ROAD WARRIOR: Mobile Data Security for Lawyers

Vol. 29 No. 1

By

Jeffrey Allen is the principal of Graves & Allen, a small firm in Oakland, California, that, since 1973, has emphasized negotiation, structuring, and documentation of real estate acquisitions, loans and other business transactions, receiverships, related litigation, and bankruptcy. He also works extensively as an arbitrator and a mediator. He is Editor-in-Chief of GPSolo magazine and the GPSolo eReport and serves on the Board of Editors of the ABA Journal and as a liaison to the ABA Standing Committee on Technology and Information Services. Jeffrey Allen regularly presents at substantive law and technology-oriented programs for attorneys and writes for several legal trade magazines. In addition to being licensed as an attorney in California, he has been admitted as a Solicitor of the Supreme Court of England and Wales. He is an associate professor at California State University of the East Bay and the University of Phoenix. Jeffrey Allen blogs on technology at www.jallenlawtekblog.com.

 

As the capacity of our electronic devices grows, we tend to rely on them more and more. As we increase that reliance, we trust them with an increasing amount of sensitive, if not critical, data. As our electronics shrink in size, while concurrently expanding in capacity, we have come to carry them with us more and more often and to a larger selection of places. When, for example, did you last go to court, to dinner, to the office, home, shopping, or on a vacation without carrying your mobile phone? How often do you carry an iPad or other tablet device (or an eReader) that, in addition to whatever other functions it has, stores personal data and/or confidential information? Do you take public transportation to work and use your electronics during the commute? Simply put, data security has evolved into an area that should interest all attorneys, even those who do not do much long-distance traveling.

I think those of us who advise attorneys about technology have a moral obligation to discuss issues of data security with our audience on a regular and recurring basis. Although it may seem that some of us spend too much time on it, in truth I think we do not spend enough. In my experience, most attorneys acknowledge it as an issue but do little, if anything, to secure their data while in transit.

Data in transit has a higher level of vulnerability to both loss through inadvertence and to misappropriation. Accordingly, we must pay particular attention to protecting the information stored on or made accessible from our mobile devices—including both our own personal data and our clients’ confidential information. Given the amount of data most of us carry these days, the loss of one mobile device creates a grave risk of a confidentiality breach respecting your client information as well as identity theft issues, both for your clients and for yourself.

I recently read a study indicating that 36 percent of us have lost a cell phone at one or another time. These losses may result from theft or from our own carelessness. Nobody has immunity to either of these problems—not even those of us who advise others about technology. About 20 years ago I left my phone in a car and came back to find that someone had broken the front window and stolen it. About 15 years ago I put a phone on the car roof while I was loading things into the car in my garage and then got distracted. As a result, I forgot to take it off the roof before getting in the car and driving off. About two miles later I discovered that I did not have it in the car and remembered leaving it on the roof. I went back and looked for it, but I never found it.

Those events happened some time ago. The first example took place before we had sophisticated smartphones, so other than some telephone numbers, the stolen phone had no significant data in it. The latter event occurred after we had started to use “converged devices” (PDAs married to cell phones). That phone had more data in it, but nothing like what my (and likely your) current devices carry. Fortunately, even then, I knew enough to take basic security measures such as password protecting my phone. In those days, however, that represented more or less the apex of security for cell phones, other than simply taking care not to lose them. Today that represents only a beginning for data security.

Also remember that we no longer limit our concerns regarding the loss of mobility devices to cell phones. We carry around with us smartphones, tablets, eReaders, disk drives, and laptops, which all generally hold vast amounts of information, much of which may have confidentiality issues. People have shown as much ability to lose tablets and laptops as they have smartphones.

Most smartphones and tablets on the market today rely on applications (apps) to expand their utility and functionality. Apps serve the same purpose in smartphones and tablets that programs do in computers. In fact, Apple now sells computer software through its App Store, recognizing the similarity of that functionality.

The data you store on your electronic devices often will end up allocated to a variety of different apps. Many apps give you the ability to password protect their portion of the data and, therefore, restrict access to someone in possession of the required password. You dramatically increase the security of your data if you password protect your device and then take advantage of software capabilities to set up separate passwords for those apps in which you store your critical data (and then make sure to store your critical data in those apps rather than simply leave it otherwise unprotected on your device). As many smartphones impose limitations (such as a four-digit number) on your device password, you will want to use more sophisticated passwords on your apps. If your device allows a more advanced password than four digits, take advantage of that to enhance your data security.

Although you will have to remember your password, do not make the mistake of selecting one so obvious that someone could easily guess it. Bad choices include your address, office suite number, birthday, and birth year (or birthday or birth year of your spouse or children). Selections like “0,0,0,0”, “1,2,3,4”, or “a,b,c,d” also do not make good passwords from a security standpoint.

If you must use digits only, random selection affords the most security. If you can use alphanumeric combinations, that represents a better choice. Security improves when you mix upper- and lowercase letters and gets even better if you add symbols. Accordingly, a password like “aBc123;” offers greater security than “1234567” or even “abc123”. If you have the ability to select a pass phrase, do so, as it further augments your security, particularly if you mix upper- and lowercase letters. As you will still need to remember it, you may want to select a book or movie title or a line from a poem or play you like. For example, you could use a phrase such as “OncEUpoNAMidnighTDrearY,” or “HETALKSTOTHEanimals!!” You may even want to modify it a bit to make it more difficult for someone to guess; by way of example, you might use something like: “’TwaSThENighTBeforEXMAS…” or “whentheSTS.gomarchingin!”

Whatever passwords, pass phrases, or pin numbers you settle on, remember to (1) change them often and (2) not use the same password or pass phrase everywhere. Although it may prove more convenient for you to have but one password, it will also prove easier for the bad guys to take advantage of you if they only have to crack one password.

To the extent that your mobile device allows you to store encrypted data or has the ability to encrypt the data you store on it, take advantage of that opportunity. Evildoers will find it more difficult to get information from an encrypted file than an unencrypted one, just as they will find it easier to get information from a device you neglected to password protect.

To minimize the risk of having your data picked off by a scanner, stay off public WiFi networks. I know that you will find it tempting to use public networks, particularly when providers choose not to charge for it; but accessing such a network exposes your device and its content to interception. You should also use anti-malware software on your electronic devices to protect against the compromise of the device or its security by one of the many species of malware that hackers, mischief makers, and bad actors have generated to plague electronics device owners and/or gain access to the content of these devices. We have had effective anti-malware devices for computers for some time. You can find numerous anti-malware offerings for computers. Check for reviews on the Internet by Googling “anti-malware software.” Examples of software I have found effective include Norton, Kaspersky, and McAfee. Note that while you need anti-virus software, you want more than just anti-virus software. Anti-virus software typically does not address many other types of malware. Generally, you will find things work better if you use only one product at a time. As most of the products work by running continuously, they can get in each other’s way and slow down your device if you use two or more at the same time. You might consider leaving one on continuously and occasionally turning it off and running a sweep with a second. I make that suggestion as none of the programs works on 100 percent of the malware out there. Buying and downloading the software represents only the start of the process. If you have it and don’t use it, the software gives you little protection.

For those of you who use Mac laptops, the old saw about Macs having immunity to malware does not apply. Macs never had immunity to malware. Every device has vulnerability. Historically, Macs appeared to have had less vulnerability than computers on the Windows platform, but they still had some vulnerability. In reality, the Mac platform had a significantly smaller penetration in the market and, therefore, offered a smaller and less attractive target; accordingly, fewer people endeavored to attack computers on that platform. The Mac’s increasing popularity makes it a larger and, therefore, more attractive target now. Hopefully, a word to the wise suffices.

In the past, while we had software to protect computers, our mobile devices went unprotected. Recently, however, we have seen the development of basic protective software for mobile devices. The programs vary by virtue of the platform your phone uses. You can search for them on the Internet or in the appropriate app store. I do not make any recommendations as I have not yet found one that proved as effective as I would like. Expect to see more and better offerings in the near future. Check for them and employ them. Partially effective protection works better than no protection.

Current technology enables scanning a mobile device for information, but in truth, the likelihood of that happening to you remains small. The loss of your device remains (and likely will for the foreseeable future) the most likely reason for a breach of your security. Accordingly, while we would prefer not to incur the inconvenience and expense of replacing a device, it behooves each of us to take reasonable precautions to prevent losing the devices on which we store our information. Follow some basic rules.

  1. Do not let your device out of your sight (not even for an instant). That means do not leave it on the table at Starbucks while you go to the restroom or leave it attached to a charger at the airport while you sit with your back to it and do something else.
  2. Do not loan your device to others. That means particularly strangers, but also friends.
  3. Physically attach your device to yourself, if you can. I do not mean to suggest that you need to lock your device in a briefcase and handcuff yourself to it (although that would help reduce the risk of loss). Cell phones as among the smallest of our devices are most easily lost. I have seen tether cords for cell phones and some tablets at tech shows. Using one of those devices improves the chances of not losing your device. You may also want to look for a means of carrying it so that you have it tethered to some portion of your clothing (e.g., a belt) or to a case that is attached to your belt. You can also get hardware that tethers your briefcase to you electronically. It sounds an alarm if you get more than a few feet away from the case. That can prove very helpful as a reminder when you travel.
  4. Do not put your device down in strange places. If we pull a device out and use it or charge it in a restaurant or at an airport, we may put it down on a table after we finish using it or even on the floor while we charge it. I have seen countless unattended phones charging in airports. I often wonder how many of them get left behind. I make it a point to put my device away as soon as I have finished using it. When I charge a device at an airport or other foreign location, I leave it in my pocket or my briefcase with the cord connected to it. I stay right by it, and that way, I don’t walk off without it and it does not walk off without me.
  5. Check for your cell phone whenever you get up. Wherever you carry your phone, make sure you have it there when you get up and move around. Make it a habit.
  6. If your device has a lockout function and/or data erase on password error function, use it. Many smartphones will offer some additional protection against someone breaking into them by allowing you to set them to lockout after a set number of consecutive erroneous efforts to enter the password. A more sophisticated version of this software wipes the phone’s memory after a set number of consecutive password errors.

Knowing that you need to secure your data and your electronic devices does not solve the problem. Having the information in this column will not solve the problem. It’s like exercise: You won’t get in shape by buying a gym membership or equipment. You actually have to use them.

 

Advertisement

  • About GPSolo magazine

  • Subscriptions

  • More Information

  • Contact Us