Microsoft has announced it will no longer support Windows 7 beginning January 14, 2020. So, what does that mean? Will all machines running Windows 7 turn into pumpkins at midnight? No. The practical effect is that those computers will no longer receive security updates, which help prevent cyber criminals from exploiting known weaknesses in the operating system. For those of us who procrastinate when it comes to software updates… you know who you are… we know that the computers will keep working, but it’s not recommended. While the consequences for everyone, including the possibility of identity theft and equipment failures, should be enough to encourage anyone to stay up to date, the consequences for the legal community can be even more severe.
Why Legal Professionals Should Take This Seriously
Lawyers and law firms, in particular, have an interest in keeping cyber criminals and other bad actors at bay. As noted in a recent Texas Bar CLE ethics article titled “Managing Your Firm’s Cybersecurity Risks: The Intersection of Cybersecurity and Lawyer Ethics” (PDF), attorneys must protect the digital data of their firm and their clients under a duty that arises from a matrix of federal and state law, court rules, rules of professional responsibility, and terms of representation negotiated with their clients. A recent article in the NYSBA Journal titled “Why Lawyers Should Take the Windows 7 End-of-Support Seriously” details how cyber criminals use operating system end-of-support events as an opening to exploit law firm security. The author drives the point home with an example of legal liability under HIPAA that stemmed from a failure to update computers running Windows XP well after support ended in 2014.
What Do We Do?
The ABA Cybersecurity Handbook contains wide-ranging advice on protecting firm and client data for practices of all sizes. For small firms, the Handbook authors suggest keeping an inventory of all software installed on all computers on the firm’s network, and a log of all security updates and patches applied to each. The authors further note that while keeping such records may seem like a daunting task, especially for solo practitioners who may not have dedicated IT staff, the prospect of facing a cyber incident without the information should serve as sufficient motivation to get going.
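One way to start the inventory and patch log described above, as an added example that is not taken from the Handbook or from the original post: a PowerShell script, run on each Windows PC, that writes the installed-software list and the recorded updates to CSV files and flags machines still on Windows 7. The output folder name is an assumption made for this example.

```powershell
# Added example (not from the ABA Handbook): per-machine software inventory and patch log.
# Assumption: the output folder "FirmInventory" is a hypothetical name chosen here.
$OutDir   = Join-Path $env:USERPROFILE 'FirmInventory'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$computer = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyy-MM-dd'

# Operating system: version 6.1 is Windows 7 (and Windows Server 2008 R2).
$osVersion = [System.Environment]::OSVersion.Version
$osName    = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ProductName
$isWin7Era = ($osVersion.Major -eq 6 -and $osVersion.Minor -eq 1)

# Installed software from the machine-wide uninstall keys (64-bit and 32-bit views).
# Per-user installs under HKCU are not covered. The second key is absent on 32-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object @{n='Computer';e={$computer}}, @{n='Collected';e={$stamp}},
                  DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName

# Security updates and patches that Windows has recorded as installed.
$patches = Get-HotFix |
    Select-Object @{n='Computer';e={$computer}}, @{n='Collected';e={$stamp}},
                  HotFixID, Description, InstalledOn |
    Sort-Object InstalledOn

$software | Export-Csv -Path (Join-Path $OutDir "$computer-software-$stamp.csv") -NoTypeInformation
$patches  | Export-Csv -Path (Join-Path $OutDir "$computer-patches-$stamp.csv") -NoTypeInformation

# Summary row for the firm's master list; a missing LastPatch date deserves a closer look.
$lastPatch = ($patches | Where-Object { $_.InstalledOn } | Select-Object -Last 1).InstalledOn
New-Object PSObject -Property @{
    Computer      = $computer
    OS            = "$osName ($osVersion)"
    SoftwareCount = @($software).Count
    PatchCount    = @($patches).Count
    LastPatch     = $lastPatch
}
if ($isWin7Era) {
    Write-Warning "$computer runs $osName, which no longer receives security updates."
}
```

Get-HotFix lists only the updates Windows itself records as hotfixes, so patches applied by other vendors' updaters still need to be logged from those products.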
Further Reading/Viewing
Shawn E. Tuma, Cybersecurity for Your Law Firm: Data Security and Data Encryption, Essentials of Business Law: Four Modules for a Robust Practice, State Bar of Texas CLE Coursebook (PDF).
On-Demand Video CLE from the Harris County Law Library: Practical Cybersecurity for Lawyers