Well, I finally was bitten by the Bad Security Bug. I received an e-mail message from AT&T, my cell phone carrier, that indicated someone had used my Social Security Number to create a new account. AT&T did not open the account; they marked it as a fraudulent attempt and informed me promptly. I then took steps that I probably should’ve taken long ago to make sure that this didn’t happen—closing that barn door maybe a bit late but, hopefully, effectively.
First, I contacted my banker and informed her of the use of my Social Security Number.
Then, I spent a good part of two days contacting the three major credit bureaus (Experian, TransUnion, and Equifax) to freeze or lock my accounts with them. What that does is prevent anyone from using my personal information to open an account without my own clear approval. It was a bit of a cumbersome process, but I finally got it done. I also ordered my free annual credit report from these bureaus, which now I’ll review and correct as necessary.
As I was going through these various steps to secure credit bureau access, I came upon a method where you can opt out of solicitations for credit cards and other financially related offers. The credit bureaus have created a website to assist in this process: optoutprescreen.com. You can opt out for five years by doing so electronically at the website; if you do it in writing, it is a permanent opt-out. I don’t want any offers foisted upon me, and this seemed a good way to stop this from happening as I was working on improving my security.
Before I go further, I should stress that these precautions and those that follow are necessary not only for normal human beings but for lawyers as well, and particularly so. It is now clearly an ethical violation for a lawyer not to be reasonably informed about technology and security risks (ABA Model Rule of Professional Conduct, hereafter Model Rule, 1 et seq. and Comments). First, the lawyer must provide competent representation to a client and not reveal the client’s confidential information even beyond the end of the relationship (Model Rule 1.6). And this competent representation must include “the benefits and risks associated with relevant technology” (Model Rule 1.1, Comment 8). In light of this and what I outlined above, I embarked on the process of improving my information security.
Unsubscribing from E-Mails
I have a number of New Year’s resolutions, and one that I try to do each turn of the year is to cut down on incoming e-mail and update and change passwords. I was off the Internet for about a week over the holidays, and this allowed me on return to do a massive unsubscribe from the host of newsletters and other pieces flooding my e-mail daily. First, I use only one of my e-mail addresses as the address for subscriptions, so unsubscribing can be done automatically. I use Mailbutler (mailbutler.io) as a plug-in for Mail on my Mac, and it allows me more control over e-mail coming in and going out of Mail. One feature is that it permits easy unsubscribing from lists.
But the more potent method is to use the online service unroll.me. Basically, it monitors your e-mail account, which can be Outlook, Gmail, or a number of other services, and allows you to create rules for your subscriptions. First, a subscription e-mail comes in and goes into your “Rollup” on the site (it is delivered to your e-mail and goes into an “unrollme” folder there). The Rollup online and the folder in your e-mail client contain all the e-mails that result from a subscription. You can either just go through the unroll.me folder every now and then in your e-mail client and save or trash what you want, or, as I did in early January, go to the website and do a massive nuke of all the subscriptions. On the website, the subscriptions you unsubscribed from en masse go into a list of unsubscribed items, and if you need them back, you can move them into the Rollup or in-box later. So, if you do decide you want to keep reading some law journal you unsubscribed from, you can put it in your Rollup. On the other hand, how many of your subscriptions can you actually read rather than just research and find as needed? Thus, time to unsubscribe from most. (For more on unroll.me, I suggest you review the FAQs at the site.)
When I came back into town, unroll.me had caught close to 1,000 possible rollup-able e-mails. It took me all of 10 to 15 minutes to go through them and either keep them in the in-box, add to the Rollup, or totally unsubscribe. (I did the latter for the most part.)
Another step I took at the turn of the year was to improve the security of my passwords. As I’ve written before, good passwords are needed on your accounts, but the more complex (and harder to break), the less they will be used. The issue for normal human beings and lawyers as well is to determine the actual risk presented of a hack of your password on Account A versus that risk on Account B. Your comments on Twitter may not need the same protection as your investments and bank accounts.
A good article on Lifehacker last year (tinyurl.com/yavog33w) discussed the breach of a massive database. The article notes that the breach involved millions of e-mails and passwords, meaning that hackers could access your e-mail accounts and then move on from there to access more important data. It also provides an excellent resource to test whether someone has accessed your e-mail account password, in which case you must change those passwords as well. Go to the Troy Hunt website (haveibeenpwned.com), put in your e-mail address, and it’ll tell you whether your credentials have been breached and subject to hacking; read the excellent FAQs on the website for further explanation. I put in my e-mail addresses (I have three main ones), and each one has been “pwned” (which means defeated in geek terms). I’ve since changed my passwords. I suggest you run the test yourself.
People need to find a good mix of security and convenience. But any data location that might contain important information (your e-mail accounts, your bank account, your investments, etc.) must have an exceptionally secure password, which most people would say is a hassle. Necessary, but a hassle nonetheless. And because many of us have more than 100 accounts that call for improved/increased security, that’s just too much to remember. An excellent discussion on this topic may be found at tinyurl.com/y99t3pue (to remember your comical passwords).
The first and perhaps easiest thing to do is put two-factor authentication (or some other re-authentication method) on your accounts. Hackers don’t care about your forum comments, and they don’t want the time and hassle of getting around the re-authentication process.
More importantly, harden all your passwords. The best way to do this is to use a password manager to retain and create good passwords. A helpful article on this topic may be found at tinyurl.com/yar6kdxb. All the security writers say that you need to have different passwords for your especially valuable accounts (banking, investments, your e-mail). But the only way to remember/use all these passwords is to be able to access them through a password manager. A good discussion of this can be found at Lifehacker (tinyurl.com/yb9udmmc); Lifehacker articles are an excellent resource for all sorts of useful ideas and guides.
I use 1Password (agilebits.com) as a password manager, but there are a number of solid products (LastPass, lastpass.com; Dashlane, dashlane.com) out there worth exploring. See the discussion at tinyurl.com/y7xefbcs or other such articles. A good resource on the topic of passwords and password managers is Troy Hunt’s blog, troyhunt.com, already cited above.
One topic I covered a few years ago was how to handle your “digital end” (tinyurl.com/y75s2b2w). I also cited Mike Vardy’s 1Password Emergency Kit, which has since been updated (tinyurl.com/y9hwekj8). There is an excellent downloadable PDF document linked in that article, although the original one would work just fine. In any event, if you are using any computers or devices with passwords for them and for the accounts you access online, you would be wise to fill out the Emergency Kit and put the document somewhere safe for the time if and when the passwords need to be found.
I’m hoping this essay will spark others to order their free credit report, to lock their credit bureau information, to improve their passwords, and to use a password manager to make that even possible.