Volume 18, Number 8
Protecting ELECTRONIC DATA in the Shared Office Space
By Wells Anderson and Joseph M. Hartley
As real estate prices rise throughout the United States, more and more lawyers are pooling their resources and sharing office space. Some years ago, this phenomenon was limited to sole practitioners renting out individual offices in a suite, and sharing a library, photocopy machine, fax, and receptionist. Now, however, even the largest law firms are renting out their additional space to subtenants and offering use of the firm's facilities and technology as well.
Although many lawyers avoid the traditional pitfalls of the shared office space (i.e., don't yell in the halls and keep confidential information under lock and key), most lawyers don't think twice about leaving a computer unattended or available for use by anyone passing by. We have even seen suites advertised for the ease with which tenants can connect with the office network, but no discussions of the likelihood that such connections may expose a lawyer's confidential information to other lawyers in the suite.
With the advent of the personal computer, information that used to be locked away in a partner's office now resides on the hard disk of an office computer. Client confidences and confidential financial information about the firm can be available to anyone who can gain access to the computer. It may be an opponent, or a disgruntled employee. In any case, you owe it to your clients and to yourself to protect confidential information, even if it is in electronic form.
A lawyer sharing office space would never consider leaving a file containing confidential information lying around the photocopy room or in the shared library. Yet many lawyers do not realize that an unsecured computer can be opened as easily as a file.
Perhaps the reason for this oversight is that many older lawyers barely have a clue about how computers work, and assume that everyone has as much trouble using computers as they do. This assumption may have been valid 20 years ago, but it is now completely invalid. Today, computers hold much of the same confidential information contained in paper files. The firm in a shared-space arrangement is begging for trouble if it ignores the security of its computer systems.
Protecting the individual computer. We start with the case of a single computer sitting on the desktop of the firm's secretary. On the computer's hard disk we find files for all the matters the firm is handling, including confidential communications to clients. Much of it is work product. The computer's hard disk may also contain the firm's billing and expense records and financial statements. Even if the computer is off, it no longer takes a rocket scientist to find the switch.
The safest way to protect against unauthorized access to a single computer is to lock the computer away. If the secretarial bay has a small, locked closet, for example, that would be the logical place for a box containing the CPU and hard drive. No one but the firm could get access to it without creating a lot of noise, something burglars and spies dislike. As an additional benefit, a burglar inclined to carry off expensive electronic equipment would probably not want to waste the time it takes to break into a locked closet when easier targets are available. Alas, such physical arrangements rarely exist in shared office spaces.
Some lawyers recall that tiny keys came with their computer, and assume that the keys are sufficient protection. These keys only lock out the keyboard. That's not bad, but you may have noticed that the key you received in your new state-of-the-art desktop is identical to the one you had in your first XT in 1983. So much for keylock protection.
There are biometric devices on the market that have a James Bond flavor to them-for not much more than you'd pay for a modem, you can get a scanner that recognizes fingerprints, and requires a recognized fingerprint to gain access to the computer. The advantage of this device is that nobody has to remember a password or access code. The disadvantage is that an authorized fingerprint can, in theory, be lifted from anything the person touches, and used to gain access. You definitely know if someone has stolen your wallet; you may never know if someone has lifted your fingerprints.
Passwords and encryption. The best defenses you have are password protection and encryption, which provide a level of security even if an intruder can turn on your machine. The easiest to work with are passwords. The idea is simple: You need a password to get into the computer. Your computer will come with a BIOS password option, meaning that the computer will not even boot unless the word is typed in. An intruder intent on getting into your machine can pull the CMOS battery to disable the BIOS password, but that requires opening the computer case. You can purchase a case lock if the computer does not have one. Make sure your staff regularly turns off a computer protected in this fashion.
Caution: Do not assume that the "password" protection you get with Windows 95 or 98 is effective. By hitting the "escape" key, an intruder will still have access to all your files unless you're able to set up your machine up better than most.
The second defense is encryption of the entire hard drive or encryption for certain directories or files. This approach assumes that an intruder may gain access to the computer's files, and is designed to make them unintelligible. Any unauthorized user of a computer whose files are encrypted would find nothing but an unintelligible mixture of letters and numbers that, in many cases, would be unbreakable even by the most sophisticated intelligence services in the world.
Commercial software products have become sophisticated in the way they encrypt the contents of a hard drive. With today's powerful computers, they can work transparently in the background. All the computer user has to do is type in an appropriate password, and the program will automatically decrypt the file chosen for use. It will also encrypt the file before saving, and most encryption programs can be set up to encrypt e-mail as well.
Why, then, are encryption programs not in wider use? The major problem is that they are complicated to set up, and can be defeated unless the firm rigorously institutes a password protection protocol.
Whatever security option you choose-password protection on log-in or encryption-you will have to learn something about the proper use of passwords. Most passwords are easily broken because people are so terrified that they will forget their password that they write it down and tape it to an easily accessible drawer. If you are going to undertake password protection, treat it seriously and devise a protocol that will work.
The underlying problem with passwords is that we each tend to accumulate too many of them: PIN numbers for cash machines, four digits to access voice mail, lock combinations, e-mail and web services passwords-we can't keep them all in our heads. You can deal with the problem by encouraging your staff to write down their passwords, but to hide them well. You can even help them find good hiding places, because they don't need to keep their passwords secret from you. You need to have the passwords of your staff to deal with situations such as vacations, turnover, and disabilities.
A recurring problem with passwords is that people lose them. Anticipate this problem and be prepared to deal with it. Loss of a password to a single computer can be more devastating than loss of a network password, because you may have no other way into the computer. When selecting a computer encryption product, consider purchasing one that features both a user password and an administrator password. Then you will have a way to access the computer even if the primary user loses his or her password.
You also need to protect your computer during the day when you or your staff are away from the computer. After all, it's easiest to get into the system when the computer is already on and logged in. Logging off is an obvious and completely safe option, but it often takes so long to log back on that people won't use it, and an unused security measure is worse than no security at all. For short trips away from a live computer, activating your screensaver is the best solution. Most screensavers, including the one that comes with Windows, can be password protected, i.e., the user must enter a password to remove the screensaver and return to the work on the screen. The password is usually the log-on password the user already knows, so he or she does not have to remember an additional password. The screensaver usually can be configured so that it can be activated by clicking an icon.
Protecting the Network
The techniques described above will protect the individual computer. Increasingly, though, sole practitioners and small firms are networking their computers, even in shared office spaces. It really isn't that difficult to do, because cabling usually can be snaked through existing walls and over ceiling tiles to connect computers. To protect the network, you need to understand how the network is configured.
There are three possible network configurations in the shared-space office:
l. An office-wide network connecting all computers and all members of the suite;
2. A peer-to-peer network with decentralized file storage connecting only the computers used by the firm and not those used by other suitemates; and
3. A network used only by the firm, where all files are located on a single computer (the file server).
The first configuration is unacceptable unless special precautions are used. Either of the other two methods is acceptable, but they also require appropriate precautions.
The office-wide network with one file server. Some offices are already wired for an office-wide network. All the sole practitioner or small firm needs to do is install a network card and plug the PC into the network, giving it access to CD-ROMs, network printers, and even faxes. While this arrangement can offer a fair degree of convenience and savings to a small firm, it requires a network operating system expert to set up security features that will preserve client confidences and confidential firm information like financial data.
Unless the network security is very carefully configured, you will have all of the problems that an unprotected, stand-alone system would have. Indeed, the situation may be even worse, because only someone sitting at the computer can access a stand-alone system, whereas anyone on a network may be able to access the confidential files on your machine from his or her computer.Benefits that this configuration provides are:
l. Someone else serves as your network administrator (administering a network is complicated and time-consuming, and therefore expensive).
2. It may give you access to a library of CD-ROMs or other purchased materials in electronic form.
3. It allows for the easy sharing and exchange of other nonconfidential materials through the use of "public" file folders. In this configuration, no member of a firm may have full access to the shared file server, so the firms must rely on an outside network company for support.
It is good to have the file server in the care of experts, but the firms should have a clear understanding about guaranteed response time for service. When a single point of failure stops multiple firms in their tracks, emergency assistance must be available. Some companies can provide immediate assistance through a dial-up connection to the server, but this too must be highly secure.
When your vital works in progress are stored on a network file server, you can purchase software that serves as a safety net. Say you are putting the finishing touches on an agreement needed at a client meeting in one hour. The file server crashes. With document management software like Worldox installed, you don't have to worry. Worldox maintains mirrored copies of all your current documents on your computer's primary hard drive. While the network is down, you can work with these copies as if they were the originals. You will still want fast service for your network, but this safety net is reassuring.
Separate peer-to-peer networks. An alternative network layout is to connect the computers of each firm in a physically separate network where they can communicate with each other. In these networks, there is no centralized server-the computers are separate and equal. Depending on how the topology is structured, it is possible to access files on various machines and preclude access on others. Access rights can be given to some files on a machine and not to others. So in a firm with associates, the partners can shield associates from reviewing billing or accounting records.
The problems with this setup are identical to those of the stand-alone machines. They may even be worse, because a computer in a public area may be able to access any other machine that is turned on.
Separate file server networks. Under this network arrangement, all of the data files for a single firm are kept on a single machine, the file server. Each person in the firm can access the file server with a user name and password. Once again, the server should be locked away so that no one can access it directly. A server that can be accessed directly has the same problems as a stand-alone machine in a public area of a law firm.
The best solution to the networking problem is adequate password protection combined with physical security for the server. Ideally, the server would sit in a small room-preferably the size of a large walk-in closet-which would remain locked at all times and whose keys would be carried by the members of the firm. (Leaving a key around is more convenient but defeats the security of a locked door.) With such security, the server can be kept running at all times without concern that unauthorized personnel could gain access to it. A suite containing a small storeroom for the server would therefore be a decided plus for the small-firm practitioner.
Laptops have become much more common as their prices have dropped. They can be connected at long distances to the office computer or network through a modem. This raises two potential attack threats, one at the level of the file server and the other at the locations where the lawyers are trying to connect to their office.
On the file server, a modem means that the remote lawyer has an opportunity to dial in and get information. However, so does anyone else with a modem. While it is unlikely that the number on which the modem is located would be discovered if the law firm does not publicize it, hackers call numbers at random looking for an open modem. Once a modem is discovered, they will try any series of passwords to gain access. Hackers use programs that make dictionary attacks as well as number attacks that try hundreds of possible passwords.
The second attack threat is with the mobile computer itself. A stand-alone desktop or tower computer at home will be sitting where it is under lock and key. Such machines rarely present a problem, but laptops present all the problems of a stand-alone machine in a public area of shared office space, and then some.
Laptops not only are easily accessible, but also can be stolen simply by unplugging and walking off with them. Many attorneys travel with a number of confidential files on their laptops, having copied or mirrored a directory from a file server so that they can have full access to all the firm's materials.
Lawyers may use laptops in hostile territory; for example, to take a deposition in the office of the adversary's counsel. Rather than leaving a laptop unattended at a deposition, a lawyer should close it and take it along when leaving the room.
To protect the contents of a laptop, a lawyer should use a strong security program that encrypts at least the folders containing confidential information. Similar considerations should be given to handheld devices like the Palm or Visor if they contain confidential information.
Wells Anderson, a Minneapolis attorney, runs a business that helps law offices with legal technology projects. He can be reached via e-mail at email@example.com. Joe Hartley is a trial lawyer in Santa Monica, California, where he tries legal malpractice cases. He can be reached via e-mail at firstname.lastname@example.org