By Scott Aurnou
This article originally appeared in the February 5, 2014 issue of the New York Law Journal.
Can you or your firm actually be held liable for using the wrong software? If that software is well known as out-of-date and insecure, yes. That circumstance is coming very soon. Below is a discussion of specific risks for attorneys and law firms (hint: it’s more than just your firm’s computers), as well as what to do if your office is still using the popular older software.
Microsoft software like the Windows operating system (OS), MS Office and Outlook is commonplace in law offices. As newer versions are released over time, older ones are effectively retired. “Software retirement” itself is not unusual, though a particularly wide-ranging example is rapidly approaching.
What’s at issue? On April 8, 2014, both the Windows XP operating system and Microsoft Office 2003 will reach their respective “end-of-life” dates (also referred to as going “out of support”). While that does not mean that XP or Office 2003 will suddenly stop working on April 8, it does mean there will be no further technical support from Microsoft and no more security updates…ever. That should be a particular concern, since the combination of a widely used 13-year-old operating system and an older version of commonly used office software going out of support on the same day is basically a dream come true for hackers.
While MS Office 2003 was also in wide use when it first came out, switching to a subsequent version of essentially the same software will be less problematic than moving to a new operating system.
Windows XP was state of the art when it was released in 2001. A few subsequent “Service Packs” added additional features and effectively extended XP’s lifespan. It was viewed as a stable and successful operating system that was the dominant OS used on Windows computers for years. A brand new computer with Windows XP could be purchased as late as 2010. Even by late 2013, XP was still being used on about 30 percent of existing Windows computers, with a higher percentage in use at smaller businesses.
In a world where two-year-old technology is viewed as old, a 13-year-old operating system is ancient.
Unfortunately, hackers aren’t stupid. Those with effective attacks against Windows XP will wait until after April 8 to use them so that Microsoft will never patch the system to defend against them. The sheer number of XP users (even after the end-of-life date passes) and vulnerability of the OS make it an extremely attractive target for organized crime and other cyber criminals going forward. Numerous commentators—as well as Microsoft itself—anticipate a spike in malware attacks against XP just after April 8th.
The issue here is not whether Windows XP and Office 2003 will still work at 12:01 on April 9 (they will). It’s whether they will be so insecure that it would be foolish for an attorney or law office to keep using either of them (they will).
The Model Rules of Professional Conduct were updated in 2012 specifically to address the effect of technology upon the legal profession. Those changes are readily applicable to this situation.
The language in Comment 8 to Rule 1.1 (Competence) has been amended to emphasize a duty for attorneys to stay up-to-date on technical matters pertaining to the practice of law: “[A] lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…” Model Rules of Professional Conduct rule 1.1, cmt. 8 (2014) (emphasis added).
Paragraph (c) of Rule 1.6 (Confidentiality of Information) states:
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Model Rules of Professional Conduct rule 1.6 (2014).
Comment 18 to Rule 1.6 relates to the need for a lawyer to “act competently” to prevent the disclosure of “information relating to the representation of a client.” It offers a safe harbor provision and factors to determine the reasonableness of an attorney’s conduct in protecting the information at issue:
Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Model Rules of Professional Conduct rule 1.6, cmt. 18 (2014).
Safeguarding client data with outdated, insecure and easily replaced software like Windows XP or MS Office 2003 is extremely likely to fail this test.
In addition to the Model Rules, using unsupported Windows XP or Office 2003 software after April 8 will not comply with security requirements under the Health Insurance Portability and Accountability Act (HIPAA) (see 45 C.F.R. §164.306(e) (2014)) and other applicable statutes, much less the strict data breach disclosure requirements and potentially significant fines under state and federal laws.
Doing so would also provide an effective basis for a colorable legal malpractice claim. For any attorney or law firm suffering a data breach while continuing to use Windows XP, it will be difficult to make a straight-faced argument in court that it was reasonable to safeguard client data with well-known outdated software that the software developer very publicly announced would no longer receive any further support or security updates.
Beyond Office Computers
The liability risk relates both to the office computers directly connected to your firm or company network and to any outside computers with which any confidential or privileged data is or will be exchanged. Even for firms that have already made the switch to the newer Windows 7 or 8.1 operating systems, issues can arise with outside computers exchanging sensitive data with an otherwise secure law firm or company network. This can include computers used by clients, third-party experts and vendors, as well as your own attorney and staff home computers.
If your clients are still using XP, you will have to take extra precautions when communicating with them electronically. Any attorney or staff home computers should also be properly secured before coming into contact with any sensitive client data or attorney work product.
Model Rule 5.3 (Responsibilities Regarding Nonlawyer Assistance) notes that an attorney can be held responsible for an outside vendor or expert’s conduct that would constitute a violation of the rules if performed by a lawyer. Model Rules of Professional Conduct rule 5.3 (2014). Comment 3 specifically notes, “[A] lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations” when storing data related to a client matter outside his or her firm. Id., at cmt. 3. In short, the standard vetting process prior to retaining an expert or utilizing a vendor has to include consideration of that vendor’s or expert’s technology and security practices.
If you are an attorney with a firm or organization of any size, continued use of Windows XP (including XP-based software) is both insecure and a likely violation of Model Rules 1.1 and 1.6. Moreover, if you use a third-party expert or vendor and don’t properly vet them to make sure they’re using sufficiently up-to-date software that protects sensitive client data or attorney work product, you could also be liable under Rule 5.3.
What if your office computers are still running the older software? What can replace Windows XP?
Larger firms with dedicated IT support should have addressed this issue long ago, but smaller firms and solos may still need to update their computers and networks. The most recent Microsoft operating systems are Windows 7 and Windows 8.1. Each has its pros and cons.
Windows 7 is well regarded and stable, with plenty of programs written to interact with it, but…it came out in 2009 and is already beginning to disappear from store shelves. Switching to Windows 7 will mean an easier adjustment for users seeking a more familiar looking operating system, but will also lead to the same “end-of-life” problem in about five years.
Windows 8 was released in late 2012 and added some impressive security features, but also significantly altered some familiar Windows screen layout elements and initially received decidedly mixed reviews. Subsequent updates have restored a number of popular features that had been taken away. The current version of the software is Windows 8.1. Windows 8.1 does take a little getting used to, but is newer and more secure than Windows 7. In addition, Windows 8 and 8.1 were designed to work on tablets, as well as laptop and desktop computers. This allows a greater level of seamless interaction between them. If you make use of tablets in your practice, Windows 8.1 may be a better choice.
Beyond the operating system itself, applications (i.e., programs) running on XP will also be affected. Developers simply won’t spend the time or resources to keep updating older software for an OS that is no longer supported. This will increase the risk associated with Windows XP directly, since hackers can (and often do) attack through flaws found in apps, as well as the OS itself. In addition, new hardware (such as printers, etc.) won’t work with it, since the manufacturers won’t create the software “drivers” needed to allow the new devices to work with the older operating system.
If you are still using Windows XP, time is running very short. There are numerous steps needed to set up a new system, migrate data, etc. The amount of time it will take depends on the size and complexity of the network at issue; but don’t delay—a large network could take well over a year to completely migrate to a new operating system.
With the end-of-life date rapidly approaching, the Windows XP operating system and any software running on it should have no place in any law office. If your firm is still using it and isn’t at least well into the migration process to Windows 7 or 8.1 by now, the situation needs to be addressed immediately.