Survey Finds That 28 State Bar Association Websites Fall Short On Security Settings
According to Bob Ambrogi, 31 states have now adopted the ethical duty of technology competence. Yet ironically, many of the same states that have adopted the duty of technology competence are home to bar associations that aren’t setting a very good example for members. Here’s what I mean.
Last month, the Federal Trade Commission released a report entitled Do Webhosts Protect Their Small Business Customers With Secure Hosting and Anti-Phishing Technologies?. The report recommended that small business sites have SSL, which is “a technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browser remain private.” Sites that have SSL certification will have an “https” prefix rather than http and will have a tiny padlock next to them – such as the one you see here on MyShingle.
The FTC Report summarizes the importance of SSL certification to consumers:
First, [SSL/TLS certification] offers some assurance to a website’s visitors that they are viewing the legitimate site rather than an imposter. Second, it establishes an encrypted connection between a browser (i.e., a user’s computer) and a server (i.e., a website), shielding anything from credit card numbers to passwords from eavesdropping. Finally, SSL/TLS protects against modification of the information exchanged, including changes to the information so small that users are not likely to perceive them. Together, SSL/TLS adds an extra layer of security for consumers, and helps companies protect their brand and build trust with customers.
These considerations are even more important for lawyers, who often collect confidential or sensitive information from clients on their website – which if disclosed could result in waiver of privilege. And although the prospect of a small firm website being hacked once seemed laughably remote, that’s no longer the case: a recent study released earlier this week found that the average small business website is attacked 44 times per day.
If that statistic isn’t enough to persuade lawyers to obtain SSL certification, Google’s new policy should provide added incentive. Last month, Google announced that all sites using the “http” prefix (i.e., those without an SSL certificate) will be marked as “not secure” by its browser. Let’s just say that having a potential client greeted with a big honking warning that “this site is not secure” is unlikely to engender confidence in a law firm.
So here’s the thing. Even as 31 states have imposed a duty of technology competence, 28 bar associations have imperfect security protections at their websites. Arizona, Maryland, Indiana, and South Dakota are all “Not secure” sites, which do not have an “https” version available. Oregon has an “https” version of its site that is non-functioning, while Hawaii’s “https” version is only accessible via log-in by staff.
The remaining 22 bar association sites shown on the chart do have a valid SSL certification. However, I’ve not let them off the hook, because these sites do not show the “https” version (i.e., the secure version of the site) by default, either because the server is not forcing use of the SSL version through a redirect, or because the sites contain mixed content – i.e., some pages protected and others not. [You can determine the reason for the errors by visiting the site WhyNoPadlock.com and entering a site URL to figure out the issues.] Both of these situations are problematic because most website visitors lack the knowledge to hunt around for a secure version of the site before entering confidential information.
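To show how a site ends up in one of the categories used above (no https at all, a non-functioning https version, https available but not forced by a redirect, or mixed content), here is an added checker written for this post rather than taken from it or from WhyNoPadlock; the hostnames and responses are constructed, and the `probe` helper and the `MIXED_RE` heuristic are my own assumptions about how to approximate such a check.

```python
# Added example (not from the original post): sort a site into the survey's
# categories from what an http:// and an https:// request returned. Hostnames,
# responses and the mixed-content heuristic below are constructed/assumed.
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# A sub-resource fetched over plain http from an https page is "mixed content";
# browsers drop the padlock for it. (Links in <a href> are not mixed content.)
MIXED_RE = re.compile(r'<(?:script|img|link|iframe)\b[^>]*\s(?:src|href)=["\']http://', re.I)

@dataclass
class Probe:
    """Outcome of one request; status is None when the connection failed."""
    status: Optional[int]
    location: Optional[str] = None
    body: str = ""

def classify(host: str, http: Probe, https: Probe) -> str:
    """Return the survey category for `host` given both probes."""
    if https.status is None:
        return "not secure: no https version available"
    if https.status >= 400:
        return f"https version non-functioning (HTTP {https.status})"
    if MIXED_RE.search(https.body):
        return "https available but mixed content (padlock lost)"
    loc = urlparse(http.location or "")
    forced = (http.status in (301, 302, 307, 308) and loc.scheme == "https"
              and (loc.hostname or "").endswith(host))
    if forced:
        return "secure: http redirects to https"
    return "https available but not forced (no http->https redirect)"

def probe(url: str, timeout: float = 5.0) -> Probe:
    """Live helper (standard library only); redirects are not followed so the
    Location header stays visible. Not used by the offline checks."""
    import urllib.error, urllib.request
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # urllib then raises HTTPError for 3xx instead of following
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as r:
            return Probe(r.status, r.headers.get("Location"),
                         r.read(200_000).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Probe(e.code, e.headers.get("Location"))
    except (urllib.error.URLError, OSError):
        return Probe(None)
```

For a live host, call `classify(h, probe(f"http://{h}/"), probe(f"https://{h}/"))`; the offline categories above are what the survey's chart sorts sites into.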
For an ethical duty of technology competence to have any meaning, best practices must begin at home. Yet if the state bar associations lack the technology competence to fully implement SSL protocols, how can they expect solo and small law firms to take on the task?
Though well-intended, the ethical duty of technology competence simply isn’t sufficient to protect clients in the digital world. Here, many state bar associations and regulators missed the boat on informing lawyers of the importance of maintaining SSL security measures on their websites, while the FTC, by contrast, was out ahead on this issue in advising small businesses. If we lawyers are serious about protecting our clients in the digital age, we must move away from self-regulation and self-enforcement of technology competence and instead subject ourselves to the same privacy and data security laws, regulations and practices that apply to all other businesses. In a digital age, lawyers’ special snowflake status no longer serves our clients.