April 29, 2025

🚨 BOLO: Zoom Remote Access Attacks – Critical Security Alert for Legal Professionals 🚨

April 29, 2025/ The Tech-Savvy Lawyer.Page/ Michael Eisenberg

Zoom Attack Exposes Lawyers to Major Cyber Risk: Why Vigilance Is Now an Ethical Imperative!

Lawyers need to be able to Spot fake Zoom invites—protect your client data now!

A sophisticated cyberattack targeting Zoom users has recently emerged, with direct implications for lawyers and legal professionals. The attack, detailed by Malwarebytes, involves a crime group dubbed ELUSIVE COMET that lures victims into Zoom meetings and tricks them into granting remote access. This enables the installation of malware and theft of sensitive data, including financial assets and confidential client information, e.g., PII.

How the Attack Works

Attackers pose as reputable contacts (e.g., media invitations) and set up Zoom calls.
During the meeting, the attacker often sends a remote control request with their camera off, disguising their screen name as “Zoom” to appear legitimate.
If the victim approves, the attacker gains full control of the victim’s system, installs malware, and can access files, emails, and even financial accounts.

Why Lawyers Must Be Extra Cautious

Ethical Duties Under ABA Model Rules

You need to be careful who you let into your zoom conferences!

Competence (Rule 1.1): Lawyers must provide competent representation, which now explicitly includes technological competence. Comment 8 to Rule 1.1 states:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
Confidentiality (Rule 1.6): Attorneys are ethically obligated to protect client information from unauthorized disclosure. Allowing remote access to your device can expose privileged communications, work product, and sensitive client data to malicious actors.
Failing to maintain technological competence or safeguard client data can result in ethical violations, malpractice claims, and reputational harm.

Best Practices to Prevent Zoom-Based Attacks

Never accept remote control requests from unknown or unverified participants.
Use Zoom via your web browser when possible, as the browser version does not support remote control, reducing risk.
Enable meeting passwords and waiting rooms to control access.
Restrict screen sharing and disable remote control features unless absolutely necessary.
Verify all meeting invitations-scrutinize the sender’s identity, and be wary of unsolicited requests, especially those involving media opportunities or unfamiliar contacts.
Keep Zoom and all security software updated to address known vulnerabilities.
Educate staff and colleagues about the risks and proper protocols for virtual meetings.

What to Do If You Suspect a Breach

You control access—deny hackers, defend your practice.

Disconnect from the internet immediately to limit further access.
Contact your IT or cybersecurity team and initiate your incident response plan.
Notify affected clients and relevant authorities as required by law and ethical rules.
Document the incident and steps taken for compliance and potential reporting obligations.
Review and update your security protocols to prevent future incidents.

Let’s be careful out there - it could cost you your job or, worse yet, your bar license if you don’t!

Happy Lawyering!!!

March 31, 2025

MTC: The Critical Role of Lawyers in Protecting Sensitive Data in an Era of Digital Vulnerability

March 31, 2025/ The Tech-Savvy Lawyer.Page/ Michael Eisenberg

Lawyers, ARE YOU AWARE OF where your client’s pii may have been exposed or is vulnerable?

The march on the fragility of personal data in our hyperconnected world continues from my editorial three weeks ago! From Elon Musk’s DOGE team attempting to access Social Security Administration (SSA) records, to Cabinet officials discussing military strike details on Signal, to 23andMe’s bankruptcy risking genetic data exposure, these incidents underscore systemic vulnerabilities. Lawyers now operate on the front lines of this crisis, bound by ethical mandates and legal obligations to shield personally identifiable information (PII) from misuse. Let’s discuss how the legal profession must adapt to safeguard client trust in the digital age.

The Expanding Threat Landscape

DOGE’s Overreach at SSA
A federal judge halted Elon Musk’s DOGE team from accessing SSA databases containing sensitive PII—including Social Security numbers and employment histories—after finding “unbridled access” violated privacy laws. Judge Hollander condemned the operation as a “fishing expedition” lacking justification, ordering the deletion of improperly obtained data. This case highlights risks when private entities bypass oversight to exploit bulk data repositories like SSA’s “crown jewel” Numident database.
Signal’s False Sense of Security
The Atlantic’s release of Signal chats among Trump administration officials revealed shockingly detailed military plans, including F-18 strike windows and target coordinates. While Signal offers encryption, experts warn it’s no substitute for secure government systems. Former NSA analyst Jacob Williams noted that desktop-linked Signal accounts create vulnerabilities via malware-prone devices. The incident illustrates how convenience-driven tools can jeopardize national security and client confidentiality alike.
23andMe’s Genetic Gamble
23andMe’s bankruptcy filing exposes 12 million users’ DNA data to sale, raising fears of insurance discrimination and identity theft. Despite the protections of the Genetic Information Non-Discrimination Act (GINA) against health insurer bias, gaps remain in life/disability coverage. Lawyers must now confront novel risks as biometric data enters commercial markets.

Legal and Ethical Imperatives for Practitioners

Lawyers have to balance the convenience of a hyperconnected world and maintaining client PII!

A. Foundational Duties
Under ABA Model Rule 1.6(c), attorneys must employ “reasonable efforts” to prevent unauthorized PII disclosure.1, 2 This requires:

Risk assessments: Evaluate data sensitivity, threat likelihood, and safeguard costs - Rule 1.6 Confidentiality of Information - Comment.
Encryption: Protect communications and stored files, especially when using third-party platforms.
Access controls: Limit PII exposure through role-based permissions and audit trails.3, 4

B. Emerging Best Practices

Client Consent & Transparency

Disclose data collection purposes per FTC Act/GDPR principles. 5, 6
Obtain explicit authorization for third-party transfers. 7, 8

Incident Response

Conduct breach analyses under ABA Opinion 498.
Notify affected clients promptly.

Tech Competence

Track compliance across the jurisdictions where you practice.
Train staff on phishing/social engineering risks highlighted in the SSA and Signal breaches.

A Call to Action

GIven third-party activity, lawyers may be the publics best line of defense to maintaining PII!

The DOGE, Signal, and 23andMe cases are not outliers—they signal a paradigm shift. As Perkins Coie’s privacy team emphasizes, “reasonable efforts” now demand proactive measures:

Audit legacy systems: Identify where PII resides, as SSA failed to do.
Purge obsolete data: Align retention policies with storage limits in ABA guidelines.
Leverage AI cautiously: While predictive tools aid fraud detection (“ironically” DOGE’s stated goal), they risk algorithmic bias without human oversight.

Lawyers who treat data security as an afterthought risk disciplinary action, malpractice claims, and reputational harm. The alternative? Embrace plans to transform from reactive advisors to strategic guardians of the digital trust ecosystem.

MTC