The NC Rules of Professional Conduct Rule 1.1 (Competence) comment was updated in 2014 to read: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with the technology relevant to the lawyer’s practice”. One very real risk is the continued use of older software and operating systems when they are no longer supported.
Say Goodnight, Gracie
Most lawyers know that maintaining firewalls, keeping anti-virus and anti-malware definitions up to date, practicing vigilance when opening attachments and surfing the Internet, and maintaining adequate backup files are all vital for security. Considering that in the ABA’s 2018 Legal Technology Survey Report 40% of respondents affirmed that their firm had been infected with a virus/spyware/malware, these precautions are absolutely necessary to maintain competency and confidentiality.
What lawyers should also know is that running old, outdated and unpatched software and operating systems puts the firm at a high risk for infection, data breach and violation of confidentiality. In the 2018 ABA survey 18% of firms were using Windows 7. Windows 7 will no longer be supported as of January 2020. You will need to upgrade all computers running this operating system to Windows 10 before the end of the year. Also, as of October 2020, MS Office 2010 will no longer be supported. And, don’t forget servers. Windows Server 2008 (SP2) and Exchange 2010 (SP3) will no longer be supported after January 2020. Lawyers should start asking their IT folks now what they are running and take action before the holidays arrive to get up to date.
So, what’s the big deal?
Unsupported operating systems receive no security updates, security hot fixes, support, or online technical content updates from the vendor. The computer and software will still operate but become more vulnerable to security risks and malware infections. There will be no patches for threats such as zero-day vulnerabilities (high risk security holes). Often the zero-day exploit is a code injection that sits undetected in the background, opening a back door to the firm’s data and files.
Even if a firm has upgraded from Windows 7 and Office 2010 to more recent versions there are still heavily used, yet unsupported and unpatched software applications putting files at risk on many law office machines. Adobe Acrobat X Reader/Standard/Pro is no longer supported as of November 2015. Adobe Acrobat XI and Reader XI support ended October 15, 2017. Internet Explorer 10 (and 8 and 9) is no longer supported as of January 2016. Mac users are not immune, as OS X 10.6 (Snow Leopard), 10.7 (Lion) or 10.8 (Mountain Lion) and older versions of their Safari browser are no longer receiving security updates from Apple.
Software installed on a computer that is “invisible” or inactive until used by an interactive website, like Oracle’s Java or Apple’s QuickTime, is often exploited because computer users ignore the update messages. While some of these exploits have made news, many others have not. It is essential to keep all applications, add-ons, and applets patched on firm machines. Easy targets for hackers include Adobe Flash, Apple’s QuickTime, Adobe Reader, and the aforementioned Oracle Java. In fact, as of April 14, 2016 both the US government and Trend Micro are recommending Windows users uninstall QuickTime 7 due to vulnerabilities Apple has no intention of fixing. And Oracle’s Java has suffered from similar warnings – disable it if you haven’t already. Do not ignore reminders to update these applications. If you are unsure whether the message to update is a virus, a quick Google search will usually confirm whether a patch has been issued.
The Boogey Man
A high profile security threat that is constantly evolving and exploiting old, outdated software is ransomware. Ransomware is a prevalent threat that infects a computer or network, hijacks and encrypts the files and holds the firm’s data ransom for payment in untraceable Bitcoins. Often police and the FBI will concede infected users may need to pay the ransom to free the files. The ransomware builders are becoming bolder and more sophisticated. They are building in countdown clocks to pressure victims and will delete files if the ransom is not paid quickly. The ransomware code is often delivered by exploiting vulnerabilities in software like Adobe Reader, by tricking a recipient into opening a PDF document or running a macro in a Word document sent via email. Even with a completely up to date system with excellent security protection, companies are getting hit with ransomware. However, hackers like easy targets. They are now intentionally exploiting hospitals, municipalities, and schools – entities that often run out of date and old systems. A few years ago law firms were targets of spoofed emails appearing to come from the state disciplinary agency or bar association. These emails are well written, personalized messages claiming a disciplinary complaint has been filed or that membership has lapsed. What will be next?
What to Do?
In addition to replacing outdated software and keeping current software patched and updated, firms must maintain constant vigilance against social engineering and train all staff and lawyers to be wary. Social engineering is a method of tricking a person into opening the door for malicious attacks, and it usually preys on fear, vanity, or the desire to help someone in need. Almost everyone has seen them: the direct message from Twitter from someone you know asking “what are you doing in this video?”; the email from a friend needing you to send money via electronic transfer because she lost her wallet while traveling outside of the country; the email from the Better Business Bureau requesting you to click through to see a negative report that has been filed; and the list goes on. Learn to recognize the signs, practice defensive computing, and exercise skepticism to avoid having one of these tricks best someone in the firm.
Current (Technology) Awareness
Most of the time, if Google or Dropbox or another large provider has a security issue, the news will make the headlines. Take a quick look at the technology section of the daily news (site/show/program) for any breaking headlines. Legal technology and security blogs, like Sharon Nelson’s Ride the Lightning or the free daily ABA Journal email, are also fantastic resources for the current thought on “is it secure enough for a lawyer?”. Keep an eye out for press releases, social media notifications, email alerts, and blogs for information you may need to know from products that are used in the firm. Feel free to contact the NCBA CPM with questions.
Technology can be extremely beneficial for lawyers and their clients, but it does not come without risk. Not updating your technology may provide short term savings but will be very costly in the long run. Running old, unpatched and out of date software increases the firm’s exposure to ransomware and viruses. Additionally, last minute system upgrades and updates can be extra costly if they necessitate new hardware and other software updates, precipitate the need for training, or cause disruptions such as downtime. Keeping office technology up to date and following best practices for basic security will help you stay competent and guard client confidentiality.