Cyber-hygiene tips help lawyers add value
By AdvocateDaily.com Staff
Every time there’s a news story about a high-profile cyberattack, such as the breach that recently compromised more than 50 million social media accounts, Duquette tells AdvocateDaily.com he gets a wave of calls from clients asking whether they’re at risk, and what they can do to prevent themselves from becoming the victim of a similar hack.
In the heat of an emergency, he says many businesses hire lawyers as breach coaches to co-ordinate the immediate response to an attack but adds that counsel have the chance to play a much broader role, by educating companies about preventative measures and the value of good cyber hygiene.
“The relationship that lawyers have with their clients puts them in a great position to inform them of some of the risks of data breaches,” Duquette says. “It’s a good opportunity to help mitigate everyone’s risks before the breach because, by the time you’ve reached that stage, it’s all very reactive, and you’re just trying to put out fires.
“We’re trying to help lawyers and their clients to be proactive and get in front of these issues,” he adds.
Duquette says large-scale breaches can serve as more than just a warning to clients of the dangers of lax cybersecurity.
For example, while criminals often sell the stolen data acquired in a breach, including email addresses and associated passwords, Duquette says more socially minded actors share the same information in an effort to reduce the effectiveness of future scams.
“The data gets into the wild very quickly on the dark web and other places,” he explains. “By aggregating this data, and putting it out there for the whole world to see, it provides a place for normal people to look up their own names and check if they’ve been breached.”
Following calls from a couple of clients targeted by a recent phishing scam, Duquette used websites like haveibeenpwned.com to show how crooks got hold of their email addresses.
“It seemed like the data originated from a 10-year-old breach, but some people who called in said they were still using the same email address and password, which was really scary for them,” he says.
Duquette suggests lawyers prompt their clients to check similar services, to see if their email addresses have been compromised.
In addition, he says the upcoming implementation of regulations for the federal government’s mandatory breach reporting regime under the Personal Information Protection and Electronic Documents Act (PIPEDA) provides the perfect opportunity for lawyers to demonstrate their added value to clients. Duquette says that while preparing businesses for compliance with the new requirement, they can throw in some extra advice.
“There’s a wide variety of things that can be done, but some of the basics of cyber-hygiene, including checking your accounts and passwords, is a simple message legal counsel can advise on,” Duquette says. “For small and medium firms without a huge budget to spend on larger cybersecurity measures, small things can be very valuable.”
He says lawyers don’t even have to specialize in privacy law to educate themselves about simple security measures to pass on to clients.
“We had a recent case where a mortgage broker had a laptop containing client information stolen,” Duquette says. “I could see a real estate lawyer reaching out to a mortgage broker or real estate agents to provide some tips on protecting client data. Hexigent helps lawyers provide greater value and guidance to their clients during investigations and cybersecurity matters.”