An attorney’s duty to keep client-attorney communications private now includes knowing how to prevent hackers from gaining unauthorized access to a client’s confidential information. Here’s why using “free” Wi-Fi is risky business. 

By David Sarif and Natalie Tyler, Family Lawyers

New and advanced technology has drastically changed the practice of law. Technology has enabled lawyers to easily access, exchange, and provide information to the courts, opposing counsel, and clients. Given the demanding nature of our work, we as attorneys have been eager to learn to use new technology in order to be more productive and efficient. In the process, we have also put ourselves at risk of forgetting that certain technologies can actually pose a major threat to our practice – and to our clients.

Attorneys have an ethical duty to keep client-attorney communications and informational exchanges private and confidential. This duty has now expanded to cover staying up to date on how to safeguard against hackers (or perhaps even unscrupulous opposing parties) who may try to gain unauthorized access to the information we store for our clients. By way of example, if a client gives you an engagement ring for safekeeping, where is it more likely to remain: in an unlocked, open safe, or in one with a secure combination lock to which only you know the code? Similarly, if you ignore the potential risks of using technology to access, share, and store tax returns, Social Security numbers, and bank statements by leaving them in a metaphorically unlocked, open safe, you cannot guarantee that your clients’ information will remain private and confidential.

Rogue Wi-Fi Access Points and Evil Twins

Hackers look for weak spots and vulnerabilities wherever they can be found. For example, they might try to use a rogue Wi-Fi access point, which could be installed on your private or office secure network without your knowledge or authorization. Once installed, the person controlling it could potentially access your secured network and wreak havoc by stealing information or changing settings.

Imagine you invite the parties and attorneys involved in a very contentious case to your office for mediation. The opposing party, with a little bit of know-how (perhaps from an online video) and fueled by emotion, installs a rogue Wi-Fi access point on your network while waiting in your lobby for mediation to start. Now that party has the ability to attack your secured network remotely, accessing your client’s information and any other information that may be stored on your network.

A hacker could create an “evil twin”: an unauthorized access point connected to an external network rather than your secure network. The evil twin appears to be a legitimate Wi-Fi access point offered by your office, but in reality, it has been set up to view information the user has not been authorized to view. For example, the hacker could create an access point and simply title it “XYZ Law Firm Wifi” (where XYZ is the name of a legitimate law firm).

What is particularly troublesome about the security loopholes in technology is that in today’s world, you don’t need to have connections, an MIT degree, or a high net worth to learn how to gain access to the information you seek. There are an endless number of websites and videos providing information on how to hack someone else’s data. Unfortunately, this information is easy to find and access.

There are also many popular and easily accessible hacking tools available to the public. Among them are Angry IP Scanner, Burp Suite, Cain & Abel, Ettercap, John the Ripper, Metasploit, Nmap, Nessus Remote Security Scanner, THC Hydra, and Wapiti.

A hacker can also bring one of many relatively inexpensive and portable devices to a Wi-Fi hotspot and attract any other device trying to find a Wi-Fi access point. Such devices steal the credentials of legitimate Wi-Fi access points and pose as those access points. Once a user logs into this fake Wi-Fi access point, it’s relatively easy for the hacker to access the information stored on the user’s network – or even alter that information. The hacker can continue to access and alter information even after the initial attack. Most tablets, phones, and other Wi-Fi devices automatically connect to a network they have previously accessed, and these devices allow the hacker to take advantage of that by impersonating a previously accessed network.

Think Twice Before Using “Free” Wi-Fi

At the end of the day, we are the protectors of our clients’ information and data. It would be naïve to believe that a motivated individual would not be tempted and able to access our clients’ information – especially if we leave the metaphorical door open to them. Attorneys need to have conversations with their clients about the risks of hacking and how to safeguard against it. Everyone, especially attorneys, should consider turning on the “Ask to Join Network” function on their devices to prevent automatically joining Wi-Fi networks. We should also use tools like wireless intrusion prevention systems to safeguard against hacking. Finally, we all need to think twice the next time we consider accessing the free Wi-Fi available at the airport or at our local coffee shop.
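As an added illustration (not part of the original article or any product's code), the sketch below shows the inventory check at the heart of a wireless intrusion prevention system: every radio advertising the firm's network name, or a near-copy of it, is compared against the firm's list of its own access points. The inventory, network names, hardware addresses (BSSIDs) and scan rows are all constructed sample data.

```python
# Added example: the inventory check a wireless intrusion prevention system runs.
# Every SSID, BSSID and scan row here is constructed sample data.
import unicodedata

# Hypothetical inventory of the firm's own access points.
AUTHORIZED = {
    "XYZ Law Firm Wifi": {
        "bssids": {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"},
        "security": "WPA2-Enterprise",
    },
}

# Constructed scan results, as a sensor near the lobby might report them.
SCAN = [
    {"ssid": "XYZ Law Firm Wifi", "bssid": "02:00:00:AA:BB:01", "security": "WPA2-Enterprise"},
    {"ssid": "XYZ Law Firm Wifi", "bssid": "02:00:00:cc:dd:09", "security": "Open"},
    {"ssid": "xyz-law-firm-wifi", "bssid": "02:00:00:cc:dd:0a", "security": "WPA2-Personal"},
    {"ssid": "XYZ Law Firm Wifi", "bssid": "02:00:00:aa:bb:02", "security": "Open"},
    {"ssid": "Coffee Shop Guest", "bssid": "02:00:00:ee:ff:10", "security": "Open"},
]

def normalize(ssid):
    """Fold case, punctuation, spacing and Unicode compatibility forms so
    near-copies of a network name compare equal to the real one."""
    folded = unicodedata.normalize("NFKC", ssid).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def find_impostors(scan, authorized=AUTHORIZED):
    """Return (ssid, bssid, reason) for each radio using the firm's name
    without matching the inventory."""
    known = {normalize(name): cfg for name, cfg in authorized.items()}
    findings = []
    for ap in scan:
        cfg = known.get(normalize(ap["ssid"]))
        if cfg is None:
            continue  # unrelated network, not claiming to be ours
        bssid = ap["bssid"].lower()
        if bssid not in cfg["bssids"]:
            findings.append((ap["ssid"], bssid, "unknown_bssid"))
        elif ap["security"] != cfg["security"]:
            # BSSIDs can be copied, so a known address is not proof by itself.
            findings.append((ap["ssid"], bssid, "security_mismatch"))
    return findings

if __name__ == "__main__":
    for ssid, bssid, reason in find_impostors(SCAN):
        print(f"ALERT {reason}: {ssid!r} from {bssid}")
```

On the sample scan, the firm's real access point and the unrelated coffee shop network pass, while the two unknown radios and the copied address with no encryption are flagged.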

David Sarif is a partner at Naggiar & Sarif in Atlanta, GA. He devotes his practice to divorce and family law, and he represents many high-profile clients. He has been honored as a Georgia Super Lawyers Rising Star. Natalie Tyler is also a family lawyer at Naggiar & Sarif. She earned her BA in Psychology from Georgia State University, and her Juris Doctorate from Atlanta’s John Marshall Law School.
