Lawyers, Passwords, and the Obligation to Keep Clients’ Secrets

Posted in: Law Practice

It’s now February, and many people have forgotten their New Year’s resolutions. The gymnasiums, packed the first two weeks in January, are empty today. Yet, it is not too late to make a new resolution—one that you can keep and you’ll thank yourself for doing it.

Change your passwords into passphrases.

In 2009, ABA President Carolyn B. Lamm created ABA Commission 20/20, with the mandate to engage in a “a thorough review of the ABA Model Rules of Professional Conduct and the U.S. system of lawyer regulation in the context of advances in technology and global legal practice developments.” The Commission’s Report proposed various changes in the ABA Model Rules.

The Commission’s Introduction to this Report referred to “technology” 43 times. It referred to “password” not at all. It issued a more extensive Report to the House of Delegates on “Technology & Confidentiality” in August 2012, recommending specific changes in the Model Rules to take into account the role of technology. That Report uses the word “technology” 56 times; it uses “password” zero times.

Among the changes the Commission recommended (and the ABA adopted) was to add a clause to what is now Rule 1.1 (Competence), Comment 8, advising lawyers to “keep abreast” of changes in the law, “including the benefits and risks associated with relevant technology.” Well, that’s not very precise. We can be much more specific.

Rule 1.6 of the ABA Model Rules of Professional Conduct proclaims that lawyers have the obligation to keep the secrets of their clients. To do that, we need passwords. It is typical for many websites to allow you to sign in using your Facebook account, or a Google+ account. That is convenient, but it means that if a hacker discovers your Facebook or Google+ password, you have given him a master key to your other sites. The same risk occurs when you use the same password at more than one site. You may think you have a clever password—the square root of your son’s year of birth—but if you use it on more than one site, you risk having others use it as a master key.

Speaking of Facebook and other social media sites, the more information you put on those sites, the easier it is for a thief to impersonate you. Frank Abagnale, made famous (or infamous) in Steven Spielberg’s movie, Catch Me if You Can, is now an FBI security expert, sorry for his past and atoning for his previous crimes. He warns, “If you tell me your date of birth and where you’re born [on Facebook] I’m 98% [of the way] to stealing your identity.” When you post such information, you “are saying ‘come and steal my identity’.” On Facebook, he notes, people “tell you what car they drive, their mother’s name, their wife’s maiden name, children’s name, where they’re going on vacation, where they’ve been on vacation. There’s nothing you can’t research in a matter of a couple of minutes and find out about someone.”

If you must post a photo, do not “use a photograph of yourself straight on, because there are too many devices today that can take that picture and match it online. Use a photo of yourself with a group of friends, taking part in some kind of activity.” That makes it a little harder for the thief to use computer software to match your photograph with you name and identity in other places.

Some people use their social security number for a password, thinking that no one can guess it. However, the hack into Equifax exposed nearly 143 million social security numbers, along with birth dates and home addresses! For nearly half of the entire country, crucial data used for credit card checks, identity, and some passwords are now out there. You can change your address, with difficulty, but you cannot change your birth date.

However—what most people do not know—you can change your social security number, with difficulty. The Social Security Administration has the power to assign you a new social security number if you are “being harassed, abused,” or “if you can prove that someone has stolen your number and is using it.” You must provide evidence that the number is being misused, and that the misuse is causing you significant continuing harm

If hackers can break into your law firm password-protected files, they can have a field day of insider trading, based on law firm records of your corporate clients. The hackers may even be able to buy and sell shares using your stolen identity, so you can add, to your list of troubles, defending yourself from an insider trading investigation.

We need to create different passwords for every site we use on the internet. And we have to change those passwords, probably monthly. What are some clever passwords? In 2011 and 2012, the most common password was “password”! From 2013 through 2017, “password” dropped to the second most common. In its place as the most common is, “123456”! Another top password, in the top 6 since 2014, is “qwerty.” People find that easy to type, and hackers find it easy to use. You can find the 100 worst passwords here. The 7th most common is “letmein”. Many people use the default password “admin;” it is the 11th most common. Then there are the people who think they are clever by using a form of “password,” such as “passw0rd” (the 19th most common password), or “P@$$w0rd1” (which one can find in standard cracking software dictionaries).

Are you a fan of Star Wars? A lot of people are. In fact, “starwars” is the 16th most favorite password of 2017.

If people use one number in their password, it is “1,” not “0” or another number. We do not know why people favor 1; we do know that it was a major achievement in mathematics to discover (invent) the zero as a mathematical placeholder, an event that did not occur until the fifth century AD, in ancient India. The Romans did not have it. That, by the way, is why the first year in the century is 1, which means that the end of the first century is the year 100. Hence, 2000 is the end of the twentieth century, and 2001 is the beginning of the twenty-first century. All the people who had their major New Year’s Eve celebration on December 31, 1999 were one year early in welcoming in the new millennium.

If the site requires people to use symbols, they tend to use “$” for “s” or “@” for “a.” If the site requires use of a capital, people usually place it in the beginning of the password, just as you would do when writing a sentence. That is so predictable.

We know what we have to do, and we have to do it now. We have to create different passwords of each of our accounts. We have to change those passwords on a regular basis. Experts suggest using a phrase (not just a word) intermingled with characters such as % or &.

We can use password generators (computer software that creates truly random series of letters and symbols). We can buy password recall software that remembers our passwords. Granted, someone can always break into our office, break into the computer and then start accessing our sites, but that requires old-fashioned burglary. The new-fashioned burglary is of greater concern.

When we take these precautions, the modern-day equivalent of a deadbolt, we will know what to say when the client asks, “What are you doing to keep my information secret?” We can be more precise than merely quoting the advice in ABA Model Rule 1.1, Comment 8, that lawyers should “keep abreast” of “the benefits and risks associated with relevant technology.”