Data Security for Law Firms

Vol. 28 No. 4

By

Sharon D. Nelson and John W. Simek are, respectively, president and vice president of Sensei Enterprises, Inc., a legal technology and computer forensics firm based in Fairfax, Virginia. They may be reached at sensei@senseient.com.

 

Many readers remember computers—and the threats against which they must be protected—only back to the PC days and have no recollection about the evolution of data processing. Fortunately, the authors are “old” (just ask our children), and at least one of them has an excellent memory. As you’ll see from the brief history lesson below, many of the newest computer systems used by lawyers today look surprisingly similar to the earliest computers—but the threats they face are far more dangerous and pervasive.

 

The Early Days of Mainframes

The early days of computing started with massive rooms that housed large mainframe computers. The rooms were environmentally controlled and physically secured. The mainframes were expensive pieces of equipment and quite complicated to operate. Users accessed the mainframe via “dumb” terminals that were directly wired to the system. How secure was the data? Very. Besides needing a user ID and password, both of which were centrally controlled, you couldn’t even use the system unless you had physical access to one of the terminals. It was extremely difficult to gain access to the mainframe because the terminals were hard-wired to the communication network. You couldn’t just find the wires and tap into them.

Later, modems were used to “bridge” the communication lines and allow remote terminals to communicate with the mainframe. The security noose began to loosen; accessing via a telephone line was easier than directly tapping into the wires. The memory of one of the authors goes back to the acoustic coupler days, when the earpiece and mouthpiece on a telephone were round (heavy too) and touch-tone dialing wasn’t even available. It was possible to “hack” into the system if you knew the right phone number to call and had appropriate log-on credentials. It wasn’t quite as easy as depicted in the movie War Games, but you get the idea.

The mainframes stored and processed the data, all within the secure walls of the data center. Only keystrokes and screen information were transmitted over the wires to and from the user. No files or actual data repositories were sent to the user. Any keyboard or card input was stored on disks or tapes at the data center. If you were fortunate enough to have a printer, which required special communication configuration to the mainframe, data could have been preserved in the form of a paper printout. Perhaps that was the beginning of the romance between paper and attorney. Data security was inherent in the design of the communication network. As long as you maintained control of any paper printouts, there was little chance that unauthorized personnel could access the data. Unfortunately, human beings were not so careful with the paper computer reports, and “dumpster diving” became a popular activity for hackers.

 

PCs to the Rescue

The personal computer changed the landscape for computing and data security. The storage and processing of data was moving closer to the user. The applications were now being run on the local computer and no longer on some remote “big iron” machine. Data was being stored initially on flexible disks and then on hard drives installed in the PCs. In the early days of the PC, lawyers didn’t seem too concerned with security of their clients’ information. Perhaps that’s because PCs were thousands of dollars and not too commonly found.

As the price of hardware came down, we still didn’t get too concerned with securing the data. Essentially, the early personal computers were islands, and the only way to move information around was via floppy disks or over a phone line using a modem. PCs were primarily used for word processing in a law office. The word processing files may have been saved to disk, but generally the official “record” was still the printed correspondence in the paper file.

 

Windows 95 Networking

Those of us with propeller beanies and pocket protectors experimented with early PC networks using Banyan VINES, LANtastic, or even Novell. Sharing of digital information was still done with a “sneakernet” (i.e., picking up a floppy disk from your desk, walking over to another desk, and copying the data onto the computer there). Law office networking really didn’t take off until the arrival of Windows 95, which made peer-to-peer connections extremely easy right out of the box. Now you didn’t have to pass around those floppy disks to share information.

We still weren’t too concerned about data security even though we could now network multiple PCs with relative ease. After all, the network was still contained within the walls of our law office, and external access to our clients’ data was nearly impossible.

 

Welcome the Internet

We’re not going to get into a heated battle over Al Gore’s involvement in the development of the Internet. However, the Internet truly was a game changer. Now we could connect our computers to many, many more computers around the globe. Data could freely flow from one machine to another without regard to physical location. With this newfound interconnection, data security became a huge concern.

Thankfully, in the early days, Internet access was achieved using a dial-up modem. You would use some sort of service provider that gave you a bank of phone numbers and computer systems to connect to the Internet. The good news is that data transfers were slow because of the connection speeds, so there wasn’t a lot of file movement going on. The early websites were primarily text-based—graphic downloads would take the slow modem connection and make it crawl like molasses. We didn’t worry about hackers getting access to our client data because we were the ones who initiated the Internet connection.

As the Internet developed and expanded, so did our vulnerability to data compromise. We moved from dial-up modem connections to always-on, high-speed communications. Now our computers were potentially accessible whenever they were turned on. There was a growing concern about viruses, worms, Trojans, and other malware. We needed to provide some level of secure access to our data, so we turned to firewalls (software and hardware) to try to block the bad activity that was coming from the Internet.

 

Mobility

Today we’re an extremely mobile population. Laptops are the norm in most law offices, and smart phone use is growing. For once, attorneys are at the front of the technology curve, with over 70 percent using smart phones. This increase in mobile devices brings even more concern for data security. Loss of the physical device is at the top of the list.

If you use a laptop, the data needs to be protected while in transit. Secure mobile computing must contain some method of encryption to protect the valuable personal and client data. The authors of this article prefer whole-disk encryption. This means that everything on the hard drive is encrypted. We don’t have to remember to put files into special folders or on the encrypted virtual drive. All too often, humans are in a big hurry and may not save the data in the special protected encrypted areas.

Many of the newer laptops have built-in whole-disk encryption. To state the obvious, make sure you enable the encryption or your data won’t be protected. Also, encryption may be used in conjunction with biometric access. As an example, our laptops require a fingerprint swipe at power on. Failure at that point leaves the computer hard drive fully encrypted—a very comforting thought if laptop thieves, who constitute a large club these days, make off with your laptop. If you think we are being too cautious, bear in mind that a laptop is stolen every 53 seconds in the United States. Digg.com reported in 2008 that more than 10,000 laptops were lost or stolen at U.S. airports. We mean it when we say, “be careful out there.” (And don’t forget to encrypt the contents on your flash/thumb drives.)

If laptops are at risk for loss or theft, the danger only increases with smart phones. How many readers out there have already lost one? In essence, smart phones are really small computers that happen to make phone calls. They synchronize and hold law firm data such as client information and calendar schedules. They store e-mail messages and even attachments that may contain confidential information.

The absolute minimum safeguard you should enact with your smart phone is to configure a PIN or pass code to gain access to the phone. It absolutely amazes us that attorneys are carrying around confidential client information on their smart phones without a simple unlock code. Lose the phone . . . lose the data. (And, once again, don’t forget to encrypt any memory expansion cards that may be inserted into the phone.)

This same suggestion holds true for the popular iPad. We are seeing more and more attorneys using iPads in their practices. Now that the iPad 2 can mirror the entire display through the output port, we expect to see even more of them in the courtroom for evidence display. As with your smart phone, make sure you configure your iPad with a pass code to protect the stored data as a first line of defense. We could go on and on about the insecurity of Apple’s iOS devices, but we’ll save that for another article. For now, at least start with a pass code.

 

Passwords

Passwords might seem a tired subject to some, but the rules of the security game have changed—and it is high time to say goodbye to those wimpy, eight-character passwords. (And if you are using fewer than eight characters, shame on you!)

According to a report recently published by the Georgia Institute of Technology, it is time to move to 12-character passwords. Why the major change? In essence, researchers there were able to use clusters of graphics cards to crack eight-character passwords in less than two hours. And trust us, if researchers are doing this, so are the cybercriminals of the world.

The researchers discovered that, when they applied the same processing power to 12-character passwords, it would take 17,134 years to crack them. Cybercriminals, even when highly motivated, are going to skip the 12-character passwords—there are just too many folks out there asking for their security to be violated with less secure passwords.
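The arithmetic behind those two figures, as an added example that is not part of the original article: it assumes an exhaustive search over the 95 printable ASCII characters and a 365-day year (neither is stated in the article), derives the guess rate implied by the 17,134-year figure, and applies that rate to other lengths and to a smaller alphabet.

```python
# Added example. Assumptions not taken from the article: the attacker tries
# every candidate (worst case), passwords are drawn from the 95 printable
# ASCII characters, and a year is 365 days.
SECONDS_PER_YEAR = 365 * 24 * 3600
PRINTABLE_ASCII = 95
ARTICLE_YEARS_FOR_12 = 17_134  # figure quoted in the article


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def implied_guess_rate():
    """Guesses per second at which 12 characters take 17,134 years."""
    seconds = ARTICLE_YEARS_FOR_12 * SECONDS_PER_YEAR
    return keyspace(PRINTABLE_ASCII, 12) / seconds


def hours_to_exhaust(alphabet_size, length, rate=None):
    """Worst-case hours to try every password at `rate` guesses/second."""
    rate = rate or implied_guess_rate()
    return keyspace(alphabet_size, length) / rate / 3600


def table(alphabet_size=PRINTABLE_ASCII, lengths=range(8, 13)):
    """(length, hours) pairs; each extra character multiplies the work by
    the alphabet size, which is where the jump from hours to millennia
    comes from."""
    return [(n, hours_to_exhaust(alphabet_size, n)) for n in lengths]


if __name__ == "__main__":
    print(f"implied rate: {implied_guess_rate():.3e} guesses/second")
    for n, hours in table():
        print(f"{n:2d} chars: {hours:>16,.1f} hours ({hours / 8760:,.2f} years)")
    # Length alone is not enough: the same 12 characters drawn only from
    # lowercase letters fall in roughly a day at the same rate.
    print(f"12 lowercase letters: {hours_to_exhaust(26, 12):.1f} hours")
```

Under these assumptions the eight-character result comes out just under two hours, consistent with the article's first figure.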

 

Wireless Security

To help facilitate our thirst for mobile devices, wireless access will become more and more critical. As those zeros and ones fly through the air, securing the transmission should be high on your list of priorities. Certainly we want to be using encrypted connections. Websites that use https:// as the beginning of their URL are using secure connections.

Wireless networks should be set up with the proper security. First and foremost, encryption should be enabled on the wireless device. Whether using wired equivalent privacy (WEP) or WiFi protected access (WPA) encryption, make sure that all communications are secure. WEP is the weaker of the two and can be cracked if sufficient data is captured, though the reality is that hackers will go for unsecured networks before going after any secured one. Frankly, the Federal Trade Commission and the Canadian Privacy Commissioner have both found WEP insufficient to secure credit card information, so we suggest it not be used at all. Recently, WPA using the temporal key integrity protocol (TKIP) algorithm was cracked by a group of Japanese scientists in about a minute. This means that you should be encrypting only with WPA using the advanced encryption standard (AES) or with WPA2 (the second-generation version).
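One way to check an access point against the advice above, as an added example that is not part of the original article: it assumes the access point is configured with a hostapd-style configuration file (hostapd is not mentioned in the article) and flags open networks, WEP, and any use of TKIP. The sample configurations and the `audit` helper are constructed for illustration.

```python
# Added example. Constructed sample configurations in hostapd.conf syntax;
# the SSIDs and the WEP key value are made up.
SAMPLES = {
    "wep": "ssid=office\nwep_default_key=0\nwep_key0=0123456789\n",
    "wpa_tkip": "ssid=office\nwpa=1\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP\n",
    "mixed": "ssid=office\nwpa=3\nwpa_pairwise=TKIP\nrsn_pairwise=CCMP\n",
    "wpa2_default": "ssid=office\nwpa=2\nwpa_key_mgmt=WPA-PSK\n",
    "wpa2_aes": "ssid=office\nwpa=2\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\n",
    "open": "# guest network\nssid=guest\n",
}


def parse_conf(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return the findings for one configuration; an empty list means it
    meets the article's bar (WPA with AES, or WPA2, and no TKIP)."""
    conf = parse_conf(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))          # bit 0 = WPA, bit 1 = WPA2
    uses_wep = any(k.startswith("wep_key") for k in conf)
    if uses_wep:
        findings.append("WEP")
    if wpa == 0 and not uses_wep:
        findings.append("OPEN")
    if wpa:
        # hostapd falls back to TKIP when wpa_pairwise is unset, and
        # rsn_pairwise falls back to the wpa_pairwise value.
        wpa_ciphers = conf.get("wpa_pairwise", "TKIP").split()
        rsn_ciphers = conf.get("rsn_pairwise", " ".join(wpa_ciphers)).split()
        active = set(wpa_ciphers if wpa & 1 else []) | set(rsn_ciphers if wpa & 2 else [])
        if "TKIP" in active:
            findings.append("TKIP")
    return findings


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:13s} {audit(text) or 'ok'}")
```

The `wpa2_default` sample shows why the cipher has to be set explicitly: enabling WPA2 without naming AES (CCMP) leaves TKIP in use.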

Wireless 3G and (so-called) 4G networks are already encrypted by default. That means you don’t need to do any additional configuration of your smart phone, iPad, air card, etc., to secure the communication. Why is that? You have to register your device with the cellular provider in order to even connect to the network. Once your device is authorized by your carrier, all of the data communications between your device and the carrier tower are sent in an encrypted form. So that’s good news. (Now, if the carriers would just stop marketing 3.5G speeds as “4G” and actually deliver true 4G service, we’d be happy campers.)

 

To SaaS or Not to SaaS?

There is much momentum for computing service “in the cloud.” Remember the old days of the mainframe? The computing resources were held in some remote data center and we connected our terminals to a wire. My, how things have almost come full circle. Cloud computing is similar to the old mainframe days, but the data center is now owned by somebody else instead of your firm or company. Typically you get to it via the Internet instead of that coaxial cable connected to a communications controller.

A traditional client/server model puts total control in the hands of the law firm. The data is held internally and access is controlled by the firm. You can choose to encrypt the data locally, which we recommend, or leave it in plain text. Either way, it is within the technology walls of the law firm and not directly accessible by any third party.

In contrast, the SaaS model puts your data in the hands of a third party. This is not necessarily a bad thing, but do you really know if the information is safe? Your contract with the provider may specify that the data be stored in encrypted form, but what if a disgruntled employee of the provider has access to tools that allow her to decrypt the data and sell your client data to the other side in a major litigation?

When you contract with a SaaS provider, you are required to accept the service as it delivers it to you. This means that any upgrades or bug fixes will be implemented by the provider. Sound like a good thing? Maybe so, but perhaps the upgrade requires you to pay additional fees or takes your old data through a conversion process that drops two very important field values, which have to be added back manually. The traditional client/server model leaves the upgrade decision to you. You may elect to keep your current version because the upgrade doesn’t offer any significant functionality. Or, you may be forced to upgrade in order to maintain compatibility with other important systems. This is a constant irritant for law firms, as very few are crazy about being forced into upgrades that cost money and/or require relearning some aspects of the software.

Despite the potential security issues revolving around SaaS implementations, we do see the world moving in that direction. We really are going back to the mainframe days. The difference is that we owned and controlled the “big iron” back then. The “mainframe” is now shared among multiple entities, which means that the designs and security controls have to be even more stringent than the old days of direct, dumb terminal connections. There are ways to minimize your risk of data compromise, which really is the end game. Just make sure you have a trusted information security advisor if you don’t understand the technology yourself.
