Is the Substantive Law Focus of CLE All Wrong?

Presented By:

Dan Pinnington Lawyers’ Professional Indemnity Company (LAWPRO) Toronto, ON

Presented at: ACLEA 53rd Annual Meeting, July 29th – August 1st, 2017, Montréal, Québec

Dan Pinnington is VP Claims Prevention and Stakeholder Relations at the Lawyers' Professional Indemnity Company, the mandatory malpractice carrier for 26,000 Ontario lawyers. He is the driving force behind LAWPRO's innovative and internationally recognized claims prevention (practicepro.ca). Dan is a Fellow of the College of Law Practice Management and is a prolific writer, speaker and blogger on risk management, legal technology and law practice management issues. He is a veteran of hundreds of presentations at law firms, CPD programs and conferences all over North America. He was Chair of ABA TECHSHOW 2007, and was Editor‐in‐Chief of the ABA's Law Practice Magazine for several years. Dan is also active with the Ontario and Canadian Bar Associations. Dan has a combined LL.B./J.D. from the Universities of Windsor and Detroit and was called to the Ontario Bar in 1993.

Is substantive focus of CLE wrong? ACLEA Montreal 2017 Dan Pinnington/LAWPRO

Dan Pinnington VP, Claims Prevention & Stakeholder Relations Lawyers’ Professional Indemnity Company

ACLEA'S 53rd Annual Meeting Montreal, Canada August, 2017

Are substantive law errors the most common cause of ethics complaints?

Of malpractice claims?

NO!!!

© 2017 Lawyers’ Professional Indemnity Company

Agenda

• Causes of LSUC complaints
• Causes of LAWPRO claims
• Strategies to avoid claims
• CLE program ideas
• Questions

For ethics complaints and malpractice claims

The most common ethics complaints

Per capita complaints for lawyers in private practice

All stats from Professional Development and Regulation May 2017 Report to LSUC Convocation (lsuc.on.ca)

Law Society of Upper Canada Summary of 2016 Complaints

• Service Issues 34%
• Integrity Issues 21%
• Financial Issues 19%
• Governance Issues 14%
• Conflict Issues 7%
• Special Applications 5%

See LSUC Convocation report

LSUC Complaint details

• Service issues: fail to follow client instructions, communicate or serve client, fail to provide client report, withdrawal of services/abandonment, fail to supervise staff, breach of confidentiality/fiduciary duty
• Integrity: conduct unbecoming, criminal charges, discriminatory conduct, sexual misconduct
• Financial: mishandling trust accounts, excessive/improper fees, misappropriation, improper referral or splitting of fees
• Governance: fail to maintain books & records, practice while suspended, fail to report misconduct or error, fail to cooperate with LSUC, practising without insurance, improper advertising
• Conflicts: Business/financial relations with client
• Special applications: Readmission, capacity, competency failure, interlocutory suspension

The most common malpractice errors

What is LAWPRO?

• Mandatory malpractice insurer for 26,600 Ontario lawyers
• 2,616 new claims reported last year
• 3,700 open claims files
• Gross claims under management over $375 million
• $90 million claims costs per year

General claims statistics

• 101 claims / 1000 lawyers / year
• Claims reported average of 2-3 years after services provided
• Lawyers 6-25 years most claims activity
• No claims sensitivity for any geographical region

‘Global’ Descriptions of Loss (2006-16 by count)

• Communication 31%
• Time Management 19%
• Inadequate Investigation 18%
• Error of Law 13%
• Clerical 7%
• Other 6%
• Conflict of Interest 4%
• (segment label missing) 2%

See biggest claims risks article

‘Global’ Descriptions of Loss (2006-16 by cost)

• Communication 33%
• Error of Law 17%
• Inadequate Investigation 17%
• Time Management 14%
• Conflict of Interest 8%
• Fraud 5%
• Other 3%
• Clerical 3%

Communications errors

• Failure to follow client’s instructions
• Work promised, but not done
• Failure to obtain consent/inform client
• Work done without instructions
• Implications of decisions/actions
• Poor communication with client
• Who looks after what
• Often he said, she said…

Time and calendaring errors

• Failure to know/ascertain deadline
• Missed limitation
• Failure to calendar properly
• No tickler system
• Fail to react to calendar
• Basic calendar snafu

• Procrastination/lack of follow up
• Not doing work as promised/timely basis
• Instructions sent, no follow-up

Inadequate discovery or investigation of facts

• Not digging deep enough
• Examples:
  – Not identifying all parties on litigation matter
  – No property/pension valuations on matrimonial file
  – Not asking about spousal status/assets on will matter
  – No medical reports on personal injury matter
  – Not doing title search on commercial lease

Failure to know or apply the law

• Substantive law
• Legislation
• Regulations
• Case law
• Recent decisions
• Tax issues
• Often dabblers!

Clerical/delegation errors

• Misfiled or lost documents
• Mistake on filing/form
• Not completing critical steps
  – E.g., issue a claim, file pleadings
• Lack of supervision or poor delegation
  – To employee and not checked
  – Instructions to/from foreign lawyer

Conflicts of interest

• Acting >1 party/entity
  – Previous vs. current clients
  – Family members and businesses
  – Company and directors/shareholders
• Acting where self-interest
  – When fees owing
  – Investing in client

Are big firms really that different?

LAWPRO claims count by area of law and firm size (2006-16)

LAWPRO claims count by error type and firm size (2006-16)

Errors by areas of law

Plaintiff litigation claims (2006 to 2016)

Defence litigation claims (2006 to 2016)

Real estate claims (2006 to 2016)

Corporate law claims (2006 to 2016)

Family law claims (2006 to 2016)

Wills & estates claims (2006 to 2016)

IP claims (2006 to 2016)

practicepro.ca/factsheets

Years Between Error and Reporting for Claims 1998‐2016

[Bar chart by area of law; legend: Under 10, 10 to 15, Over 15; horizontal axis 80% to 100%.] Oldest claim by area of law:

• Wills Estates: 45 Yrs
• Real Estate: 58 Yrs
• Tax: 27 Yrs
• Family: 59 Yrs
• Criminal: 23 Yrs
• Corporate: 44 Yrs
• Securities: 22 Yrs
• Bankruptcy: 14 Yrs
• Plaintiff Lit: 31 Yrs
• IP: 14 Yrs
• Labour: 16 Yrs
• Defence Lit: 24 Yrs

Specific claims risks

Cyber dangers and liabilities

“Cyber” claims danger scenarios

The dangers:
• Trust account theft
• Confidentiality breach
• Data destruction
• Service interruption

The how:
• Bad …
• Hacked email account…
• Malware…
• Lost devices …
• Compromised systems…
• of service attack

Biggest technology dangers

• Email
  – Sending email to wrong people
    • E-mail auto-address
  – BCC
  – Saying nasty things
• Data/systems breach

• Occasional danger
  – Loss of client data on portable devices
  – Social media
  – Getting into trouble online or in another jurisdiction

The weakest links

• Lawyers/staff falling for scams
• Sloppy use of passwords
• Poor training
• Failure to update software

Disputes about money

• Control client expectations about fees
• Get sufficient retainer at start
• Bill regularly
• Replenish retainer when it runs out
• If clients don’t replenish retainer or pay outstanding accounts:

• Don’t sue for fees

Difficult clients

Categories of difficult clients*

• Angry/hostile
• Vengeful/with a mission
• Over-Involved/obsessive
• Dependant
• Secretive/deceitful/dishonest
• Depressed
• Mentally Ill
• The difficult client with the difficult case
• Client who is unwilling to accept, follow or believe any of the lawyer’s advice

* From paper by Justice Carole Curtis

How to deal with difficult clients

• Set expectations at the start
• Continually manage expectations
• Be firm and consistent
• Don’t tolerate inappropriate behaviour
• Know when to say goodbye

• See paper by Justice Carole Curtis and client billing and administrative information precedents – www.practicepro.ca/difficultclients
• Retainers – www.practicepro.ca/retainers

Problems with precedents

• Final draft does not reflect the client’s instructions
• Due to:
  – Miscommunications
  – Drafting errors
• Ambiguous clauses
• Conflicting clauses
• Missing clauses

Accommodate the (big) client errors

• Inappropriate things for big client
  – Cut corners
  – Take shortcuts
  – Overlook conflicts of interest
• Drivers
  – To please the client
  – Keep client for fees

Resolution of claims

Resolution of LAWPRO claims (1998 to 2015)

Indemnity Paid 14%

No Cost 45%

Defence Only 41%

Distribution of number of claims by size of loss (1998-2015)

• $1 to $100,000: 90%
• $101,000 to $250,000: 6%
• Over $250,000: 4%

Distribution of cost of claims by size of loss (1998-2015)

• $1 to $100,000: 33%
• $101,000 to $250,000: 23%
• Over $250,000: 44%

How to avoid the dreaded call to LAWPRO

Keep clients happy

Avoiding a malpractice claim: File handling procedures

• Formal file opening/closing procedure
  – Conflicts check
  – Written retainer with clear scope
• Conflicts
  – Follow firm procedures religiously
    • Systems normally catch them
    • Ignored because poor judgment/greed
  – Listen to your instincts - Who is your client?
  – You can't judge your own conflicts
  – Take appropriate action when real or potential conflict arises

Avoiding a malpractice claim: Control client expectations

• Manage/control client expectations from the start
  – Process and procedures
  – Anticipated timing
  – Prospects for success/likely outcome
  – Anticipated costs/disbursements
• Don’t assume client understands everything
  – Keep client informed
• Have them review drafts
• Explain consequences of decisions
• Don’t wait until end to ask how you did
  – Milestones or yearly (off the clock!)

Avoiding a malpractice claim: Create a paper trail

• Confirm information, instructions, advice and work done in writing
  – But not everything
• Get signed directions on major decisions
• Detailed contemporaneous dockets
  – Telephone conference with client re termination provisions of lease
• Use written offers to settle
• Send interim and final reporting letters
• Be clear when retainer is over
  – Final reporting letter
  – Non-engagement on consult
  – I am not your lawyer letter

Avoiding a malpractice claim: Do your homework

• Know the law
• Know the facts
• Don’t rush or take shortcuts - dig deeper - ask yourself:
  • What does client really want/need?
  • Read between the lines
  • Is there anything unusual?
  • Is there something that doesn’t add up?
• Do good work
  – Put case in properly
    • Evidence Act notices, expert reports etc.
  – Appropriate due diligence

Where can risk management fit in a CLE program?

• Substantive
• Ethics
• Procedural
• Skills (“soft”)
• Law practice management
  – Technology, management, finance and marketing

Sample agenda: Your first trial

• Evaluating the case
• Getting expert reports
• Preparing pleadings
• Handling discoveries
• Preparing for trial
• Making opening statements
• Examining and cross-examining experts
• Making closing statements
• Professionalism and ethics

What is missing?

Sample agenda: Lease drafting

• Common drafting errors
• Landlord issues
• Tenant issues
• What should be in the preamble
• Key lease clauses
• Termination provisions
• Standard boiler plate clauses
• Negotiating lease terms

What is missing?

What we like to see on CLE agendas: client communication

• Setting and controlling client expectations as to options, outcomes, timing, and costs
• Keeping clients informed
• Interim and final reporting letters
• Confirming settlement discussions
• Dealing with difficult clients
• Talking to clients when there is bad news

What we like to see on CLE agendas: practice management

• File opening process
  – Conflicts check
  – Retainers
• Necessity of tickler system
• Meeting deadlines and keeping files moving
• Best billing practices
• Managing practice finances
• File closing process
• Office procedures manual

What we like to see on CLE agendas: paper trail to CYA

• Documenting a file
  – How (formal and informal)
  – What not to document
• Interim and final reporting letters
• Reviewing draft with client

What we like to see on CLE agendas: soft skills

• Dealing with stress
• Delegation
• Effective communication
• How to listen
• Time management

What we like to see on CLE agendas: technology

• Avoiding cyber dangers
• Tools to work more effectively and efficiently
  – Document automation
• Practice management software
• Essential technologies for a law office
  – Accounting software
  – Practice management software
• Basic technology skills

Places to learn more:

practicePRO/LAWPRO Resources

• Best LAWPRO resources brochure in materials
• www.lawpro.ca
• www.practicepro.ca

Profile of Legal Malpractice Claims: 2012-2015

Published by ABA Standing Committee on Lawyers' Professional Liability

In closing…

• Main causes of complaints and malpractice
  – Client communication issue
  – Poor practice management
• By being proactive in using risk management strategies, many complaints and claims are easily preventable
• CLE can help!!!

Thanks and questions please

Dan Pinnington
Vice President, Claims Prevention & Stakeholder Relations
LAWPRO, Toronto, Ontario
(416) 598-5863 or 1-800-410-1013
Web: www.practicepro.ca and www.lawpro.ca
Blogs: AvoidAClaim.com; slaw.ca
LAWPRO is on LinkedIn and Facebook and Twitter @LAWPRO and @practicePRO

More info:

www.lawpro.ca www.titleplus.ca

www.lawpro.ca/excess www.practicepro.ca

LAWPRO’s best claims prevention tools and resources

Nobody wants to deal with a malpractice claim – but 4 out of 5 Ontario lawyers will have at least one claim made against them in their careers. When a claim occurs, it is nice for the lawyer and client to have the LAWPRO insurance program in place, especially when claims arise out of honest mistakes or for reasons beyond the lawyer's control. However, the majority of claims are preventable.

LAWPRO sees the same errors time and time again. Lawyer/client communications problems are the most common cause of claims for law firms of every size and in almost every area of practice. Missed deadlines and procrastination are the second largest cause of claims. Inadequate investigation or discovery of fact is the third largest cause of claims.

Over the last 17 years, the practicePRO program has produced a large collection of tools and resources aimed at helping lawyers avoid claims. This brochure has LAWPRO’s best claims prevention content. We strongly encourage all Ontario lawyers to review and use these tools and resources in their practices.

For an electronic version of this brochure with links to these resources, visit practicepro.ca/topresources

The top 15 things you can do to avoid a malpractice claim

Many claims are preventable, often with very little effort. The following is a list of the top 15 proactive steps you can take to avoid a malpractice claim:

1. Start out on the right foot with a formal file opening procedure and a written retainer: With every new client you should go through a standard file opening procedure that includes client/matter screening and a conflicts check. If you are going to act you should prepare a retainer letter or agreement that sets the key terms of engagement for the matter. It should clearly identify who the client is and what you are retained to do, and in particular, any limitations on the scope of the retainer. Consider including a provision that describes your firm’s policy on disbursing money from your trust account, in order to protect yourself against counterfeit cheque fraud: Put the client on notice that you reserve the right to hold funds for a specific time period or until you are sure they have “cleared.”

2. Don’t dabble or handle a matter you are uncomfortable with: If you are unsure or hesitant about handling the matter for any reason, get appropriate help or refer it to another lawyer. Send the matter away if you are unfamiliar with the area of law, a real or potential conflict exists, the matter is for a relative or friend and you are not able to be objective, or the client is very demanding and difficult.

3. Get the money up front at every stage of a matter: At the time you are retained, get a retainer that is sufficient to cover all work that needs to be done at the initial stage of the matter. Replenish retainer funds before they are exhausted and at the start of each stage of a matter or file. Configure your accounting system to remind you when the amount in trust is getting low relative to the WIP on the file or when the accounts have not been paid within 30 days. Stop work if the retainer is not replenished or accounts are not paid on a timely basis. Working on credit with a growing A/R greatly increases the likelihood you will not get paid and the potential for a malpractice claim (see #13). (This is especially important for plaintiff litigation, where you could find yourself in the middle of a malpractice claim due to an administrative dismissal of the action. If the retainer is not replenished, get off the record in a timely fashion.)

4. Control client expectations with good communications at all times: Clearly and accurately communicate to your clients the available courses of action and possible outcomes, all the implications of any decisions or actions, how long things will take, and the expected fees and disbursements. Immediately advise them if changed circumstances affect any aspect of your initial advice to them.

5. Document (almost) everything: It is just not practical to document everything on every matter, but strive to document as much as you can in some contemporaneous manner. Formal letters are fine, but emails, detailed time entries or marginal notes on documents can be equally effective. In particular, record advice or instructions that involve significant issues or outcomes, as well as major client instructions or decisions (especially with respect to settlements). Documentation takes on a greater importance when dealing with difficult or emotional clients. Memorialized communications are invaluable to confirm what was said to, or done for, the client in the event of a malpractice claim. Make sure nasty or embarrassing comments never appear in your client files or records.

6. Meet or beat deadlines: Set realistic deadlines for completing tasks and/or delivering documents or advice to clients. Under-promising and over-delivering (i.e., earlier than promised) on work for clients will make them very happy. Don’t leave work to the very last minute as unexpected events beyond your control may intervene and lead to missed deadlines (e.g., blackouts, snow storms or a sick staff member). Give yourself a margin of safety by setting deadlines a day or two early.

7. Delegate but supervise: Delegation is an essential part of running a practice, but make sure there is appropriate supervision and review of junior lawyer or staff work. Never allow others to use your Teraview® key and password.

8. Dig deeper to get all required information and ask questions if things don’t add up: Lawyers in many areas of practice are not taking the time to get all the information they need to give proper and complete advice to their clients. (For example, identifying all assets and liabilities on a will or family law matter; getting details of injuries on a tort claim, etc.) You must dig deeper, spot relevant issues and ask all appropriate questions of a client, especially if there is something on a matter that doesn’t quite make sense.

9. Do not allow yourself to become a pawn: Do not allow loyalty to a client, pressure by a client, greed, or other motivations get in the way of your professional duties and ethics. Do not cut corners, cover up irregularities, or forgo investigative steps at the urging of a client. Doing any of these things will come back to haunt you.

10. Don’t do any of the things that most annoy clients: These are all the things that would equally annoy you. They include not returning phone calls or emails, long periods of inactivity, and surprising a client with bad news or a large account. If you have certain standards or practices that govern your client communications, such as phone calls will be returned within 48 hours (not same day), describe them in the initial retainer letter (See #1).

11. Don’t wait until after the file is closed to ask how you did: Ask clients for feedback as the matter progresses, at milestones, or when interim accounts are rendered. Proactively address any concerns or issues the client raises.

12. Send interim and final reporting letters: At milestones, confirm to the client the work that was done and the results or outcomes, good and bad. Be sure to note any follow-up tasks that are the responsibility of you or the client. In the final reporting letter be clear that your retainer is concluded.

13. Think VERY carefully before suing for fees: Suing for fees almost guarantees a counter-claim alleging negligence, even if there are no grounds for the allegation.

14. What goes around comes around: Your reputation will precede you. Be civil at all times to: your client, judges, court staff, and the counsel and client on the other side.

15. Communicate and document (almost) everything: Read #4 and #5 again – controlling client expectations with good communications is the best way to avoid a claim, and having some documentation of those communications is one of the best ways to defend a malpractice claim.

© 2016 Lawyers’ Professional Indemnity Company. This article originally appeared in LAWPRO Magazine, Student Issue #4, 2016. It is available at www.practicepro.ca/education/newlawyers.asp

LAWPRO’s practicePRO initiative provides risk management, claims prevention and law practice management information for Ontario lawyers.

Top technology articles and resources

Technology has become an essential part of practising law. These tips, articles and papers, available at practicepro.ca, will help you use technology to become more effective and efficient. They will also help you avoid some of the dangers inherent in the use of technology in a law practice setting.

1. LAWPRO Magazine – December 2013: and law firms
2. Keeping your passwords strong and secure
3. Don’t take the bait on a spear phishing attack
4. 10 Tips to managing your inbox
5. Danger: When a hacker emails you instructions in the name of your client
6. Fifteen tips for preventing identity theft and online fraud
7. Technology and stress: Good tool, bad tool
8. Docketing dos and don’ts
9. Technology in trying times: How and why you should use technology in your practice
10. Is Facebook secretly sharing what you’re reading and watching?
11. Be smart about spam: Use white listing so you don’t miss key messages
12. Danger signs: Five activities not covered by your LAWPRO policy
13. Social media pitfalls to avoid
14. Essential dos and don’ts for LinkedIn users
15. Employee departure checklist

15 of our most practical and helpful checklists, precedents and resources

We have a large collection of checklists, precedents and other resources that give you practical and helpful direction on steps you can take to reduce the risk of a claim. Here are 15 of our most helpful and practical claims prevention tools:

1. Retainer agreement precedents: One of the best ways to reduce the risk of a claim is a retainer agreement that clearly identifies the client and the scope of work to be done. We have a variety of retainer agreement precedents for different types of matters which you can adapt for your practice.

2. Client administrative information and billing information letter precedents: These helpful letters tell a client everything they need to know about dealing with you and your staff and how legal fees will be dealt with.

3. The Canadian Bar Association’s Conflicts of Interest Toolkit: A great collection of practical checklists and precedents that will help you recognize and avoid conflict of interest claims.

4. Post-matter Client Service Survey: What did your clients think of your service? Use this post-matter client service survey to find out.

5. Independent legal advice (ILA) checklist: A hasty $150 ILA consult can easily lead to a claim and a $5,000 deductible. Use this ILA checklist to make sure you cover all the bases when giving independent legal advice.

6. Domestic Contract Matter Toolkit: This toolkit helps lawyers systematically consider and discuss all relevant information at the initial interview and signing of a domestic contract. It includes an intake form, an intake checklist, a post-meeting client assignment form, and a review and signing checklist.

7. Commercial Transaction Checklist: This checklist contains a series of questions lawyers should ask themselves to help ensure that the commercial documents they are drafting correctly reflect the client’s instructions and expected results. It helps ensure that your communication with the client has been thorough, too.

8. Fraud Fact Sheet: This pamphlet describes the bad cheque and real estate frauds that most commonly target lawyers and lists the “red flags” that can indicate that an otherwise legitimate looking matter is actually a fraud. Share this with your staff too!

9. Rule 48 Transition Toolkit: On January 1, 2017 files commenced before January 1, 2012 that are not yet set down for trial will be automatically dismissed unless there is an order otherwise or the plaintiff is under disability. Move your files along and comply with the requirements of the new Rule 48.14 with help from this toolkit.

10. Managing a mentoring relationship booklet: Practical advice on how mentors and mentees can build mentoring relationships that are productive and successful.

11. Managing a better professional services firm booklet: Loads of advice on how you can improve client communication and service at your firm.

12. Managing the finances of your practice booklet: Details of the steps you can take to better manage and improve the finances of your practice.

13. Business plan outline: Looking to grow your practice or to borrow some money from the ? This business plan outline will help you set some long-term goals for the finances, management and marketing of your practice.

14. Sample budget spreadsheet: This detailed 12 month budget spreadsheet will help give you detailed insights into your practice revenues and expenses.

15. Limited Scope Representation Resources: These resources will help you understand some of the risks inherent in providing limited scope legal services, and how you can reduce your exposure to a claim when working for a client on an unbundled basis.

• lawpro.ca: Everything you need to know about LAWPRO’s insurance program
• practicepro.ca: Practical resources, precedents and checklists for risk management, claims prevention and law practice management
• AvoidAClaim.com: Daily updates on practice advice, claims prevention and alerts to the latest frauds

Practice advice for avoiding claims: 15 articles we wish lawyers would read

Below are the 15 claims-prevention articles we most wish lawyers would read. Many of these articles appeared in past issues of LAWPRO Magazine or one of our webzines. You can find these and other past articles online in the LAWPRO Magazine archives. They are fully searchable and are listed chronologically and by topic.

1. New Year’s resolutions for a healthier law practice and a new you: If you are going to read one article this is it – 15 pages of practical tips for reducing risk and avoiding claims and stress.

2. Is anyone listening? It’s easy to prevent communication breakdowns: This article describes specific communication pitfalls and how to avoid them in many areas of practice.

3. Let’s get talking: A look at communication breakdowns: Lawyers don’t always communicate as well as they could. Read this article to improve your communications skills.

4. Inadequate investigation/discovery now #1 cause of claims: Lawyers in many areas of law are not taking the time to get all the information they need to give proper and complete advice to their clients. Read this article to learn how to dig deeper, spot relevant issues and ask all appropriate questions of a client.

5. Avoiding administrative dismissals: Rule 48 Transition Toolkit provides advice and tools lawyers and law firms can use to lessen the risk of a claim under the new rule.

6. Litigation claims trends: errors & insights: This article examines the most common civil litigation-related errors that LAWPRO sees, and the steps you can take to reduce the likelihood of a litigation claim.

7. Self-represented litigants: A survival guide: Having a self-represented litigant on the other side of a matter can be very frustrating for you and your client. This article will help lessen those frustrations.

8. Real estate claims trends: A detailed review of where and why real estate claims happen – and what can be done to avoid them.

9. Six things I hate to read in a real estate claim file: LAWPRO President & CEO Kathleen Waters runs through the unfortunate explanations we see on all too many real estate claims files.

10. Unbundled legal services: Pitfalls to avoid: “Unbundled” or limited scope legal services are here to stay; but providing these services creates risks that must be managed. Read this article to understand and avoid those risks.

11. Landmines for lawyers when drafting wills: LAWPRO claims counsel Pauline Sheps outlines some of the areas of greatest malpractice danger for wills practitioners.

12. Diversify without dabbling: Before expanding your practice, expand your competence. Dabblers – lawyers working outside their usual area of practice – cause a significant number of claims. Read this to understand why.

13. Wondering when to report that claim or potential claim? Do it now: Late reporting of a claim can have severe consequences. Read this article so it doesn’t happen to you.

14. The morning after mediation: Settling a matter can require lots of give and take and some compromise, with the result that clients may have second thoughts about what they agreed to the day before. Avoid this predicament with the advice in this article.

15. A checklist for avoiding conflicts on lateral transfers: Lateral transfers need to be a good fit and having the right credentials is important, but so is avoiding conflicts of interest. Get the advice to do it right here.

For an electronic version of this brochure with links to these resources, visit practicepro.ca/topresources


LAWPRO Magazine, December 2013, Vol. 12.4

The risks and dangers are real: How to protect yourself and your firm

Also:
• LAWPRO cybercrime coverage and other insurance options
• How to make your passwords strong and secure
• Recognize and avoid phishing scams

LAWPRO Key Dates for 2014

Make a note of the key dates for 2014 and mark your calendars accordingly.

January 31, 2014: Real estate and civil litigation transaction levies and forms are due for the quarter ending December 31, 2013.

February 5, 2014: Last date to qualify for a $50 early payment discount on the 2014 policy premium (see page 13 of the 2014 Program Guide for details).

April 30, 2014: Real estate and civil litigation transaction levies and forms are due for the quarter ending March 31, 2014.

April 30, 2014: Annual exemption forms from lawyers not practising civil litigation or real estate in 2014 and wanting to exempt themselves from quarterly filings are due.

July 31, 2014: Real estate and civil litigation transaction levies and forms are due for the quarter ending June 30, 2014.

September 15, 2014: File your LAWPRO Risk Management Credit (for Continuing Professional Development) Declaration by this date to qualify for the $50 premium discount on your 2015 insurance premium for each LAWPRO-approved program (to a maximum of $100) completed by this date.

On or about October 1, 2014: LAWPRO online filing of Professional Liability Insurance renewal applications for 2015 is expected to begin. If you wish to file a paper application instead, please note that paper renewal applications will not be automatically mailed out, but it is expected that you will be able to download a 2015 pre-populated paper renewal application from our website on or about October 1, 2014.

October 31, 2014: Real estate and civil litigation transaction levies and forms are due for the quarter ending September 30, 2014.

November 3, 2014: E-filing discount deadline: Renewal applications filed online on or before November 1, 2014 qualify for the e-filing discount to be applied to the 2015 insurance premium.

November 10, 2014: Renewal application filing deadline: 2015 LAWPRO insurance applications filed/received after this date will be subject to a surcharge equal to 30 per cent of the base premium.

LAWPRO customer service department can be reached at: 416-598-5899 or 1-800-410-1013, by fax at 416-599-8341 or 1-800-286-7639; or by email at [email protected]

LAWPRO FAQ: Higher deductible for certain administrative dismissal claims

Q. Is it true that the deductible that I will have to pay for certain administrative dismissal claims will now be $10,000 more than (i.e., on top of) my usual deductible amount?

A. Yes. In order to control claims costs related to often-preventable administrative dismissal claims, LAWPRO has introduced a $10,000 deductible increase that will be imposed in addition to (i.e., on top of) the insured’s existing deductible amount for claims that result where an administrative dismissal is not set aside through steps taken by or under the direction of LAWPRO.

As well, for such claims, the deductible will be deemed to apply to claim expenses, as well as indemnity payments and/or costs of repairs, regardless of the deductible option selected by the lawyer.

More information: For more details, please see “$10,000 increase in deductible for certain administrative dismissal claims” on page 2 of the October issue of LAWPRO Magazine.

Contents
Volume 12 Issue 4, December 2013

Departments:
2 In the news
4 Editorial
34 TitlePLUS announcement!
37 Social Media: LAWPRO has a LinkedIn page, does your firm? Social media profile: Kathleen Waters

Features:
6 Cybercrime and law firms: The risks and dangers are real
10 Protecting yourself from cybercrime dangers: The steps you need to take
25 The LAWPRO $250,000 cybercrime coverage: What it covers and why
26 Other cyber risk insurance options: Do you have the coverage you need?
28 Be ready with an Incident Response Plan

In practice:
30 Tech Tip: Keeping your passwords strong and secure
32 Could this happen to you? Would you take the bait on a phishing scam?
35 Practice Tip: Draw clients a roadmap to avoid communication claims
36 Book Review

Publications Mail Agreement No. 40026252

Return undeliverable Canadian addresses to: LAWPRO, 250 Yonge Street, Suite 3101, P.O. Box 3, Toronto, ON M5B 2L7

LAWPRO® (Lawyers’ Professional Indemnity Company)

Trademarks: ®LAWPRO, TitlePLUS and practicePRO are registered trademarks of Lawyers’ Professional Indemnity Company; other marks are registered trademarks of the respective owner.

Copyright ©2013 Lawyers’ Professional Indemnity Company, except certain portions which are copyright in favour of external authors.

In the news

New hire in the LAWPRO finance department

LAWPRO is pleased to welcome Steve Onona to our finance department as the new director of actuarial services. Before joining LAWPRO, Mr. Onona worked at Northbridge Financial Corporation in the actuarial department. Mr. Onona attended the University College of London where he graduated with his BSc (Hons) in statistics, computing, operational research and economics.

We’re hiring: Two claims counsel positions and practicePRO counsel

We are currently seeking two claims counsel to join the LAWPRO claims team. Both are permanent full-time positions in LAWPRO’s primary professional liability claims department. The successful candidates will have the opportunity to handle interesting cases in a variety of areas of law. LAWPRO claims counsel interact with insured lawyers in investigating, evaluating, and resolving errors and omissions claims against them. They manage these claims in-house or direct external legal counsel and professionals in resolving them.

LAWPRO is also looking for a dynamic and resourceful team player for our practicePRO program, our internationally recognized risk management and claims prevention initiative. As practicePRO counsel you will develop, implement and support all aspects of practicePRO operations.

Think you would be a perfect fit, or know a colleague or friend that would? Please visit lawpro.ca/Career/default.asp for information about how to apply.

LAWPRO external counsel recognized for their achievements, briefed on trends and procedures

In October of this year, LAWPRO held its biennial seminar for its outside counsel. At this meeting, several LAWPRO claims professionals and executives delivered presentations detailing emerging claims trends, provided information about changes to procedures for working on LAWPRO matters, and answered questions about recently-introduced improvements to the technology we use to connect with external counsel. As always, this meeting also provided an important opportunity to recognize the efforts and successes of our outside counsel for their important work on behalf of Ontario lawyers.

LAWPRO employees put their charity day to good use

As part of LAWPRO’s corporate social responsibility initiative, the company grants employees one charity day every year to use in lieu of working at the office. As an example of how our employees have used that charity day, the group pictured at right spent a day in October preparing over 300 sandwiches to be served through the Lawyers Feed the Hungry program operated by the Law Society of Upper Canada.

For more information on our charity efforts please visit: lawpro.ca/AboutLawpro/lscsr.asp

eBRIEFS

Below is a summary of electronic communications you should have received from LAWPRO this fall. The full content of these newsletters is available at practicepro.ca/enews.

To ensure that you receive timely information from LAWPRO about deadlines, news and other insurance program developments, please make sure you have whitelisted [email protected].

Webzines

practicePRO 15th anniversary edition of LAWPRO Magazine
September 30
LAWPRO’s practicePRO program, created to support lawyers in building thriving practices while managing risks, was launched 15 years ago! This webzine includes links to specific articles of the magazine.

2014 LAWPRO policy responds to changes in the profession and related risks
October 17
In late September, Convocation of the Law Society of Upper Canada approved LAWPRO’s program of insurance for 2014. This webzine includes links to our October Insurance Issue of the LAWPRO Magazine, along with links to job postings.

Insurance News

2nd REMINDER: Apply for your LAWPRO Risk Management Credit by September 15
September 11
Reminder for lawyers to apply for the LAWPRO Risk Management Credit by September 15th to save $100.

2013 Second quarter transaction levy filings overdue
September 18
A reminder to lawyers that we have not yet received their transaction levy filings for the second quarter of 2013.

Renew your LAWPRO exemption status for 2014: File online now
September 26, October 9
A reminder and instructions for renewing your exemption status before November 8, 2013.

Convocation approves LAWPRO’s insurance program for 2014
September 27
For the fourth consecutive year, LAWPRO will hold the base premium for the mandatory insurance program steady at $3,350. This webzine includes additional details on the insurance program for 2014, along with the media release and report to Convocation.

Renew your professional liability insurance for 2014 starting October 1
October 1, 15, 25; November 4, 18
A message to lawyers to E-file your 2014 insurance application by November 1 to save $25.

Renew your firm’s professional liability insurance for 2014 now
October 2, 16, 28; November 5, 18
A message to all firms to E-file their 2014 insurance application by November 1 to save $25.

LAWPRO Magazine

President & CEO: Kathleen A. Waters

LAWPRO Magazine is published by Lawyers’ Professional Indemnity Company (LAWPRO) to update practitioners about LAWPRO’s activities and insurance programs, and to provide practical advice on ways lawyers can minimize their exposure to potential claims.

Editors: Dan Pinnington [email protected], Nora Rock [email protected]

Design & Production: Freeman Communications [email protected]

Photography: Rick Chard [email protected]

lawpro.ca
Tel: 416-598-5800 or 1-800-410-1013
Fax: 416-599-8341 or 1-800-286-7639

Disclaimer: This publication includes techniques which are designed to minimize the likelihood of being sued for professional liability. The material presented does not establish, report, or create the standard of care for lawyers. The material is not a complete analysis of any of the topics covered, and readers should conduct their own appropriate legal research.

Interesting times (and ) call for active risk reduction efforts, not just insurance coverage

Legal systems and their participants have a reputation – perhaps no longer just – for being slow to embrace technological change. But while good lawyers know that technology tools are not (at least not yet!) a full replacement for the exercise of professional judgment and the application of legal knowledge, they also know that a head-in-the-sand approach to the hurtling evolution of computer technology is a recipe for being trampled.

The stampede, in this analogy, involves two different herds: the first is comprised of honest competitors who, using technology to their own and their clients’ advantage, will claim an ever-increasing share of the legal services market. The second herd is more sinister: tech-savvy criminals increasingly use the Internet to exploit both human and technological vulnerabilities in their quest to steal money and valuable information.

In the previous issue of LAWPRO Magazine we explored the future of legal services, and in doing so, touched on some of the technologies driving that evolution. In this issue, we turn our attention to the “black hats” of the high tech world: the perpetrators of cybercrime.

Cyber criminals have lawyers and law firms in their sights. For one thing, lawyers’ computer systems often harbour valuable information – not just clients’ personal information, but also information about pending commercial deals, trade secrets, and intellectual property: information that is worth money. Lawyers’ computers also, in many cases, provide access to actual funds, in the form of trust account monies accessible via electronic banking.

Not only do law office computers contain valuable information, but they can also be fairly vulnerable from a security perspective. Smaller firms may not have staff with the knowledge needed to build state-of-the-art security systems, and generally do not have in-house computing professionals available to monitor and respond to immediate threats. While good-quality security products are available at a cost that is affordable for most small firms, the extent to which firms have actually invested in and implemented these protections varies widely. Cyber criminals prey on the most vulnerable firms. When a firm’s security system is weak, the firm can easily become a target.

We know that law firms are targeted by cybercriminals, because these attacks are often in the news, and even directly reported to us via the practicePRO program’s AvoidAClaim blog or in the form of claims. We reviewed the issue of cyber risk in 2013, and have introduced a $250,000 sublimit of coverage for eligible cybercrime claims in our 2014 policy. See “The LAWPRO $250,000 cybercrime coverage: What it covers and why” at page 25 for more information on this coverage.

While “coverage” can be a comforting word, lawyers would be making a big mistake in feeling comfortably complacent about cybercrime. The potential for losses from cybercrime for any firm is equal to or greater than the balance in the firm’s trust accounts plus the value of the confidential information contained in its computer systems. Why greater? Because cybercrime can lead to reputational, equipment, and business interruption losses, too. These losses are not covered by your LAWPRO policy.

In the article “Other cyber risk insurance options: Do you have the coverage you need?” on page 26, we discuss types of cybercrime insurance coverage, other than professional indemnity coverage, that you may want to consider. But this information – and those types of coverage – come with a very important caveat: no form of insurance coverage should be seen as a complete answer to cybercrime.

In fact, to the extent that overly rich insurance coverage for cyber losses creates a disincentive to law firms to invest in appropriate security protections, such coverage actually encourages cyber attacks. In introducing modest sublimit coverage, we hope to provide a small safety net, without inspiring dangerous complacency on the part of lawyers and exploitative behaviour on the part of criminals.

An insurance “band-aid” is not enough. Preventing cybercrime requires an active, vigilant, and multi-faceted approach. It is the responsibility of each of us to reduce our vulnerability to cybercrime, both in our professional and in our personal lives. Cyber security is a complex discipline that requires not only technical protections (such as antivirus and anti-malware programs), but also the learning, adoption, and consistent application of protective behaviours like using strong passwords and changing them regularly.

The first step in improving your firm’s cyber security is to educate yourself about the nature of the risks and the approaches available for dealing with them. In this issue, we introduce some of the most important cyber risks in “Cybercrime and law firms: The risks and dangers are real” at page 6. In “Protecting yourself from cybercrime dangers: The steps you need to take” at page 10, we review some of the best strategies that firms can use to reduce their exposure to those threats.

But lawyers must not stop there. Each of us must come to embrace cyber security as an important aspect of life-long learning. While I don’t count myself an expert quite yet, I’ve had my share of learning experiences. For example, when I needed to have a new wireless network established for my home computer, I watched with interest as the technician stepped outside to see if he could gain unauthorized access to my system. He couldn’t, but I was shocked to discover the number of unprotected networks in my own neighbourhood. More recently, I learned about the differences between an antivirus program and an anti-malware program – the biggest take-away being, it’s not a question of choosing one or the other – you need both! But while there are doubtless many other aspects of cyber security that I will need to investigate further, my awareness is growing, and my behaviours are evolving. These days, when I encounter a site that does not allow (or require) me to choose a “strong” password (don’t know what that means? See the “Tech Tip: Keeping your passwords strong and secure” on page 30!), I find myself wondering about other aspects of the site’s security, and about what risks I might be incurring by doing business there. I know that I’m gradually developing the cyber safety instincts that will reduce my risk of becoming a victim of cybercrime. I hope that the articles in this issue will help other lawyers do the same.

Relying on insurance coverage to prevent or “solve” cybercrime is tantamount to shutting the stable door after the horse has bolted. Only active risk reduction will give us a fighting chance against those who would threaten our funds, our privacy, and our professional reputations.

Kathleen A. Waters
President & CEO

Cybercrime and law firms: The risks and dangers are real

Historians may well look back and call 2013 “The year of the hacker.” There have been numerous high-profile data breaches involving major corporations and online services: Facebook, Apple, Twitter, Adobe, NASDAQ, The New York Times and LexisNexis, to name just a few. Everyone reading this article likely has information stored by at least one, if not several, of these companies.

And it doesn’t stop there. Millions of other business entities and individuals have experienced data breaches this year, either directly on their own computers or systems, or indirectly where there was a data breach involving information about them that was stored with a third party. Countless others will have lost money after being duped in various online scams.

Law firms and lawyers take notice: cyber criminals are specifically targeting you because they want your data or the money in your trust account. Law firms are actually very appealing and sought-after targets for cyber criminals for three reasons. Firstly, law firms have large amounts of sensitive and confidential information that can be very valuable. Secondly, law firms tend to have very large sums of money in their bank accounts. Lastly, and not the least, relative to their clients and based on anecdotal information, law firms tend to have weaker security protection in place on their networks and systems.

Cybercrime has hit very close to home. In 2011, several major Bay Street firms were targeted by hackers traced to China who appeared to be seeking information on a multi-billion-dollar commercial transaction. In late 2012, LAWPRO handled a claim involving a significant theft from a firm trust account by a Trojan banker virus (see sidebar on facing page). There have likely been thousands of attempts to breach Ontario law firm systems this year, and probably some actual breaches as well. But we will likely never hear about them because firms that experience breaches usually try to keep their names out of the news.

Information on cybercrime tools and techniques is widely available online, making it easy for even non-technical people to undertake malicious cyber activities. But make no mistake, while rank amateurs may launch attacks on law firms, industrial espionage on high value targets can involve the most skilled hackers in the world including, potentially, foreign governments.

Cyber criminals will use every tool at their disposal to attack law firms. They will send spam and phishing messages. They will try to install malware and create backdoors into your firm’s computers.

LAWPRO claim involving significant theft from firm trust account by Trojan banker virus

In December, 2012, an Ontario law firm provided notice of a claim involving the infection of one of its computers by a Trojan banker virus. This was a very sophisticated fraud in which the firm’s bookkeeper was induced, by a fraudster posing over the phone as a bank representative, to key in account and password information on her infected computer. Through the virus, the fraudsters were able to capture this information which they then used to access the firm’s bank account. Over the course of several days, fraudsters wired several hundred thousand dollars from the firm’s trust account to offshore accounts.

A more detailed review of how this fraud happened will help you appreciate how sophisticated these frauds can be. It appears the bookkeeper’s computer was infected when she clicked on a link on a popular news website. Despite being the most current version with all updates, the antivirus software running on her computer did not recognize or stop the infection.

After being infected, the bookkeeper’s computer appeared to have difficulties accessing the bank’s website. She got a “This site is down for maintenance” message. This was actually not a page from the bank’s website; rather, it was a fake or “spoofed” page pretending to be the bank’s website. On another screen that appeared on her computer – which also looked like it was the bank’s real website – she was asked to enter her name and phone number. This appears to have given the fraudsters her contact information, as later that day the bookkeeper received a telephone call from someone, allegedly from the firm’s bank. That caller said she was aware of the login attempts and stated that the site had been down for maintenance. The caller said the site had been fixed and asked the bookkeeper to try logging in again. The bookkeeper did so, entering the primary and secondary login passwords for the account on screens that appeared on her computer – the passwords were not given to the person on the phone. The second password came from a key fob password generator. This appears to have given the hacker both passwords and access to the firm’s trust account.

On each of the following two days there were similar phone calls to the bookkeeper from the woman who allegedly worked for the bank to “follow up on the website access problems.” On each occasion, the bookkeeper tried to log in again and entered the primary and secondary passwords on screens that appeared on her computer.

The fraudsters went into the account during or immediately after each of the three phone calls and wired funds overseas. An amount less than the balance in the account was wired out each time. This was an infrequently used trust account and the firm had never done wire transfers from the account. The bank did not detect these frauds or stop the wires. The people behind this fraud appear to have had intimate knowledge of how to send wires from a bank account. By the terms of the banking agreements the firm had signed with the bank, the firm was responsible for replacing the funds that were taken out of the firm’s bank account.

Lawyers should not underestimate the sophistication of frauds targeting trust accounts. To better protect yourself from one of these frauds, see “Increasing your online banking safety” on page 14.
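The wires in this claim broke every pattern the account had: it had never sent a wire, it was rarely used, the money went overseas, and the wires came three days running. The following is an added example, not part of the article or any LAWPRO tool, of how a firm could screen its own daily statement export for that pattern; the record fields, thresholds, and sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

HOME_COUNTRY = "CA"     # assumption: firm and its usual payees bank in Canada
LOOKBACK_DAYS = 90      # assumption: window used to judge "infrequently used"
DORMANT_MAX_TXNS = 3    # assumption: this few entries in the window = dormant
BURST_DAYS = 1          # assumption: wires on consecutive days count as a burst


@dataclass(frozen=True)
class Txn:
    day: date
    kind: str               # "deposit", "cheque" or "wire_out"
    amount: float
    dest_country: str = ""  # beneficiary bank country for wires, else ""


def review_wires(history, new_txns):
    """Return [(txn, [reasons])] for new outbound wires that break the
    account's reconciled pattern and should be confirmed by a call-back.

    history  -- entries the firm has already reconciled as legitimate
    new_txns -- unreviewed entries from the latest statement export
    """
    known_wires = [t for t in history if t.kind == "wire_out"]
    known_countries = {t.dest_country for t in known_wires}
    new_wires = sorted((t for t in new_txns if t.kind == "wire_out"),
                       key=lambda t: t.day)
    alerts = []
    for i, wire in enumerate(new_wires):
        reasons = []
        # The firm in the claim had never wired from the account at all.
        if not known_wires:
            reasons.append("no reconciled wire has ever left this account")
        # A quiet account gives no normal traffic for a fraud to hide in.
        window_start = wire.day - timedelta(days=LOOKBACK_DAYS)
        recent = [t for t in history if window_start <= t.day < wire.day]
        if len(recent) <= DORMANT_MAX_TXNS:
            reasons.append("account is infrequently used")
        # Funds in the claim went to offshore accounts.
        if (wire.dest_country != HOME_COUNTRY
                and wire.dest_country not in known_countries):
            reasons.append("beneficiary bank is in a new foreign country")
        # Repeated withdrawals on successive days, each below the balance.
        if any(0 <= (wire.day - prev.day).days <= BURST_DAYS
               for prev in new_wires[:i]):
            reasons.append("follows another unreviewed wire within a day")
        if reasons:
            alerts.append((wire, reasons))
    return alerts


# Constructed sample data: dates, amounts and the "ZZ" country code are
# invented for illustration and are not figures from the claim.
TRUST_HISTORY = [
    Txn(date(2012, 6, 4), "deposit", 250_000.00),
    Txn(date(2012, 10, 15), "cheque", 1_200.00),
]
TRUST_NEW = [
    Txn(date(2012, 12, 10), "wire_out", 90_000.00, "ZZ"),
    Txn(date(2012, 12, 11), "wire_out", 85_000.00, "ZZ"),
    Txn(date(2012, 12, 12), "wire_out", 60_000.00, "ZZ"),
]
# A busy general account with a reconciled domestic wire, for contrast.
GENERAL_HISTORY = [Txn(date(2012, 11, d), "cheque", 500.00)
                   for d in range(1, 21)]
GENERAL_HISTORY.append(Txn(date(2012, 11, 22), "wire_out", 40_000.00, "CA"))
GENERAL_NEW = [Txn(date(2012, 12, 10), "wire_out", 35_000.00, "CA")]

if __name__ == "__main__":
    for label, hist, new in (("trust", TRUST_HISTORY, TRUST_NEW),
                             ("general", GENERAL_HISTORY, GENERAL_NEW)):
        for wire, reasons in review_wires(hist, new):
            print(f"[{label}] {wire.day} ${wire.amount:,.2f} "
                  f"-> {wire.dest_country}: " + "; ".join(reasons))
```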

They will look for weaknesses in security configurations and exploit them in order to access firm networks. In very devious ways, they will try to trick you or your staff into helping them. It is quite possible they would target you individually, including attacking your home computer to hack into your office systems.

The bottom line: cybercrime is a real and present danger for law firms. All firms should work to understand the cybercrime risks they are exposed to and take steps to reduce the likelihood they will experience a data breach at the hands of cyber criminals.

How prepared are you?

To assess your cybercrime preparedness, see if you can answer the following questions:

• Are your passwords secure enough?
• Would you or your staff be duped by a phishing message?
• How would your firm respond if one of its servers was hacked?
• Is your anti-malware software the most current version and is it updated?
• Could you tell if your computer had malware on it?
• Are your computer’s security settings adequate?
• Is there a backdoor into your network?
• What would happen if a firm laptop or smartphone were lost or stolen?
• How would you deal with a major data theft by an ex-employee?
• Is your home computer safe?

The remainder of this article, and the next one, will start you on the journey to help you understand and answer these questions. Tread carefully and thoughtfully as the health and the future of your practice could well rely on how well you address cybercrime risks.

The menace of malware

Malicious software (“malware”) is one of the most common ways law firm computers and networks are infiltrated and compromised by cyber criminals. The malicious intent behind malware usually involves gaining unauthorized access to computers or networks to steal money, passwords or valuable information, or to cause disruptions or destroy data. Malware can affect individual computers, firm networks and even the operation of the Internet. In many cases, people will not know their computer is infected with malware (see “How to recognize if your computer is infected with malware” on page 16). Worse yet, removing malware from a computer is often very difficult.

There are many types of malware and they usually do one or more of the following tasks or damaging things:

• Record your keystrokes to capture usernames, passwords, credit card numbers and other personal information you enter while making purchases or doing online banking. This information is then sent to cyber criminals who will use it to hack your online accounts or systems.
• Create a “backdoor” that allows hackers to access your computer or network without your knowledge by bypassing normal authentication and security mechanisms.
• Disable your security settings and anti-malware software so the malware won’t be detected.
• Use your computer to hack into other computers on your firm’s network.
• Take control of individual programs and even an entire computer.
• Use your computer to send email messages to the people in your address book, who will in turn become infected if they click on links or open attachments in these messages.
• Use your computer to send spam to thousands of people, usually with the intent of infecting them.
• Steal the data on your computer.
• Alter or delete your files and data.
• Display unwanted pop-up windows or advertisements.
• Slow down your computer or network or prevent access to your firm website.
• Allow someone to secretly watch you through your webcam.

Malware employs varying mechanisms to self-replicate and infect other computers. Malware often requires some kind of deliberate action by a user to infect a computer or hijack an online account. For example, you can become infected with malware by doing the following things – most of them are common tasks that occur many times a day in every law firm:

• Opening an infected email attachment.
• Just visiting a website (no need to click on a link).
• Triggering a download by clicking on a link on a website.
• Triggering a download by clicking on a link in an email, instant message or social media post.
• Plugging an infected USB stick or external hard drive into your computer.
• Downloading a program to your computer, or an app for your tablet or smartphone.
• Installing a toolbar or other add-on to your browser.

Documents created on an infected computer can be silently infected, and if those documents are sent as an email attachment, anyone opening them can be infected. USB sticks or external hard drives that are plugged into an infected computer can become infected, and they in turn can infect other computers they are then plugged into. Once malware gets into a firm network, it will often spread to other computers on the same network. As they often have mixes of people from many different firms or online communities, deal rooms and document sharing sites can be a breeding ground for malware. In some cases the computer user doesn’t have to do anything – some types of malware (e.g., worms) can spread on their own without any user actions.

While viruses and worms are the most common types of malware, there are many other types which are described in more detail in the adjacent “Common types of malware” sidebar.

Cybercrime dangers can originate inside your firm too

Many people assume, incorrectly, that the biggest cyber dangers come from outside a law office. Statistics actually show that the majority of incidents involving the destruction or loss of data are perpetrated by current, soon-to-be dismissed or recently dismissed employees. Few, if any, know more about your firm’s systems than your employees; and few, if any, are in a better position to cause major damage. In particular, your IT staff, employees with advanced technology knowledge, and outside technology support people are potentially the greatest threat. They have the greatest knowledge about your system configurations, the technical know-how to be very destructive, and they are often savvy enough to cover their tracks – erasing evidence of their presence and activities. Your cybercrime prevention efforts should address these internal dangers as well.

Now that you are familiar with basic cybercrime dangers, review the next article to gain an understanding of the steps you need to take to reduce your exposures to the cybercrime dangers that occur in law firms.

Dan Pinnington is vice president, claims prevention and stakeholder relations at LAWPRO.

Common types of malware

Malware is classified by how it propagates itself or what it does. The names and a brief description of the common types of malware appear below:

Viruses: Viruses are one of the most common types of malware and will do one or more of the tasks and damaging things listed in the adjacent text. Like their biological namesakes, computer viruses propagate by making copies of themselves. When an infected program runs, the virus will attempt to replicate itself by copying itself into other programs, usually while completing the malicious actions it is designed to do. Viruses often arrive in infected email attachments or via a download triggered by a click on a link in an email or on a website. Even just visiting a website can start an automatic download of a virus. Some viruses will send themselves to everyone in your contact list; others will use your computer to infect strangers as they come with their own address lists.

Worms: After viruses, worms are one of the next most common types of malware. Unlike a virus, a worm goes to work on its own without attaching itself to programs or files. Worms live in a computer’s memory and can propagate by sending themselves to other computers in a network or across the Internet itself. As they spread on their own, they can very quickly infect large numbers of computers and may cause a firm’s network – or even parts of the Internet – to be overwhelmed with traffic and slow down or stop working altogether.

Trojans: Trojans are named after the wooden horse the Greeks used to infiltrate Troy. A Trojan is a malicious program that is disguised as, or embedded within, otherwise legitimate-looking software. Computer users often unwittingly infect themselves with Trojans when they download games, screensavers, utilities, rogue security software or other enticing and usually “free” software from the Internet. Once installed on a computer, Trojans will automatically run in the background. Trojans are used for a variety of purposes, but most frequently they will open a backdoor to a computer or capture keystrokes so that sensitive information can be collected and sent to cyber criminals. See the sidebar on page 7 for details of a large fraud involving a Trojan infection.

Spyware: Like Trojans, spyware also often comes in the form of a “free” download, but can also be installed automatically when you click on a link or open an attachment. Spyware will do many different things, but usually it will collect keystrokes or other information about you that will be shared with third parties without your consent. This can include usernames, passwords and surfing habits.

Adware: Adware works like spyware, but will focus on your surfing habits and will slow down or stop your browsing by taking you to unwanted sites and/or inundating you with uncontrollable pop-up ads while you are browsing the web.

Botnets: A botnet is a collection of software robots (“bots”) that together create an army of infected computers (known as “zombies”) that are remotely controlled by the originator. Your computer may be part of a botnet and you may not even know it. On an individual level, bots will do most of the typical malware tasks and damaging activities. When working together, botnets are used to execute denial-of-service attacks (DoS attack) or distributed denial-of-service attacks (DDoS attack). A DoS attack is accomplished when thousands of computers are told to visit a particular website or server at the same time, thereby crashing it and/or making it impossible for regular users to access it.

Rootkits: Once malware is installed on a system, it is helpful if it stays concealed to avoid detection. Rootkits accomplish this by hiding inside the host computer’s operating system. They can be very hard to detect and will do most of the typical malware tasks and damaging activities.

Scareware: Scareware is plain devious. While visiting a website, a pop-up advertisement will appear with a “Your computer may be infected with harmful spyware programs. Immediate removal may be required. To scan, click ‘Yes’ below.” If you click “yes,” you download malware onto your computer.

Ransomware: Ransomware infections are becoming much more common recently and are usually spread by infected email attachments or website links that trigger a download. The most common type, Cryptolocker, will scramble all the data files on your computer with virtually unbreakable encryption. You learn you are infected when a pop-up window tells you that your data has been scrambled and will be deleted unless you pay a ransom within a very short period of time, typically 48 hours or so. The ransom is typically in the range of $100 to $300 and payable only in Bitcoins, a type of virtual currency that makes payments untraceable. It is a relatively low amount so you have an incentive to pay it as a nuisance; but as you are dealing with criminals, paying it does not guarantee that you will get your data back.

Protecting yourself from cybercrime dangers: The steps you need to take

Cybercrime dangers are many, complex and ever-changing. Hardly a day goes by without another news report of a data breach or other cyber-related scam or theft. Cyber criminals have considerable resources and expertise, and can cause significant damage to their targets. Cyber criminals specifically target law firms as law firms regularly have funds in their trust accounts and client data that is often very valuable. LAWPRO encourages all law firms to make dedicated and ongoing efforts to identify and understand their potential cybercrime vulnerabilities, and to take steps to reduce their exposure to cyber-related dangers. This article reviews the specific cybercrime dangers law firms need to be concerned about, and how they can mitigate their risks.

It starts with support from senior management

Any effort to tackle cybercrime must start at the top. Senior partners and firm management must be advocates of cyber security, support the implementation of appropriate practices and policies, and allocate sufficient resources to address cybercrime exposures. While there are some quick fixes that can help make your office and systems more secure (to find them see "quick fixes" opposite), most firms will need to spend some time and money to better protect themselves from cybercrime. This may include upgrading or installing new technology, training staff, and changing how some tasks are done.

Firms should also put some thought into how a cyber breach – the loss of client data or hacking of a firm server – would be handled. Firms should have a formal incident response plan so they can avoid making bad decisions on an ad hoc basis in the middle of a crisis. See page 28 for an article on incident response plans.

Immediately increase your security with these “quick fixes”

While some of the work that must be done to protect a firm from cybercrime will take time and effort to implement, there are a number of things you can do that are fast and easy and that can be done at little or no cost. These “quick fixes” are highlighted throughout this issue with this quick fix logo.

You likely need expert help

Beyond the very practical issue of wanting to avoid being the victim of cybercrime, remember that when using technology, lawyers and paralegals must meet their professional obligations as outlined by the lawyers’ Rules of Professional Conduct and the Paralegal Rules of Conduct. These rules provide that you should have a reasonable understanding of the technology used in your practice, or access to someone who has such an understanding [Rule 2.01 of the lawyers’ Rules, Rule 3.01 of the Paralegal Rules].

It is unlikely that sole practitioners and smaller firms will have someone on staff who has the technical expertise to properly address all relevant cyber security issues. With their larger and more complex technology infrastructures, even medium and larger firms may also need to seek outside help. One of the biggest dangers here is that people just don’t realize what they don’t know when it comes to cybercrime dangers and how to prevent them. LAWPRO encourages firms to seek appropriate help from knowledgeable experts when required. To identify vulnerabilities, firms may want to consider engaging an outside expert to do a formal security assessment.

Staff education and technology use policies

As you will learn in this article, despite being technology-based, many cybercrime dangers involve a human element. Cyber criminals create situations in which law firm staff and lawyers will unintentionally and unknowingly facilitate cybercrimes as they go about their common daily tasks. Educating staff to help them understand, recognize and avoid cybercrime dangers is a critical part of reducing cybercrime risk.

Written policies that clearly establish guidelines and requirements governing the acceptable use of all firm technology resources can also help reduce cyber exposures. Through technology use policies, law firm staff should be given clear direction on what they are permitted and not permitted to do with law firm technology resources. These policies should use simple and non-technical language that all employees can understand. They should be reviewed with new employees at the commencement of employment, and on an annual basis with all staff. It is also essential that these policies be consistently and strictly enforced.

Every technology use policy should cover some basics. They should clearly state that technology resources provided by the firm, including Internet and email access, are to be used for legitimate firm activities. Staff should understand that they have an obligation to use resources properly and appropriately. Technology use policies should also direct firm staff to ensure that the confidentiality of firm and client information is protected at all times, that there is compliance with network system security mechanisms, and that resources are not used in a manner that would negatively affect others on the system. Technology use policies should also indicate that the firm retains the right to monitor any and all electronic communications and use of the Internet to ensure the integrity of the firm’s systems and compliance with the firm’s technology use policy. As well, the policy should indicate that there may be sanctions for failure to comply.

You can find some sample technology use policies you can use and adapt for your firm on practicePRO.ca.

The cybercrime dangers you need to address

The cybercrime dangers firms need to address are many and varied. This article reviews these dangers in more detail and will help you start on the work that is necessary to address them so you can reduce the likelihood that cyber criminals will breach your law firm’s systems. The topics covered in the sections to follow are:

1. Avoid the dangers of email
2. Lock down your browser and avoid surfing dangers
3. Avoid infections with antivirus and/or anti-malware software
4. Lock things up by using passwords properly
5. Address security vulnerabilities by installing operating system and program updates
6. Keep the bad guys out with a firewall on your Internet connection
7. Stump hackers by changing key default settings
8. Lock down and protect your data wherever it is
9. Scrub confidential client information on discarded equipment
10. Be safe when using remote access and public computers
11. Secure your mobile devices to protect the data on them
12. Harden your wireless and Bluetooth connections and use public Wi-Fi with extreme caution
13. Be careful about putting your firm’s data in the cloud
14. Inside people can be the most dangerous
15. Be careful of the dangers of BYOD and family computers
16. A backup could save your practice after a cybercrime incident

As they can be used as a point of access to your firm’s systems, it is critical to address the above issues on your personal smartphones and tablets, as well as your home computers and networks.

You must address all the dangers

Don’t be tempted to ignore any of the dangers listed above, or to skip or skimp on the steps suggested to deal with them. Remember, your data and systems are only as safe as the weakest link in your security plan. When you leave on vacation, you lock every door and window in your house. Leaving just one door or window open gives a thief easy and instant access. To protect yourself from cybercrime, it is critical that you fully and properly address all cybercrime dangers. Cyber criminals will look for and exploit holes in your security plan.

Note that some of the configuration changes suggested in this article will require you to have “administrator” access to your device or systems. Operating your computer or device with the administrator account (or an account that has administrator status) will allow you to freely change your configuration or settings. A regular “user” account will not have the ability to change many device or software settings. To prevent regular staff from changing their settings and intentionally or unintentionally causing damage to your systems, everyone in your office should be using a “user” account, not an administrator account or accounts with administrator status. Doing your day-to-day work while logged into a “user” account can also reduce the damage that a malware infection will cause. Without administrator access, the malware will be restricted in its abilities to change settings on your computer.

As a final note, you may find yourself unable to change your configuration if your firm centrally administers and controls the settings for computers and other devices. Speak to your technology support person if you have questions or concerns.

1. Avoid the dangers of email

Email has become a primary communications tool for the legal profession. It allows virtually instant sharing of information and documents between lawyers and their clients. Email is also one of the most dangerous tools in a modern law office. Infected attachments, spam and phishing attacks delivered by email make it easy for cyber criminals to deliver malware and breach law firm security protections. It is essential that you educate your lawyers and staff about these dangers and the steps they should take to use email safely.

Be wary of attachments

While email attachments are frequently used to share documents between lawyers, law firm staff, and clients, they are also one of the most common delivery mechanisms for malware. While most messages that have infected attachments will be stopped if your anti-malware software and/or spam filter are working properly and updated, some will make it through. For this reason, everyone at a law firm should follow these two simple rules:

1. No matter how interesting or enticing they appear to be (e.g., jokes, celebrity gossip or pictures), never open attachments from strangers.
2. No matter how interesting or enticing they appear to be, never open attachments unexpectedly sent to you by people you know.

The reason for Rule #1 should be obvious – enticing attachments from strangers usually have a malware payload. The reason for Rule #2 might be less obvious: to trick you into feeling comfortable about opening an attachment, some types of malware will send an email with an infected attachment to all the address book contacts it finds on a computer that it has just successfully infected. This is done intentionally with hope that people getting such a message will be comfortable opening the attachment as it came from someone they know – and bingo – the person opening the attachment will become infected and all their contacts will get a similar message.

Use spam filters to avoid annoying and dangerous spam

On a daily basis you undoubtedly receive unsolicited commercial junk email, advertising or other offensive messages commonly known as spam. Spam is not only annoying – it is also very dangerous as it is commonly used to deliver malware (if you click on a link in the message) and phishing scams (see the next heading).

To combat spam, many firms use spam filters that are intended to detect unsolicited and unwanted email and prevent those messages from getting into a user’s inbox. Spam filters use various criteria to identify spam messages, including watching for particular words or suspicious word patterns, messages that come from websites that are known to send spam, etc. Anti-spam products also use “blacklists” that intercept messages from recognized spammers, and “whitelists” that let messages through only if they come from your personal list of recognized email addresses or domains (the domain is the main part of an email address or website, for example, lawpro.ca or gmail.com).

If your email program includes a spam or junk mail feature, you should turn it on. For additional protection, consider installing a third party spam filter. They are often included in anti-malware suites. See page 14-15 for more information on anti-malware software.

While spam filters can significantly reduce the amount of spam you receive, they are not perfect. They will sometimes let spam messages through. Advise firm staff not to open or respond to spam messages, and to flag them as spam so that the spam filter can learn to recognize and prevent a similar message from getting through in the future.

Links in spam messages will often cause malware to be downloaded to your computer. For this reason, everyone at a law firm should be told to never click on links in spam messages, no matter how interesting or enticing they appear to be.

Don’t be fooled by phishing

Did you know that emails appearing to come from companies you trust may actually be from criminals trying to steal your money or identity? Because they are so successful at duping people, “phishing” emails have quickly become one of the most common and devastating scams on the Internet.

Phishing scams use spoofed (meaning faked or hoaxed) emails and websites to trick you into revealing your personal and financial information. By using the trusted brands and logos of online retailers, banks, or credit card companies, phishing scammers trick surprisingly large numbers of people. The phishing email directs users to visit a website where they are asked to confirm or update personal information such as: passwords; and credit card, social insurance and bank account numbers. In doing so, people are tricked into giving this information directly to cyber criminals, who, in turn, use it for identity theft, financial theft or other cybercrimes.

Legitimate companies will never ask you to update your personal information via an email message. Don’t get tricked by phishing scams. See the “Could it happen to you” column on page 32 to learn how to recognize and avoid phishing scams.

2. Lock down your browser and avoid surfing dangers

After email, your Internet browser is probably the second most dangerous technology tool in your office. Even casual surfing on the web can expose you to malware and other cyber security issues. You and your staff need to know how to safely surf the web and configure your browsers so that surfing is less dangerous.

Safely surf the web

Teaching your staff the following surfing “don’ts” will help you reduce cyber-related surfing risks, and reduce the likelihood of a malware infection:

• Don’t complete online transactions involving account information, passwords, credit card numbers or other personal information, unless you are on a secure connection as indicated by an “https” in the website address (see sidebar on page 14).
• Don’t visit unknown websites, and especially music, video, or pornography sites because they are often loaded with malware.
• Don’t use file sharing sites, or services unless you are familiar with them and know the people you are sharing files with.
• Don’t download software, unless it’s from a reputable and trusted site.
• Don’t download new apps (wait until downloads hit the thousands and it is likely any malware in the app has been detected).
• Don’t download browser add-ons, plug-ins or toolbars, especially from unknown or untrusted sites.
• Don’t click on “OK,” “Yes” or anything else in browser “pop-ups” (the small windows that sometimes open within a browser). These are sometimes made to look like “dialog boxes” (the windows you change settings or options in) to make you think you are clicking on options or settings you normally deal with. Quickly closing all browser windows and tabs can help, especially if you are being flooded with multiple pop-ups. On Windows-based browsers use Ctrl+W or Alt+F4 to repeatedly close the top-most tab or browser window. In Safari, ⌘+Shift+w will close all tabs in the current window and ⌘+q will close all Safari windows and tabs.

Run an antivirus or anti-malware program that runs in the background and scans for dangers (see below for more information on anti-malware software).

If you are doing online banking for your firm trust or general accounts, it is critical that you ensure all security risks are addressed. See the “Increasing your online banking safety” sidebar on page 14 for the extra steps you need to take.

Beware the dangers of social media

Many people are comfortable sharing a great deal of personal information on Facebook, Twitter, Instagram and other similar social media tools. While family and friends may enjoy this information, people should keep in mind that cyber criminals could use the same information to assist them in personal identity theft or the hacking of online accounts. Be cautious about the amount and type of information you share on social media. Posting vacation pictures while you are away or using apps that broadcast your location (e.g. Foursquare) tells the world you are away from your home and office.

Facebook, Twitter, LinkedIn and some other sites can be configured to only let you login on a secure connection (see the adjacent sidebar on https connections). This can prevent your account from being hacked since your login credentials and connection are encrypted, making it harder for someone to intercept them.

Lock down your browser

Malware programs can automatically and secretly install themselves while you are browsing. These are called “drive-by downloads.” This occurs when websites run scripts (small bodies of code designed to perform a specific action) or ActiveX controls (a module of code that adds extended functionality to the browser).

All browsers allow you to change individual configuration settings, many of which can deal with these and other security issues. Some browsers let you easily change multiple security or privacy settings by choosing from different levels of security (Medium-high or high are best). While changing browser settings can provide greater protection, it may also prevent some websites from running properly. While the options and terminology will change slightly between the various browsers, these are some of the settings you should change to lock down your browser:

• prevent pop-ups from loading (or prompt you before loading a pop-up).
• disable JavaScript.
• don’t accept third party cookies.
• delete cookies on exit.
• clear history at close.
• disable ActiveX controls (or prompt to run ActiveX controls).
• enable automatic updates.

See the “Browser Security Settings for Chrome, Firefox and Internet Explorer: Cybersecurity 101” webpage for detailed instruction on how to lock down these three browsers. “iOS: Safari web settings” on the Apple Support site has information on Safari security settings.

There are also various browser plug-ins and add-ons that can increase browser security and warn you about suspicious activity. Widely used WOT (Web of Trust) will warn you about untrustworthy sites (available for all browsers).

Pharming

“Pharming” is another common trick used to perpetrate scams. Pharming takes you to a malicious and illegitimate website by redirecting a legitimate website address. Even if the website address is entered correctly, it can still be redirected to a fake website. The fake site is intended to convince you that it is real and legitimate by spoofing or looking almost identical to the actual site. When you complete a transaction on the fake site, thinking you are on the legitimate site, you unknowingly give your personal information to someone with malicious intent.

You can avoid pharming sites by carefully inspecting the website address in the address bar. Make sure you are on the site you intended to visit and look for “https” (see sidebar on next page) before you enter any personal information, passwords, credit card numbers, etc.
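The address-bar inspection described above (the site you intended, plus “https”) can be written down as explicit checks. The Python sketch below is an added example, not part of the LAWPRO article; the expected-site list, the warning codes and the sample addresses are assumptions constructed for illustration.

```python
import difflib
import ipaddress
from urllib.parse import urlsplit

# Assumption: a short list of sites staff really sign in to. Both names
# appear on this page; the list itself is constructed for the example.
EXPECTED_HOSTS = ("lawpro.ca", "practicepro.ca")


def _skeleton(name):
    """Collapse a few common character swaps so look-alike names compare equal."""
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", "")):
        name = name.replace(fake, real)
    return name


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_address(url, expected=EXPECTED_HOSTS):
    """Return warning codes for a URL copied from the address bar.

    An empty list means the scheme is https and the host is an expected
    site or one of its subdomains.
    """
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ["UNPARSEABLE"]
    if not host:
        return ["NO_HOST"]

    warnings = []
    if parts.scheme != "https":
        warnings.append("NOT_HTTPS")
    if "@" in parts.netloc:
        # Everything before '@' is a user name, not the site being visited.
        warnings.append("USERINFO_BEFORE_HOST")
    if _is_ip(host):
        return warnings + ["IP_INSTEAD_OF_NAME"]
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("NON_ASCII_OR_PUNYCODE")

    # Exact match or a true subdomain of an expected site: nothing more to check.
    if any(host == e or host.endswith("." + e) for e in expected):
        return warnings

    found = False
    for e in expected:
        # Compare the same number of trailing labels as the expected name has.
        tail = ".".join(host.split(".")[-(e.count(".") + 1):])
        if e in host:
            # The trusted name is present but is not where the host name ends.
            warnings.append("EXPECTED_NAME_EMBEDDED:" + e)
            found = True
        elif (_skeleton(tail) == _skeleton(e)
              or difflib.SequenceMatcher(None, tail, e).ratio() >= 0.85):
            warnings.append("LOOKALIKE_OF:" + e)
            found = True
    if not found:
        warnings.append("UNEXPECTED_HOST")
    return warnings


# Constructed sample addresses; none is taken from a real incident.
SAMPLES = [
    "https://www.lawpro.ca/login",
    "http://practicepro.ca/",
    "https://lawpro.ca.account-check.example/login",
    "https://1awpro.ca/",
    "https://lawpr\u00f6.ca/",
    "https://lawpro.ca@203.0.113.7/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_address(sample) or "ok")
```

Both conditions have to hold before credentials are entered: a look-alike name served over https still fails the host check, and the right name over plain http still fails the scheme check.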

lawpro.ca LAW PRO Magazine | Volume 12 Issue 4 13 < PREVIOUS NEXT > Avoid infections with antivirus and/or anti-malware software The S in https means QUICK Good behaviour alone will not protect you from viruses FIX you are on a safe and or other malware infections. You must run software 3 secure connection that will prevent and/or detect infections on your When logging in on any website, you should always check for a computers, and you may want to consider it for your secure connection by checking to see if the web address be - tablets and smartphones too. gins with https://..., as opposed to http://... Look for the “s” which signals that your connection to the website is encrypted But what is the difference between antivirus and anti-malware and more resistant to snooping or tampering. software? As explained in the “Common types of malware” sidebar on page 9 , viruses are a specific type of malware. Malware is a

Increasing your online banking safety Many law firms manage their trust and regular bank accounts on the Internet, and some firms have the ability to initiate various banking transactions online, including account transfers and wiring funds. While the convenience and efficiency of online banking are huge benefits, the downside is that online banking exposes you to security risks. The steps outlined below will help law firms to understand, address and reduce online banking risks – for both your firm and personal accounts.

• Know and understand the terms of your banking agree - on the computer or captured by malware making it accessible ments: As a starting point, carefully read your bank account to others. and electronic banking services agreements. Make sure you • Never conduct financial transactions over an unsecured understand the obligations these agreements place on you with public Wi-Fi network: Communications on an unsecured Wi-Fi respect to using the account. In particular, make sure you are connection can easily be intercepted. See additional comments familiar with the notice requirements for unauthorized transactions, on Wi-Fi at page 20-22. and who is responsible for unauthorized transactions. In most circumstances it will be you, unless in specified and usually narrow • Use a secure and unique password that is changed circumstances you give prompt notice to the bank. regularly: Your online bank account should not have the same password as any other account. It should be a strong password • Remove account features you won’t use: If hackers ever (see the Tech Tip on page 30 to learn how to create a strong managed to get into your account, the ability to access multiple password). Online banking passwords should never be stored on accounts or to initiate transfers or send wires could allow them a mobile device or anywhere else that could make them easily to easily remove funds from your account. If you don’t intend to accessible by another person. use your online banking facility for these types of transactions, have this functionality removed from your account. • Check your online bank account every day: By monitoring your daily account activity, you’ll be able to promptly identify any • Only do online banking from a secure firm computer: The unauthorized transactions or other indications that your account computer used for online firm banking should be a firm computer has been hacked. 
Check the last login time and make sure it is that has all software updates installed, is running updated anti- consistent with the last time someone from your office accessed malware software, and is behind a firewall. To reduce the potential the account. Immediately report suspicious or unexplained activity for other cyber risks, consider restricting the activities that occur to your bank. on the computer used for online banking. • Configure email or text message activity alerts: Most • Have real-time protection running and run regular malware banking websites allow users to sign up for notifications. You scans on your banking computer: This should hopefully help will then receive an email or a text message whenever a specified detect an infection as it is happening, or detect one that occurred amount of money is withdrawn or deposited to your account, without triggering the real-time protection warnings. See "Avoid or if there is unusual activity such as international transactions. infections with antivirus and/or anti-malware software" on page 14. Some banks will also phone a firm for confirmation that a • Never use public computers to do banking for the firm: If transaction that was initiated online is to go through. doing so, passwords or account data may be accidentally stored

broad term used to describe many different types of malicious code, including viruses, but also Trojans, worms, spyware, and other threats.

Does this mean antivirus software will only protect you from viruses and anti-malware software will protect you from all kinds of malware, including viruses? The answer is, unfortunately, it depends. While most of the more popular tools will scan for many types of malware, you need to look at the specific functionality of each product to know for sure what it will protect you from. From this point forward this article will refer to the broader category of anti-malware software.

The options

Windows computers are prone to infections so you must run anti-malware software on them. Microsoft Security Essentials is a free product you can download to help protect computers running Windows XP, Windows Vista, and Windows 7. Windows 8 includes Windows Defender, also free. Both offer good real-time anti-malware protection.

There are a number of widely used commercial anti-malware programs, some that come in suites that include other functionality like anti-spam, firewalls, remote access, device location and scrubbing. The two most widely used antivirus programs are Norton™ AntiVirus (symantec.com) and VirusScan (mcafee.com). Expect to pay $40-$60 per computer to buy the software, plus an additional annual fee for virus signature file updates (see opposite). Buying antivirus software that is bundled with other products, such as firewall and anti-spam software, will save you money.

Until recently, it was generally felt it was not necessary to run anti-malware software on Apple computers as the Mac OS architecture prevented infections and there were no real malware threats targeting Macs. There are now potential malware threats, so consider ClamXav, an effective and free antivirus program for Mac OS X computers.

Note: If you run a Windows emulator on a Mac computer you open yourself to the full gamut of Windows malware risks and you must use a Windows anti-malware tool.

Tablets and smartphones are, in general, much less likely to get malware infections, but you may want to run anti-malware apps on them for greater protection.

As no one tool will catch everything, you may want to consider using more than one anti-malware tool. To better protect yourself, install one security tool that scans for as much as possible and that runs all the time in the background with an on-access scanning engine. This will protect you from threats as you surf the web, install applications, open files and complete your other daily activities. Then, install another anti-malware tool that you can occasionally use on demand to make sure nothing got through or was overlooked. Scan your entire hard disk(s) at least weekly, either manually or automatically (automatic is better as you don’t have to remember to do it).

Bitdefender QuickScan is a free online scan that is handy if you need a second opinion on a Windows computer.

But note, it is important to make sure you do not run two antivirus applications simultaneously. Anti-malware programs do not usually play well together, and running two at the same time can often lead to one identifying the other as a virus, or in some cases, file corruption. Running two at the same time will likely also slow your computer down.

Malware can be extremely difficult to remove from a computer, so it is best to prevent infections. However, if you do get an infection, Malwarebytes Anti-Malware is a good free tool for removing malware from a Windows computer.

Installing anti-malware software updates is a must

Installing anti-malware software is only the start. You also need to regularly update your virus definition or signature files. Anti-malware programs use the information in these files to recognize virus infections when they are occurring. As there are new viruses being created every day, you need to have the most recently released virus signature file to be protected against all known infections. These updates are available on your anti-malware vendor’s website. Expect to pay about $30-$40 per year for these updates.

Most anti-malware programs can be configured to download these updates automatically, without user intervention. Make sure the automatic update feature is enabled as this helps ensure that your protection is always up-to-date.

Staff can help you spot malware infections

Sometimes anti-malware software will not detect that an infection has occurred. While malware can be on a computer and never give any hint of its presence, in many cases there are clues that a computer is infected with malware. See the “How to recognize your computer is infected with malware” sidebar for a list of these symptoms. Teaching your staff to recognize these symptoms could aid in the earlier detection of an infection.

4. Lock things up by using passwords properly

Like the keys that start your car or open the front door of your home or office, computer passwords are the keys that “unlock” your computer, your mobile devices and access to all the data on your network systems. We all have more passwords than we can remember. This tends to make us a bit lazy. We use obvious and easy to remember passwords – even the word “password” itself. Or worse: We don’t use them at all.

Cyber criminals know and exploit bad password habits as they are often one of the weakest links in data security schemes. For this reason, it is critical that all lawyers and staff in a law office use passwords properly. The Tech Tip in this issue, “Keeping your passwords strong and secure” (see page 30), reviews the steps you can take to properly use and protect the confidentiality of your passwords, and how you can create passwords that are harder to guess or determine.

5. Address security vulnerabilities by installing operating system and program updates

There are millions of lines of computer code in the operating systems and programs that run on your computers, tablets and smartphones. These operating systems and programs will have hundreds or even thousands of settings and features. These settings and features are intended to allow you to do all the things you want to on these different devices.

Amongst all these settings and features, cyber criminals look for “exploits.” An exploit is a particular setting, feature or sequence of commands that will cause an unintended or unanticipated behaviour to occur on a computer or other device. Exploits create security vulnerabilities because cyber criminals can use them to open a backdoor to your network, allow malware to run, or do other damaging things. New exploits are discovered on a weekly or even daily basis.

Updates

When an exploit is discovered, software companies quickly rewrite their code and release updates or patches to stop the exploit from working. To protect against newly discovered exploits, devices must be updated with the latest versions of operating systems and programs.

To keep your computers and other devices safe, you should be checking for and installing updates regularly, ideally on a weekly basis. This is particularly the case for Microsoft products, which are prone to security vulnerabilities. While not as prone to vulnerabilities as Microsoft products, Apple products should be updated regularly as well. Don’t forget to update the other non-Microsoft or non-Apple software running on your devices. Sometimes direct links to an updates webpage can be found on the Help menu. Otherwise, you should be able to find the software product’s site with a search on Google.

If you are using Windows XP or Office 2003, note that Microsoft will no longer be supporting these products as of April 8, 2014. Using these products after this date will expose you to greater security dangers. See the “Stop using Windows XP and Office 2003 on or before April 8, 2014” sidebar if this applies to you or your firm.

Automatic updates

Automatic updates can help keep your computers and other devices up-to-date. Both Windows and Apple operating systems have an “automatic update” feature that automatically notifies you when updates are available for your devices. Once activated, the device will periodically check for updates. Available updates will be downloaded, and depending how you configure things, installed with or without your knowledge. Some people prefer to set the automatic updates feature to ask for permission to install updates to avoid problems that might arise due to an update installation. Others prefer to have updates installed without intervention from the computer user (this can help make sure updates get installed).

The Ninite.com site can help Windows computer users check for and install updates (for free). Note, in some firms individual users will have no control over updates as the installation of updates will be centrally controlled and managed. The paid version of Ninite can be used for this purpose for Windows computers.

How to recognize your computer is infected with malware

Ideally you have one or more types of properly updated anti-malware software running on your computers and networks. And hopefully that software detects and prevents any malware infections from occurring. However, because anti-malware software may not detect an infection, watch for the symptoms that can indicate a computer is infected with malware. These include:

• It takes longer than usual for your computer to start up, it restarts on its own or doesn’t start up at all;
• It takes a long time for one or more programs to launch;
• Your computer and/or programs frequently lock up or crash;
• Programs are starting and running by themselves;
• Your hard drive runs continuously, even when you aren’t working on the computer;
• Your files or data have disappeared;
• You find files with new or unfamiliar filenames;
• Space on your hard drive(s) is disappearing;
• The homepage on your web browser has changed;
• Your browser starts launching multiple tabs;
• Web pages are slow to load;
• There is a lot of network or web traffic, even when you are not browsing the web or using the computer; and/or
• Parts, or all, of your computer screen look distorted.

If one or more of the above things are happening, make sure your security software is up to date and run it to check for an infection. If the first scan finds nothing, try running a scan with a second product. If the odd behaviours continue or there are other problems, seek technical help.

Back up before you install updates

It is very important to remember that installing updates can unintentionally interfere with the way your computer/device or individual programs/apps operate. It is possible that a program/app may not operate properly or at all, that data could be lost, or that a device will fail to restart after an update is installed. Creating a restore point (a temporary backup of your configuration and data) and/or making a proper backup of all the programs and data on a device before you install updates can help you recover if there are unanticipated problems. See page 24 for more information on backups.

6. Keep the bad guys out with a firewall on your Internet connection

When you are connected to the Internet, the Internet is connected to you. For computers to transmit data back and forth over the Internet, lines of communication must be established. These communications work through “ports” that are opened on each computer. The problem is that all the computers on the Internet can see one another, and these ports can allow unauthorized people to access the data on a computer and even take control of it.

Regardless of how your office connects to the Internet, your computer systems must be protected by a firewall – a type of electronic gatekeeper that ensures all incoming and outgoing communications are legitimate. A firewall watches these ports and will warn you about or prevent unauthorized communications.

Firewalls come in two varieties: software and hardware. Software firewalls are easier to set up, usually protect a single computer, and are adequate for personal or small firm use. Hardware firewalls are usually used to protect an entire network of computers. The more recent versions of both the Windows and Mac operating systems have a built-in firewall that you should enable. High-speed modems generally include a basic firewall. If you are using remote access software, you should consider using a hardware firewall to better protect the ports that must be opened for the remote access software to work.

7. Stump hackers by changing key default settings

Changing the default settings for the hardware and software used in your office is another critical step in safeguarding the security of your data and protecting yourself from cybercrime. This is probably the most technical of the steps outlined in this article and you may need expert help.

Every computer operating system, program, and app, and every piece of hardware has certain preset or default settings. These are necessary to make them operate out of the box in a consistent manner that the vendor and user will expect.

However, these default settings are common knowledge (and if you don’t know them, you can find them with Google in about five seconds), and hackers can use them to compromise a network, computer or other device. For example, if the administrator account on a computer is named “Administrator” (it frequently is), a cyber criminal only has to work on figuring out the password to hack into a system or device. If you change the name of the Administrator account to something different, your computer is much safer as the hacker has to work much harder to figure out both the name of the administrator account and its password.

You can make your systems much safer by changing the following key default settings:

• administrator account names
• server names
• network or workgroup names
• ports (change to non-standard ports and close standard ports that you don’t use)
• standard share names

Stop using Windows XP and Office 2003 on or before April 8, 2014

Microsoft will no longer be supporting Windows XP SP3 (Service Pack 3) and Office 2003 (SP3) as of April 8, 2014. After this date, there will be no new security updates, non-security hotfixes, support or online technical content updates from Microsoft for these products.

Your computer will still operate, but if you continue to use Windows XP or Office 2003, you will become more vulnerable to security risks and malware infections. Undoubtedly, cyber criminals will target computers that are still using these programs. For this reason, you should immediately start planning to migrate to more current versions of Windows and Office on all law firm and home computers running Windows XP or Office 2003. Note that the most current versions of these products are Windows XP SP3 and Office 2003 SP3. If you are using SP2 or earlier versions of these products, you already have greater security vulnerabilities; as a short-term fix, you should update to SP3 if you don’t already have plans to move off Windows XP or Office 2003.

8. Lock down and protect your data wherever it is

Long gone are the days when you had to worry about a single file folder that held all the documents for a particular matter, which you could easily secure by keeping it locked in a file cabinet. Today, client data can exist in electronic form in many different places inside and outside your office. You need to know where that data exists, who can access it, and what steps should be taken to secure and protect it from cyber criminals.

Physical access to servers, routers and phone switches

Protecting your server(s) and other key telecommunications equipment such as phone switches and routers starts with physical security. Intruders who have physical access to a server can get direct access to files and data on the server’s hard drives, enabling them to extract the usernames and passwords of every user on the system, destroy data, or give themselves a backdoor for accessing the server remotely. Even curious employees who want to change settings can unintentionally cause serious problems. Put your servers and other key telecommunications equipment in a locked room to protect them from unauthorized access. Be cautious about any wall jacks for your network in unsecured areas of your office.

Access to devices on startup

To protect the information on them, and the information on any network they connect to, every computer, tablet and smartphone should be configured to require a password at startup. Devices without a startup password allow free and unfettered access to anyone that turns them on.

Better yet, in addition to a startup password, consider encrypting the data on devices. Passwords will prevent the average person from accessing your device, but can be bypassed by people with greater expertise. Encryption will make information on devices far more secure. The operating systems on some devices have built-in encryption capabilities or you can install third party encryption programs or apps.

Put a password on your screensaver

Activating a password-protected screensaver is a simple and very effective way to prevent an unauthorized person from rifling through the data on a computer or other device that’s been inadvertently left on. All versions of Windows and Apple operating systems allow you to add a password to a screensaver. Remember to log out of any applications containing sensitive data and lock your screen when you leave your desk, or set a fairly short wait time on your screensaver so that it locks automatically if you step away. BlackBerry, Android, iOS and Windows mobile devices also have an automatic screen-locking feature.

Access across a network

Almost every law office has a computer network with one or more central servers. Client and firm information can be stored on these servers, making it accessible to everyone in the office. To better protect information from unauthorized access, take time to understand what information is stored on your network servers, and who has access to that information.

“Network shares” make folders available and visible across a network. “Permissions” control what people can do with the data in a folder. Someone with “full access” can create, change or delete a file, whereas someone with “read only” access can open and copy a file, but not delete it. Segment your data and set appropriate access levels (e.g., public, sensitive, very private) so that access to sensitive information is limited or prevented. Remember that privacy legislation requires that you limit access to some types of personal information (e.g., financial and health-related data) on a need-to-know basis.

Restricting access to more sensitive data can help protect it in the event your network is hacked or an unhappy employee with bad intentions goes looking for data.

Your desktop or laptop computer can act like a server in some cases, and content on your hard drive could be shared and accessible to someone across a network or through the Internet. To prevent this from happening, you need to make sure that file and printer sharing is turned off on your computer.

9. Scrub confidential client information on discarded equipment

Many of the technology devices used today are essentially disposable. When they get old or break down, they are simply discarded as it is too expensive to upgrade or repair them. As a result, law offices will frequently find themselves discarding older computers and other devices. This is problematic as these devices often have confidential client information on them.

There are risks in donating your old computers to charity or a local school where a classroom of technology-savvy students will be itching to recover your data. Be sure to remove the hard drive from any computer you donate, or make sure the data on the drive has been thoroughly removed (see below).

Third party access to confidential client or firm information can also be an issue if you are sending your electronic equipment outside the office for repair or maintenance.

Client information can be in unexpected places. Most modern photocopiers and printers actually have hard drives on board that store copies of the images that go through them. This data can easily be found on, or recovered from, the hard drives on these devices.

Deleted doesn’t mean deleted

It’s a common misconception that deleted files are gone for good. In fact, the deleted files on most devices (e.g., computers, tablets, smartphones, etc.) are easy to recover using widely available forensic recovery tools. Even reformatting or repartitioning a hard drive will not completely destroy all the data on it.

Keep in mind that forensic technology can also be used to restore deleted files on portable media (e.g., CDs, DVDs, USB sticks, SD cards), so you should always use new media when sending data outside your firm.

Physically destroying a hard drive or other device with a hammer is the free and low-tech option. You can also use specialized software that will “scrub” all data from a hard drive so that it is not recoverable. Widely used free tools for this task include CCleaner, Darik's Boot And Nuke (DBAN), and File Shredder.

10. Being safer when using remote access and public computers

Being able to access your work network while you are out of the office can provide increased productivity and flexibility. However, opening your systems to remote access creates a number of security risks as external network connections are a ripe target for cyber criminals. And you should think twice about using public computers for firm work.

Setting up safe remote access

There are many tools that allow you to easily set up remote access (e.g., PCAnywhere, GoToMyPC, LogMeIn, TeamViewer, SplashTop). If properly configured, these are suitable for a smaller law office or home setting. Virtual private networks or VPNs may make remote access more secure. A VPN is a network connection constructed by connecting computers together over the Internet on an encrypted communications channel. VPNs are secure and fast, but may be expensive and harder to configure.

Securing remote access may require a degree of technical knowledge and advice from a computer expert. To make your remote access safe, you must secure your network and your remote access devices.

Do the following to secure your network:

• Use a firewall and security software to keep out unwanted connections.
• Only give remote access to people who really need it.
• In order to protect sensitive information, restrict the type of data that can be accessed remotely.
• Make sure all computers connecting to your network, including personal home computers, have up-to-date security software installed.
• Review firewall and other server logs to monitor remote access and watch for unusual activity.

Do the following to secure remote access:

• Ensure installation of remote access clients is done properly.
• Restrict access to the minimum services and functions necessary for staff to carry out their roles.
• Ensure that all staff use strong passwords on devices accessing your network remotely (see page 30).
• Change remote access passwords regularly.
• Make sure that staff do not set their devices to login automatically and that they never store their passwords on them.
• Use strong authentication that requires both a password and token-based authentication.
• Have a formal remote access policy that clearly describes what staff are to do or not do with remote access.
• Delete staff remote access privileges if they are no longer needed, and immediately when a person leaves or is terminated (see “Inside people can be the most dangerous” at page 23).

The extreme dangers of using public computers

Public computers in libraries, Internet cafes, airports, and copy shops are an extreme security risk. While you can take steps to reduce these risks, it is still very dangerous to access sensitive client information on them. Start with the assumption that most public computers will have malware on them and let this govern your activities accordingly.

The following steps can reduce some of the risks associated with public computers:

• Try to turn on the “private browsing” feature.
• Watch for over-the-shoulder thieves who may be peeking as you enter sensitive passwords to collect your information.
• Uncheck or disable the “remember me” or “log in automatically next time” option.
• Always log out of websites by clicking "log out" on the site. It's not enough to simply close the browser window or type in another address.
• Delete your temporary Internet files, cookies and your history.
• Never leave the computer unattended with sensitive information on the screen, even for a moment.
• Never save documents on a public computer.

These measures will provide some protection against a casual hacker who searches a public computer you have used for any information that may remain on it. But keep in mind, a more sophisticated hacker may have installed a keylogger to capture passwords and other personal information entered on a public computer. In this scenario the above steps won’t prevent your information from falling into the hands of the hacker. This is why it is not a good idea to access sensitive client information or enter credit card numbers or other banking information on a public computer.

One other option to consider: if you allow remote access, have people travel with a device that has no client data or other sensitive information on it. They can use it to access client data in the office via remote access and if the device is lost or stolen there is no lost information to be concerned about.
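The remote access checklist above asks firms to limit remote access to approved people, remove it when staff leave, and review logs for unusual activity. The Python script below is an added example, not part of the original article, showing one way to run those three checks over a log; the log format, account names, office hours (07:00 to 19:00) and the five-failures-in-ten-minutes threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a made-up gateway log format (an assumption,
# not any vendor's real format). Addresses are documentation-only ranges.
SAMPLE_LOG = """\
2013-11-04T08:58:10 remote-gw result=OK user=alee src=198.51.100.7
2013-11-04T09:02:41 remote-gw result=OK user=tempclerk src=198.51.100.9
2013-11-05T02:11:03 remote-gw result=FAIL user=mchan src=203.0.113.45
2013-11-05T02:11:09 remote-gw result=FAIL user=mchan src=203.0.113.45
2013-11-05T02:11:15 remote-gw result=FAIL user=mchan src=203.0.113.45
2013-11-05T02:11:22 remote-gw result=FAIL user=mchan src=203.0.113.45
2013-11-05T02:11:30 remote-gw result=FAIL user=mchan src=203.0.113.45
2013-11-05T02:12:02 remote-gw result=OK user=mchan src=203.0.113.45
2013-11-05T10:15:00 remote-gw result=OK user=jdoe src=192.0.2.20
this line is malformed and must be counted, not silently dropped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ "
    r"result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def review_remote_access(log_text, approved, departed, office_hours=(7, 19),
                         max_failures=5, window=timedelta(minutes=10)):
    """Return (findings, unparsed_count); a finding is (time, user, reason).

    Assumes log lines are in chronological order. `approved` is the list of
    people who really need remote access; `departed` is staff who have left.
    """
    approved = {u.lower() for u in approved}
    departed = {u.lower() for u in departed}
    findings, unparsed = [], 0
    failures = defaultdict(deque)  # user -> times of recent failed logins

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1  # unreadable lines are reported, never ignored
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        user = m["user"].lower()

        # Access-list checks apply to every attempt, successful or not.
        if user in departed:
            findings.append((ts, user, "departed-staff-account"))
        elif user not in approved:
            findings.append((ts, user, "account-not-approved"))

        # Forget failures that fall outside the sliding time window.
        recent = failures[user]
        while recent and ts - recent[0] > window:
            recent.popleft()

        if m["result"] == "FAIL":
            recent.append(ts)
            if len(recent) == max_failures:  # report each burst once
                findings.append((ts, user, "failed-login-burst"))
        else:
            if not office_hours[0] <= ts.hour < office_hours[1]:
                findings.append((ts, user, "off-hours-login"))
            if len(recent) >= max_failures:
                # A success right after many failures may be a guessed password.
                findings.append((ts, user, "login-after-failed-burst"))
            recent.clear()
    return findings, unparsed


if __name__ == "__main__":
    found, bad = review_remote_access(SAMPLE_LOG, {"alee", "mchan"}, {"jdoe"})
    for when, who, why in found:
        print(when.isoformat(), who, why)
    print("unparsed lines:", bad)
```

A finding is a prompt for a person to look, not proof of an intrusion: an off-hours login may simply be a lawyer working late.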

11. Secure your mobile devices to protect the data on them

Lost or stolen laptops, smartphones and USB sticks are frequently involved in major data breaches. This is because they often contain large amounts of confidential or sensitive information (e.g., client data, firm and personal information, usernames and passwords, etc.) and they are also easily lost or stolen as they are small and very portable. You can significantly reduce your exposure to a breach involving a mobile device by doing the following things:

• Take steps to prevent mobile device theft or loss;
• Make it harder to access information on the device; and
• Configure remote “find and wipe.”

Preventing theft or loss

Here are some very easy ways to prevent the loss or theft of your mobile devices:

• Never leave your portable devices unattended in a public place. In particular, don’t leave them in your vehicle – even locked in the trunk is not safe;
• To be a less obvious target, use a briefcase or bag that does not look like a standard laptop bag;
• Inexpensive cable locks from Targus (targus.com) and others can help deter a casual thief, but are no obstacle for a determined thief with cable cutters; and
• If you are staying at a hotel, put the device in a safe in your room or at the front desk.

Making it harder to access data on the device

If a device is lost or stolen, you want to make it as difficult as possible for someone to access the information on it. This is very easy to do. As a first line of defence, you can enable the startup password. After enabling this feature, anyone turning the device on will be challenged for a password and they won’t be able to see any information on the device. Most laptops and smartphones have this feature. However, while this should protect the data on the device from the average thief or person that might find a lost device, someone with specialized knowledge can bypass these built-in password-protection features.

For an extra level of security you can use encryption, which scrambles the data on a device making it very difficult for someone to access it. Some devices have an encryption feature in the device operating system, and, if not, you can use a third party encryption program or app. Truecrypt is a widely used encryption tool that works on many different platforms.

You may want to keep in mind that current case law provides that law enforcement does not need the permission of a device owner to access information on a device that is not password protected.

Device locators and remote wipe

To prepare for the eventuality that one of your smartphones, tablets or laptops gets lost or stolen, you should enable or install device locator and remote wipe functionalities. These features are built in on some devices, and there are many third party programs and apps that do the same things. Using GPS technology or the tracing of IP addresses, you can potentially view the location of your device on a web-based map, sometimes along with where and when it was last used. Just in case the device is lost in your residence, you can also trigger a high volume ring to help you locate it, even if the device is on silent or vibrate. If the worst has happened and it appears that the device is permanently lost or was stolen, you can usually lock the device so no one can use it or access the data, and you can also remotely tell the device to do a factory reset, which will delete all data on it.

Beware of data theft with USB sticks

Tiny, high-capacity USB sticks are commonly used for moving data around. A combination of three things makes them a major security concern: (1) they are very easy to use, (2) they are compact, lightweight and ultra-portable, and (3) they can store huge amounts of information. They are, in other words, the perfect tool for a disgruntled or soon-to-be ex-employee who plans to easily and quickly steal firm data.

How do you protect yourself? Make sure you have appropriate security and access rights to confidential client and firm information on your firm’s computers and servers. Auditing file access may help you spot someone who is accessing information they should not. Consider disabling USB ports on firm computers used by people that have no reason to use USB sticks. Lastly, take extra care with employees who may be leaving the firm (see page 23).

12. Harden your wireless and Bluetooth connections and use public Wi-Fi with extreme caution

At home, coffee shops, restaurants, hotels, conference centers, airport terminals and many other locations, many of us use wireless and Bluetooth for our smartphones, tablets and even our computers without a second thought. While very convenient, anyone using wireless and Bluetooth should know that they are fraught with serious security issues. Unless you lock down your wireless network and devices, someone sitting in a car across from your office or home could easily find and connect to them. Hackers known as “wardrivers” actually cruise around looking for networks they can hack into. There are even websites that list “open” networks by street address.

Hardening your wireless networks

Use wireless with caution, and only after you enable all possible security features on your wireless routers and devices. The hub of your wireless network is a router. It connects to your Internet service provider through a telephone line or other wired connection. Anyone connecting to your wireless network through your router can likely connect to the web and quite possibly access other devices on your network.

Completing these steps will make it much harder for strangers to connect to your wireless network:

• use WPA or WPA2 (WPA2 is better) or 802.1x wireless encryption. WEP encryption is found on older devices and it is recommended that you not use it as it can easily be cracked;
• turn off SSID broadcasting;
• disable guest networks;
• turn on MAC filtering;
• change default router name and password; and
• disable remote administration.

More detailed directions for completing these steps can be found on the practicePRO website in the “How to enable the security settings on a wireless router” checklist.

Bluetooth vulnerabilities

Bluetooth technology makes it easy for keyboards, headsets and other peripherals to connect to smartphones, tablets and computers wirelessly. Although security is available for Bluetooth, many vendors ship Bluetooth devices in Mode 1 (discovery/visible-to-all mode) to make it much easier for people using the devices to connect to them. In this mode they will respond to all connection requests. This introduces a number of vulnerabilities, including making information on the device more accessible to hackers and making the device more vulnerable to malware installation.

LAWPRO FAQ

How do I get LAWPRO insurance coverage, now that I’ve been called to the bar?

Q. I have just been called to the Ontario bar, and will begin work for a law firm in a few weeks. I know I need insurance from LAWPRO – but that’s all I know! How do I get started?

A. The LAWPRO program of professional indemnity insurance is approved each year by the Law Society of Upper Canada, and coverage under the program is mandatory for lawyers in private practice. When new lawyers are called to the Ontario bar, the Law Society provides LAWPRO with their contact information, and LAWPRO sends each new call a package of materials that includes information about the LAWPRO program and how to apply for coverage or, in certain cases, exemption from the coverage requirement. Please note that you will not be automatically signed up for LAWPRO insurance coverage simply by virtue of being called to the bar. LAWPRO and the Law Society of Upper Canada operate independently of each other, and you must contact each entity separately if you need to report a change in contact information or a change in practice status.

Applications for coverage or for exemption can be made online via a secure portal at lawpro.ca.

If you are a new call and you have NOT received a package (for example, because you have recently moved), please contact LAWPRO’s customer service department to request a package.

More information

For more information about insurance requirements, exemption eligibility, run-off coverage, and other insurance issues, please visit the FAQ section of the LAWPRO website at lawpro.ca/faqs

If you have any questions regarding your coverage or practice status, please contact LAWPRO’s customer service department by email at [email protected], or by phone at 416-598-5899 or 1-800-410-1013.

LAWPRO Magazine | Volume 12 Issue 4 | lawpro.ca

To make your Bluetooth devices more secure, you should do the following:

• Configure devices so that the user has to approve any connection request;
• Turn off Bluetooth when not in use;
• Do not operate Bluetooth devices in Mode 1 and ensure discovery mode is enabled only when necessary to pair trusted devices;
• Pair trusted devices in safe environments out of the reach of potentially malicious people;
• Minimize the range of devices to the shortest reasonable distance;
• Educate your staff about how to safely use Bluetooth devices; and
• Consider installing antivirus and personal firewall software on each Bluetooth device.

Be extremely cautious with public Wi-Fi

Public Wi-Fi has become ubiquitous and a lot of people use it without a second thought. Unfortunately, there are major security issues with it. If you connect to a Wi-Fi network without giving a password, you are on an unsecured and unencrypted connection. On an unencrypted or “open” wireless network, anyone in your proximity can intercept your data and see where you are surfing (except if you are on an https website). Using an unencrypted connection to check the news or a flight status might be acceptable, but keep in mind that performing other activities is akin to using your speakerphone in the middle of a crowd.

Even worse, hackers will create fake Wi-Fi hotspots in public places to trick unwitting Wi-Fi users. “Free Starbucks Wi-Fi” may not be the legitimate Starbucks network. Connecting to a fake network puts your data in the hands of a hacker.

And don’t equate subscription (paid-for) Wi-Fi Internet with secure browsing. It may be no more secure than open Wi-Fi.

To avoid these dangers, it is best to avoid using public Wi-Fi hotspots altogether. Get a device that has mobile cellular capability, tether to your smartphone, or use a mobile Wi-Fi hotspot. This is a small Wi-Fi router you carry around that has mobile cellular functionality. It gives you a personal and private Wi-Fi cloud you can configure to securely connect your other devices to.

If you are going to use public Wi-Fi, here are some steps you can take to connect your device as securely as possible:

• If your firm has a Virtual Private Network or VPN, use it. This will encrypt your data and make it harder for it to be intercepted.
• Never connect without using a password (this means you are on an unencrypted network) and avoid using Wi-Fi that uses WEP encryption as it can easily be cracked. Use networks that have WPA, WPA2 (WPA2 is better) or 802.1x wireless encryption.
• Enable the firewall and run updated antivirus software on your device.
• Turn file, printer and other device sharing off.
• Disable auto-connecting so network connections always happen with your express permission.
• Confirm the network name in your location before you connect (i.e., avoid the Starbucks imposter).
• Use sites that have “https” in the address bar as they will encrypt data traffic (See “The S in https means you are on a safe and secure connection” on page 14).
• “http” sites transfer data in plain text and should be avoided as a hacker can easily read the data transmissions. You could use browser extensions or plugins to create https connections on http sites.
• Follow the best practices for safe and secure passwords (see page 30).

By taking these steps you can reduce your Wi-Fi risks, but you should save sensitive tasks like online banking for when you are on a network you know is safe and secure.

13. Be careful about putting your firm data in the cloud

Almost everyone has data in the cloud, although many people may not realize it. If you are using Gmail or another free email service, iTunes, Facebook, LinkedIn or other social media tools, Dropbox, or doing online banking, your data is in the cloud. The “cloud” is the very large number of computers that are all connected and sharing information with each other across the Internet. If you create or post information that ends up outside your office, you are most likely in the cloud.

Cloud computing offers many benefits to lawyers. There is a vast selection of services, software and applications that can assist with just about every task in a modern law office, in many cases allowing those tasks to be accomplished more efficiently and quickly. Many of these services permit remote access, thereby allowing lawyers and staff to work from anywhere with full access to all documents and information for a matter. Using these services is usually economical as they can significantly reduce hardware and software maintenance costs and capital outlays. Storing data with suitable cloud service providers will likely mean that it is more secure and better backed up than it might be in a typical law office.

However, placing your client or firm data in the hands of third parties raises issues of security, privacy, regulatory compliance, and risk management, among others. Firms should have a process in place to ensure due diligence is performed and all risks and benefits are considered before any firm data is moved to the cloud. The evolving standard from U.S. ethics rules and opinions seems to be that lawyers must make reasonable efforts to ensure any data they place in the cloud is reasonably secure. Contracts with any third party that is in possession of confidential client information should deal with relevant security and ethical issues, including having specific provisions that require all information is properly stored and secured to prevent inappropriate access.

The Law Society of British Columbia has a “Cloud Computing Checklist” that will assist firms in identifying the issues that should be considered when performing the due diligence on a cloud provider. When considering your options, keep in mind that a cloud product or service designed for lawyers may have been developed with the professional, ethical and privacy requirements of lawyers in mind.

14. Inside people can be the most dangerous

People inside your office have the greatest knowledge of your systems and where the important data is located. Many of the largest and most damaging cyber breaches have been caused by rogue or soon-to-be-departing employees. You should take steps to reduce the likelihood that a cyber breach will be caused by someone inside your office.

When hiring a new employee, make sure you are diligent. Carefully check their background and speak to references. Look for any red flags on an application letter or résumé, and watch for issues during the interview process. Watch for someone who is withholding relevant information, or who has falsified information on the application. Assess the overall integrity and trustworthiness of the candidate. Consider doing police and credit checks (after obtaining consent) as persons in financial difficulty may be under pressure and become tempted to steal your firm’s financial or information resources. Doing all these things can help you avoid hiring an employee who could be a problem.

When any employee leaves your firm, regardless of whether they are leaving of their own accord or are being terminated, ensure that your systems are protected. Keep a log of any mobile devices held by your staff (e.g., laptops, smartphones, USB drives, etc.) and ensure that they are recovered immediately upon termination. Immediately close all points of access to your office and computer systems, including keys and access cards, login accounts and passwords, email accounts, and − in particular − remote access facilities. If you discharge an employee who has access to critical company data, let them go without warning (you may have to give them a payment in lieu of notice), and don’t allow them any access to a computer after termination.

There are literally dozens of steps you should complete systematically to make sure all points of access for departed employees are closed down. See the practicePRO website for a detailed “Employee departure checklist”.

If you have given vendors, IT consultants, contract or temp staff access to your systems or networks, remember to change system passwords and revoke access rights when they have finished their work.

15. Be careful of the dangers of BYOD and family computers

In many firms, it is common for lawyers to use personal smartphones or tablets for work purposes. This is often referred to as “Bring Your Own Device” or “BYOD.” Lawyers or staff may also work at home and even access the office network from a personal home computer. Both of these practices raise significant cyber risks.

BYOD

Permitting staff to use their own smartphones or tablets makes great practical sense. They already own and are comfortable with the devices so the firm does not have to incur the cost of buying them or paying for wireless plans. However, if these devices connect to the office Wi-Fi or network, or if they are used to create documents that will be sent to the office, they can potentially deliver a malware infection to the office network.

Family computers

Young people have a very high exposure to malware as they are more likely to engage in many of the most dangerous online activities, including using social media, downloading programs, and file sharing. As a result, it is far more likely that any device children or teenagers are using is infected with malware. This is a concern because using a compromised computer for remote access to your office can bypass the firewall and other security mechanisms, potentially delivering a malware infection to the heart of your network.

To be absolutely safe, avoid using a home computer or other device for work purposes if it is used by others. Where a home computer is being used for work purposes, the steps outlined in this article must be followed to protect the office network and systems from cyber risks. Creating separate user accounts will make things more secure, but a better alternative is to have two partitions on your home computer. This essentially means there are two complete sets of software on the computer: one that only you would use, and one that others in the house would use.

Where a home computer or other BYOD device is being used for work purposes, the steps outlined in this article must be followed to protect the office network and systems from cyber risks. Staff education is key for reducing the risks associated with the use of personal equipment. Technology use policies should be in place to ensure all necessary steps are taken to address relevant cyber risks. See the practicePRO Technology Use Policies Resource page for sample BYOD and remote access policies.

16. A backup could save your practice after a cybercrime incident

Every law firm has huge amounts of irreplaceable data on its servers, desktop computers, laptops, tablets and smartphones. A cybercrime incident such as a malware infection or the hacking of firm systems could result in the destruction or loss of firm data. Having a current and full backup of all firm data will be essential for recovering from such an incident with the least possible interruption to a firm’s operations. And beyond any concern about a cybercrime incident, every law firm should have a current full backup of firm data as part of its disaster recovery plan.

When keeping past copies of backups, consider that firm systems could have an undetected malware infection for a considerable period. If you have an undetected infection, you may have to go back in time to get a backup that is clean or has uncorrupted data. For this reason, you may want to keep a series of past backups (e.g., daily for last week, end of week for last month, end of month for last 3 months, quarterly, etc.) so that you can do a complete and clean restoration of your data.

There are many options for doing data backups, including using a dedicated backup system, external hard drives or other portable media, or the cloud. Apple users can easily set up an automatic backup with Time Machine.

Our “Data backup options and best practices” article, available on the practicePRO website, can help ensure you have a current and full backup of all the data in your office.

Conclusion

Cybercrime is a real and present danger to you and your firm. LAWPRO strongly encourages Ontario lawyers to take this danger seriously and to take appropriate steps to reduce exposures to all relevant cyber risks. The “quick fixes” highlighted in the feature articles in this issue of LAWPRO Magazine will get you off to a good start with minimal cost and effort. At many firms, further time and work will be necessary. This extra effort is worth the investment as, at the very least, a cybercrime incident will be a costly and significant interruption to your firm’s business. And in a worst-case scenario, the financial and business interruption associated with a cyber breach could destroy your firm.

Dan Pinnington is vice president, claims prevention and stakeholder relations at LAWPRO.

Thanks to David Reid, CIO at LAWPRO, and Mike Seto, of Mike Seto Professional Corporation for their invaluable assistance.
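The staggered retention schedule from the backup section above (daily for the last week, end of week for the last month, end of month for the last 3 months, quarterly), worked through as an added Python example that is not part of the original article. The function names, the day-count windows and the one-year horizon for quarterly copies are assumptions made for illustration; the sample backup dates are constructed.

```python
from datetime import date, timedelta

# (tier name, window in days). The first three windows follow the schedule in
# the article; keeping quarterly copies for one year is an assumption, because
# the article leaves that horizon open ("quarterly, etc.").
TIERS = (
    ("daily", 7),
    ("weekly", 31),
    ("monthly", 92),
    ("quarterly", 366),
)


def bucket_key(tier, d):
    """Return the period a backup date falls into for the given tier."""
    if tier == "daily":
        return d
    if tier == "weekly":
        iso_year, iso_week, _ = d.isocalendar()
        return (iso_year, iso_week)
    if tier == "monthly":
        return (d.year, d.month)
    if tier == "quarterly":
        return (d.year, (d.month - 1) // 3 + 1)
    raise ValueError(f"unknown tier: {tier}")


def select_backups_to_keep(backup_dates, today, tiers=TIERS):
    """Map each backup date worth keeping to the tiers that retain it.

    Within each tier's window the newest backup of every period is kept, so a
    missed end-of-week or end-of-month run falls back to the last backup that
    does exist in that period.
    """
    keep = {}
    for tier, window_days in tiers:
        newest = {}
        for d in backup_dates:
            age = (today - d).days
            if not 0 <= age < window_days:
                continue  # future-dated, or older than this tier retains
            key = bucket_key(tier, d)
            if key not in newest or d > newest[key]:
                newest[key] = d
        for d in newest.values():
            keep.setdefault(d, []).append(tier)
    return dict(sorted(keep.items()))


def newest_clean_backup(kept_dates, infected_since):
    """Newest retained backup taken strictly before the infection began."""
    clean = [d for d in kept_dates if d < infected_since]
    return max(clean) if clean else None


if __name__ == "__main__":
    # Constructed sample: one backup per day for 400 days ending 2024-03-31.
    today = date(2024, 3, 31)
    backups = [today - timedelta(days=i) for i in range(400)]
    kept = select_backups_to_keep(backups, today)
    for d, why in kept.items():
        print(d.isoformat(), ",".join(why))
    print("to prune:", len(backups) - len(kept))
    # Malware present since 12 March but only noticed on 31 March.
    print("restore from:", newest_clean_backup(kept, date(2024, 3, 12)))
```

Passing `tiers=(("daily", 7),)` shows the failure case the article warns about: with only a week of daily copies, an infection that went unnoticed for longer than a week leaves no clean backup to restore from.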

Resources

Cyber security resources

• Get Cyber Safe Guide for Small and Medium Businesses from Government of Canada: Practical information and guidance for firms on cyber security risks and how to avoid them. There are other helpful resources and checklists on the GetCyberSafe.gc.ca website.
• Cyber Security Self-Assessment Guidance Checklist: A self-assessment template of cyber-security practices from OSFI that would be suitable for larger firms.
• Cyber Security Resources for Teachers page on Media Smarts website: Various information and tips sheets for consumer and personal cyber-safety.
• StaySafeOnline.org: Good general information and resources for staying safe while online.
• Microsoft Safety and Security Center page: General information on cyber-security.
• PCThreat.com: Comprehensive list of malware threats, tips on how to spot them and commentary on how to clean up if you are infected.
• Snopes.com – The Urban Legends page: A website that lists common email scams and .
• ICSPA Canada Cyber Study: Statistics and background information about cybercrime.
• Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age Report: A report by the Ponemon Institute that contains an overview of cyber dangers.
• Security Resources page on SANS.org: Extensive security information and resources on the site of this research and education organization.

Note: Live Links for these resources are available in the electronic version of this issue.

General technology resources

• Technology page on practicePRO website: Large collection of articles on the use of technology in the practice of law.
• Technology books published by American Bar Association’s Law Practice Division: Large collection of books on many technology topics. Many of these books are available in the practicePRO Lending Library (practicepro.ca/library).
• Law Society of Upper Canada’s Technology Practice Management Guideline: General guide on use of technology in a law practice.

CYBERCRIME means an incursion, intrusion, penetration, impairment, use or attack of a COMPUTER SYSTEM(S) by electronic means by a third party, other than the INSURED or the INSURED’S LAW FIRM.

COMPUTER SYSTEM means any electronic device, component, network or system, or any protocol, portal, storage device, media, or electronic document, or any computer software, firmware or microcode, or any associated technology which receives, processes, stores, transmits or retrieves data either locally or remotely, or any part thereof, whether stand-alone, interconnected or operating as part of an integrated system or process, for use by or on behalf of the INSURED and/or the INSURED’S LAW FIRM.

The LAWPRO $250,000 cybercrime coverage: What it covers and why

As of the 2014 policy year, the LAWPRO mandatory insurance program will include express coverage in the amount of $250,000 for losses related to cybercrime, as defined in the policy. This sublimit (or cap) of coverage provides a modest “safety net” for lawyers in the area of cybercrime exposure. We say modest because like the fraud risks the profession has faced over the years, there is no way to predict the total possible exposure, and prevention is a far better tool to deal with this societal risk than insurance.

In the specialized world of Canadian lawyers’ professional indemnity insurance, the most common approach so far has been to expressly exclude coverage for cybercrime losses. In considering what LAWPRO program protection should be made available to Ontario lawyers in 2014 regarding claims involving cybercrime, and what steps should be taken to better ensure that lawyers and law firms are aware of this growing exposure and what they might do to better protect their clients and themselves, consideration has been given to:

• The threat that cybercrime represents to clients and the viability of law practices in Ontario;
• The limited technology resources adopted to date by many members of the bar to comprehensively address cybercrime risks;
• The increasing availability of commercial business insurance to address the broader aspects of cyber risks;
• The growing and evolving nature of cyber risks and related need for increased awareness and active risk management by lawyers and law firms;
• The choices and options available to lawyers and law firms to reduce their vulnerability to cybercrime through adopting technology and security best practices;
• The potential impact of a systemic or catastrophic loss on the LAWPRO program and premiums charged to lawyers, especially if a group of law firms experiences a loss; and
• The need for LAWPRO to continue operating in a commercially reasonable manner and ensuring that risk-rating is maintained.

In late 2012, LAWPRO learned of a high-value cyber attack on an Ontario firm. The attack was highly sophisticated and complex, and was designed to permit the fraudster to gain direct access to a firm’s trust account using online banking privileges. This attack, and media reports of many others, have served to demonstrate the potential exposure of the insurance program to losses arising out of cybercrime.

After careful consideration of the potential risk, including the potential for clusters of such claims across law firms, it became clear to us that a two-pronged response was warranted. For the 2014 policy year, we have opted to 1) explicitly address cybercrime risk in the mandatory insurance program policy, and 2) take steps to educate the bar about cyber risks and to recommend that all lawyers take active steps to prevent cybercrime before it happens.

Thus, as of the 2014 policy year, the LAWPRO mandatory insurance program will include a sublimit of coverage in the amount of $250,000 for losses related to cybercrime as defined in the policy. See the sidebar for the definition of cybercrime, and the related definition of a computer system.

The LAWPRO insurance coverage for cybercrime claims is only one of several aspects of a fulsome and responsible response to a complex problem. We urge you to carefully reflect on the extent to which, despite the coverage available under our policy, you remain vulnerable to the potentially serious consequences of a cyber attack.

Remember that any losses from cybercrime that are not connected with the provision of professional legal services will not be covered under the LAWPRO policy. These losses could include damage to equipment or software, business interruption, and reputational harm. See “Other cyber risk insurance options: Do you have the coverage you need?” on page 26 for a basic overview of other types of insurance that firms may wish to consider to cover those risks or loss amounts that fall outside the LAWPRO policy.

However, even where a firm chooses to obtain other coverage, insurance against cyber losses should be viewed as a worst-case remedy, and not a regime of prevention. If businesses insure themselves without taking active steps to secure their computers and networks, cyber criminals will continue their efforts undeterred. Law firms and individual staff members and lawyers who work in them must educate themselves about cyber risks and take all reasonable steps to ensure that data and funds are securely protected. We hope that the content in this issue will serve as a useful resource in that regard.

Other cyber risk insurance options: Do you have the coverage you need?

The prevalence of cyber-related crime has been steadily increasing for a number of years. Many businesses invest heavily in the necessary IT infrastructure to protect their data, but despite best efforts and intentions, the frequent news stories in the press should serve as confirmation that breaches do occur.

The cost implications of having personal or financial information stolen are significant, especially for law firms, because the information they hold can be confidential and even privileged, and is often very sensitive. When you consider all the potential first- and third-party liabilities a major breach could place on a law firm, the extreme cost could put a financial burden on a firm that could destroy it.

Thus, from an insurance standpoint, it is paramount to consider whether your coverage is adequate. Keep in mind that the coverage afforded under the LAWPRO policy is subject to eligibility criteria and to a modest sublimit of coverage.

The evolution of the cyber insurance policy has made significant strides in recent years. The most common element of coverage found within cyber and privacy liability policies is for claims brought against you arising as a result of a breach. This would include legal defence costs and indemnity payments, and is provided on an “all risks basis.” Some current extensions of coverage include protection against the spread of computer viruses, or in the event that your systems are used to hack a third party. Many policies have been extended to include first-party costs to comply with breach notification laws in different jurisdictions. Finally, cover can also be included for voluntary security breach notification which will help mitigate an impact upon the company’s brand or reputation.

Coverage has also evolved to take into consideration the outsourcing of data storage to third-party cloud providers. While this endorsed coverage is still in its infancy, there are some insurers that are able to consider this type of risk.

Canadian Underwriter Magazine recently reported on a 2011 research study from NetDiligence, which found that the average cost of a data breach was $3.7M. The study found that the largest component of the costs related to the legal damages, with the average defence costs being $582,000, and the average cost of settlement being $2.1M.

The implications of not handling a breach properly, measured by way of reputational harm to your organization, are costly. If that client trust is lost, it will certainly impact the gross revenue of your firm in terms of lost clients. With client acquisition being far more costly than client retention, having a plan in place to mitigate that reputational risk is very important.

Cyber and network liability policies have built in a solution for these types of situations. Many policies commonly offer limits of coverage for crisis management. The costs associated with hiring public relations consultants and costs to conduct advertising or PR activities are all things that can be built into a cyber policy.

Traditional insurance policies may offer a limited amount of coverage for cyber-related exposures, but it is important to understand the implications of relying on coverage that is not necessarily designed for a specific exposure. Property policies may not cover the loss of “data” because it may not be considered real or personal property. General liability policies are intended to cover bodily injury and property damage scenarios, and would not extend to cover network implications. Finally, in addressing these exposures, you should take into consideration liabilities that will fall outside the coverage offered by LAWPRO’s cybercrime sublimit.

As legislation changes and the breach notification requirements in Canada evolve, so too will the costs associated with damage from hackers, breaches, cyber extortion, and other cyber-related .

Don’t underestimate the costs your firm might incur in the event of a data breach. Reinforce the long-term security of your firm by ensuring it has taken adequate precautionary measures, has contingency plans in the event that something does occur, and has appropriate insurance in place to transfer and avoid the financial risks of a data breach.

Greg Markell, FCIP, CRM is an account executive with Jones Brown Inc. ([email protected])

While there are variations from provider to provider, insurance companies that offer cyber risk policies may include coverage for:

Lawsuits or claims relating to

• inadvertent disclosure of confidential information
• intellectual property and/or business secrets infringement
• damage to reputation
• liability related to damage to third party systems
• impairment to access to systems or information

And/or costs related to

• privacy notifications, if required
• crisis management activities
• online and/or electronic business interruptions
• electronic theft, communication, threats and/or vandalism

LAWPRO FAQ

Reporting changes to information and changes in status to LAWPRO and to the Law Society of Upper Canada (LSUC)

Q. As of last month, I have left private practice to become a law professor. I advised the Law Society of this change, and have been advised that I will be eligible to pay the non-practising lawyer membership fee. However, I continue to receive emails from LAWPRO reminding me to renew my professional indemnity insurance. I thought that as an educator, I was exempt from the insurance requirement. What’s going on?

A. It appears that you have not notified LAWPRO of your change in practice status. If you’re changing firms, contact information, or changing your status (going into or out of private practice), you should be sure to notify both LAWPRO and the Law Society separately of these changes. LAWPRO and LSUC maintain completely separate information databases and, in keeping with their respective mandates, generally do not share information that lawyers may consider confidential or proprietary. If you meet the exemption criteria, you should amend your status by completing an Application for Exemption, and forward it to LAWPRO for processing.


Be ready with an Incident Response Plan

Because a cybercrime attack can cause irreparable harm, law firms should be prepared to take action immediately. Being able to do this requires an Incident Response Plan, or IRP.

An effective IRP can put a firm in a position to effectively and efficiently manage a breach by protecting sensitive data, systems, and networks, and to quickly investigate the extent and source of the breach so that operations can be maintained or promptly restored. Many firms design IRPs so that they address inadvertent breaches as well – for example, a lost USB key, or a misdirected email. An IRP can help avoid many of the pitfalls of an ad hoc response, such as slow containment (leading to more widespread impacts and damage), lost productivity, bad press, client frustration, and even malpractice claims or discipline complaints.

A complete IRP addresses the detection, containment, and eradication of a cyber breach, recovery of normal operations, and follow-up analysis. When creating your plan, we encourage you to address the following issues:

Build an IRP team. Establish priorities. The size and composition of the team will In the event of a cyber attack, what should the vary depending on the size of your firm, but firm’s first priorities be? Presuming no staff are teams of all sizes should have a leader. If the in physical danger, a firm’s first priority is often firm employs IT staff, they will be key protecting the confidentiality of client information. members of the team. There should also Identify and rank your priorities (be sure to be representation from senior management, include the need to notify LAW PRO and/or your from the firm’s main practice groups, and from the communications cyber risk insurer), and design your response and human resources departments, if these exist. Roles and accordingly. For example, the IRP may specify the order in which responsibilities for all team members should be documented in servers and services will be restored. Ensure that business objectives the firm’s plan. Where necessary, team members should be trained and priorities are met while negative effects on users are minimized. in the procedures required under the plan.

Be ready to investigate.
To be able to respond appropriately, you will need to understand the nature and extent of the cyber attack or breach. If you have an IT department, there may be individuals on your staff with sufficient knowledge of forensic investigation to isolate the problem. Firms without an IT department should identify, in advance, the provider that would be contacted to investigate a breach, and record this contact information in the IRP.

Remember – non-IT staff may be the first to discover a cyber incident. Encourage your staff to report indications of trouble. See “How to recognize your computer is infected with malware” on page 16. In the event that a third party (for example, a client) detects a problem – for example, by receiving a phishing email – you should ensure that it’s easy for third parties to identify the appropriate contact person to whom to report the issue.

Have a communication plan.
Prompt and effective internal communication is essential to an effective incident response. The IRP should have a “call tree” with current contact information that will govern communication between staff should an incident occur when many are out of the office. Contact information for outside IT and other service providers should be documented in the plan and kept up to date. It is useful, where the firm is trying not to immediately tip off the intruder, to avoid email communications – in these cases, phone, text, BlackBerry Messenger, or fax communication should be preferred.

It is useful to have a list ready in advance of outside parties who should be notified, along with current contact information. These parties may include the police, clients, insurers, credit card companies, a public relations firm, and your Internet service provider (be sure you have a current contact list saved outside your usual system).

Be technically prepared.
While the details of breach prevention protocol are beyond the scope of this article, some of the basic protective steps firms can take are:
• create an inventory of computing resources;
• back up systems and data daily;
• create an offsite record, updated regularly, of client and service provider contact details;
• create a software archive and a resource kit of tools and hardware devices;
• create redundancy capacity for key systems;
• prepare a checklist of response steps;
• log and audit processes;
• use automated intrusion detection systems and a secure firewall; and
• use secure mechanisms for communication.

Have a containment plan.
As soon as a problem is identified, be prepared to make decisions about how to contain damage. IRP team members should have authority to lock down accounts and change passwords, to determine whether and which systems need to be shut down or isolated, and how to decide when it’s safe to restore operation. It is useful for IRP members to document events and responses as they unfold – this record will be invaluable for the analysis of the attack once it’s over.

Effectively eradicate threats.
Once the damage is contained, the firm will need to be prepared to resolve the incident by identifying and correcting all breach points, and eradicating all intruder leavings (malware, etc.). This is a complex and sometimes tedious process that may require external help.

Analyze the incident and the effectiveness of your response to help prepare for the next event.
Once the threat has been contained and then eradicated, the incident should be thoroughly analyzed. How did the intruder get in? What was he/she looking for? What did he/she accomplish?

You should also review the effectiveness of the firm’s response. If there were any areas of confusion or parts of the plan that didn’t work well, consider how those aspects of the IRP might be improved, so you’ll be better prepared for the next attack when it happens.

While it takes some time and effort to create an IRP, being ready to respond to an incident in a coordinated and effective way can reduce damage to records and systems and minimize the impact of a cyber attack on your firm’s productivity. Because the panic associated with a crisis can lead to errors and missed steps, it is much better to have thought these issues through calmly beforehand.

Nora Rock is corporate writer and policy analyst at LAWPRO.

tech tip

Keeping your passwords strong and secure

Computer passwords are the keys that “unlock” our computer and network systems. We all have more passwords than we can remember. This tends to make us a bit lazy. We use obvious and easy-to-remember passwords – even the word “password” itself. Or worse: we don’t use them at all. Bad password habits are often one of the weakest links in data security schemes. Cyber criminals know and exploit this fact.

For this reason it is critical that all lawyers and staff in a law office use passwords, and use them properly. This article reviews the steps you need to take to protect the confidentiality of your passwords, and how you can create passwords that are harder to guess or determine.

Many of the password best practices mentioned in this article are very easy to implement – review them with your lawyers and staff.

Can you keep a secret?
Passwords don’t work if they aren’t secret. Unfortunately, people get careless and don’t always keep their passwords confidential. These are the things you can do to keep your passwords secret.

Never ever tell anyone your passwords: This includes your IS support person (they can force a reset if they really need to access your account). And, make sure no one is looking over your shoulder when you are typing a password. If more than one person knows about a password, it isn’t a secret anymore.

Never write down your passwords, especially on your monitor: Is this not the same as leaving the keys for your car in the ignition? Take a walk around your office and see how many passwords you can find on little notes taped to monitors or keyboards. If you absolutely have to write down some of your passwords to remember them, don’t write them out exactly. Write without an obvious reference to the account they apply to, and so they have to be translated in some way. Add or delete a character, transpose letters, or vary them some other consistent way which only you can figure out.

Don’t save passwords on your computer hard drive: It is not uncommon for people to create a document with all their passwords in it on their computer. This file can be located in seconds with a hard drive search, especially if it is called password.doc or if it contains the word “password” or other related terms like “username.”

Use a password manager: If you must store passwords on your computer or smartphone, use a password manager. These handy programs remember and enter passwords for you and they are stored in an encrypted form so that they can’t easily be accessed. Widely used password managers include 1Password, LastPass, and RoboForm. Some password managers let you sync and use your passwords on multiple platforms and devices across the web. Very convenient, but depending on your personal preference and the work you do, you may want to be cautious about putting your passwords in the cloud. Make your password manager password extra complex! (And make sure you don’t forget it.)

Use biometric scanners: Some laptops and the most recent iPhone have built-in biometric scanners that give you access to a device or other logins with a swipe of your finger or by facial recognition. These scanners help you avoid the need to remember passwords.

Don’t use the same password for everything: This is very tempting, but is also very dangerous as anyone that figures out your password can get easy and instant access to all your other accounts. Use a unique password for each program, especially for very sensitive things like your network logon, remote access to networks or bank account logons. You also shouldn’t use the same passwords for home and work purposes or on the administrator and user profiles on the same computer.

Change passwords on important accounts on a regular basis: For critical things like your computer and bank account, you should change your password every 60 to 90 days. This will foil a lurking hacker that has your password unbeknownst to you.


Change any compromised password immediately: Do this even if you only suspect a password has been compromised. Again, this is to foil a lurking hacker.

Don’t use the “remember password” feature: Be wary of dialog boxes that present you with an option to save or remember your password. These can appear in your web browser and for remote access. By selecting this option you give unchallenged access to accounts to anyone sitting down at your computer.

Use two-step authentication
Using two-step authentication on sites that offer it will help to increase the security of your online information. Two-step authentication is a process involving two stages to verify the identity of someone trying to access online services.

You are already using two-step authentication if you withdraw money from an ATM. To access an ATM, you need two things: the ATM card and a personal identification number or PIN. If you lose your ATM card, your money is still safe; anyone who finds the card cannot withdraw money if they do not know your PIN. The same is true if someone knows your PIN and does not have the card. This second layer of security is what makes two-step authentication more secure.

More and more websites are offering two-step authentication, including Google, Facebook, Apple, Dropbox, Twitter, Microsoft, Amazon, Evernote, WordPress and Yahoo! Mail. You should enable two-step authentication if you are using one of these services.

Many of these sites have also added a feature that notifies you by email or text message if your configuration has been changed. In some cases you have to confirm the change for it to remain in effect. This protects you in the event a hacker gets into your account. If the hacker changes your password or other settings on the account, you get an email or text message notifying you of the change and you have the ability to prevent it from happening. Enabling this feature on any of your accounts that have it will help prevent those accounts from being taken over by a hacker.

Creating “strong” passwords
When you pick a password, you can’t just use any password. It shouldn’t be anything obvious and easy to guess, either by a human or a computer. Password-cracking tools continue to improve and they use one of three approaches: intelligent guessing, dictionary attacks and automation.

Intelligent guessing involves using words, phrases and key combinations that people commonly use as passwords. Intelligent guessing works reasonably well because most people use simple and obvious passwords (e.g., password, 12345, qwert, etc.). Dictionary attacks cycle through a complete list of words from one or more languages. Automated (or “brute force”) attacks try every possible combination of letters, numbers and other characters. Given enough time, the automated method can crack any password. The computers we have today are much more powerful so passwords that used to take months to crack can now be cracked in days or hours.

So, your challenge is picking a password that is hard to break because it isn’t short, obvious or a common word. This is called a “strong” password. For a password to be strong it should:
• Not contain your name or your computer user name;
• Not be a word associated with you (e.g., your spouse or child’s name, street name, etc.)
• Not be a common word, name or phrase;
• Be significantly different from any passwords you have used previously;
• Be at least 12 characters long, and longer is even better;
• Have at least one symbol character in a position other than the first and last;
• Contain at least one character from each of the following four groups:
  a. uppercase letters A, B, C, ...
  b. lowercase letters a, b, c, ...
  c. numerals 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  d. symbols (all characters not defined as letters or numerals, including: ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /)

The best practice is to create a unique, complex and random password for every service you use. There are online tools that will create passwords with totally random characters. While these will be stronger, you will likely have to use a password manager to remember them.

Passphrases can help you remember complex passwords
If you follow the advice in the previous section, your password will be an unreadable mix of letters, numbers and characters. While good for security, they will be hard to remember. Consider using a “passphrase” to remember complex passwords. A passphrase is a mix of letters, numbers and characters that has a translation that makes it easier for you to remember the correct sequence. Here are some sample passphrases:
• !am@#1DJ!nuSSr “I’m a number one DJ in Russia”
• Rm@j0risKrayz “Our major is crazy”
• l@wPR0!sgr8! “LAWPRO is great!”

Using strong passwords can help you better protect the confidentiality of client and firm data and systems. Encourage everyone at your firm to make sure all their passwords are strong and secure.

Dan Pinnington is vice president, claims prevention and stakeholder relations at LAWPRO.
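The rules in the “strong” password list that a program can check, written out as an added example (not part of the original article). The substitution table, the three-word denylist and the 0.6 similarity cut-off are assumptions chosen for illustration; the point it shows is that a password can satisfy every length and character-group rule and still be a common word underneath.

```python
import difflib

MIN_LENGTH = 12  # the article's minimum length

# Constructed sample denylist built from the weak passwords the article names;
# a real check would load a much larger list.
COMMON_WORDS = ("password", "12345", "qwert")

# Assumed character substitutions to undo before the word checks.
DELEET = str.maketrans(
    {"@": "a", "0": "o", "1": "i", "!": "i", "3": "e", "$": "s", "5": "s"}
)

TOO_SHORT = "shorter than 12 characters"
MISSING_GROUP = "missing a character group: "
EDGE_SYMBOL = "no symbol in a position other than the first and last"
PERSONAL = "contains a name or word associated with the user"
COMMON = "based on a common word or keyboard pattern"
REUSED = "too similar to a previously used password"


def is_symbol(ch):
    # The article's definition: every character that is not a letter or numeral.
    return not ch.isalnum()


def check_password(candidate, personal_terms=(), previous_passwords=(),
                   similarity_limit=0.6):
    """Return the list of rules the candidate breaks (empty list = passes).

    personal_terms: names, user names and other words tied to the user.
    similarity_limit: assumed cut-off for "significantly different".
    """
    problems = []
    lowered = candidate.lower()
    plain = lowered.translate(DELEET)  # "p@ssw0rd" becomes "password"

    if len(candidate) < MIN_LENGTH:
        problems.append(TOO_SHORT)

    groups = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "numeral": any(c.isdigit() for c in candidate),
        "symbol": any(is_symbol(c) for c in candidate),
    }
    problems.extend(MISSING_GROUP + name for name, ok in groups.items() if not ok)

    # At least one symbol must sit somewhere other than the first or last position.
    if not any(is_symbol(c) for c in candidate[1:-1]):
        problems.append(EDGE_SYMBOL)

    # Name and common-word checks run on both the raw and the de-substituted text.
    terms = [t.lower() for t in personal_terms if t]
    if any(t in lowered or t in plain for t in terms):
        problems.append(PERSONAL)
    if any(w in lowered or w in plain for w in COMMON_WORDS):
        problems.append(COMMON)

    # "Significantly different from any passwords you have used previously".
    for old in previous_passwords:
        ratio = difflib.SequenceMatcher(None, old.lower(), lowered).ratio()
        if ratio > similarity_limit:
            problems.append(REUSED)
            break

    return problems


if __name__ == "__main__":
    # Constructed candidates; none of these should be used as a real password.
    for pw in ("password", "P@ssw0rd!2345", "Rmaj0risKrayz!"):
        print(pw, "->", check_password(pw) or "passes the checkable rules")
```

A candidate that returns an empty list has only passed the rules a program can see; whether a word is associated with you still depends on what is supplied in `personal_terms`.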

Could this happen to you? Would you take the bait on a phishing scam?

“Phishing” is one of the most common scams that cyber criminals use because it can produce spectacular results with very little effort or expense on the part of the hacker. Phishing involves the use of an email, text message or phone call that appears to come from a trusted source or institution, vendor or company, but is actually from a third-party impostor. Phishing messages are intended to trick you into giving cyber criminals your information by asking you to update or confirm personal or online account information. Personal information and identity theft and/or payment scams are the motives behind most phishing scams. Thousands are phished – criminals only need one or two dupes to make it pay off.

Cyber criminals do their best to make phishing messages look official and legitimate. They will mimic real communications from the company or entity they are supposedly from by using the same layout, fonts, wording, message footers and copyright notices, etc. as official messages. They will often include corporate logos and even one or more links to the alleged sender’s real website.

To make it more likely you will fall for the scam, phishing messages commonly involve urgent scenarios. They may suggest that you must reset your password because your account has been compromised by hackers or they may request that you login to your account to review an invoice or deal with an outstanding payment. Another common phishing scam is a call from someone claiming to be from Microsoft who will tell you your computer is infected and that you must go to a special website to download an update that will fix the problem. Phishing scams can also be a request to complete a survey or to give information to collect a prize you have won. They can also be requests for money supposedly from someone you know (see the “stuck in London” example on the next page).

Many phishing messages will include a link or attachment that you are asked to click so you can update your information. After doing so, the webpage or attachment you will see (which will also have text and logos to make it look official) will prompt you to enter your name, account number, password and other personal information – thereby giving it to cyber criminals.

To make matters worse, clicking on links or attachments in phishing messages often causes malware to be downloaded to your computer as well.

Could it happen to you? Would you fall for a phishing scam?

As you consider these questions, see the next page for some sample phishing messages.

How to spot phishing messages
Phishing scams work because some people are gullible. If you get a phishing message from a bank and you don’t have an account there, you aren’t likely to fall for the scam. However, if you have an account at that bank, the message may look legitimate to you and you are more likely to fall for the scam. Here are some clues that can help you recognize a phishing message:
• The link you are asked to visit is different from the company’s usual website URL (see the next paragraph).
• The main part of the sender’s email address is not the same as the company’s usual email address.
• Bad spelling and poor grammar.
• Nonsensical or rambling content.
• The promise of receiving money or another big prize.
• Anyone asking for money – even if you know them (see the “stuck in London” message on the next page).

Checking the link you are asked to go to is one of the best ways to confirm that a message is a phishing scam. Place your mouse over the link you are asked to go to (but don’t click on it!) and look at the taskbar in your browser window (usually at the lower left). It will show you the URL of the link. It should start with the proper characters in the proper website (e.g., lawpro.ca) and not a URL that appears unrelated (e.g., http:://12.67.876/aed/1234/bnklogin). An unrelated URL virtually guarantees it is a phishing scam. Watch for small differences: “lawpro.com.tv” seems close, but is different!

Never respond to “phishing” requests for personal information in the mail, over the phone or online. Most importantly – this is probably the most common way that personal information is stolen – never ever reply to unsolicited or suspicious emails, instant messages or web pages asking for your personal information (e.g., usernames, passwords, SIN number, bank account numbers, PINs, credit card numbers, mother’s birth name or birthday), even if they appear to be from a known or trusted person or business. Legitimate businesses should never send you an email message asking to send your username, password or other information to them in an email message. If in doubt, call the company yourself using a phone number from a trusted source. Don’t use the number in the email – it could be fake too!

Dan Pinnington is vice president, claims prevention and stakeholder relations at LAWPRO.
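The link check described above, done in code instead of by hovering, as an added example that is not part of the original article. It reads each link in an HTML message, compares the real destination host with the domain you expect, and notes when the visible link text names the expected site while the link goes elsewhere. The sample message is constructed, 192.0.2.10 is a documentation-range address standing in for a numeric host, and treating the first label of the expected domain as the "brand" is an assumption.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def classify_host(host, expected_domain):
    """Return 'expected', 'ip-address', 'lookalike' or 'unrelated'."""
    host = (host or "").lower().rstrip(".")
    expected = expected_domain.lower()
    # Only the exact domain or a true subdomain counts as the proper website.
    if host == expected or host.endswith("." + expected):
        return "expected"
    try:
        ipaddress.ip_address(host)
        return "ip-address"
    except ValueError:
        pass
    # Assumption: the first label ("lawpro") is the name a lookalike would reuse.
    brand = expected.split(".")[0]
    return "lookalike" if brand in host else "unrelated"


def review_links(html_body, expected_domain):
    """Classify every http(s) link in the message against the expected domain."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for text, href in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue
        verdict = classify_host(parts.hostname, expected_domain)
        # The text shows the expected site, but the link goes somewhere else.
        text_claims_expected = expected_domain.lower() in text.lower()
        findings.append({
            "text": text,
            "host": parts.hostname,
            "verdict": verdict,
            "text_mismatch": text_claims_expected and verdict != "expected",
        })
    return findings


# Constructed sample message body for the demonstration.
SAMPLE_EMAIL = """
<p>Your account needs to be verified.</p>
<p><a href="http://192.0.2.10/aed/1234/bnklogin">https://www.lawpro.ca/account</a></p>
<p><a href="http://lawpro.com.tv/update">Update your information</a></p>
<p><a href="https://www.lawpro.ca/magazinearchives">Magazine archives</a></p>
"""

if __name__ == "__main__":
    for finding in review_links(SAMPLE_EMAIL, "lawpro.ca"):
        print(finding)
```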

Sample phishing scam messages

practice tip

Draw clients a roadmap to avoid communication claims

Our readers should now be well aware that problems with lawyer-client communication are the number one cause of malpractice claims. Managing communication takes patience and effort: at one extreme of the spectrum, responding to calls and messages from clients who want constant contact can be frustrating; while at the other end, trying to get absentee clients to update instructions or produce necessary documents can be time-consuming. How can you get the lawyer-client exchange off on the right foot from the beginning of a retainer, so that you don’t feel either bombarded or ignored?

It helps to remember that the reason clients may communicate too much – or too little – can be that you’ve left them in the dark about how their matter is likely to proceed.

As lawyers, we sometimes forget that many clients have no frame of reference – other than movies or television – for what will happen in a typical legal matter. They may not know what the steps are, how long it will take, or how much it will cost. Common assumptions that lawyers make based on experience – for example, that the chance of an action going to trial is less than 20 per cent (or whatever it might be, in your practice area) – are not common knowledge to many clients. It’s not surprising that, when the progress of a matter turns out to be slower, different, or more complicated than the client had expected, the phone starts to ring or the inbox to bulge.

You can improve your communication with clients and at the same time avoid malpractice claims by making the effort, at the beginning of each retainer, to provide the client with an overview or “roadmap” of how the matter can be expected to proceed. A good overview includes the following information:

• The typical steps and stages involved in the particular type of matter. Remember that a client may have had occasion to obtain legal services before, for a completely different type of matter, and may be assuming that this one will work the same way. You may find yourself explaining that a labour grievance is as similar to estate litigation as a goat is to a gorilla… they’re both mammals, but beyond that…;
• An explanation of with whom the client will work at each stage. For example, if your legal assistant typically assists in the data-and-document-gathering stage of matters, let the client know that she will be hearing from the assistant; or if you handle family law agreements but refer away cases headed for trial, make sure the client knows this;
• A description of the assistance and participation you will need from the client (will she need to obtain documents from her employer? Undergo a medical examination? Attend at discoveries?);
• How long on average it takes to complete each stage in the particular kind of matter – as well as what the short and long ends of the range might be – and whether there are delays the client should know about (for example, clients may not know that a court can reserve a decision at the end of a trial, and may be shocked that they won’t know the outcome until weeks or months later);
• Information about the impact of certain strategic decisions on the complexity, duration, and cost of a matter. Make sure that a client understands that time is money, and he should take into account the cost savings associated with early settlement when assessing the adequacy of settlement offers;
• The difference between fees and disbursements, and the general range for the expected overall costs (but be careful – many clients may hear and remember what you say about the lower end of the range more clearly than they remember the high end!); and
• The fact that, in a litigation matter, an unsuccessful party may be required to pay part of the successful party’s costs.

This is just a suggested list, and deciding what belongs in the roadmap you draw will necessarily vary depending on what kind of legal work you do. For clues about what you need to include, pay attention to what kinds of questions you find yourself answering over and over in your communications. If you do legal work that follows a fairly predictable pattern (for example, residential real estate), you may even want to commit portions of this roadmap discussion to writing, in the form of a client handout – as long as you realize that handouts can never replace personal communication. A handout eliminates some opportunities for clients to raise important questions, and skimping on personal communication may make a client feel ignored – a recipe for trouble. For an example of a client handout precedent, see Hon. Carole Curtis’ (former family lawyer, now a Justice of the Ontario Court) “Administrative Information for New Clients,” available at practicepro.ca.

Finally, regardless of the content of your overview, you can improve the quality of your communication with clients by remembering to communicate just two pieces of information at the conclusion of every communication. No matter the reason for the call, visit, or email, always be sure that by the end of the contact, the client knows the answer to these two questions: ‘what happens next?’ and ‘when will I hear from you?’ Even if the answer is merely ‘now, we wait; you’ll hear from me when the other party makes a move’, knowing where things are going reduces uncertainty, leaves the impression that a strategy is unfolding, and reaffirms that the lawyer will be in touch.

Nora Rock is corporate writer and policy analyst at LAWPRO.

book review

The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals
Jill D. Rhodes and Vincent I. Polley

“There are two types of firms: those that know they’ve been (cyber) attacked and those that don’t,” says Jill Rhodes, co-author along with Vincent Polley of The ABA Cybersecurity Handbook. The book is an initiative of the ABA Cybersecurity Legal Task Force that was created in 2012 to bring together the legal community and private sector to help secure law firm computer systems.

As described throughout this issue of LAWPRO Magazine, law firms (as well as government and in-house lawyers) are tempting targets because of the wealth of confidential information they have about their clients, such as strategic business data, proposed mergers and acquisitions, intellectual property and information obtained through e-discovery in the course of litigation. And it isn’t just hackers that can cause these breaches: it could be disgruntled or duped employees, lost mobile phones with lax passwords, or accidental damage (e.g. a flood) to computer hardware resulting in a malfunction of security systems.

This book was written as a resource for lawyers in all practice settings to help them develop a cybersecurity strategy. There is no single solution for every firm, and developing measures to increase security and respond to breaches requires balancing legal requirements, firm resources, staff training, investments in technology and client needs.

The authors first look at why firms are vulnerable and what steps they should be taking to increase their cybersecurity. The underlying problem is that lawyers are experts on law, not technology, and often don’t have the kind of security arrangements big businesses or governments do. Data that was created in a secure environment can become exposed when it moves into the hands of a law firm with inferior security systems. Firms are under pressure to find efficiencies such as outsourcing, cloud storage and mobile devices, and each of these ways of dispersing client data adds another potential breach point. Lawyers and staff may also resist new security arrangements and the inconveniences these can bring.

At the same time, the authors point out that lawyers fundamentally understand the importance of client confidentiality, and that’s a good starting point to make them embrace the importance of improved cybersecurity. Also, clients will increasingly press firms to have security systems as strong as their own.

The book describes how firms should do a risk assessment and develop plans to not only prevent security breaches, but also deal with them when they happen (and firms should make the assumption that breaches will happen). This assessment would cover all of a firm’s data usage policies and the ways in which staff use and access confidential data. How to have a conversation with clients about data security (in terms of potential added costs and what to do in the event of a breach) would also be considered.

The next section of the book is an in-depth look at the legal and ethical obligations lawyers have to protect clients’ data. As the book was written for a U.S. audience, the rules and laws described apply to American lawyers. However the basic principles would apply to Ontario lawyers, who will want to consider the Law Society Rules of Professional Conduct and bylaws as well.

The remainder of the book looks at how firms of various sizes can implement cybersecurity strategies. Small firms will have the flexibility to adopt new technologies and practices quickly, but may struggle with the costs, while large firms would have the opposite challenge. The authors also address how government and in-house lawyers can improve their levels of security.

For many firms, issues of cyber and data security have crept up on them in recent years, but recent high profile breaches of client information have added a sense of urgency. This book is a good resource for firms wanting to start a discussion with staff, clients and technical support providers about their own state of preparedness for a cyber attack or data breach.

Tim Lemieux is practicePRO coordinator at LAWPRO.

About the practicePRO Lending Library

The practicePRO Lending Library has more than 100 books on a wide variety of law practice management topics. Ontario lawyers can borrow books in person or via e-mail. A full catalogue of books is available online (practicepro.ca/library). Books can be borrowed for three weeks. LAWPRO ships loaned books to you at our expense, and you return books to us at your expense.

We have books on these topics:
• Billing & financial management
• Career issues
• Law firm management & administration
• Wellness & balance issues
• Marketing & client relations
• Solo & small firm issues
• Law office technology

For full descriptions of these titles, including downloadable tables of contents, go to practicepro.ca/library.

social media

LAWPRO has a corporate LinkedIn page, does your firm?

LAWPRO has had a corporate LinkedIn page for almost two years now. We find it a useful tool to connect with lawyers and other legal profession stakeholders. It allows us to easily share LAWPRO-related information with LinkedIn users.

As well as giving us a corporate presence and the ability to post updates, we have customized the “Products and Services” tab. On this tab we list seven items including: E&O insurance for Ontario lawyers, our practicePRO risk management program, TitlePLUS title insurance, excess insurance, LAWPRO Magazine, our corporate social responsibility program, and the AvoidAClaim blog. Each item has a brief description; together they give a good overview of our mandatory and optional insurance program options and our risk management materials and resources.

If you don’t have a firm page on LinkedIn you should consider creating one. LinkedIn highlights and shares information about the staff and lawyers from your firm that are on LinkedIn – and those that have left, as well – so it is a good idea to have a page for your firm. Did you know that if any one of your employees has a LinkedIn account and has added your company as an employer, LinkedIn will automatically create a generic business page? With over 225 million users on LinkedIn, there’s no better time to claim that page and customize it to start promoting your firm, the lawyers and staff who work there, and the services you offer. LinkedIn can also be a helpful recruiting tool.

Victoria Caruso is communications coordinator at LAWPRO.

Social media profile: Kathleen Waters

Kathleen Waters
President and CEO

When asked how Kathleen has seen social media shape the industry she works in, she responds:

“Social media allows us to be closer to our insureds and other influencers, and what could be better than that? We can see what they are interested in and they can see what we value as reflected in our posts. I receive more direct feedback from insureds about my social media efforts than any other aspect of my work at LAWPRO.”

Time at LAWPRO: 16 years

Kathleen has been active on Twitter and LinkedIn for the past two years.

Target audience:
• lawyers and paralegals
• real estate industry
• political stakeholders
• insurance regulators

Topics of interest:
• professional liability insurance for lawyers, including risk management and global insights
• LAWPRO updates, primary, excess and TitlePLUS programs
• real estate issues in Canada and the U.S.
• insurance industry updates
• lawyer and paralegal education
• charity initiatives of interest to lawyers
• occasional updates of interest to feminists

TECH TIP

Don’t take the bait on a spear phishing attack

By now, most lawyers are familiar with phishing attacks. For those who are not, phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an email. They take the form of a message, allegedly from your bank or an online retailer you deal with, that suggests your account has been compromised or that payment is overdue. Phishing scams are usually bulk emails sent to large numbers of people. Even if only two or three per cent of recipients fall for them, hundreds or even thousands of people can be victimized.

Like convincing bait, these messages include the same layout, logos and links as legitimate emails from these companies. Phishing messages try to create a sense of urgency and ask you to login to reset your password or verify a payment was made, etc. However, the link you click takes you to an imposter website that looks much like the familiar company site, but when you login you are actually giving your password or other personal information to the hackers. They will use your information for malicious purposes such as ID theft or .

Spear phishing attacks take phishing to a higher level. They are a concern to LAWPRO as Ontario firms have been targeted as have firms elsewhere.

The “spear” in spear phishing alludes to the fact that messages are targeted to specific individuals. Spear phishing messages are more convincing because they are personally addressed, appear to be from someone you already know, and may include other detailed personalized information.

In one case, a senior accounting staff member at a large firm received a request on an active file, purportedly from the firm’s managing partner, to send a bank account number and account signatures to a person in Europe so they could verify a certified cheque was from the firm. While spear phishing scammers will sometimes use public information from social media or the web to personalize the message, in this case, the fraudster seemed to know details about the matter that were not public. The email was even followed up with a phone call.

Thankfully, the person receiving the email noticed some irregularities: the email opened with an honorific and surname, notwithstanding that these two people had worked together for more than two decades and always addressed each other using their first names; the message used odd phrasing; and, on the call, the person had an accent that was incongruous with the ethnicity of the name used in the email.

Stay off the hook
Educate the lawyers and staff at your firm to make sure they will not fall for a spear phishing scam. Follow firm processes and procedures for the review and approval of financial transactions – and don’t bypass them due to urgent circumstances. Never share confidential client or firm information without being sure it is appropriate to do so by getting confirmation from someone familiar with the file. Be on the lookout for and question any last minute changes on fund transfers or payments.

For more advice on keeping your data safe and secure, see the Cybercrime and Law Firms issue of LAWPRO Magazine (practicepro.ca/cybercrimemag)

Dan Pinnington is Vice President, Claims Prevention & Stakeholder Relations at LAWPRO.

© 2016 Lawyers’ Professional Indemnity Company. This article originally appeared in LAWPRO Magazine “Serving Indigenous Clients” (Vol. 15 no. 1). It is available at www.lawpro.ca/magazinearchives The practicePRO and TitlePLUS programs are provided by LAWPRO

SOCIAL MEDIA

Social media profile: Nora Rock

Nora Rock
Corporate Writer & Policy Analyst

Time at LAWPRO: 5 years

Nora has been active on LinkedIN and Twitter for four years. She researches and writes articles, webzines, submissions and other documents for LAWPRO.

Target audience:
• Lawyers and law clerks from all areas of practice
• Legal and general media
• Academics, universities and colleges

Topics of interest:
• Law practice management
• Risk management
• Insurance industry regulations
• Health care policy and women’s issues
• Football

When asked what role social media plays in her job, Nora shared:

Twitter offers many benefits for a writer. It allows me to take the pulse of the legal profession and to research outside my usual area of focus. Just by seeing which accounts experts follow, I can identify issues, events and community resources. Twitter can be both a tailor-made community in which to exchange ideas with colleagues and a starting point for exploring new concepts.

Danger: When a hacker emails you instructions in the name of your client

The determination and energy of hackers knows no bounds. They show remarkable imagination and ingenuity in coming up with ever more devious ways to steal trust funds by duping lawyers.

As an example of this, we have recently seen several instances where a fraudster hacked into a client’s email with the intent to divert funds coming out of a lawyer’s trust account. After gaining access to the client’s email account, the hacker surreptitiously monitors emails going back and forth between the lawyer and the client. At the opportune time, usually just before a real estate deal is closing or the loan funds are to be advanced, the hacker sends an email redirecting where the funds should go. This change of instructions appears to be coming from the client via the client’s email, but if the lawyer follows these instructions, the money ends up going to the fraudster.

Our malpractice insurance colleagues from across Canada and the U.S. tell us they are also seeing examples of this type of fraud. We are aware of a variation where the lawyer’s email is hacked, and the instructions allegedly from the client are sent from a different email account that very closely mimics the client’s email address.

Communicating by email has become the norm for clients and their lawyers. Both lawyers and clients readily and unquestioningly accept the legitimacy of an email sent by their counterpart. That’s what makes this fraud work so well.

How do you protect yourself? At the start of the matter, get specific written instructions as to how funds will be transferred and where they will be going. If those instructions change, especially via an email at the very last minute, and/or the recipient of the funds seems odd (a red flag of fraud), seek confirmation of the instructions from the client through another communications channel (i.e., call them on the telephone).

And one other essential takeaway – this type of fraud can be prevented if people regularly change their passwords. Good advice for you and your clients.

Dan Pinnington is Vice President, Claims Prevention & Stakeholder Relations at LAWPRO.
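The red flags named in the article above (a sender address that closely mimics the client's, and payment instructions that change at the last minute) can be screened for before anyone acts on an email. The following Python code is an added example, not part of the original article or any LAWPRO tool; the matter record, field names, addresses, account numbers, reason codes and thresholds are assumptions constructed for illustration.

```python
import re
import unicodedata
from datetime import date
from difflib import SequenceMatcher

# Look-alike substitutions (constructed and deliberately short, not exhaustive):
# digits for letters, plus Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0456": "i"})
PAYMENT_TERMS = re.compile(
    r"\b(wire|transfer|account|bank details|iban|swift|payee|redirect)\b", re.I)
# Runs of 6 or more digits, spaces or dashes allowed. Dates and phone numbers
# can match too; the check errs toward asking for confirmation.
ACCOUNT_NUMBER = re.compile(r"\b\d(?:[ -]?\d){5,}\b")
LAST_MINUTE_DAYS = 3   # assumption: how close to closing counts as "last minute"


def skeleton(address):
    """Fold an address to a comparison form so visually similar strings collide."""
    text = unicodedata.normalize("NFKC", address).strip().lower()
    text = text.translate(CONFUSABLES)
    return text.replace("rn", "m").replace("vv", "w")


def classify_sender(sender, addresses_on_file):
    """Return 'match', 'lookalike' or 'unknown' for a sender address."""
    sender_raw = sender.strip().lower()
    known = [a.strip().lower() for a in addresses_on_file]
    if sender_raw in known:
        return "match"
    for address in known:
        same_skeleton = skeleton(sender_raw) == skeleton(address)
        near = SequenceMatcher(None, sender_raw, address).ratio() >= 0.9
        if same_skeleton or near:
            return "lookalike"
    return "unknown"


def review_message(message, matter):
    """Return reason codes; any code means: confirm by telephone before paying."""
    reasons = []
    body = message["body"]
    about_payment = bool(PAYMENT_TERMS.search(body))
    sender = classify_sender(message["from"], matter["client_addresses"])
    if sender == "lookalike":
        reasons.append("lookalike-sender")
    elif sender == "unknown" and about_payment:
        reasons.append("unknown-sender")
    # An exact sender match clears nothing: the client's own mailbox may be the
    # compromised one, so the content is compared with the instructions
    # recorded at the start of the matter.
    numbers = {re.sub(r"[ -]", "", n) for n in ACCOUNT_NUMBER.findall(body)}
    if about_payment and numbers - {matter["account_on_file"]}:
        reasons.append("changed-instructions")
    days_left = (matter["closing_date"] - message["received"]).days
    if about_payment and 0 <= days_left <= LAST_MINUTE_DAYS:
        reasons.append("last-minute")
    return reasons


# Constructed sample matter and messages (all names and numbers are invented).
MATTER = {
    "client_addresses": ["jane.doe@maplegrove.example"],
    "account_on_file": "1234567890",
    "closing_date": date(2017, 7, 28),
}
MESSAGES = [
    {"from": "jane.doe@maplegrove.example", "received": date(2017, 7, 27),
     "body": "Change of plans: please wire the proceeds to account 9988 7766 55."},
    {"from": "jane.doe@maplegr0ve.example", "received": date(2017, 7, 10),
     "body": "Can you send me the draft statement of adjustments?"},
    {"from": "jane.doe@maplegrove.example", "received": date(2017, 7, 20),
     "body": "See you at the signing on Friday."},
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["from"], review_message(m, MATTER) or "no flags")
```

The first sample message comes from the client's genuine address and is still held, which is the case the article describes: the sender check alone cannot detect a compromised client mailbox, so the telephone confirmation remains the control.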

Corporate/Commercial Claims Malpractice fact sheet lawpro.ca

Quick stats*
• Average 194 claims per year
• Average cost: $11.1 million per year
• Average cost per claim: $57,000
• 3rd largest claims area of law by count
• 3rd largest claims area of law by cost

While the number of LAWPRO claims involving corporate and commercial law has declined in recent years, the average cost for this type of claim remains the highest of all areas of law.

The most common source of corporate/commercial claims are lawyer/client communication issues. Claims occur because there are misunderstandings or when the client’s instructions are not followed. Complex law and complicated transactions seem to drive communication‐related errors in this area of practice. See the reverse page for common communication‐related claims scenarios.

[Chart: Common errors]

Also, lawyers practising in this area need to be especially vigilant of conflicts of interest. As compared to most areas of practice, conflicts of interest‐related claims are four times more frequent in the corporate/commercial area. Conflicts claims frequently arise when work is done for closely held corporations and it becomes unclear who the lawyer’s client is (e.g. the corporation or the individual shareholders or officers).

Costly claims also arise when tax issues are not recognized or when a lawyer undertakes tax work with insufficient expertise and/or advice from a tax expert.

See the reverse page for more steps that can be taken to reduce your exposure to a corporate/commercial‐related claim.

Speakers and resource materials
• We can provide knowledgeable speakers who can address claims prevention topics. Email [email protected]
• Visit practicepro.ca for resources including LAWPRO Magazine articles, checklists, precedents, practice aids, and our Checklist for Commercial Transactions.

Hot topics in corporate/commercial claims
• Not recognizing tax issues or undertaking tax work with insufficient expertise and/or advice from a tax expert.
• Conflicts of interest when acting for closely held corporations and individuals associated with them.
• Documents prepared or drafted do not reflect the client’s instructions and/or intentions.
• Mistakes arising when shortcuts are taken, often to keep fees down at the request of clients.

[Charts: Resolution of corporate/commercial claims; Average claims cost]

*All claim figures from 2006-2016. All cost figures are incurred costs (May 2017)

Corporate/Commercial Claims Fact Sheet

Risk management tips

Carefully document instructions, advice and steps taken.
Taking detailed notes and documenting client conversations can minimize misunderstandings. Claims often involve a dispute between the lawyer and client over what was said and done, or not said and done, or confusion over who was to look after which tasks. LAWPRO’s “Checklist for Commercial Transactions” has a detailed list of matters to consider when communicating with clients.

Follow the firm’s conflict checking system and take action on conflicts.
Most law firms now have rigorous conflicts checking systems that do a good job of catching potential conflicts. The problem is that these warnings are often ignored. Listen to your instincts, and ask yourself “who is my client”? You can’t always objectively judge your own conflicts, so get the opinion of someone outside the matter. Send clients for ILA when appropriate. Keep in mind that conflicts can unexpectedly arise in the middle of a matter. If there’s a real or potential conflict, decline or terminate the retainer, even if it means turning down work for a good client or turning down substantial fees. Taking steps to avoid the possibility of an expensive claim is the preferred course of action.

Take time to catch and consider all the details.
Whether it is misreading (or not reading) information on a corporate document, not doing a title search on a corporate lease matter, or failing to ensure that two merged corporations don’t lose a ‘grandfathered’ exemption, rushing or taking shortcuts can come back to haunt you. Take the time to do the job right, even if it takes a bit longer or involves coming back on another day. Make sure clients understand the risks if they instruct you to take shortcuts (usually to reduce fees), and that those discussions are documented. Do not be pushed into taking shortcuts that make you uncomfortable.

Do not dabble in areas outside your expertise.
Corporate/commercial law is complex and diverse, so don’t stray outside your area of expertise. If necessary, recommend your client retain the services of an expert in specialized areas like tax, IP or franchise law if you don’t have a thorough knowledge of those fields.

Most common malpractice errors

Communication‐related errors (41%)
• Failing to follow client’s instructions to file articles of amendment or articles of amalgamation.
• Failing to specify the limits of the retainer in writing, including which services the lawyer will perform and which actions the client or third‐party (e.g., an accountant) will take.
• Contents of document (e.g., a lease or shareholder agreement) do not reflect the client’s instructions (or those of outside expert, e.g., an accountant).
• Failing to document in writing that a client instructed you to take a course of action on a transaction that was different from the one you recommended.
• Retainer did not clearly specify work that was to be done by the lawyer and/or outside expert (e.g., accountant or tax expert).
• Minute book not kept up‐to‐date.
• Failing to inform a franchisor client about the disclosure requirements under the Arthur Wishart Act.
• Failing to explain to a client the consequences of a personal guarantee in a commercial lease, mortgage or other transaction involving security.

Inadequate investigation (16%)
• Provisions in lease and sublease(s) are not coordinated.
• Not doing a title search on a commercial lease matter.
• Misreading (or not reading) information on a corporate document or search result.

Conflict of interest (16%)
• Acting simultaneously for members of the same family and their business or corporate entities.
• Not sending client for ILA when appropriate.
• Acting for a corporate client and providing legal services on the side to an employee of the client.

Error of law (14%)
• Taking on a complex corporate transaction that the lawyer is not capable of handling, or failing to obtain specialist advice for specialized issues (e.g., tax or IP issues).
• Failing to properly protect a security interest or priority status under the Personal Property Security Act.

©2017 Lawyers’ Professional Indemnity Company. LAWPRO is a registered trademark of Lawyers’ Professional Indemnity Company. All rights reserved. This publication includes techniques which are designed to minimize the likelihood of being sued for professional liability. The material presented does not establish, report, or create the standard of care for lawyers. The material is not a complete analysis of any of the topics covered, and readers should conduct their own appropriate legal research.

Criminal claims Malpractice fact sheet lawpro.ca

Quick stats*
• Average 38 claims per year
• Average cost $718,500 per year
• Average cost per claim: $18,800
• Average 2 years before claim reported
• Longest claim reporting time: 21 years

LAWPRO sees a lower number of malpractice claims flowing from criminal cases as compared to other areas of law, but criminal claims have been trending up in recent years.

Lawyer/client communication errors cause 54% of the criminal claims – no other area of law comes close to this figure. No doubt this reflects the nature of criminal matters.

The resolution of a criminal matter can have a significant impact on a client, and clients that are unhappy with an outcome frequently complain that they weren’t properly informed of the implications of entering a plea. Criminal convictions are often appealed on the basis of “ineffective assistance of counsel” - whether the allegation has any merit or not. The allegations made on appeal may include failing to properly review Crown disclosure, failing to mount the defence requested by the client, not calling a particular witness, etc. See reverse page for more examples of the most common criminal claims.

[Chart: Common errors]

Many types of criminal claims are preventable. Lawyers should take steps to ensure the client understands the strengths and weaknesses of his case and the implications of entering a plea. Because they will need to be referenced in the event of a claim, document these conversations and the instructions that were received. See reverse page for more steps that can be taken to reduce exposure to a criminal claim.

Speakers and resource materials

We can provide knowledgeable speakers who can address claims prevention topics. Email [email protected]

Visit practicepro.ca for resources including LAWPRO Magazine articles, checklists, precedents, practice aids and more.

Hot topics in claims

It is critical that clients are clearly informed of the implications of plea or other outcomes of their matter.

We have seen a spike in claims where lawyers failed to understand the consequences of advising a guilty plea in light of the amendments to the Immigration and Refugee Protection Act.

[Charts: Resolution of claims; Count of criminal claims]

*All claim figures from 2005-2015. All cost figures are incurred costs (April 2016).

Criminal Claims Fact Sheet

Risk management tips

Take the time to ensure the client understands your recommendations
Failing to effectively communicate with the client is the biggest claims pitfall in the criminal law area. Often a quick decision based on the lawyer’s many years of experience may obscure the fact that the client doesn’t fully understand the course of action the lawyer recommends and potential outcomes from it.

There is a real risk that clients may later regret their choices and make a claim against the lawyer. To guard against this, provide your analysis of the case, the plea options available, your recommendations, and a reminder that the plea decision is the client’s alone. It may not be required to document ALL your communications with the client, but it is good practice to do so as much as possible.

Discuss potential consequences of pleading guilty (and document it)
While criminal law is traditionally a lower claims-risk area of law, those claims we do see often involve a failure by the lawyer to communicate all the long term ramifications of pleading guilty to a charge. For instance, a truck driver pleading guilty to DWI may find out later that he may have difficulties with his job if he can’t cross the U.S. border. A non-Canadian client sentenced to six months or more may lose the right to apply for residency. Be sure to document your conversations with the client in this regard.

Promptly notify LAWPRO of any appeals based on “ineffective assistance of counsel”
A client may appeal a guilty verdict based on grounds that the trial lawyer provided ineffective assistance. The appellate lawyer may ask the trial lawyer to sign an affidavit supporting this ground of appeal. If asked to do so, you should call LAWPRO right away so that we can advise whether preparing an affidavit is necessary, and if so, how it can be done so that privilege is maintained and there is no admission of negligence.

Meet with client in your office when possible
Client meetings held at the courthouse while awaiting appearances sometimes lead to poor documentation of the content of the meeting, and incomplete understanding by the client of what was explained.

Most common malpractice errors

Lawyer/client communication errors (48%)
• Dispute over whether client’s instructions were followed regarding a plea to a charge or a reduced charge
• Failing to fully advise clients of potential consequences of pleading guilty
• Failing to clarify court dates, with consequences for client if lawyer or client doesn’t show up
• Failing to ensure the client understands or agrees with the strategy to be taken in court, often resulting in claims of “ineffective assistance of counsel”

Errors of law (21%)
• Overlooking viable defences when advising a client to plead guilty
• Failing to understand consequences of advising a guilty plea in light of Immigration and Refugee Protection Act

Time Management (6%)
• Failing to properly calendar a court date
• Failing to proceed with an appeal in the allowed time
• Missed limitations for civil actions relating to the criminal matter, such as suing for malicious prosecution or appealing forfeiture of property

Inadequate investigation of fact or inadequate discovery (6%)
• Failing to obtain evidence or information that could assist the client at trial
• Failing to properly determine whether the client is required to attend at court
• Failing to consider whether client is fit to stand trial

©2016 Lawyers’ Professional Indemnity Company.

Family law claims Malpractice fact sheet lawpro.ca

Quick stats*
• Average 174 claims per year
• Average cost: $3.9 million per year
• Average cost per claim $22,100
• #4 claims area of law by count
• #5 claims area of law by cost
• Longest claim reporting time: 59 years

Given the stress and emotions involved in their matters, family law clients can be among the most difficult to deal with. Many have unrealistic expectations regarding the process, timing, costs, and potential outcomes of their matters. You can significantly reduce your claims exposure by confirming in writing the information your client provides to you, your advice to the client, the client’s instructions to you, and what steps were taken on those instructions.

Failure to know or apply the law is twice as likely to occur in family law than in other areas of practice. It is one of the most complex practice areas involving dozens of federal and provincial statutes and voluminous case law. You should be aware of the limitations in your legal knowledge and expertise. You may want to engage another lawyer who has expertise in estate planning or tax issues; an accountant or actuary may be needed to help with a pension or business valuations, stocks or stock options, bonds; or an appraiser to deal with assets such as antiques.

[Chart: Common errors]

You can substantially reduce your risk with clear lawyer/client communications and ensuring you know the relevant law. See the reverse for more steps that can be taken to reduce exposure to a family law claim.

Speakers and resource materials

Visit practicepro.ca for resources including the Domestic Contracts Toolkit, the Limited Scope Retainers Resources page, LAWPRO Magazine articles and other checklists, precedents, practice aids.

LAWPRO can provide knowledgeable speakers who can address claims prevention topics. Email [email protected]

Hot topics in family law claims

In the last five years, 1 in 5 LAWPRO claims involved a domestic contract, and 1 in 5 involved an allegation of an improvident settlement. On these two types of claims, almost half resulted from communications-related errors and 21% were due to a failure to know or apply the law.

[Charts: Resolution of claims; Count of family law claims]

*All claim figures from 2005-2015. All cost figures are incurred costs (April 2016)

Risk management tips

Proactively direct and control client expectations
Family law clients can be emotional and difficult to manage. They may also have changing and unrealistic expectations. This makes it especially important that you manage their expectations from the very start of the retainer. Helping clients avoid disappointment and surprises will significantly lower your claims exposure.

Carefully explain agreement terms to clients
Carefully explain domestic contracts or settlement agreements so that clients cannot later allege that they did not understand the contents of these agreements.

Be aware of the limitations of your legal knowledge
Family law is one of the most complex practice areas, with federal and provincial statutes and voluminous cases. No lawyer can hope to be an expert in all aspects of this field, so it’s important to know when to seek advice from more specialized counsel (e.g. for estate planning) or third party experts (e.g. tax advisors, accountants, appraisers or actuaries).

Consider not taking on a potentially difficult client
There may be cases where the client will never be satisfied. Lawyers involved in claims often tell LAWPRO that their instincts told them a client was going to be difficult. Have they changed lawyers several times? Do their demands seem unreasonable? Ask yourself if it’s worth accepting the retainer.

Make better use of checklists and reporting letters
LAWPRO’s Domestic Contract Matter Toolkit (practicePRO.ca/domestictoolkit) has checklists and forms that contain issues lawyers should consider as they conduct the interview on a domestic contract matter and when they meet with the client to review and sign the document. A final reporting letter detailing what you did and what advice you gave can be a great help in the event of a claim, which may arise long after you’ve forgotten the details of a particular file.

Don’t lower your standards for limited scope matters
A limited scope retainer does not mean less competent or lower quality legal services. Identify the discrete collection of tasks that can be undertaken on a competent basis and confirm the scope of the retainer in writing. Clearly document all work and communications. Recognize that unbundled legal services are not appropriate for all lawyers, all clients, or all legal problems. Sample retainers and checklists can be found on the Limited Scope Representation Resources page on the practicePRO website.

Most common malpractice errors

Lawyer/client communication errors (42%)
• Failing to ensure the client understands the potential consequences of excluding certain property from an equalization calculation in a marriage contract
• Failing to adequately explain the terms of a separation agreement, minutes of settlement, or that a settlement is final before the client is asked to sign
• In a limited-scope retainer, not communicating clearly what you are retained to do and what you are not going to do

Errors of law (23%)
• Errors as to entitlement, amount or duration of spousal support
• Not complying with Federal Child Support Guidelines when arrangements are made for child support
• Unanticipated and unintended tax obligations

Time Management (9%)
• Claim for spousal support is not made for a lengthy period of time, and ultimately an amount of support is lost because the court will not make a retroactive order
• Missed deadline for an equalization claim

Inadequate discovery of facts or inadequate investigation (9%)
• Failing to properly identify all assets and liabilities for the purposes of preparing financial statements and making net family property calculations
• Failing to explore full facts and circumstances of a client’s marriage so as to appreciate issues that need to be dealt with in a separation agreement or litigation

©2016 Lawyers’ Professional Indemnity Company.

Franchise Law Claims Malpractice fact sheet lawpro.ca

Quick stats*
• Average 11 claims per year
• Average cost: $1.3 million per year
• Average cost per claim: $113,000

Acting on franchise matters can be particularly risky for lawyers. While some franchisors are large multinationals, many are small, relatively unsophisticated businesses. They are running a “mom‐and‐pop‐style” family business; they are usually financially (and more importantly, emotionally) invested in the business, and they have scraped together their life savings to open the franchise. These characteristics frequently result in “sympathetic” claimants.

[Chart: Common errors]

The greatest area of risk involves the onerous disclosure requirements imposed upon a franchisor by the governing statute, the Arthur Wishart Act. Inadequate disclosure entitles a franchisee to rescind the franchise agreement within two years and to extensive damages, including the return of its investment in franchise fees, inventory and equipment costs, as well as compensation for any losses incurred by it in acquiring, setting up and operating the franchise business.

Faced with such a heavy damages claim, a franchisor will often claim against the lawyer, alleging that the lawyer either drafted an inadequate disclosure statement or failed to warn the franchisor of the consequences of inadequate disclosure.

See the reverse page for more steps that can be taken to reduce your exposure to a franchise‐related claim.

Speakers and resource materials
• We can provide knowledgeable speakers who can address claims prevention topics. Email [email protected]
• Visit practicepro.ca for resources including LAWPRO Magazine articles, checklists, precedents and practice aids.

Additional reading at AvoidaClaim.com
• Franchise law tenet ‐ Disclosure! Disclosure! Disclosure!
• Practice Pitfalls – Franchise law
• Surprise! You have a franchise

Resolution of franchise claims

Average indemnity payment on a franchise claim is $227,000 compared to $94,000 on all other LAWPRO claims

Average defence cost on a franchise claim is $36,000, compared to $19,000 on all other LAWPRO claims

*All claim figures from 2005-2015. All cost figures are incurred costs (Dec 2016)

Franchise Claims Fact Sheet

Risk management tips

Familiarize yourself with the disclosure requirements of the Arthur Wishart Act
Lawyers acting for franchisors or franchisees should ensure that their clients are aware of the disclosure obligations which the Act (and the courts) place on franchisors. Inadequate disclosure entitles a franchisee to rescind the franchise agreement within two years and to receive extensive damages.

Do not dabble in franchise law
Franchise law is a very complex area of law. Lawyers doing work in this area should have sufficient expertise to handle that work, and if not, they should refer the matter to someone that has franchise law expertise. The client should also retain a chartered accountant familiar with franchises. The detailed financial disclosure requirements can be beyond the scope of a lawyer’s expertise.

Beware of ‘franchises in disguise’
A lawyer might fail to identify a commercial transaction as a franchise arrangement when dealing with a new franchise – when the party behaving as a franchisor is not yet fully aware that they are creating a franchise. This goes back to the point about not dabbling – as anyone knowledgeable in the area would immediately recognize a franchise agreement, regardless of what it’s called.

Avoid limited retainers
Limited retainers, even if they are reduced to writing, tend to be ineffective in franchise cases. In the context of a franchisee to franchisee purchase in particular, lawyers who think they are just acting on the “closing” may not deal with the franchise aspects of the case, which can lead to disaster. You can't treat a franchise like a typical asset purchase.

Carefully document instructions and advice
Many of LAWPRO’s larger franchise claims have involved allegations that a lawyer failed to advise the franchisor or franchisee regarding proper disclosure. Regrettably, lawyers’ files often have little or no documentation that the statutory provisions of the Act and the consequences of non‐compliance were explained to the client. As a result, liability is often a foregone conclusion or turns on a credibility contest, which commonly favours the client.

Consider Excess insurance
Given the potentially significant damages involved in a franchise claim, lawyers who practise in this area should seriously consider carrying excess insurance. Find out more at lawpro.ca/excess.

Most common malpractice errors

Communication‐related errors (47%)
• Failing to inform a franchisor client about the disclosure requirements under the Arthur Wishart Act, and the severe consequences of inadequate disclosure.
• Failing to document in writing that a client instructed the lawyer to take a course of action that was different from the one the lawyer recommended.
• Retainer did not clearly specify work that was to be done by the lawyer and/or outside expert (e.g., accountant or tax expert).

Error of law (21%)
• Failing to provide proper advice to the franchisee with regards to the information disclosed by the franchisor pursuant to the requirements under the Arthur Wishart Act.
• Failing to be sufficiently aware of the disclosure requirements under the Arthur Wishart Act.

Inadequate investigation (18%)
• Failing to adequately review a disclosure document.
• Failing to do due diligence that might discover encumbrances, liens or outstanding debts.
• Overlooking or failing to advise clients properly as to their rights of rescission.

©2017 Lawyers’ Professional Indemnity Company.

IP Law Claims Malppractice fact sheet lawpro.ca

Quick stats* Clericall errors are the most common cause of IP claims, representing 1/3 of the claims in this area of law. Missed Average 46 claims per year deadlines are also a very common cause of claims. However, the actuual costs of these errors is relatively low as they can Average cost: $529,000 per year sometimes be repaired or there are no damages. The more Average cost per claim: $88,000 costly IP‐related claims involve communication issues, errors Longest time from error to claim: 17 years of law and conflicts of interest. See the next page for examplles of these claims and how to avoid them.

Common errors by count Common errors by cost

Speakers and resource materials
• We can provide knowledgeable speakers who can address claims prevention topics. Email [email protected]
• Visit practicepro.ca for resources including LAWPRO Magazine articles, checklists, precedents and practice aids.

Most common IP malpractice errors
• Missing deadlines
• Drafting errors
• Miscommunications

Resolution of IP law claims

The average indemnity payment on an IP claim is $167,000 compared to $94,000 on all other LAWPRO claims.

Average defence costs on IP claims where an indemnity is paid is $67,000, double that of non‐IP claims.

Average defence cost on an IP claim where no indemnity is paid is $19,000, in line with other LAWPRO claims.

*All claim figures from 2006-2016. All cost figures are incurred costs (Jan 2017)

IP Law Claims Fact Sheet

Risk management tips

Ask for, and make sure you receive, acknowledgement of receipt on important correspondence. When sending correspondence to others, especially foreign agents, ask them to confirm receipt of that correspondence. If you don’t receive confirmation within a reasonable time, follow up to ensure the correspondence was received.

Review delegated work. To run an efficient and profitable IP practice you must delegate appropriate work to a clerk. However, remember that as the lawyer you are ultimately responsible for the work of a clerk, so take care to review delegated work, especially if there is something unusual involved with the matter.

Check and double‐check dates. Date related errors are one of the most common causes of claims in IP law. Encourage lawyers and staff to double‐check that correct dates are entered on all documents and diary systems.

Proofread documents! Careful proofreading of documents will help ensure client instructions are followed and catch drafting errors.

Document instructions, advice and steps taken. Taking detailed notes and documenting client conversations can minimize misunderstandings and help give clients reasonable expectations, which in turn can help avoid fee disputes.

Don’t leave things to the last minute. Get in the habit of making payments and completing filings well before actual deadlines. In the event there is an unexpected problem the extra time will allow you to find out about it and take corrective action before the deadline has passed. Document your advice to clients about the need for timely instructions.

Don’t give advice on foreign law. Remember that the LAWPRO policy provides protection for claims that are the result of your “professional services” for others involving the practice of the law of Canada, its provinces and territories. What will or will not be covered can be very fact‐specific, but you should expect you are not covered for work involving non‐Canadian law.

Consider having your clients retain foreign agents directly. Being the conduit for communications with foreign agents increases your exposure to a claim. Consider having your clients retain foreign agents directly.

Most common malpractice errors

Clerical error (32% by count, 7% by cost)
• Errors involving dates (see Time Management below).
• Fees not paid (e.g. missing specific fee, payment not included, or wrong amount paid).
• Mistakes made when completing application or other document (e.g. wrong/missing dates, incorrect/missing information, pages missing or wrong pages included).

Communications (27% by count, 36% by cost)
• Not responding to incoming communication (e.g. notices from CIPO, letters or emails from foreign agents).
• Miscommunications or misunderstandings with foreign agents (e.g. filing deadlines, insufficient information).
• Lost or undelivered communications (e.g. faxes, emails, courier packages or electronic filings).
• Confusion as to when retainer terminated and who is responsible for payment of maintenance fee.
• Action not taken when document sent without covering letter (e.g. filing of documents, cheque sent for payment).

Time Management (21% by count, 4% by cost)
• Wrong date entered in tickler system.
• Deadline not entered in tickler system.
• Failure to respond to tickled date.
• Not knowing a deadline.

Error of Law (9% by count, 35% by cost)
• Failure to appreciate when actions taken in one country impact on rights in another country (e.g. filings elsewhere impact on priorities) or when law in another jurisdiction changes.
• Alleged error or insufficiency in drafting application.
• Improper advice on infringement.

Inadequate Investigation (7% by count, 3% by cost)
• Error in or insufficient search.
• Not getting enough information to recognize if large or small entity.

Conflict of Interest (3% by count, 14% by cost)
• Acting on a patent application for same or similar products for different clients
• Using confidential information for benefit of another client.
• Taking opposite position in subsequent matter for a different client.

Litigation Claims Malpractice fact sheet lawpro.ca

Quick stats
#1 claims area by count
#2 claims area by cost
Average 798 claims per year
Average cost $21.7 million per year
Average cost per claim: $27,100
Average of 2 years before claim reported

Litigation claims, always near the top of the LAWPRO claims count (alternating some years with real estate), saw an increase after 2009 due to Rule 48 administrative dismissals. New amendments to Rule 48.14 as of January 2015 should reduce these claims, but there are still risks that the new processes, deadlines and transition provisions will trap unwary lawyers.

Lawyer/client communication is also a significant source of claims in this area. Misunderstandings around what actions the client expected the lawyer to take, or the expected outcome/cost of a case, often result in claims. Limited scope retainers may increase these risks. Proper documentation of instructions, detailed notes of client conversations and reporting letters can help LAWPRO defend these claims should they arise.

Common errors

Claims involving inadequate discovery of fact or inadequate investigation are the third most common source of plaintiff litigation claims. These involve the lawyer not taking extra time or thought to dig deeper and ask appropriate questions on the matter.

See reverse page for the most common plaintiff litigation errors and more steps that can be taken to reduce exposure to a malpractice claim.

Speakers and resource materials
• Rule 48 Transition Toolkit (practicepro.ca/Rule48)
• We can provide knowledgeable speakers who can address claims prevention topics. Email [email protected]
• Visit practicePRO.ca for resources including LAWPRO Magazine articles, checklists, precedents, practice aids and more.

Hot topics in litigation claims
• Familiarize yourself with the changed requirements under the new Rule 48.14, and in particular, the transition provisions.
• Prevent communications claims by ensuring client understands the process and likely outcomes of their matter
• Avoid the unintentional expansion of retainers by having a clear intake and retainer process.

Resolution of claims Count of litigation claims

All claim figures from 2005-2015. All cost figures are incurred costs (April 2016)

Litigation Claims Fact Sheet

Risk management tips

Avoid administrative dismissals.
Under the new Rule 48.14 of the Rules of Civil Procedure, matters commenced before January 1, 2012 will be automatically dismissed on January 1, 2017, and matters commenced after January 1, 2012 will be dismissed five years after commencement. These dismissals will happen without notice to the parties. Use the Rule 48 Transition Toolkit (practicepro.ca/Rule48) to help you avoid administrative dismissal claims.

Familiarize yourself with the Limitations Act, 2002.
We continue to see claims related to lawyers’ unfamiliarity with the new limitations rules. Take the time to review the rules and the related jurisprudence: See practicePRO’s limitations resources at practicepro.ca/limitations.

Have written confirmation of instructions and advice.
As in all areas of law, this is crucial to helping LAWPRO defend you in the event of a claim where you may have no recollection of the details years later. Take notes on your conversations with the client, and document in writing things like the details of settlement offers, the scope of your retainer (especially in limited retainer cases), your advice on accepting offers, and the likelihood of winning or losing a case and the costs involved.

Create more detailed docket notes.
Like the resolution above, this has the benefit of helping protect you in the event of a claim (e.g. “Conference with client re risks and costs of litigation” is much better than just “Conference with client re lawsuit.”) It also will help you determine if you are making money on a particular case by giving you a better understanding of the amount of time you and your staff are spending on it.

Talk to clients more often. Don’t rely solely on email.
Lawyers are increasingly using emails to communicate with clients, and this is resulting in misunderstandings. Clients and lawyers read things into emails that aren’t there, miss the meaning of what is said, or read between the lines and make assumptions. During a long litigation matter, arrange some face-to-face meetings, or at least a phone call if distance is an issue.

Most common malpractice errors

Time management and procrastination (42%)
• Failing to issue a claim within two years of the date when a claimant knew or ought to have known that he/she had a cause of action/claim
• Failing to commence an action for injuries sustained in a motor vehicle accident before the expiry of the two-year (from date of discovery) limitation period
• Failing to prosecute an action in a timely fashion, leading to admin dismissal of the action for delay

Lawyer/client communication errors (21%)
• Failing to manage client expectations, specifically: failing to clearly explain the risks and cost implications of litigation; failing to realistically explain the chances of success in proposed litigation; encouraging false hopes and unrealistically high expectations
• Failing to ensure that the client understands your advice and recommendations, and you understand your client’s instructions
• Failing to provide client with breakdown of settlement monies when obtaining instructions to settle, including "take home" amount for how much client would receive, and how much would be paid to lawyer as costs, disbursements, & HST

Inadequate investigation of fact or inadequate discovery (13%)
• Failing to name proper defendants due to improper review or lack of corporate searches, property searches, motor vehicle accident reports, and police investigation files
• Failing to name proper insurer as defendant due to an unidentified, uninsured or underinsured claim
• Failing to name all proper plaintiffs such as corporate entities and Family Law Act claimants
• Failing to assess the file properly due to lack of expert reports, medical reports, and investigation reports

©2016 Lawyers’ Professional Indemnity Company. LAWPRO is a registered trademark of Lawyers’ Professional Indemnity Company. All rights reserved. This publication includes techniques which are designed to minimize the likelihood of being sued for professional liability. The material presented does not establish, report, or create the standard of care for lawyers. The material is not a complete analysis of any of the topics covered, and readers should conduct their own appropriate legal research.

Real estate claims Malpractice fact sheet lawpro.ca

Quick stats
#1 claims area by cost
#2 claims area by count
Average 618 claims per year
Average cost $21.4 million per year
Average cost per claim: $34,500
Average of 3.5 years before claim reported
Longest claim reporting time: 42 years

As the price of real estate in Ontario has steadily risen, so has the dollar value of real estate claims, making it the costliest area of law for LAWPRO.

Breakdown in lawyer/client communication is the most common cause of real estate claims. Busy, high-volume practices often lead to situations where the lawyer is not taking the time to communicate with clients properly. Lawyers often rely on clerks, so the lawyer becomes removed from the process. If a claim arises, there is frequently inadequate documentation in the lawyer’s file to back up the lawyer’s version of what occurred. Spending more time meeting with clients and documenting discussions can be of great help in both preventing and defending a claim.

Common errors

There has been a sharp increase in ‘inadequate investigation’ claims in recent years. As with communication claims, these result from busy lawyers not spending enough time on a file. Important information from the client is overlooked, or crucial details missed on surveys, condo status certificates or the agreement of purchase and sale. Despite the time pressures of a real estate practice, take the time to do it right and avoid short-cuts.

See reverse page for specific examples of real estate errors and steps to reduce exposure to a malpractice claim.

Speakers and resource materials
• We can provide knowledgeable speakers who can address claims prevention topics. Email [email protected]
• Visit practicepro.ca for resources including LAWPRO Magazine articles, checklists, precedents, practice aids and more.

Hot topics in real estate law claims
• Take the time on each file to ensure you’ve met the client and obtained all the relevant information. Don’t over rely on clerks to deal with clients
• Ensure the title insurance policy addresses all the client’s needs for the property
• Be aware of the red flags of real estate fraud (see our Fraud Fact Sheet at practicepro.ca/fraudfactsheet)

Resolution of real estate claims Count of real estate claims

All claim figures from 2005-2015. All cost figures are incurred costs (April 2016)

Real Estate Claims Fact Sheet

Risk management tips

Meet clients in person at least once.
Take the time to meet with the client in person to review the transaction and understand client instructions, particularly with respect to the client’s intended uses of the property. Not every matter is straightforward, and you don’t want to have to be addressing a problem that was only noticed the day of closing, or never noticed at all.

Remember, the lender is also your client in most residential transactions.
The lender is also your client and is owed a duty of care. Provide any information to the lender that is material to the lender’s decision to advance funds under the mortgage. Lending clients can sue lawyers for failing to disclose all relevant information they knew or ought to have known.

Document your conversations with and instructions from the client.
This is the best defence against a malpractice claim. Clients may only be involved in one or two real estate transactions in their lifetime and will remember the details, while the lawyer who sees countless transactions will likely have little specific recollection of one matter. Keep notes of your conversations with the client and document discussions and your actions in a detailed reporting letter to the client.

Do not give your electronic registration password to your clerks or anyone else.
Only the lawyer who received the electronic registration credentials provided by the Ministry of Government Services is entitled to use the Teraview® key and password to register an instrument. As tempting as it may be in a busy real estate practice to let the clerk register instruments requiring a lawyer’s electronic signature…don’t.

Review the title insurance policy with your client.
You should have a solid understanding of the title insurance policy and be able to explain standard coverages, exclusions and property-specific exceptions. It is also important to have a detailed understanding of the client’s planned use of the property to ensure the coverage obtained applies to those uses.

Most common malpractice errors

Lawyer/client communication errors (41%)
• Failing to inform a client about restrictions on land use contained in a subdivision agreement
• Failing to review the survey and to discuss the risks or problems it reveals with the client
• Not inquiring about or following through on the client’s intentions for future use of the property. For example, not doing the necessary zoning searches or getting title insurance with a future use endorsement. The client may intend to build a swimming pool, but sewers or utility easements may make this impossible. Zoning may not permit a home-based business or multiple dwelling units
• Failing to ensure that the condominium unit shown on the plan meets the client’s expectations (e.g., whether it overlooks a lake or a parking lot)

Inadequate investigation of fact or inadequate discovery (27%)
• Misreading (or not reading) a survey, search, or reference plan
• Failing to review a condo status certificate and bring deficiencies to the client’s attention
• On a condominium purchase, failing to ensure that the parking space and locker specified in the agreement of purchase and sale are actually for sale and that the legal description of both units is correct

Clerical and delegation (8%)
• Not meeting with the client. Delegating the entire file/transaction to a law clerk
• Failing to review the statement of adjustments for clerical errors

Errors of law (6%)
• Failing to fully understand or properly apply the part-lot control provisions of the Planning Act
• Not being sufficiently aware that different types of searches are required depending on the type of property being purchased (e.g., single unit vs. multi-unit, commercial vs. residential)

Wills & estates claims Malpractice fact sheet lawpro.ca

Quick stats
Average 173 claims per year
Average cost: $6 million per year
Average cost per claim: $34,400
#4 claims area by cost
#5 claims area by count
Average of 4 years before claim reported

Malpractice claims in wills and estates practice have increased steadily over the last decade, nearly doubling in frequency.

Communications issues (often at the time the will is drafted) are the biggest source of these claims. Too many lawyers are not truly listening to the client’s instructions and not probing and questioning the client to uncover facts that may cause problems later. It’s important to read between the lines instead of simply filling in the elements of a will template or precedent.

Wills and estates is an extraordinarily complex area. Lawyers who practice in this area must maintain a working familiarity with a wide range of statutes and must apply complex provisions of the Income Tax Act. Law‐related errors are more than twice as likely to occur in the wills and estates area as compared to other areas of practice.

Common errors

Ensuring you understand the client’s needs, knowing the relevant law and avoiding shortcuts can help prevent claims. Detailed documentation of your conversations with, and instructions from, the client can support a lawyer’s defence should a claim be made.

See reverse page for the most common wills and estates errors and more steps that can be taken to reduce exposure to a malpractice claim.

Speakers and resource materials
• We can provide knowledgeable speakers who can address claims prevention topics. Email [email protected]
• Visit practicePRO.ca for resources including LAWPRO Magazine articles, checklists, precedents, practice aids and more.

Hot topics in wills & estates law claims
• Proper investigation requires that you ask yourself the question: “what does my client really want?”
• Ask your client what their assets are (and insist on an answer).
• Law‐related errors are twice as likely to occur in this area of practice than in others. Make sure you know statute and case law.

Resolution of claims Count of wills & estates claims

All claim figures from 2005-2015. All cost figures are incurred costs (April 2016)

Will & Estates Law Claims Fact Sheet

Risk management tips

Ask more probing questions when meeting with a client to prepare a will
Too many lawyers are not asking the questions that could uncover facts that could cause problems later, or making clear to the client what information they need to provide. Was there a prior will? Are all the beneficiaries identified correctly? What about ‐ overs? Were all assets identified, and how are they registered? Was there a previous marriage? Ask, ask, ask. And then do a reporting letter to confirm everything that was discussed.

Take time to compare the drafted will with your notes
It sounds like obvious advice, but we see claims where the will did not adequately reflect the client’s instructions, or overlooked some important contingencies. Many of these errors could have been spotted by simply reviewing the notes from the meeting with the client. It can help to have another lawyer proofread the will, or set it aside for a few days and re‐read it with fresh eyes. When you review it, consider the will from the position of the beneficiaries or disappointed would‐be beneficiaries. Ask yourself if you were going to challenge this will, on what basis would you do so?

Confirm as best you can the capacity of the testator and watch for undue influence
With greater numbers of elderly clients, lawyers need to be vigilant about these issues. Meet with the client separately from those benefiting from a will change, and have written proof that the client understands what they are asking and the advice you’ve given. And while it is difficult to be completely certain of capacity, be sure to document what steps you’ve taken to satisfy yourself that the client’s capacity has been verified.

Don’t act for family members or friends
We see claims where lawyers didn’t make proper enquiries or take proper documentation because they assumed they had good knowledge of their family or friends’ personal circumstances. It’s best not to act for them, but if you must, treat them as if they were strangers. And remember if a claim arises it will likely not be from the friend or family member, but from a disappointed beneficiary with no personal relationship with you.

Most common malpractice errors

Lawyer/client communication errors (31%)
• Failure to compare the draft will with the instructions notes to ensure consistency
• Failing to ensure that the client understands what you are telling him and that you understand what he is telling you, particularly if there is a language barrier
• In estate litigation: failing to communicate and document settlement options

Inadequate investigation of fact or inadequate discovery (27%)
• Failure to ask the testator what their assets are
• Failure to ask about the existence of a prior will
• Not digging into more detail about the status of past marital relationships, other children or stepchildren, or whether a spouse is a married spouse or common law spouse

Failure to know or properly apply the law (16%)
• Not being aware of key provisions of the Income Tax Act (and not obtaining the appropriate tax advice)
• Drafting a complex will involving sophisticated estate planning when you do not have the necessary expertise;
• Failing to properly execute documents

Time Management and procrastination (9%)
• Missing the six‐month deadline for making an election and issuing the necessary application under Section 6 of the Family Law Act
• Delay in preparing a will
• Delay in converting assets into cash in an estate administration

The biggest malpractice claim risks

Most lawyers are surprised to learn that failures to know or apply substantive law account for a relatively small portion of LAWPRO claims. Over the last eleven years, by both count and cost, law-related errors were only the fourth most common cause of claims. In most areas of the law, lawyer/client communication problems are the number one cause of claims, followed by basic deadline and time management issues. The pie chart on the next page illustrates the relative proportion of claims by area of law for 1997-2007.

Communications-related errors #1 claims concern

Lawyer/client communication-related errors are the biggest cause of malpractice claims. Over the last eleven years, by cost and count, more than one-third of LAWPRO claims involved this type of error – almost $22 million or close to 7,200 claims. It is interesting to note that for sole, small, medium and large firms alike, one-third of claims were communications-related. This is a profession-wide issue.

There are three types of communication-related errors. The most common is a failure to follow the client’s instructions. Often these claims arise because the lawyer and client disagree on what was said or done – or not said or done. These claims tend to come down to credibility, and in handling claims LAWPRO finds these matters are difficult to successfully defend if the lawyer has not documented the instructions with sufficient notes or other documentation in the file.

Dan Pinnington

Causes of claims 1997 to 2007 (pie chart): Communications 36%, Time management 17%, Inadequate discovery 15%, Failure to know law 13%, Other 8%, Conflict of interest 6%, Clerical 5%

The second most common communications error is a failure to obtain the client’s consent or to inform the client. These claims involve the lawyer doing work or taking steps on a matter without client consent (e.g. seeking or agreeing to adjournment; making or accepting a settlement offer); or failing to advise the client of all implications or possible outcomes when decisions are made to follow a certain course of action (e.g. pleading guilty on DWI; exercising a shotgun clause).

Poor communications with a client is the third most common communications error. These claims often involve a failure to explain to the client information about administrative things such as the timing of steps on the matter, or fees and disbursements. This type of error also arises when there is confusion over whether the lawyer or client is responsible for doing something during or after the matter (e.g. sending lease renewal notice to landlord, renewal of a registration or filing).

On top of being the most common malpractice errors, communications-related claims are also among the easiest to prevent. You can significantly reduce your exposure to this type of claim by controlling client expectations from the very start of the matter, actively communicating with the client at all stages of the matter, creating a paper trail by carefully documenting instructions and advice, and confirming what work was done on a matter at each step along the way.

Deadline and time management

Missed deadlines and time management-related errors are the second biggest cause of LAWPRO claims at all sizes of firms. Over the last eleven years they represented 17.3 per cent of claims by count (3,566 claims) and 14.2 per cent of claims costs ($8.8 million).

The most common time-related error is a failure to know or ascertain a deadline – missing a limitation period because you didn’t know it. The good news is that this specific error has declined by almost 50 per cent over the last ten years. The bad news is that the other time and deadline-related errors are holding stable or increasing slightly.

While in the longer term we expect that the new Limitations Act will result in fewer limitations period claims, at this stage it does not appear to have had any impact. Indeed, over the last year it may have resulted in more claims due to confusion over transition provisions. (For more see the Practice Tips article, Limitation update on page 41.)

A failure to calendar is the second most common time-related error (a limitation period was known, but it was not properly entered in a calendar or tickler system). The fourth most common time-related error is the failure to react to calendar error. In this case the limitation period was known and entered into a tickler system, but was missed due to a failure to use or respond to the tickler reminder.

© 2008 Lawyers’ Professional Indemnity Company. This article originally appeared in LAWPRO Magazine “practicePRO: Helping Lawyers for 10 Years,” Summer 2008 (Vol. 7 no. 2). It is available at www.lawpro.ca/magazinearchives

Lawyers at firms of all sizes seem to have a dusty file or two that sits on the corner of their desks for far too long, and this makes procrastination-related errors the third most common time-related error. By count and costs, procrastination-related errors are on an upwards trend.

These deadline and time management errors are easily preventable with better time management skills and the proper use of tickler systems. Practice management software programs such as Amicus Attorney and Time Matters are excellent tools for helping lawyers manage deadlines and tasks, and for helping them better manage client communications and relationships. Not waiting to the last minute by building in a one-day or two-day cushion can also help prevent this type of error when there are unexpected problems that prevent you from meeting a deadline for a filing (e.g. ice storm or taxi in accident on way to court house on last day to file).

Digging a bit deeper

Inadequate investigation or discovery of facts is the third most common error at firms of all sizes (except firms of more than 75 lawyers, where it was the fourth most common error) and over the last eleven years accounted for 3,202 claims (15.6 per cent) and $9.8 million (15.9 per cent) of LAWPRO’s claims costs.

This error has been on the rise for the last several years in many areas of law. Perhaps it is a symptom of “BlackBerry legal advice”: quick questions and answers without context exchanged between people in a rush. It goes to the very core of what lawyers are supposed to do for their clients – give legal advice – and basically involves the lawyer not taking extra time or thought to dig deeper and ask appropriate questions on the matter.

On a real estate deal this type of claim might involve not delving into the client’s long-term plans for the property, and then failing to follow up on appropriate zoning or bylaw searches to ensure the client can use the property as intended. On a family law or will or estates planning matter it might involve not digging into more detail about the status of past marital relationships, other children or step-children, or the amounts of assets or liabilities. On a merger and acquisition matter this error would arise where shortcuts are taken in due diligence work.

To avoid these claims, take the time to read between the lines so you can identify all appropriate issues and concerns. Ask yourself: What does the client really want? Does everything add up? Are there any issues or concerns that should be highlighted for the client? If something doesn’t add up – dig deeper.

Law

Over the last eleven years failures to know or apply the law accounted for approximately 2,703 claims (13.1 per cent) and $9.1 million in costs (14.8 per cent).

A failure to know or apply the law arises when a lawyer does not have sufficient or current knowledge of the relevant law on the matter on which he or she is working. Over the past few decades, the law has become far more complicated. There are fewer general practitioners as more lawyers tend to specialize in a given area of law. Legislation has become more complex, there are increasingly more regulations, and new case law is coming out of the courts at an increasingly rapid rate. For these reasons it is important that lawyers participate in CLE programs to maintain a current knowledge of the law.

Extensive federal and provincial legislation, as well as voluminous case law, help make failure to know or apply law the most common error for family law lawyers, representing more than 21 per cent of family law claims in the last eleven years.

“Dabblers,” or lawyers acting outside of their usual practice area, are far more likely to commit this error. Lawyers who are asked to handle a legal matter for a family member seem to feel obliged to help and often find themselves dabbling in an area of law they don’t know. Dabbling is dangerous – don’t do it.

Remember that family and friends can be the most demanding of clients because they can, and will, call at all hours of the day or night. They also tend to not pay their fees on time, if at all. Given the relationship, it can also be difficult or awkward for the lawyer to give a family member or friend independent legal advice. Lawyers should steer clear of representing family members. The best solution is to refer them to someone else in the firm, or, ideally, to send them to another firm with expertise in the area of law.

Lawyers should also tread carefully when giving advice or working on matters relating to U.S. or other foreign law. The LAWPRO policy does not cover lawyers for advice involving U.S. or other foreign law.

Conflicts of interest

Over the last eleven years, conflicts of interest claims ranked fifth by count (1,322 claims) and cost ($6.0 million), accounting for 6.4 per cent of claims reported and 9.7 per cent of costs, respectively. Conflicts claims are proportionally more costly to defend and indemnify as they tend to be complex and involve multiple parties.

There are two types of conflicts claims: The first arises when conflicts occur between multiple current or past clients represented by the same lawyer or firm. The second is a conflict that arises when a lawyer has a personal interest in the matter.

Multi-client conflicts claims have been on a general downwards trend for most of the last 10 years. During the same period, lawyer self-interest conflicts claims have occurred at the same rate. However, since the Supreme Court of Canada’s decisions in R. v. Neil and Strother v. 3464920 Canada Inc., there is clearly
increased sensitivity to the duties of loyalty and confidentiality that lawyers owe their clients.

As they regularly act for multiple clients and/or entities, real estate and corporate commercial lawyers experience more conflicts claims than other areas of law, while litigators have a relatively low rate of conflicts claims.

To avoid conflicts of interest, make sure your firm has a procedure and system in place for checking conflicts at the earliest possible point in time. Ideally it should be an electronic system and include more than just client names. A system that includes individuals and entities related to the client, including corporations and affiliates, officers and directors, partners, and trade names etc. will flag more real and potential conflicts.

Often, firm conflicts-checking systems do catch real or potential conflicts. Unfortunately, decisions are made to overlook these conflicts, either to please the client (often to keep fees down) and/or keep the matter at the firm for the fees it will generate. In the end these decisions come back to haunt firms.

LAWPRO is also seeing more conflicts arise with the lateral hiring of partners and associates. In a desire to bring on the new person, real or potential conflicts are also ignored or overlooked.

Clerical and delegation errors

Clerical and delegation-related errors are the sixth most common type of error by count and cost (1,093 claims and $1.6 million in costs, 5.3 per cent and 2.7 per cent, respectively).

Delegation errors include things such as simple clerical errors, errors in mathematical calculations, work delegated to an employee or outsider that is not checked, and failures to file documents where no deadline is involved.

Delegation of tasks to knowledgeable support staff is an essential part of the operation of every practice as it makes lawyers more efficient and effective. However, ultimately the lawyer is responsible for delegated work, and steps should be taken to review delegated work where appropriate. Extra care is especially warranted if there is something different or unusual on the matter.

Fraud claims

As is detailed in the articles on pages two to eight, fraud-related claims are on the rise and of significant concern to LAWPRO. Although real estate fraud has been a concern for several years, counterfeit now are being used to target litigators (on collection matters) and commercial lawyers (on financing deals), as we are seeing more frauds by firm lawyers and staff.

Regardless of firm size, it is important that every firm implement appropriate internal controls to ensure that funds in trust accounts are handled properly and that all transactions involving client monies are properly documented.

Firms have different claims “personalities”

It is interesting to note that, on an aggregate basis, the malpractice error types and proportions can vary significantly from firm to firm. Sometimes this is a reflection of practising in a different area of law, but it can also very much reflect an individual firm’s culture, calendaring procedures and time management practices.

For example, firms that do a poor job of managing tasks and deadlines have more time management and missed deadline-related claims. To reduce claims risks, firms should proactively identify and address shortcomings in their operations practices and procedures. One large Toronto firm seems to have kept conflicts claims very low by having excellent conflicts checking procedures and an increased sensitivity to conflicts claims through an annual conflicts education program that is mandatory for all lawyers and staff.

Avoiding a claim: your marching orders

Over the last eleven years LAWPRO has averaged 1,846 new claims each year. Over this time period LAWPRO successfully defended 86 per cent of these claims (of all claims closed during this 11-year period, 39 per cent were closed with only defence costs incurred, and 47 per cent with neither defence costs nor indemnity payments). But, while only 14 per cent of these claims ultimately involved an indemnity payment, it still makes sense to do everything you can to avoid the stress, time and cost of dealing with a malpractice claim.

The six most common malpractice errors detailed in this article represent more than 92 per cent of the malpractice claims handled by LAWPRO in the last eleven years. The biggest claims risks, and the biggest opportunity to reduce claims exposure, are in basic lawyer/client communications, and in time and deadline management – accounting for more than 50 per cent of the claims. Taking some proactive steps to address these types of claims is your best opportunity to reduce your claims exposure.

See the practicePRO resources centerfold for tools and resources that you can use to reduce your claims exposure.

Dan Pinnington is director of practicePRO, LAWPRO’s risk and practice management program. He can be reached at [email protected].
