What We Do
How we do it
Resources
SECURITY ADVISORIES
Sep 14, 2021
Update 2: Microsoft Zero-Day Vulnerability Announced - CVE-2021-40444
THE THREAT UPDATE 2: As of September 14th, Microsoft has released security patches to address CVE-2021-40444 for all impacted versions of Windows. eSentire has tested the update and confirmed its validity against public exploits. Organizations are strongly recommended to apply these security patches as soon as possible, as exploitation in the wild is ongoing. UPDATE: As of September 11th,…
Read More
View all Advisories →
Company
ABOUT eSENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Aug 25, 2021
eSentire named a Leader in IDC MarketScape for U.S. Managed Detection and Response Services
August 26, 2021 – Waterloo, ON -  eSentire, recognized globally as the Authority in Managed Detection and Response (MDR), announced today that it has been named a Leader in the IDC MarketScape: U.S. Managed Detection and Response Services 2021 Vendor Assessment (doc #US48129921, August 2021). IDC defines the core services an MDR must provide as follows: reduced time for onboarding, 24/7…
Read More
Partners
PARTNER PROGRAM
Partners
Our award-winning partner program offers financial rewards, sales and marketing tools and personalized training. Accelerate your business and grow your revenue by offering our world-class Managed Detection and Response (MDR) services.
Learn about our Partner Program
Search
Resources
Blog — Jun 09, 2021

ABA FO498 Blog Post

Virtual Reality or the New Reality of Virtual Practice?

The Covid-19 pandemic forced lawyers and judges to practice outside of their physical facilities, and continue professional services from their home offices. That same period was the worst on record for cyberattacks:

In response, the American Bar Association (ABA) published Formal Opinion 498 (FO498) to address practicing law outside of the traditional brick-and-mortar office environment. It reminds lawyers that while the ABA Model Rules of Professional Conduct permit virtual practice, these Rules provide minimum requirements and recommendations for virtual practice, particularly in the areas of competence, confidentiality, and supervision.

ABA FO498 is more aspirational than prescriptive. Let’s take a look at how eSentire can help you operate a secure virtual law practice in the areas of:

Managing software and hardware

In the wake of massive software and vendor exploits (SolarWinds Orion and Microsoft Exchange), FO498 reminds lawyers of their obligations to review vendor terms and conditions (T&Cs) to ensure that client confidentiality is protected. But vendor management goes beyond T&Cs. Lawyers are required to ensure these systems are up to date with service patches which are often deployed to eliminate security vulnerabilities.

Accessing client data and transferring documents

When working remotely, it’s tempting to use personal services, like email and file sharing, to quickly distribute information to clients. Of course, these services are not necessarily secure enough to meet confidentiality requirements. And even commercial systems are vulnerable, as was the case with Jones Day when hackers claimed to have accessed Jones Day client files from their file sharing service, Accellion.

In addition to the protocols noted earlier (e.g., reviewing the terms of service and any updates to those terms), lawyers must confirm that documents in virtual document and data exchange platforms are appropriately archived for later retrieval and that the service or platform is and remains secure. For example, if the lawyer is transmitting information over email, the lawyer should consider whether the information is and needs to be encrypted (both in transit and in storage). And, avoid using personal email and file sharing services.

FO498 requires that lawyers prepare for the eventuality of a data breach, with policies that include client notification. It also requires lawyers to employ data back-up systems to create resilience, and assume the likelihood of data theft or destruction with specific data breach policies. In this regard, FO498 augments 2018 Formal Opinion 483 which outlines a lawyer's obligations after an electronic data breach or cyberattack.

Virtual meeting platforms

The term, Zoombombing, joined the popular lexicon as unwanted criminals joined meetings and took over screen sharing to display pornography or hate speach. And as the firm doubled-down on security measures, the FTC investigated the firm’s claims, resulting in a rapid settlement. And it wasn’t only Zoom; Citrix and Microsoft Teams also had their issues and vulnerabilities.

Much like any other software, these systems must be updated and operating on the latest versions to prevent exposure to known vulnerabilities, and rely on controlled access (passwords and other security measures) to restrict unauthorized access. Beyond the FO498 requirements, there are a few best practices that reduce the risk of abuse:

Smart speakers, virtual assistants and other listening devices

Lawyers understand that the need to protect client confidentiality extends beyond the confines of the law firm, but think in terms of overheard conversations in elevators, public spaces or restaurants. But few consider what their smart speakers, virtual assistants or even watches are overhearing. These devices are generally used under consumer T&Cs which create risk when it comes to how these devices listen (passively or actively), what they capture, the purpose of the collected information, and how it is protected. Unless the technology is assisting the lawyer’s law practice, the lawyer should disable the listening capability of devices.

How we can help

Learn from the past to invest in the future

One lesson to learn is that tectonic events like the Covid-19 pandemic wasn’t the first event to shape security practices, and it certainly won’t be the last. Many security events can be avoided by simply adhering to basic cyber hygiene: use strong passwords, multi-factor authentication, secure WIFI and VPNs. And vendor risk can be reduced by keeping up on patching, and avoiding accessing corporate services from personal accounts. We can help.

eSentire
eSentire

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.