By Anna Sanders

Law360 (September 29, 2020, 12:02 AM EDT) -- Attorneys must expand their use of end-to-end encryption and take other steps to boost cybersecurity to protect their clients as the coronavirus pandemic intensifies risks from digital threats like hacking, mass surveillance and data breaches, a new report warns.

The increased reliance on virtual and remote work during the pandemic underscores why all legal professionals and especially criminal defense attorneys must use end-to-end encryption and other methods to protect client confidentiality, the New York Civil Liberties Union concluded in a report released Tuesday. In the spring, New York banned in-person client meetings to curb the spread of COVID-19, ordering all nonessential legal organizations to go completely virtual.

"The pandemic forced attorneys to move more of their operations to digital, and it certainly exposed preexisting security gaps that already needed to be addressed," Jonathan Stribling-Uss, an NYCLU technologist fellow who wrote the report, said in an interview with Law360.

While coronavirus restrictions deepened this "digital security gap," the report recommends legal organizations and law firms make permanent changes to their digital protocols and ethics standards. The report says attorneys should not only use end-to-end encryption for all confidential talks with clients but that the federal government, states, bar associations and other entities regulating the industry should require such technology for all privileged communications.

End-to-end encryption works by scrambling messages so they can only be read by the sender and intended recipient. This would allow an attorney to privately discuss a case with a client without risking sensitive information.

The report also recommends that attorneys use "open source" platforms like Linux instead of "proprietary" products — such as Microsoft or Apple systems — where the owner controls the technology and could turn over any data while cooperating with a government intelligence agency.

"A new approach to cybersecurity is especially important for court-appointed attorneys and those representing more vulnerable clients whose privacy is most threatened by the government or others looking to take advantage of attorneys' growing use of digital tools," Stribling-Uss said.

The report says attorneys should work to "sniff out unlawful or warrantless surveillance" that could have been a source of evidence collected against their clients, according to the report. The NYCLU recommends that New York state modify recently reformed discovery rules so that defense attorneys know how surveillance was conducted and with what technology.

"The attorney-client relationship is based on the promise of confidentiality, and we need new ethics rules to ensure we're not giving up privacy in our increasingly digital age," Stribling-Uss said.

Even before the pandemic forced lawyers to rely more on video meetings and email, emerging technologies had already exposed security vulnerabilities in the legal industry.

More than 100 law firms in the U.S. have reported data breaches to authorities since 2014, according to the report.

Entertainment law firm Grubman Shire Meiselas & Sacks was hit in May by hackers who demanded $21 million in exchange for stolen data, according to the Los Angeles Times.

And last year, hackers calling themselves "The Dark Overlord" released a cache of confidential files they said they stole from a law firm involved in 9/11 litigation.

Firms of all sizes are at risk of being attacked. DLA Piper was hit with a ransomware attack in 2017. One American law firm specializing in intellectual property was targeted by Chinese intelligence-backed hackers in 2017 and 2018 during a campaign to "steal valuable intellectual property or gain commercial advantage," security researchers warned in February 2019.

--Editing by Jill Coffey.

For a reprint of this article, please contact reprints@law360.com.