LAW FIRM SECURITY used to mean locking the doors and closing the blinds at the end of the day. Today, security includes technology—and lots of it. Although the concept of technological security is daunting to many attorneys, they need to address it for both in-office and mobile technology.
It’s not only good business to be security-savvy; it’s also an ethical obligation. Lawyers who ignore these concerns may discover that confidential documents aren’t nearly as safe and secure as they had assumed. As a result, every firm should have a security plan. Highlighted below are some of the issues firms should consider when creating or reviewing their security plans.
Encryption. Here encryption means full-disk encryption: scrambling everything stored on the computer so that even if an unauthorized user gets hold of the device, he or she cannot read anything on it without the password or recovery key. (Phones, tablets and portable drives need encryption too; they are discussed below.) Two caveats apply. First, full-disk encryption protects data only while the machine is powered off or locked; once a user is logged in, the files are readable to that session and to any malware running in it, so it does not replace antivirus or a screen lock. Second, the protection is only as strong as the login password or PIN that unlocks the key, and the recovery key must be kept somewhere safe that is not the laptop itself. Encryption can be done by the drive hardware (a self-encrypting drive) or by software such as BitLocker on Windows or FileVault on macOS. Hardware encryption is convenient where the hardware supports it, but it is not automatically stronger than the software option; either is acceptable provided it is actually turned on and verified. This is one area where many attorneys should consult with a computer professional to learn which options exist and make the most sense for a particular office.
Wireless networks. We’ve all heard about hackers at Starbucks who view information on another customer’s laptop or smartphone. Is your own office’s wireless network as insecure as the coffee shop’s? A wireless network should use WPA2 with AES (CCMP) encryption. WEP and the original WPA have been cracked and should not be used, and WPA2 configured with the older TKIP cipher inherits WPA’s weaknesses, so check the cipher setting as well as the WPA2 label. Use a long passphrase (it is the only secret protecting the network), turn off WPS (the push-button or PIN setup feature, whose PIN can be brute-forced), and keep any guest or client Wi-Fi on a separate network that cannot reach the firm’s file server. If your office’s wireless router cannot be configured for WPA2 with AES, it’s time to buy a replacement.
Virtual networks. Attorneys who use shared office space have an ethical obligation under the ABA Model Rules of Professional Conduct to separate services and data, and some states have even more specific requirements for separation (physical or just logical) of services and data. This means creating a method to ensure that unauthorized people cannot access client-confidential data. This may mean physical separation of your network wiring. Alternatively, many shared office locations use virtual local area network (VLAN) technology to assign specific Ethernet ports on a shared switch to separate virtual networks. When relying on a VLAN, remember that the building’s network administrator, not the firm, controls the switch configuration, and the separation is only as good as that configuration: a single jack assigned to the wrong VLAN, an uplink that carries every VLAN untagged, or a port left free to negotiate itself into a trunk undoes it. Thus the switch configuration should be audited periodically (ask for the port-to-VLAN assignments and the uplink settings, in writing) to make sure that someone in the next office cannot “tap” into your data stream. A VLAN also does nothing once traffic leaves the switch, so the firm’s own firewall or router should still sit between its VLAN and the building’s shared Internet connection.
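One way to carry out the audit described above, as an added example that is not from the original article: the script below parses a Cisco IOS-style switch configuration and flags the misconfigurations that defeat VLAN separation. The configuration text, interface names, VLAN numbers and tenant assignments are constructed assumptions; a real audit would run the same checks over the running-config the building’s administrator provides, together with the map of which jacks belong to the firm.

```python
"""Audit a shared-office switch configuration for VLAN separation (added example)."""

FIRM_VLAN = 20                                       # assumed: the VLAN assigned to the firm
FIRM_PORTS = {"GigabitEthernet1/0/1", "GigabitEthernet1/0/5"}   # assumed: the firm's wall jacks

# Constructed Cisco IOS-style running-config excerpt; not a real site.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Suite 200 - law firm
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 description Suite 201 - accountant
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/4
 description Suite 202 - spare jack
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/5
 description Suite 200 - law firm printer
 switchport mode access
 switchport access vlan 30
!
interface GigabitEthernet1/0/24
 description Uplink to building router
 switchport mode trunk
 switchport trunk native vlan 20
!
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for each 'interface' block."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw[len("interface "):].strip()
            interfaces[current] = []
        elif raw.startswith("!"):
            current = None
        elif current is not None and raw.strip():
            interfaces[current].append(raw.strip())
    return interfaces


def setting(lines, prefix):
    """Value after `prefix` on the first matching sub-command, or None if absent."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None


def audit_vlan(config, firm_vlan, firm_ports):
    """Return a list of findings; an empty list means the separation looks intact."""
    vlan, findings = str(firm_vlan), []
    for name, lines in parse_interfaces(config).items():
        mode = setting(lines, "switchport mode")
        access_vlan = setting(lines, "switchport access vlan")
        native_vlan = setting(lines, "switchport trunk native vlan")

        if name in firm_ports:
            # The firm's own jacks must be plain access ports on the firm's VLAN.
            if mode != "access" or access_vlan != vlan:
                findings.append(f"{name}: firm port is not an access port on VLAN {vlan} "
                                f"(mode={mode}, access vlan={access_vlan})")
        elif access_vlan == vlan:
            # Another tenant's jack on the firm's VLAN is exactly the "tap" the text warns about.
            findings.append(f"{name}: non-firm port is assigned to firm VLAN {vlan}")

        # No explicit mode falls back to the platform default, which on Cisco access
        # switches is commonly DTP-negotiated; a device plugged into such a jack can
        # negotiate a trunk and then see every VLAN on the switch.
        if mode is None or mode.startswith("dynamic"):
            findings.append(f"{name}: DTP mode '{mode or 'default'}' lets a connected device negotiate a trunk")
        if mode == "trunk" and native_vlan == vlan:
            # Untagged frames on a trunk land in the native VLAN, so it must not be a tenant VLAN.
            findings.append(f"{name}: trunk native VLAN is the firm VLAN {vlan}")
        if mode == "access" and access_vlan is None:
            findings.append(f"{name}: access port left on default VLAN 1")
    return findings


if __name__ == "__main__":
    for finding in audit_vlan(SAMPLE_CONFIG, FIRM_VLAN, FIRM_PORTS) or ["no findings"]:
        print(finding)
```

Run as a script it prints four findings for the constructed config: the accountant’s jack on the firm’s VLAN, the spare jack that can negotiate a trunk, the firm printer jack on the wrong VLAN, and the uplink whose native VLAN is the firm’s. Those four checks, port by port, are also what to ask the building’s administrator to confirm in writing.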
Office policies. All firms should adopt and implement clear and comprehensive IT policies. The policy should address acceptable use by end users, the firm’s procedures for specific situations (a lost device, a departing employee, a suspected breach), and every type of product or technology used in the firm.
Security suite. An Internet security suite, which bundles antivirus, anti-malware, a host firewall and related protections into one product that is updated and managed together, should be part of a firm’s security plan. Whatever product is chosen, configure it to update its definitions and scan automatically; a suite whose subscription lapsed last year protects very little. These products may even be provided for free or at a nominal charge by your Internet provider.
Spam. Although spam email is a part of every email user’s life, it should not land in the same inbox as client email. To combat spam, many firms use hosted spam protection, which routes incoming email through a third party (by pointing the firm’s domain mail records at the provider) so that filtering happens before the message is delivered to the recipient. If you use such a system, you must ensure that you can review quarantined messages as well as adjust for false positives so that messages improperly tagged as spam are delivered. You may also define whitelist addresses (e.g., for courts and counsel) that always bypass the spam filter and are delivered to inboxes, but keep that list short and specific: a whitelist entry is matched on the sender address, which is trivial to forge, so every address you whitelist is an address an attacker can impersonate to get past the filter. Prefer a service that checks sender authentication (SPF, DKIM) before honoring a whitelist entry.
Individual users. Security also has to be applied at the level of the individual user. Every person should have his or her own account (no shared logins, so that actions can be traced to a person and access can be removed when someone leaves), should do daily work from a standard rather than an administrator account, and should be required to use a strong, unique password and a screen lock. Setting this up lets end users take advantage of the security built into the operating system instead of working around it, and makes complying with the firm’s other security protocols the path of least resistance.
Laptops and external hard drives. Laptops and external hard drives need to be secured in the same fashion as desktop computers. Because encryption of these devices is so important, many commentators believe that failure to encrypt mobile devices is an unethical practice for lawyers. Encryption is easy to do and must be enabled or configured on all mobile devices. Some laptops ship with full-disk encryption built in (BitLocker on the business editions of Windows, FileVault on macOS), while others require users to install software; either way, verify that it is actually turned on and that the recovery key is stored somewhere other than the laptop. External hard drives and flash drives offer similar options (hardware-encrypted drives or an encrypted volume created in software), and an unencrypted USB stick full of client files is one of the easiest ways to lose data.
Phones and tablets. Smartphones and tablets are handled a little differently. On an Apple iOS device (iPad, iPhone, etc.), encryption is enabled by merely configuring a lock code. Android devices need to have encryption enabled through the Settings menu (recent Android versions are encrypted out of the box). Encrypting an Android device may take some time, so it’s best to have the device fully charged or plugged into an outlet before enabling the encryption process. Encryption for BlackBerry devices is activated by enabling content protection. On every platform the lock code is what protects the encryption key, so a longer passcode does more for security than the encryption setting alone, and the device should be set to lock after a short idle period.
Office policies for mobile devices. In addition to encryption, firms should institute policies for devices not within the immediate control of the firm. Mobile device management (MDM) and bring-your-own-device (BYOD) policies govern where and how firm data may be used, and on which devices. MDM products are available to legal IT for larger operations; solo and smaller firms can use stricter BYOD policies to maintain more control over and secure law office data. Because many MDM solutions cost thousands of dollars to implement, solo and small firm practitioners should consider using the ActiveSync mailbox policies on their Microsoft Exchange server (or hosted Exchange service), which can require a device passcode, enforce device encryption, lock the device after a period of inactivity, and remotely wipe a phone that is lost or whose owner has left the firm.
Data backup. It’s not a question of if; it’s a question of when you will need to restore data. Consider these scenarios: a hard drive fails; data is deleted, either inadvertently or maliciously; a virus corrupts a file; a file is lost; or a file is accidentally overwritten. Regardless of the cause, the current best practice is to have both on- and off-site backups, so that you are protected whether local hardware fails or the Internet (and with it the cloud copy) is unreachable. Bear in mind that malware or a malicious insider can also destroy any backup that the affected computer is able to write to, so at least one copy should be kept where ordinary users and their machines cannot modify it.
Whatever backup system you use, it must be automated. If someone has to manually start, stop or otherwise monitor the backup, it isn’t going to happen, and certainly not regularly. Automation still needs a check: someone should confirm that the job actually ran (most backup software can email a report), and a test restore of a few files should be done periodically, because a backup that has never been restored is only a hope.
When setting up your on-site backup system, plan to keep at least two rotating copies of data with one off-site in a secure, cool and dry area. In addition, you may want to purchase a fireproof (and virtually everything-proof) drive such as an ioSafe drive, which stores a very large amount of data for only about $250.
Similarly, off-site (or really, online or cloud) backups provide an additional layer of security. But as with any cloud-based system, you must read the terms of service (and find out where the data is stored, who besides you is able to decrypt it, and how it is deleted when you leave) to be certain the vendor offering complies with your ethical duties. Fortunately, the ABA Legal Technology Resource Center (LTRC) offers links to all of the cloud computing guidance opinions issued by various state bar associations. You should read the ones relevant to the states where you practice.
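The backup steps above (automated, rotated, kept both on- and off-site, and actually restorable) carried out in one script, as an added example that is not from the original article. It assumes a source folder and two destination folders, the off-site one standing in for a mounted cloud-sync or network folder; every file name and content in the demo is constructed. It writes a SHA-256 manifest beside each archive so that a restore can be checked against what was backed up, which is the test restore the text calls for.

```python
"""Automated rotating backup with an integrity manifest and a restore check (added example)."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive):
    return archive.with_name(archive.name.replace(".tar.gz", ".manifest.json"))


def create_backup(src, dest_dir, keep=2, stamp=None):
    """Write backup-<stamp>.tar.gz plus its manifest into dest_dir, then prune old copies."""
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")   # sorts chronologically by name
    archive = dest_dir / f"backup-{stamp}.tar.gz"
    manifest = build_manifest(src)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname=".")
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    # Rotation: keep only the newest `keep` archives (and their manifests).
    for old in sorted(dest_dir.glob("backup-*.tar.gz"))[:-max(keep, 1)]:
        old.unlink()
        manifest_path(old).unlink(missing_ok=True)
    return archive


def verify_backup(archive):
    """Restore the archive into scratch space and compare every file against its manifest."""
    expected = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive)) as tar:
            # The 'data' filter (Python 3.12+, backported to late 3.8-3.11 releases) refuses
            # absolute paths and '..' entries, so a tampered archive cannot write outside scratch.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        actual = build_manifest(scratch)
    missing = sorted(set(expected) - set(actual))
    changed = sorted(name for name, digest in expected.items()
                     if name in actual and actual[name] != digest)
    return {"ok": not missing and not changed, "files": len(expected),
            "missing": missing, "changed": changed}


def demo():
    """Constructed run: three nightly backups with keep=2, a good verify, then a tampered archive."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "clients"
        (src / "smith").mkdir(parents=True)
        (src / "smith" / "retainer.txt").write_text("retainer agreement v1")
        (src / "notes.txt").write_text("privileged notes")
        onsite = Path(work) / "onsite"
        offsite = Path(work) / "offsite"      # stands in for a synced cloud or network folder
        archives = []
        for day in (1, 2, 3):
            stamp = f"2024010{day}-020000"
            archives.append(create_backup(src, onsite, keep=2, stamp=stamp))
            create_backup(src, offsite, keep=2, stamp=stamp)
        remaining = sorted(p.name for p in onsite.glob("backup-*.tar.gz"))
        good = verify_backup(archives[-1])
        # Simulate silent corruption: the on-site archive no longer matches its manifest.
        (src / "notes.txt").write_text("privileged notes, altered")
        with tarfile.open(str(archives[-1]), "w:gz") as tar:
            tar.add(str(src), arcname=".")
        bad = verify_backup(archives[-1])
        offsite_ok = verify_backup(sorted(offsite.glob("backup-*.tar.gz"))[-1])["ok"]
    return {"remaining": remaining, "good": good, "bad": bad, "offsite_ok": offsite_ok}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Scheduling `create_backup` from the operating system’s task scheduler (cron or Task Scheduler) gives the automation the text insists on; running `verify_backup` on the newest archive once a week and mailing the result is the restore test. Note that the manifest is stored next to the archive, so it guards against corruption and bit rot but not against an attacker who can rewrite both; the off-site copy that the workstation cannot modify is what guards against that.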
Making sure that your office technology is secure is an obligation that applies to every attorney. Simply sticking your head in the sand—or maybe an old law book—won’t eliminate your obligation to protect your clients’ data and keep it confidential and secure. The steps we mention here aren’t complicated—they’re just necessary.