INSIGHT: The Lawyer’s Role in Protecting Cybersecurity in the Courts

As “officers of the court,” lawyers have always played a vital role in making sure that documents being submitted electronically are free of viruses and malware, and ensuring their office cybersecurity meets requisite technical, administrative, and physical safeguards. During Covid-19, with courts turning to technology for hearings and documentation, lawyers need to appreciate this role even more.

Those cyber and technology safeguards are inherent in a number of laws affecting the practice of law such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Consumer Protection Act (CCPA)—both of which have privacy and security aspects.

Appreciating what technical, administrative, and physical safeguards to implement can enable an attorney to uphold his/her professional obligations, while as an officer of the court, assist the judiciary in keeping proceedings sound from a cybersecurity standpoint.

Upholding the Rule of Law

As the U.S. Supreme Court stated in Ex parte Garland, 71 U.S. 4 Wall. 333 333 (1866), “[a]ttorneys and counselors are not officers of the United States; they are officers of the court, admitted as such by its order upon evidence of their possessing sufficient legal learning and fair private character.”

As such, it is incumbent upon attorneys to uphold the rule of law, maintain professionalism and adhere to the requisite “legal learning” requirements in order to provide competent representation to clients.

Over 150 years later, the American Bar Association’s Model Rules indicate that sufficient legal learning also includes “develop[ing] sufficient competence in technology to meet their obligations under the rules after a breach [and] protect[ing] trust accounts, documents and property the lawyer is holding for clients or third parties.”

Reading these two parts of the ABA’s Model Rules in pari materia, it appears that competence in technology is required before a breach in order to protect client materials, sensitive items and pleadings filed with the court, which are sometimes done “under seal” or in camera. See 31 U.S.C. §3730(b)(2).

Additionally, most states have adopted language that is similar to the ABA’s Model Rules. For example, on Feb. 26, 2019, the Supreme Court of Texas amended Rule 1.01, Paragraph 8 of the Texas Disciplinary Rules of Professional Conduct (Maintaining Competence) to expressly state that lawyers hold a critical role in the legal process and have an obligation to remain proficient and competent, including the risks and benefits associated with technology.

Impact, Expectations in the Courts

In July 2019, Georgia’s Administrative Office of the Courts were infected by a ransomware attack, which caused the entire state court network to go off-line for a period of time. More recently, a May 8 ransomware attack perpetrated on the Texas Judicial Branch, highlights the topic of evaluating a lawyer’s role in mitigating the risk of a cybersecurity attack is timely, especially in light of the increased use of telecommunication applications such as Zoom during the Covid-19 pandemic.

According to the Texas Office of Court Administration’s Statement on IT Security Breach Affecting Judiciary, the attack was discovered in the morning of May 8 and it was subsequently determined that the attack was unrelated to its initiative to transition to remote hearings during Covid-19. The prompt action of disabling the branch network prevented further harm.

As of May 19, the court website was still down and it will be weeks or months before it is working again, due to the ransomware attack.

Likewise, the Administrative Office of the U.S. Courts (AO) has indicated that assisting federal courts with its cybersecurity needs, remains a top priority. The Judiciary is transforming to ensure that secure, robust, and flexible technology systems are maintained, so that the needs of judges, court staff, and the public can be met.

During the national emergency, the Judicial Conference approved the use of teleconferencing for certain criminal, civil, and bankruptcy proceedings. The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) provided provisions related to the federal courts, including the authorization of video or telephone conferencing until 30 days after the national emergency ends or when the Judicial Conference concludes that the federal courts are no longer affected.

Both state and federal courts have adopted the use of technologies such as Zoom. Yet, Zoom’s own Chief Executive Officer stated, “[c]learly we have a lot of work to do to ensure the security of these new consumer use cases.” Perhaps Zoom’s focus on security was prompted by an April 4 letter from Sen. Ed Markey (D-Mass.) to the Federal Trade Commission, which highlights cybersecurity concerns., which can be problematic for attorneys trying to protect client information and uphold their obligations during court proceedings.

Not surprisingly, reports indicate that cyber-criminals may be exploiting Zoom’s growing popularity to perpetrate phishing scams and spread malware. Users have also reported having their Zoom meetings hijacked by intruders, which is particularly problematic in Zoom video calls where personally identifiable information, attorney-client information, and intimate conversations have been stored in places accessible by the public.

Zoom has subsequently taken steps to correct the technical safeguards, including adequate encryption and access controls, which should have been present from the outset of its deployment. But, in circumstances where malware was already deployed, the long-term consequences may not be known for a while. Cybersecurity is an ongoing process, so lawyers and clients alike should take care to evaluate technology on an ongoing basis.

Safeguards for Video Meetings

In light of a lawyer’s professional responsibilities, here are a few suggestions for utilizing Zoom and other business-focused video chat meetings, whether with clients or for a court hearing:

• Don’t disclose your personal meeting number. Instead, generate a random meeting ID.
• Mitigate “zoombombing” by retaining control of screen sharing.
• Utilize a “waiting room” feature to vet participants entering the session.
• A crucial distinction between Zoom and other companies is encryption. iMessage utilizes end-to-end 256 bit encryption level and the companies and providers that exist between you and the end-recipient, cannot see the message content. By way of contrast, Zoom can view your meetings and previously pushed out unnecessary device data to Facebook.
• Make sure to update all patches and install the latest versions of the app.
• Ensure your law firm’s website is updated and secure on a regular basis.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Rachel V. Rose is a Houston-based attorney who advises clients on health care, cybersecurity, securities and qui tam matters. and teaches bioethics at Baylor College of Medicine. She has been consecutively named by Houstonia Magazine as a Top Lawyer (Health Care), the National Women Trial Lawyer’s Top 25 and the National Trial Lawyers Top 100.