First it was Abbe Lowell of Norton Rose Fulbright, who was lured into a public email exchange on Monday with someone impersonating his one-of-a-kind client, Jared Kushner. Then, on Wednesday, Wilmer, Cutler, Pickering, Hale and Dorr helped to publicize secret investigations involving its client PepsiCo after the firm accidentally emailed details about the probes to a Wall Street Journal reporter.
Email may be essential for lawyers, but this week it felt like their worst enemy.
While the mechanics of the foul-ups were different, each episode illustrated how the legal industry’s war on cyber-insecurity can be undone by basic human error. Kenneth Grady, a professor at Michigan State University College of Law who specializes in technological innovation and attorney-client relationships, said these mistakes have happened before and will happen again.
The reaction to Wilmer’s situation was largely one of understanding—with another legal journalist sharing that Covington & Burling once sent him all its client billing records. Reporters overhear or mistakenly receive information fairly often. Business dealmakers tip off the other side on negotiating positions. And so on.
But that’s little comfort to the lawyer or the client when it’s their secrets being outed.
On Lowell’s slipup, where the defense attorney responded in earnest to an email from a prankster at firstname.lastname@example.org asking what to do with pornographic web files, Grady said, “The hackers are not using technology. They’re using simple tricks that have been around for awhile. How do you manipulate somebody to give you information?”
(The same poseur who tricked Lowell also enticed White House special counsel Ty Cobb into oversharing with a political antagonist over email earlier this month.)
As for Wilmer’s error, Grady said, “I wouldn’t blame the lawyer. It’s more concerning that there wasn’t a process in place that enabled this person who sent [the erroneous email] to avoid the problem altogether.”
Wilmer said in a statement that it would take “additional measures designed to ensure that emails are not misaddressed to unintended recipients” in the future. The firm declined to elaborate.
Yet even protocol changes aren’t foolproof.
“In the legal industry, we’re still in the Wild West, where everybody does what they want to do in a very ad hoc way,” Grady said. This inconsistency, especially when using technology, is what leads to problems. “It’s always been a profession where people enjoyed the fact that they had the creativity to do things on their own. That’s somewhat catching up with the legal industry today.”
Grady did suggest ways firms could make minimal adjustments to avoid some traps of technology:
- Test phishing emails on their own lawyers, to see who responds and correct that behavior.
- Take extra steps to protect privileged documents, such as not attaching them to emails and transferring them to clients and other lawyers through dropbox or a secondary password-protected account.
- Pare back the availability and use of contact auto-fill, the technology that allows one or two characters typed into the recipient line of an email to predict the rest of one’s address. This may be what happened to Wilmer, where a reporter had a name or email closely related to the intended recipient.
- If an unsolicited email comes in from a client, a lawyer can return the email’s message by avoiding hitting “reply” or “reply all.” Instead, start a new email thread where the lawyer emails the client directly.
Of course, these measures may be tough to implement in a profession that expects immediate interaction with clients at all hours, and where there’s historical resistance to change. “It’s a tension,” Grady acknowledged. “But it also reflects a level of comfort with technology without an appropriate skepticism of technology.”
Katelyn Polantz is based in Washington, D.C., and writes about government and the business of law. She can be reached at email@example.com. On Twitter: @kpolantz.