Hillary Clinton’s Cybersecurity Lesson For Law Firms: Rethink Protections For That Office Server

Mar 12, 2015 | Blog

Much of the media coverage of the revelation that former Secretary of State Hillary Clinton maintained an email account on a server in her home has focused on deletion of messages Secretary Clinton considered “personal.” But there is another, perhaps more serious concern that, as a lawyer as well as a public official with highly sensitive information that may comprise national security issues, she perhaps should have considered more carefully: How secure was that server, physically and technically?

The physical security of the server is a safeguard that lawyers often overlook. Regulations of certain industries such as healthcare and finance require lawyers to employ physical, technical and administrative (policy, procedure and training) safeguards similar to those required of their clients. Cybersecurity assessments of law firms for compliance with these regulations and with the ethical rules on safeguarding client information often reveal servers in HVAC rooms and other poorly secured locations. Secretary Clinton’s server was in her home. Granted, her home is protected by the Secret Service, but it is still a private home, and private homes are often burglarized despite the highest levels of protection.

The level of technical safeguards may be of greater concern. Many law firms do not encrypt data on the server (encryption in storage, called “at rest”), so if the server is stolen or attacked the data is fair game for attackers. Law firms have been hacked in recent years with accelerating frequency. Secretary Clinton’s home email server, despite the steps she took to maintain “robust protections,” as indicated in a statement by Secretary Clinton’s office released March 11, would remain highly vulnerable. “If all she had was standard (protection) technology… it would be merely a speed bump for a sophisticated adversary to gain access to…treaties, trade negotiations. She would be an incredibly lucrative target,” Richard Schaeffer, a former director of information assurance at the National Security Agency, stated in an interview with the Washington Post.

The duty to safeguard communications of public officials is embedded in government regulations. The obligations of lawyers to protect client confidences are a cornerstone of the lawyer’s ethical responsibilities and are enshrined in the disciplinary rules of every state. In this digital age, when over ninety-five percent of client communications are in electronic form, the physical and technical safeguards of law firm servers are a critical element of the overall information security plan that these ethical obligations require.

For more information on law firm cybersecurity assessments and compliance, please contact Kenneth N. Rashbaum.