In an era when lawyers frequently conduct business across wireless networks using smartphones and laptops, how can attorneys safeguard client data and confidential information? The ABA Annual Meeting session “Locked down: Safeguarding client data,” sponsored by the Law Practice Management Section, explained the wide variety of information security risks facing law firms and how lawyers can best protect their data from those threats.
Panelist John Simek, vice president of Sensei Enterprises of Fairfax, Va., and a digital forensics and information security expert, said, “My biggest message concerns the use of encryption. Encryption is your friend: Learn it. It’s not that difficult. Implement it — it’s the best way to protect yourself and your clients.”
The biggest new development in the field of data breaches is the emergence of wireless network penetration devices, such as the WiFi Pineapple Mark IV, available for $99 on the Internet, Simek said. “Any wireless device, when it’s powered on, seeks out networks it was previously configured to connect to,” he said. “The Pineapple answers back and connects to that network, even though you weren’t searching for it.”
“Everyone likes the 3G and 4G, but you can’t see them,” he added. “You can’t know what’s going on in the cloud because you can’t see it. I used a Pineapple at my kitchen table and got into my neighbor’s email, and he’s a government security contractor.”
Panelist David Ries is a partner in the Pittsburgh office of Clark Hill Thorp Reed, focusing on environmental, commercial and technology litigation.
“My most important point is that there has to be security awareness,” Ries said. “It is the lawyer’s responsibility. It’s not something that can be passed on to others.”
The disclosed data breaches of law firms have continued, and they have increased, according to Ries. Mandiant, a data breach investigation company, estimates that 80 major U.S. law firms were hacked in 2011. At the LegalTech New York meeting this year, a retired FBI agent said that hundreds of law firms were being targeted.
“In 2005, I said this was going to happen [the hacking of U.S. law firms],” Ries said. “Now it is happening, and it’s happening with increasing frequency.”
Ries said that security starts with a risk assessment to identify anticipated threats to a firm’s information assets, including an inventory of information assets to determine what needs to be protected. The next step is a comprehensive information security program to employ reasonable safeguards against identified risks. The requirement for lawyers is reasonable security, not absolute security, Ries said, with stronger safeguards for more sensitive information.
Ries and Simek said that law firm security breaches are likely to cause disruptions, breakdowns in client relationships, public relations nightmares and great expense. Most lawyers do not have cyberinsurance, and a single data breach could be a financial disaster for a small firm. They said that their two most important recommendations are to use encryption and complex passwords of 12 or more characters.
The panelists encourage lawyers to think about who would be interested in their data. Knowledge of litigation involving large companies can be used in the stock market; the Social Security and credit card numbers held by family law practitioners are of interest to identity thieves; business intelligence is of interest to competitors; the media want all kinds of information for exclusives; and merger and acquisition details are critical to the players in that field.
Matt Kesner, chief information officer of Fenwick & West in San Francisco, told Simek and his wife, Sharon D. Nelson (president of Sensei Enterprises), that China’s rookie hackers are practicing on U.S. law firms before graduating to more advanced hacking and that Chinese students hack Western websites as part of their homework.