Bill Cramer published in Dallas Bar Association's Headnotes

Bill Cramer, senior counsel in Clark Hill Strasburger’s Dallas’ office, published an article in the Dallas Bar Association’s January 2020 edition of Headnotes.

A former systems designer in the telecom and datacom sectors, Cramer regularly counsels clients in all aspects of intellectual property and cybersecurity. In the article, Cramer writes about recent changes to the Texas Disciplinary Rules of Professional Conduct 1.01 requiring competency about “the benefits and risks associated with relevant technology.”

The full text of Cramer’s article is below, and may also be viewed on the Dallas Bar Association’s website.

The Benefits & Risks Associated with Relevant Technology

In March of 2019, the Texas Supreme Court amended comment eight of Texas Disciplinary Rules of Professional Conduct Rule 1.01 to require competency regarding “the benefits and risks associated with relevant technology.” While this change does not require you to become a technical expert, because of the increasing dependency on electronic creation, storage, and transmission of confidential data, you must have a fundamental understanding of the basics of technology. And one of those basics involves mitigation of the risks when you connect your device to a remote cloud where your firm’s documents are stored.

Every time your data moves from one location to another, you expose it to interception. For example, when you sit at Gate A12 at DFW and connect your laptop to a cloud service provider, your data may be found in your laptop, the airwaves, the wireless router, the Internet, and the cloud service provider’s equipment. Your data could be intercepted at virtually any of these locations. However, some of the risks are more likely (and more mitigatable) than others. For purposes of becoming sufficiently competent on the “benefits and risks,” let’s look at some of the low-hanging fruit.

Risk #1: When you connect to an “open” wireless router, your data travels unencrypted to and from the router. Further, older protocols like wired equivalent privacy (WEP) can be cracked in a matter of seconds. Therefore, if your connection to the router is open or uses WEP, your confidential data could be easily intercepted.

Risk #2: Using a more secure connection between your laptop and the wireless router, like the Wi-Fi Protected Access version 2 (WPA2), will only keep your data encrypted as long as it is in the air. Once it has arrived at the router, the router decrypts the data and sends it on to the Internet. Even if the router’s owner does not have evil intentions, sloppy setup and configuration may leave the router susceptible to compromise.

Risk #3: From a technical perspective, there is nothing that prevents “impersonation” of a legitimate wireless router. The router that shows up on the list of available connections at Gate A12 might be a legitimate service provider’s router or it may just be a router having a similar or exact name.

Risk #4: Storing data in a third-party cloud necessarily puts your confidential data outside of your control. While your data may be encrypted while “in flight” between your laptop and the cloud service provider and also while “at rest” on the cloud service provider’s disk drive, there is a transition point when your data must be decrypted and then re-encrypted. During this transition, your unencrypted data may be at risk because of sloppy setup and configuration by the service provider, or worse still, a rogue employee.

Mitigation #1: Most cloud storage providers (and most common websites) now use something called “Hypertext transfer protocol secure” (HTTPS), which provides encryption of your data from the time it leaves your laptop to the time that it arrives at the service provider’s computer. However, not every website uses HTTPS and not every communication that passes out of your laptop is via your web browser, and as such, relying only on use of HTTPS still leaves your laptop somewhat exposed.

Mitigation #2: A better option to relying solely on HTTPS is to use “virtual private network” (VPN) software to first create an encrypted link between you and a known place of safety, for example, your firm’s network, which then links you to the cloud service provider. There is still a window of lower security while your laptop establishes the VPN, but this window can be minimized if your computer’s software implements an “always on” VPN which blocks any communications until after the VPN connection has been established.

Mitigation #3: VPNs can also be implemented using an external device that is physically connected to your laptop and wirelessly connected to the wireless router. In this configuration, your laptop is not directly exposed, which should eliminate most conventional security risks associated with wirelessly connecting your laptop to a potentially compromised router.

Mitigation #4. Perhaps the most secure solution is to encrypt your data before sending it off to the cloud. In this scenario, no one (including the service provider) ever has access to your unencrypted data. There are “zero-knowledge” cloud providers that make the process fairly transparent, however, because your data is effectively doubly-encrypted, speed may become an issue.

And so now you are hopefully a bit more competent about the “benefits and risks” associated with connecting your laptop to the cloud.