I am going to assume that you, dear reader, had no personal information leaked as a result of the Ashley Madison hack. In addition, let’s set the curiosity response aside because, of course, who didn’t wonder whether, if they could look at the list, they would recognize anyone? With worry and curiosity off the table, I suspect many of you would now feel like this story is yesterday’s news and it’s time to move on. I beg to differ. This hack caught my attention because of the emotional response so many seemed to have. Don’t minimize what happened here because, in my opinion, this hack impacts every attorney in active practice.
Why do I say this? Because this hack was different. It wasn’t about stealing credit card numbers, email addresses, or banking credentials. Financial gain wasn’t part of the equation. This hack was about morals, about what the hackers felt was right and wrong. It has garnered a whole new level of media attention because this one was a breach of privacy. Ashley Madison promised privacy, even charged for it, and they didn’t deliver. Thus the public outcry.
I continue to visit with lawyers month after month and talk about network security. Admittedly, the vast majority of them have taken appropriate steps to properly secure their networks from outsiders. I will even assume that you have done so as well at your firm; but I have to ask the question. Are all the steps most lawyers take to protect their networks enough? I have no doubt Ashley Madison took similar steps to properly secure their network and look at how well that turned out.
My point is this. The Ashley Madison hack demonstrated where the real weakness is: unencrypted data that was personal in nature. People get frustrated and upset when their credit card or even their identity is stolen. Trust me, I know firsthand. But a list of who’s out there cheating on their spouse is a whole different matter. For many on that list, a whole host of gut-wrenching emotions came into play, not the least of which was fear. In fact, there were reports that people actually committed suicide as a result of this breach. These people expected and were promised that their information would be kept private, and it wasn’t, because Ashley Madison didn’t bother to encrypt it. Now here’s the rub. Don’t all your clients expect the very same from you as their lawyer? Remember, lawyers are charged with keeping secrets. It’s in our ethical rules.
The general public’s response to this hack is why you should care. You maintain client data that is personal and private in nature, and people expect their personal and private information to be kept private, period. I know encryption isn’t always the easiest thing to implement, but if you haven’t already done so, it’s time to stop with the excuses and figure it out. At a minimum, if client data is in the cloud, it should be encrypted and you need to control the encryption key. If lawyers or staff remotely connect to your network, VPNs must be in use without exception. If devices go out of the office, to include smart phones, jump drives, laptops, tablets, and backup drives, these devices should all be encrypted. Yes, there may be a learning curve here and perhaps a little inconvenience, but that’s why you have IT support. These folks can make recommendations and help bring you up to speed. Talk to them and follow through. Your clients expect nothing less; that’s the lesson of Ashley Madison.
As a Risk Manager for ALPS, Mark Bassingthwaighte, Esq. is responsible for developing and delivering new risk management and CLE products and services, risk management consulting, law firm risk evaluations, and writing content for the ALPS 411 blog at www.alps411.com. In his tenure with the company, Mark has conducted over 1,000 law firm risk management assessment visits, presented numerous continuing legal education seminars throughout the United States and written extensively on risk management and technology. Mark received his J.D. from Drake Law School. He can be contacted at: email@example.com