By Tom Lambotte and Martin M. Shenkman, CPA/PFS, MBA, JD, AEP® (Distinguished)
Protecting your firm’s electronic communications and data is perhaps one of the most important steps your practice can and must take. If cybercriminals can scam their way to sensitive client data, it can create tremendous liability exposure for you and could destroy your practice. Imagine what the consequences might be if one morning you find that your firm’s electronic files were hacked and confidential client financial and tax information is showing up for sale on the dark web. Imagine the impact on your professional reputation (apart from any financial damage) of being required to email every contact in your database to inform them that your practice was hacked and confidential client data stolen. Many practitioners assume that these matters are routinely handled by an in-house IT manager in larger firms, or by an independent IT consultant in an outside firm. Unfortunately, unless there is an independent periodic review of what is actually being done, your firm may have exposure. Most important, the concept that an IT expert alone can handle these issues is a dangerous misconception. Every person in your practice needs to be trained and involved in cybersecurity, yes, even senior professional partners. This article will explain why, and set out steps you can take or use to evaluate your current cybersecurity environment.
Cybersecurity Risks are Real and Growing
Nearly one of every three lawyers has reported being hacked, the American Bar Association reports, and that number is likely to grow because theft of clients’ confidential data is on the rise. While many of the examples in this article focus on attorneys, similar issues affect all the allied estate planning professions, especially in smaller firms. But data security is imperative for professionals in firms of all sizes. Surprisingly, many professional advisers don’t recognize the magnitude and frequency of cyberthreats. Many professional advisers do not believe they are being targeted by cybercriminals, or that they will ever become the victims of a data theft, or they assume that someone in firm management has handled all these issues. As a result, many advisers and their firms are unnecessarily exposed to what could easily develop into a career-altering and/or financially ruinous disaster.
If your practice has already been struck by a cyberattack, you know how disturbing and damaging such an event can be. But worse is unfortunately to come. Cybercriminals are becoming increasingly sophisticated in their illicit craft. Advisers are at growing risk of becoming cyberattack victims. Professional advisers, because of the sensitive financial, legal and tax data that they routinely maintain for large numbers of clients, are becoming an increasingly bigger target facing increasingly higher stakes.
Professional Bodies All Encourage Cybersecurity Planning
Attorneys: For attorneys, the American Bar Association’s (ABA’s) Model Rules of Professional Responsibility, Rule 1.6(c), requires lawyers to safeguard the confidential data entrusted to them by their clients. Failure to do so can result in disciplinary action, up to and including loss of license.
Ethics Opinion 477 updated older Ethics Opinion 99-413 to reflect the common use of technology in law practices, such as tablet devices, smartphones, and cloud storage. Each device and each storage location creates a risk of the inadvertent or unauthorized disclosure of information relating to the representation, and thus could implicate a lawyer’s ethical duties under Rule 1.1 of the ABA Model Rules concerning competency, confidentiality, and communication.
Comment 8 was modified to require that lawyers should keep abreast of changes in the law and its practice “including the benefits and risks associated with relevant technology.” How can practitioners facing the demands for billable hours, keeping current with ongoing and regular estate tax and other law changes, demonstrate that they have kept abreast of such changes?
Lawyers must take reasonable efforts to ensure that communications with clients are secure and not subject to inadvertent or unauthorized security breaches. Lawyers must use “reasonable efforts” to ensure the security of client information. Citing the ABA Cybersecurity Handbook, the opinion explains that the reasonable efforts standard is a fact-specific inquiry that requires examining the sensitivity of the information, the risk of disclosure without additional precautions, the cost of additional measures, the difficulty of adding more safeguards, and whether additional safeguards adversely impact the lawyer’s ability to represent the client.
Thus, what is “reasonable” is a gray area that will vary based on the particular circumstances. Therefore, consideration should be given to what may be done to also corroborate that the practitioner has acted with “reasonable efforts.” The opinion notes that generally lawyers may use unencrypted email when communicating routinely with clients.
Opinion 477 included several aspects to consider when sending unencrypted emails:
- Understand the nature of the threat.
- Understand how client confidential information is transmitted and where it is stored.
- Understand and use reasonable electronic security measures.
- Determine how electronic communications about clients should be protected.
- Label client confidential information. This should include digital files.
- Train lawyers and non-lawyer assistants in technology and information security.
- Conduct due diligence on vendors providing communication technology.
The ABA in 2018 issued Formal Opinion 483. Together, the rule and the opinion make clear that lawyers have a duty to ensure that every data input, storage, management, and transmission device employed in their practice is secured. Further, they compel lawyers to take reasonable steps to protect the amassed sensitive information and also to initiate reasonable responses to data breaches once those unlawful cyber-intrusions are discovered.
IRS Publication 4557: Safeguarding Taxpayer Data: A Guide For Your Business: Practitioners should consider that if they are ever sued over a data breach, they cannot claim that they were not aware of the points set forth in a publicly available IRS publication. This applies not only to CPA firms but to law firms that prepare gift and estate tax returns, trust companies that prepare trust income tax returns, and perhaps even many financial planning firms as the scope of their work expands to include some tax preparation. Whether or not these guidelines would be imposed on a firm merely holding tax return information but not participating in return preparation may not be a prudent distinction to make. Thus, even a law or financial planning firm that does not prepare any income tax returns may still be affected, as many firms that do not prepare tax returns obtain copies of prior tax returns to provide critical planning information.
The IRS publication notes that data theft against tax professionals is on the rise. Addressing data security is an essential step for the largest firms and firms of all sizes including solo practitioners. The IRS recommends that tax preparers hire data security experts, buy cyber security insurance, and educate their staff.
Tax preparers must create written information security plans to protect client data.
- Learn to recognize phishing emails. Remember these scams are intended to entice you to open a link or to open an attachment containing malware.
- Create a written information security plan. See Small Business Information Security – The Fundamentals by the National Institute of Standards and Technology.
- Review internal controls.
- Install anti-malware/anti-virus security software on all devices (including laptops, routers, tablets and phones).
- Encrypt all sensitive files and emails.
- Back up sensitive data.
- Wipe clean or destroy old computer hard drives.
- Withdraw from any outstanding authorizations (e.g., power of attorney for tax information) for taxpayers who are no longer clients.
- Report suspected data theft or loss to the IRS immediately.
Use security software. Anti-virus software prevents malware from causing damage to a computer. Anti-spyware prevents unauthorized software from stealing information on your computer. A firewall blocks unauthorized access to your system. Drive encryption protects information from being read if a device is lost or stolen. Whatever you use must be updated regularly.
Other suggestions include:
- Use a name for your router that is not identifiable by the public.
- Use strong passwords. Use a strong unique password for the administrator.
- Use multi-factor authentication.
- Secure your wireless network.
- Protect stored client data.
- Back up data to secure cloud storage.
- Use drive encryption.
- Don’t attach USB devices with client data to public computers.
- Use separate personal and business email accounts. This is also important for professionals to minimize the risk of confidential personal data being exposed in the event of a malpractice or other claim that results in an analysis of firm data.
Federal Trade Commission Rules: These rules may be relevant to other estate planning advisers. Those affected should comply with the FTC’s Safeguards Rule, which requires financial institutions to protect consumer information they collect. Develop a written security plan that describes your program to protect customer information. The plan must be appropriate for the size of your company, the nature and scope of your activities, and the sensitivity of customer information. If the firm engages in estate planning you may have tax returns, Social Security numbers, detailed family data, information on all assets including financial accounts, etc. Could any data be more sensitive? Select service providers that can provide and maintain appropriate safeguards.
What General Steps Might Your Practice Take
For attorneys, and perhaps other professions as well, a critical and uncertain step is to define the key term “reasonable.” What are “reasonable” steps that you must take? According to the ABA, there are six factors that disciplinary committee members should consider in determining what is reasonable. When viewed in their totality, the six factors suggest that firms take steps to endeavor to prevent data theft or loss and to remedy the situation in the event theft or loss does occur. The sensitivity of the information the firm has is a critical factor. The more sensitive the data, the greater the effort that should be taken to protect that data. The most sensitive types are personally identifiable information, trade secrets, and confidential documents. That includes client names, addresses, Social Security numbers, communication records, financial and health records, employment histories, etc.
The reasonability of your firm’s security efforts also depends on how likely it is that the data may be disclosed if additional safeguards are not employed. Reasonableness is further determined by whether the cost of employing additional safeguards is high or low and also whether the difficulty of implementing the measures was major or minor.
Years ago, only larger firms had the resources to identify and implement adequate cybersecurity safeguards. That has not been the situation for some years and is certainly not the case now. Sophisticated safeguards are now easily obtainable, affordable, and deployable by even solo practitioners. The concern practitioners should consider is the risk that eschewing those additional safeguards, through inaction (or less than desirable action), may be construed as unreasonable. Another factor in the reasonableness calculus is the extent to which putting safeguards in place adversely affects your ability to represent clients.
Some advisers hesitate to bolster certain safeguards for fear that those extra precautions will frustrate clients, especially those who are elderly and find using computers a challenge. The thinking is that those clients will respond poorly to being made to jump through electronic hoops every time they want to communicate with their adviser. Everyone has no doubt helped clients frustrated over trying to access a secure email, client portal, or similar matters. This fear, while an issue, is likely overstated, as most clients in all age brackets have post-COVID become more adept at communicating with the aid of technology and more comfortable dealing with its increasing security requirements. Simple steps may also reduce the number of clients who do become frustrated with cybersecurity measures, such as stating in every communication that sends data in that manner that a client who has issues should contact their advisor or a designated person at the firm. In some instances, but those seem relatively few, some clients just cannot navigate the technologies involved and old-style paper communications might be necessary.
Indeed, there are indications to suggest that adding security measures is viewed positively by a majority of clients. They interpret it as a sign that you take security and their sensitive data seriously.
Consider having the firm’s IT manager, or in a smaller firm, the firm’s outside IT consultant, prepare an annual summary of IT and cybersecurity actions taken, and steps that are recommended for consideration. Such a letter may assist in documenting that the firm is keeping current and addressing new threats and issues. Another consideration might be to require all professionals in the firm to take at least one continuing education course in IT matters annually, even if the applicable regulatory bodies do not require it.
How to Better Protect Data
Take steps to not only safeguard data, but to corroborate that you have taken reasonable efforts to safeguard data. That may be established by demonstrating that you implemented what’s known as layered IT security. Layered security is an effective way to reduce your risk of becoming a cyberattack victim. Layered security puts in the path of cyber-criminals multiple impediments that they must surmount if they want their efforts to reach your confidential data to succeed.
Practices for layered IT security may involve addressing and implementing a number of different elements, perhaps including:
- Cybersecurity training for all staff, including administrative staff and part-time staff.
- Automated phishing defense platform
- Phishing simulations to train staff.
- Documenting and implementing IT security policies.
- Dark web monitoring.
- Password vault and sophisticated passwords.
- Antivirus and web-protection patching.
- Cloud-to-cloud SAAS backup.
Layered security, however, is not a panacea, for it affords protection of only the data systems within your firm’s control. Even if your firm has the best cybersecurity practices, you may still be vulnerable to some extent if, for example, a website where you have an account is breached. So, it’s important that all staff recognize your firm will never be able to perfectly secure your practice against cyberthreats. Yet, by adopting the layered security approach, you can significantly reduce your risk of becoming a cybercrime victim and may satisfy the professional or regulatory requirement to show you made a reasonable effort to safeguard data in your possession.
It is also vital to be certain that all those who have access to your firm’s computer systems have appropriate safeguards in place. This has become more complicated with remote workers, outsourcing and other changes to the traditional workplace.
Defensive Components of a Cyber Security Plan
Following are explanations of IT security layers for professional advisers:
Cybersecurity Training. If your employees are trained and knowledgeable about cybersecurity risks, they should be better equipped to protect your data. Unfortunately, there is a wide spectrum as to the effectiveness of cybersecurity training. A shortcoming of some cybersecurity training is that it is tedious, which makes it boring and difficult to remember.
For some, cybersecurity training that is more entertaining, such as by incorporating storytelling techniques, may better educate staff in a manner that is more engaging. It may also be more efficient. Some consultants suggest shorter periodic sessions, e.g., 15-minute sessions once per month. The better your staff understands and retains the information imparted during training, the better the resulting safeguard.
Automated Phishing Defense Platform. Beware: spam filters are ineffective against phishing emails. That’s why phishing emails keep landing in your inbox. An automated phishing defense platform is artificial intelligence-based anti-phishing protection that helps intercept and purge from your inbox advanced email threats, notably those in which cybercriminals pose as trusted contacts to trick you into supplying credentials. These platforms are rated as up to 99.9 percent effective, but bear in mind that the cybercriminals are also constantly honing their craft.
Phishing Simulations. As many as 91 percent of successful data breaches start with a phishing attack. What is phishing? It’s a method used by cybercriminals to trick you into innocently divulging your credentials. This is typically accomplished by the thief impersonating a person you know, or an organization you trust or do business with. Phishing emails can be extraordinarily convincing. Many are almost impossible to distinguish from legitimate correspondence. Even sophisticated and IT-savvy advisers have been tricked by phishing emails. A common phishing email is one that appears to have been sent from someone purporting to be a colleague you may frequently work with. These emails can be incredibly similar to a real email from that colleague, even as to your colleague’s signature. Because phishing emails can be so realistic, you and your staff should pause and consider an email before clicking the supplied link. Those links may lead to a website that is an exact replica of the colleague’s firm’s website, except it may in fact be a trap. If you or a staff member log into the counterfeit website using, for example, your Microsoft 365 credentials, the phisher will have your username and password. Should this occur, you or an IT person in your firm should immediately go to your Microsoft 365 account (or whichever other account credentials you were tricked into divulging) and change the credentials, thereby preventing a serious breach that surely would follow.
Phishing simulations are a helpful method to prepare for such attacks. Your cybersecurity consultant or firm IT manager will send dummy phishing emails to everyone in your firm. If no one takes the bait, great. However, if anyone is taken in by the bait, that person will be identified as a risk in your firm’s security chain. Phishing simulations let you see exactly who is clicking on these things, who is answering their requests to input credentials, and specifically, who needs additional training.
IT Security Policies. Many professional firms have no formal security policies. IT security policies set forth the rules and procedures concerning access to and utilization of your firm’s computer systems. They detail what is acceptable practice, such as requiring multifactor authentication to log in, creation of strong passwords, using the internet appropriately, never accepting offers of free downloadable software, and taking specific precautions while handling sensitive data, etc. Policies could be contained in a written document shared with everyone in the firm. Some suggest having recipients sign an acknowledgement stating they have read, understood, and agree to abide by the policies.
Dark Web Monitoring. The dark web might be viewed as a shopping center of sorts where cybercriminals go to purchase stolen credit cards, confidential personal data, website user credentials, and other contraband. Dark web monitoring alerts you when credentials associated with you or your firm are listed for sale on the dark web. This allows you to immediately change those usernames and passwords, rendering them useless to anyone who buys them.
Password Vault. Studies have suggested that a majority of computer users have just one password for most or all of their online accounts. They do this because it’s easier to remember a single credential for all websites and other purposes. This habit creates greater exposure to cybercriminals. You and your staff should never use the same username and password for multiple websites. Even subtle changes to a common password, such as substituting the numeral “3” in place of the alpha character “E”, may do little to add additional protection. Skilled cybercriminals, relying on the fact that humans are extremely predictable, can quickly figure out these things and crack your password. Also, the software they have access to can often quickly crack weak passwords and even anticipate the common modifications many people make.
A password management tool can mitigate this risk. With it you need never commit your passwords to memory. A password management tool also creates a very hard-to-crack password that is unique to each website you visit. Moreover, if you have a password management tool as part of a team-based vault, all work-related passwords (those created when the firm has an online account that multiple employees utilize) will be fully sharable in a secure manner.
Proactive Monitoring, Maintenance, and Patching. Commonly referred to as “RMM.” This layer of protection may serve multiple purposes. It can automate your operating system updates for Mac or Windows, which are important because they typically contain patches to remedy exploitable security vulnerabilities that have been detected. RMM also automatically checks for updates produced by the third-party vendors from whom you’ve acquired software and apps. RMM can also monitor your systems’ performance and provide early warnings of potential issues (such as hard drives and batteries moving too close toward catastrophic failure) so you can take action before disaster strikes. Not always included with RMM is DNS protection. If you or a colleague clicks a link that leads to a malicious website, DNS protection may block access to that malicious site. No access means the elimination of the danger of viruses, malicious scripts, and ransomware infecting your system.
Cloud-to-Cloud SAAS Backup. This may be used, for example, for Microsoft 365 and/or Google Workspace. SAAS is shorthand for security-as-a-service. You need it, in light of the fact that more than 3/4ths of cloud application users have suffered a data loss in the past 12 months. Those losses almost never are the result of shortcomings at Google or Microsoft. Rather, they are more commonly the product of mistakes made by you or your staff. These can include missteps like accidental wholesale deletions of client directories or the vengeful actions of disgruntled employees past or present. Cloud-to-cloud SAAS backup ensures that anything lost to missteps or malfeasance will be easily recovered and fully restored.
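The point above about predictable substitutions and reused passwords can be checked mechanically when a firm audits its own credentials. The following is an added example, not part of the original article: the substitution table, word list, function names and sample accounts are all constructed for illustration.

```python
import itertools

# Characters people commonly swap in for letters (constructed list, not
# exhaustive). "l" is folded to "i" too, so "1" and "!" match either letter.
FOLD = str.maketrans({
    "3": "e", "0": "o", "@": "a", "4": "a", "$": "s", "5": "s",
    "7": "t", "1": "i", "!": "i", "l": "i",
})

# Tiny constructed word list; a real audit would load a large list of
# common and previously breached passwords.
COMMON_WORDS = {"password", "welcome", "letmein", "estate", "summer"}

MIN_SHARED = 4  # ignore shared skeletons too short to be meaningful


def fold(text):
    """Undo case changes and common character substitutions."""
    return text.lower().translate(FOLD)


def candidate_skeletons(password):
    """Plain-letter forms of a password, with and without an appended
    run of digits or symbols such as '2024!'."""
    lowered = password.lower()
    found = {fold(lowered)}
    end = len(lowered)
    while end > 0 and not lowered[end - 1].isalpha():
        end -= 1
        if end:
            found.add(fold(lowered[:end]))
    return found


def weak_base(password, words=COMMON_WORDS):
    """Return the common word a password is a disguised form of, or None."""
    folded_words = {fold(word): word for word in words}
    for skeleton in candidate_skeletons(password):
        if skeleton in folded_words:
            return folded_words[skeleton]
    return None


def reused_pairs(passwords_by_site):
    """Pairs of accounts whose passwords are variants of one another."""
    skeletons = {
        site: {s for s in candidate_skeletons(pw) if len(s) >= MIN_SHARED}
        for site, pw in passwords_by_site.items()
    }
    return [
        (a, b)
        for a, b in itertools.combinations(sorted(skeletons), 2)
        if skeletons[a] & skeletons[b]
    ]


# Constructed sample accounts for the demonstration.
SAMPLE_ACCOUNTS = {
    "bank": "Estate2023!",
    "email": "3state2024",
    "portal": "xK9#vTq2Lm",
}

if __name__ == "__main__":
    for site, pw in SAMPLE_ACCOUNTS.items():
        print(site, "->", weak_base(pw) or "no common base word found")
    print("variants of each other:", reused_pairs(SAMPLE_ACCOUNTS))
```

The two passwords built on the same word are flagged both as disguised dictionary words and as reuse across accounts, while the randomly generated one, of the kind a password manager produces, passes both checks.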
Being Proactive Is Important
The common thread that ties important IT security layers together is proactivity. They are actions intended to be taken before a cyberattack takes place. Being proactive is therefore important. It may also be prudent to confirm what steps the person tasked with monitoring cyber security for your firm has taken. Perhaps, if the firm is large enough, a committee should meet periodically with the person handling these matters to objectively review the status and steps being taken. In a smaller firm where that is not feasible, periodic meetings with an outside IT consultant to confirm status and recommended steps may keep the practice safer, and demonstrate the reasonableness of the actions taken.
Example: A young estate planning professional was tech-savvy enough to realize that he needed to put in place better cybersecurity protections for his firm. The problem was that he lacked time to address it—he was too busy building his practice. One day, his opposing counsel’s email system was hacked. The advisor’s contact details were among the items stolen. In short order, the advisor received an email purporting to be from the opposing counsel. Attached to it was a file said to be pertaining to case matters. The advisor was asked to open the file.
To his credit, the adviser, being a careful person, sent a reply email to the opposing counsel’s known email address asking that the file be sent to him by other means. Within minutes, the advisor received back an email assuring him that the file was secure and could be safely opened. The email entreated him to open the file immediately, for the sender sought prompt feedback. However, despite this assurance, the advisor’s “gut” told him not to open the file. It turns out he was right not to open it, because it was indeed a cybercriminal he was in an active email thread with, trying to get him to log in and give up his credentials.
But had he opened the email attachment, it would have been understandable. The correspondence looked legitimate, and there was also that rapid confirmation email from the opposing counsel’s actual address. This just goes to show the sophistication of today’s cybercriminals. Incredibly, they have the ability to access your inbox in real time and occupy it while you’re sitting at your desk with your email inbox staring you in the face.
The next day, the adviser, still shaken by how perilously close he came to having his data systems compromised and his practice put in serious jeopardy, began implementing the eight cybersecurity defenses described in this article.
The adviser realized the danger and did not hide from it. Instead, he took action.
What To Do if You Experience a Breach
Consider having a data breach plan in place before an event occurs. If an event occurs, who is to be contacted to address it? Will they have the resources to address likely breaches? Retain a cyber security expert to assess the breach. Report to your insurance company. Are they familiar with the regulatory environment affecting your practice? For example, you might need to report a data breach to the IRS, the FBI, and local police (file a police report). For states in which you file tax returns, determine whether you may be required to notify the State attorney general.
Cybersecurity issues are common, dangerous and growing worse. Your firm, regardless of discipline or size, should take reasonable measures now to reduce the risks of such an attack. If your firm does not currently have cybersecurity coverage, obtain it. Be certain that all staff (including administrative staff and part-time and remote workers) have regular training.
Tom Lambotte is President of Bobaguard, a cybersecurity firm based in Twinsburg, OH. Martin M. Shenkman, Esq. is an attorney in New York.