1.1 regarding competency requires that lawyers be “abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
However, this is easier said than done. “Most lawyers are not trained to deal with the issues associated with inadvertent loss of information or unauthorized loss of information,” says John Barkett, a partner at Shook, Hardy & Bacon in Miami and a member of the ABA Standing Committee on Ethics and Professional Responsibility, referencing the updated Model Rule 1.6(a) on confidentiality. “They don’t understand technology well enough to be able to deal with that.”
He says that reasonable attempts to follow the ethics rules may include talking with IT professionals and reading privacy policies and terms of service agreements to understand a device or piece of software.
The risks created by easily accessible software are increasingly coming into focus. Recent research from Northeastern University in Boston has found that apps for Android phones were acting beyond their terms of use by recording users’ screens and sending that information back to the company. Of the 17,260 apps researched, the researchers found over half had the potential to exfiltrate data collected through the phone’s camera, microphone or ability to record the device’s screen.
“It’s alarming, but there’s nothing you can trust in regard to your mobile phones and smart devices,” says Elleen Pan, previously an undergraduate researcher at Northeastern and now a software engineer at Square, a mobile payments company in Atlanta.
“Screen recording could be more of a privacy risk than access to your camera or microphone,” says Pan. This software could capture the typing of credit card numbers, passwords and other personal information. The research notes that these actions were not always clear in user agreements and can’t be turned off by users.
Small device, big breach
Smartphones aren’t the only ubiquitous threat. USB drives and the expanding world of internet-enabled products, termed the “internet of things,” also create and compound security vulnerabilities.
“The idea that you would take something that you know nothing about and put it in your machine is repugnant,” says Jason McNew, CEO of Stronghold Cyber Security based in Gettysburg, Pennsylvania. “You have no idea where the thing was manufactured.”
Comparing the ministorage devices to a dirty needle, he says they can come preloaded with malicious software and are used by hackers and penetration testers to exploit human vulnerabilities to access a network. While there is no Consumer Reports for secure devices, he notes that the National Security Agency does evaluate and validate some products for high-security purposes, such as hard drives, encryption devices and paper shredders.
Regarding the internet of things, including web-enabled cameras and smart thermostats, reports have shown that poor security has led to people’s devices taking part in denial-of-service attacks while the owners were unaware. In other instances, device manufacturers built in secret “backdoors” so devices could be accessed remotely, which left the technology vulnerable to attacks.
“It’s important to consider those things when you bring them into your environment,” he says. “Once you get a toehold in the network—then it’s anyone’s guess to what you can and can’t do.”
This article was published in the November 2018 ABA Journal magazine with the title “Yesterday’s Technology, Today’s Problem.”