From left: moderator Michael Ross from the Law Office of Michael Ross; Karen Peters, former presiding justice of the Appellate Division, Third Department; Jonathan Stribling-Uss, of Constitutional Communications; James Bernard of Stroock & Stroock & Lavan; Timothy O'Sullivan of the New York State Lawyer's Fund for Client Protection; and William Rashbaum of the New York Times. Photo: David Handschuh/NYLJ

What happens when a lawyer connects a laptop containing sensitive client information to a public Wi-Fi network or prints out documents from a hotel printer?

Those scenarios could put lawyers—and their clients—at an increased risk for data leaks and hacking, said panelists at a Tuesday discussion at the New York State Bar Association's annual conference in Manhattan.

One takeaway from the discussion, which was centered around data security in an attorney's day-to-day-practice and related ethical obligations, is the importance of using an encrypted communication device in transmitting client information.

Encryption is often “client dictated,” not law firm-driven, said panelist James Bernard, a partner at Stroock & Stroock & Lavan who also serves as general counsel to his firm. Many clients, particularly financial services companies that are concerned about unauthorized access to personally identifiable information in their customer base, will use encrypted email, sometimes exclusively, in communications with law firms, Bernard said.

Some corporate counsel offices even have internal reviews to make sure legal staff are sending encrypted email.

“They get dinged if they don't send out encrypted emails,” Bernard said.

The moderator of the discussion, Michael Ross, whose firm represents other lawyers in ethics and disciplinary matters, said some engagement letters can even set out the standards of encryption that law firms promise to provide.

If lawyers are not using encrypted technology, they could be exposing client confidential information, said panelist Jonathan Stribling-Uss, a lawyer, digital security consultant and director of Constitutional Communications, a nonprofit that specializes in information security.

In the situation of a lawyer using a public Wi-Fi network and sending email “that does not have end-to-end encryption,” that communication could be read by someone also on that network and the connection itself could be changed to allow for some sort of malicious attack, Stribling-Uss said.

“That's totally possible with any public Wi-Fi connection,” added Stribling-Uss, who also noted that printers can store documents for years and also be hacked.

Another panelist, Karen Peters, a former presiding justice of the Appellate Division, Third Department, said an attorney's ethical obligations vary depending on the firm.

“Are you talking about a large law firm with hundreds of lawyers that has an international presence? Then I would think their obligation to ensure confidentially to client data is a much higher obligation,” said Peters, noting that such a firm's clients have information that hackers are looking to acquire, unlike a small firm in Plattsburgh, New York, handling family law or Surrogate's Court work.

For Peters, who retired in December, the issue of cybersecurity is one that her former colleagues on the bench must now face.

“The question I would think for any judge who has this situation in front of him or her is, 'What was reasonable under the circumstances,' and those change depending upon the kind of business you're in,” she said, citing Rule 1.6 of the New York Rules of Professional Conduct.

Still, a firm of any size can be targeted.

Timothy O'Sullivan, executive director of the New York State Lawyers' Fund for Client Protection, which reimburses client money that is misused in the practice of law, said a common scheme is an email solicitation to lawyers that asks them to deposit a check in escrow and then disburse the money.

“Turns out that check was bogus,” but it's not caught right away, said O'Sullivan in describing the scam.

Peters raised another hypothetical for any firm: An executive assistant, in their spare time, uses an office computer for online shopping, social media and other internet surfing. Is it best for the law firm to be rigid with staff on how they use the equipment in the office?

Stribling-Uss said that firms should be strict, confirming that personal use of office equipment by staff can expose law firms to hacking. Stribling-Uss, however, said that firms don't have to pay a fortune.

“The best types of encryption are actually free,” he said. “You're being fleeced by these security companies,” he added, pointing out encryptions apps such as Signal and WhatsApp.

Meanwhile, notices at the end of law firm emails noting that any information included in them is intended only for the person to which is it addressed with unauthorized access being strictly prohibited is “mostly just catnip” for hackers, Stribling-Uss said.

Another takeaway from the discussion is just “to be smart and start thinking about these issues more often,” said Bernard, noting that various ethics opinions on this subject are situational.

“You definitely need to be thinking about this all along a graded scale, if you will, in terms of how important the matter is and what it is you're transmitting,” Bernard said.

A New York Times reporter on the panel, William Rashbaum, reminded the audience, “When somebody provides us with documents that are confidential, they are newsworthy because they are confidential.”