In Jan 2019, hackers freely distributed a collection of 2.2 billion (yes, billion) unique usernames and associated passwords online.[i] Cyber-attacks that result in such data breaches are only increasing and pose a serious threat to the data mediators promise to keep private. With the dramatic rise of Online Dispute Resolution (ODR) and virtual communication and storage in light of the recent COVID-19 restrictions, mediators must discuss the importance of cybersecurity, and update our notions about what fulfills our ethical responsibility of confidentiality.
Cybersecurity is the protection of internet-connected systems, including hardware, software and data, from cyber-threats and unauthorized access designed to access, delete, or extort a user’s sensitive and personal data.[ii] Perhaps the threats most covered by the media relate to geopolitical strife, massive hacks for profit and recognition, or ransomware attacks, where a virus locks someone out of their computer until a ransom is paid. However, the most common threats are simpler viruses and phishing, a form of fraud where the attacker masquerades as a reputable individual to distribute malicious links or attachments, typically over email, that can perform various functions and may even extract login credentials or account information.[iii]
The consequences can be severe. When usernames and passwords are stolen, even unskilled hackers could try leaked usernames and passwords on other public websites hoping that people have reused them. More experienced hackers only need an email and can use software tools to “guess” the passwords. If they succeed, they can do anything from changing your password and locking you out to stealing any sensitive information like medical records or legal files. Cyber attacks don’t only compromise the computer they target either. Malware on one computer can jump to others. There is evidence that law firms have been targeted simply to be a route to reach one of their clients.[iv]
Confidential Information in Mediation
Mediators have adapted quite well to the threats to confidentiality in the mediation itself by tailoring introductions to the virtual landscape and using passwords and waiting rooms to keep unwanted parties out. However, a mediator’s ethical obligation to protect confidentiality begins not at the mediation, but the moment they receive any information related to the case. Such information is a treasure trove for hackers due to its sensitive nature and the fact it is collected together. Evidence of this is seen in how law firms of any size have become a significant target for hackers because they have access to sensitive information their clients consider worth suing over, all gathered in one place.[v] While the information mediators are privy to may not always be legal, it is still sensitive and personal. Family mediators are given information about a divorce, a mediator in personal injury will be provided medical records, and a business mediator could get patent information. For mediators to hold firm to our ethical principles and speak truthfully about confidentiality, we must confirm that the privileged information received before a mediation is genuinely safe.
How to Stay Secure
- Passwords: The first question to ask is whether your password is strong enough. Do not use a password that is your name or birthday because it’s the first thing hackers or their software will try. Complicated passwords that include upper and lower case letters, numbers and symbols should be the only option to consider.
Change your passwords regularly. It’s inconvenient, but it’s necessary. The reality is you cannot expect to be informed or even aware of a data breach, so don’t rely on some notice to motivate change. LinkedIn was hacked in 2012, and passwords for nearly 6.5 million user accounts were stolen. Four years later, LinkedIn discovered that an additional 100 million email addresses and passwords had been taken in the same breach and had to forcefully invalidate many because the users had not changed their passwords over that period and were thus still compromised.[vi]
Use different passwords. If you use the same passwords for your business and personal accounts, both are essentially compromised in a breach. As I mentioned earlier, even novice hackers can simply use a username and password from one account and try it on others. Also, many websites now offer the option of logging in with your Google or Facebook account information. While that is certainly convenient, that means breaching just one of those accounts gives access to all of them. When Facebook was hacked, 50 million accounts gave access to millions more because they were all connected.[vii]
- Multi-Factor Authentication (MFA): Unfortunately, having a strong password alone is not enough. Cybersecurity is about layers, which is why MFA is so popular. Typically it takes the form of Two-Factor Authentication (2FA), a security system that requires two distinct forms of identification to access something. Most commonly, this takes the form of receiving a code or PIN via text message to put into your computer or phone after you’ve entered your password to make sure someone can’t log in with only your username and password.
- Encryption: Encryption is the process that scrambles readable text so it can only be read by the person who has the secret code or decryption key.[viii] If an email server, cloud drive, or even a hard drive is compromised, encryption prevents anyone other than those with the key from reading the data. As a result, it protects from threats like identity theft or cyber-fraud and the financial costs and damaged reputation that follow.
- Other steps to ensure a reasonably secure network are to make sure email scanning and firewalls are set up, that you have an anti-virus program (especially if you are using a PC), and ideally a Virtual Private Network (VPN), which provides a secure connection to another network that shields your browsing activity from surveillance. It is also essential to keep everything up to date.
Cybersecurity can be overwhelming, but the threats to confidential information cannot be ignored. A cyber attack can expose the confidential information of the mediator, their clients, their colleagues, and anyone else they are digitally connected to. One of the founding ethical principles in mediation is confidentiality, and if we are going to stay true to that value, mediators must contemplate and implement cybersecurity protections to the fullest.
[i] Foote, A. (2019). Hackers are Passing Around a Megaleak of 2.2 Billion Records. Retrieved on October 13, 2020 from: https://www.wired.com/story/collection-leak-usernames-passwords-billions/?utm_source=twitter&utm_medium=social&utm_campaign=wired&utm_brand=wired&utm_social-type=owned&mbid=social_twitter
[ii] Gillis, A.; Clark, C. (2019). What is cybersecurity? Everything you need to know. Retrieved on November 24, 2020 from: https://searchsecurity.techtarget.com/definition/cybersecurity
[iii] Gillis, A.; Bedell, C.; Cobb, M.; Loshin, P.; Scheumack, M. (2019). Phishing. Retrieved on November 24, 2020 from: https://searchsecurity.techtarget.com/definition/phishing
[iv] Polley, V. (2014). Cybersecurity for Lawyers and Law Firms. Retrieved on November 24, 2020 from: https://www.americanbar.org/groups/judicial/publications/judges_journal/2014/fall/cybersecurity_for_lawyers_and_law_firms/
[v] Sullivan, C. (2020). Ransomware Hits Law Firms Hard – And It’s Worse Than Ever Before. Retrieved on October 13, 2020 from: https://www.logikcull.com/blog/maze-ransomware-law-firms
[vi] Gunaratna, S. (2016). LinkedIn: 2012 data breach much worse than we thought. Retrieved on October 13, 2020 from: https://www.cbsnews.com/news/linkedin-2012-data-breach-hack-much-worse-than-we-thought-passwords-emails/
[vii] Manjoo, F. (2018). Why You Shouldn’t Use Facebook to Log In to Other Sites. Retrieved on November 24, 2020 from: https://www.nytimes.com/2018/10/02/technology/personaltech/facebook-log-in-hack.html
[viii] Johansen, A. G. (2020). What is encryption and how does it protect your data? Retrieved on November 24, 2020 from: https://us.norton.com/internetsecurity-privacy-what-is-encryption.html
Julian G. Ferguson, MA, MSc, Q.Med. is designated with his Q.Med from the ADR Institute of Ontario and Canada. He is an affiliate with A Place for Mediation, one of Toronto's original mediation firms, and serves on ADRIC’s Ethics and Professional Practice Committee.
Julian focuses on mediating in the areas of health care and emerging technologies. His career began in bioethics and he mediates throughout the health care spectrum on conflicts related to informed consent, patient rights, and many others. He is also drawn to innovation and resolves conflicts that stem from emerging technologies, like privacy breaches, and the entrepreneurial spirit that comes with them, like partnership and workplace disputes.