Protecting and Securing Digital Assets
We all should take steps to secure our personal and professional digital assets and protect them from the bad guys. Lawyers have legal and ethical obligations that require them to take such steps. Lawyers must protect and secure digital assets related to their practice to maintain client confidentiality, comply with legal regulations, and safeguard their professional reputation. That obligation continues, and we need to address it both while we practice actively and after we stop practicing, whether due to death, illness, or retirement. Here’s a deeper dive into the key security measures:
- Strong passwords. Using strong passwords can help you prevent hackers, cybercriminals, and identity thieves from accessing your digital assets. You should use long, complex, and unique passwords for each account.
- Biometric authentication. Consider using a form of biometric authentication, such as a fingerprint scan, instead of a password to access your accounts.
- Password managers. Use a password manager or a digital vault that can generate, store, and autofill your passwords and other credentials. You will need a master password or biometric authentication to access your password manager or digital vault. Prefer biometric authentication as you won’t have to memorize anything and won’t have anything to record somewhere that might get discovered.
- Encryption. As to our personal information, all of us should, and, at least as to client information, lawyers must encrypt sensitive data, both in transit and at rest. Encryption involves converting data into a protected code to prevent unauthorized access. Emails containing confidential information should use encrypted email services, and we should store files in encrypted drives or cloud storage.
- Hardware encryption. Devices such as laptops, smartphones, and external drives should have full-disk encryption enabled to protect data if the device is lost or stolen. This functions as a recommendation for personal information and a requirement for devices containing confidential client data.
- Multifactor authentication (MFA). Beyond just a password, MFA requires additional verification, such as a text message code, biometric scan, or hardware token, to access accounts. This significantly reduces the risk of unauthorized access resulting from compromised passwords.
- Password management. Use password managers to generate and store complex passwords securely. Regularly updating passwords and avoiding reuse across multiple accounts further reduces vulnerability.
- Strong authentication (recommended for all but required for attorneys respecting confidential client data).
- Automated backups. Implement automated backup solutions that regularly save copies of all digital assets to a secure location, such as an encrypted cloud service or an off-site physical server. This ensures the ability to quickly restore data in case of a cyberattack, accidental deletion, or hardware failure.
- Backup verification. Regularly test backup systems to verify the ability to successfully restore data. Backup systems should also maintain version histories to recover previous versions of files if needed.
- Regular backups.
- Access control.
- Role-based access control (RBAC). Implementing RBAC allows the lawyer to restrict access to digital assets based on a person’s role within the law firm. For example, paralegals might have access to certain client files but not to financial records or case management software.
- Audit trails. Maintain detailed logs of who accessed which digital assets and when. This helps monitor for unauthorized access and ensures that any potential security breaches can be quickly identified and addressed.
- Cybersecurity awareness.
- Training programs. Regularly obtain cybersecurity training for yourself and conduct or make it available to all staff, focusing on recognizing phishing attempts, securing personal devices, and maintaining best practices for password management and data handling. At a personal level, take steps to ensure that you have such information and that you maintain currency in your knowledge.
- Incident response plan. Develop and regularly update an incident response plan that outlines the steps to take in case of a cybersecurity breach. This plan should include procedures for containing the breach, notifying affected clients, and expeditiously restoring services.
- Regular updates. Regularly update your software and antivirus programs to avoid malware and hacking. This can help you protect your digital assets from viruses, worms, ransomware, and other malicious software. You should update your software and antivirus programs regularly to fix any bugs, vulnerabilities, or security issues. You should also regularly scan your devices and accounts for any malware and hacking attempts.
- Regular review of settings. Regularly review the privacy and security settings of your accounts and platforms. This can help you control who can access, view, or use your digital assets. You should review the privacy and security settings of your accounts and platforms to adjust your permissions, preferences, and notifications. You should also opt out of any unwanted or unnecessary features, services, or sharing.
- Awareness of social engineering attacks. Avoid phishing, spam, and suspicious links or attachments designed to trick you into revealing your personal or financial information or downloading malware or ransomware. You should also report any suspicious or fraudulent activity to the relevant authorities or platforms.
- Secure disposal of devices and accounts. Dispose of your old devices and accounts securely by wiping or deleting your data. This can help you prevent your digital assets from being accessed, used, or acquired by others. You should also recycle or donate your devices responsibly. You likely comply with your ethical obligations by securely wiping and reformatting the hard drive, but we prefer the more conservative approach of removing and destroying the drive and donating the equipment without a hard drive or installing a new drive. Note that “wiping” and reformatting the hard drive or solid-state drive (SSD) differs from deleting the contents. Simple deletion of the contents generally means that the system removed the directory entries so that it cannot locate the data still found on the drive. Wiping and reformatting the drive means the removal of all data from the drive and writing over it with zeroes.
- Legal compliance.
- Data protection regulations. Lawyers must ensure compliance with data protection regulations such as the General Data Protection Regulation (GDPR) in Europe or the California Consumer Privacy Act (CCPA) in the United States. This includes obtaining explicit consent from clients for the processing of their data and ensuring that data is stored securely and only for as long as necessary.
- Ethical obligations. Lawyers must adhere to the ethical guidelines established by bar associations and other regulatory bodies, which often include specific rules on the protection and confidentiality of client information.
Planning for Digital Assets upon Death
In today’s world, we should all plan for the disposition of our digital assets upon our death. For lawyers, such planning respecting their law practice’s data is crucial for ensuring the continuity of their firm’s practice and protecting their clients’ interests. Here’s a more detailed look at the steps involved:
- Inventory your digital assets.
- Comprehensive listing. Create a detailed inventory of all digital assets, including account names, URLs, login credentials, security questions, and recovery options. This inventory should also note any subscriptions or licenses associated with these assets. You should also categorize your digital assets by type, value, and priority. Always store this inventory securely in an encrypted and password-protected form.
- Regular updates. Regularly review and update your inventory to reflect any changes in digital assets, such as new accounts created, passwords changed, or services discontinued or added.
- Decide what happens to your digital assets after your death. Address questions such as who will inherit them or take responsibility for them, what gets deleted, and what gets memorialized. This can help you express your wishes and intentions for your digital assets for your heirs as well as protect your clients’ confidentalities. You should consider the legal, financial, and emotional implications of your decisions.
- Check the terms of service and policies of your service providers and platforms. Find out what options and limitations they have imposed on transferring or deleting your digital assets. This can help you understand and comply with the rules and regulations of your service providers and platforms for your digital assets. Look for features or tools that can help the management of your digital assets after your death, such as legacy contacts, inactive account managers, or memorialization settings.
- Appoint a digital executor.
- Selection criteria. Identify someone trustworthy and tech-savvy to serve as your digital executor. If your digital estate includes practice and/or client-related data, you will also want someone knowledgeable about the legal field. Think about a colleague within your law firm, a trusted family member, or a professional fiduciary. You can use more than one (for example, by allocating personal assets to one and client information to another).
- Duties and powers. Clearly define the digital executor’s duties, such as accessing digital accounts, securing client files, and managing the transfer or closure of online accounts. The digital executor should also have the legal authority to act on behalf of the deceased, which may require specific legal provisions in your will.
- Formalize legal instructions in a will.
- Authorization. Include provisions in the will that authorize the digital executor to access, manage, erase, and transfer digital assets. This might include specific instructions on handling client files, closing or transferring online accounts, and distributing any valuable digital assets (e.g., proprietary software or intellectual property). Make sure your digital will or executor complies with applicable law.
- Confidentiality. Ensure that instructions in the will comply with your ethical duty of confidentiality as a lawyer. This might involve requiring the destruction of certain digital assets or transferring them to another licensed attorney to maintain client confidentiality.
- Establish client notification and transfer protocols.
- Advance planning. Develop protocols for notifying clients of your death and the steps to transfer your cases. This should include identifying another attorney or law firm that can take over the representation if necessary.
- Client consent. Where possible, obtain advance written consent from clients regarding the transfer of their files to another attorney in the event of your death. You can include this consent as a part of the initial retainer agreement or add it later as part of ongoing client communication
- Review and update the plan.
- Regular review. Review the plan for managing digital assets at least annually or whenever significant changes take place, such as adopting new technology, changing the structure of the law firm, or updating legal obligations.
- Incorporating new technologies. As technology evolves, the plan should incorporate new tools and practices for securing and managing digital assets. This might include transitioning to more secure cloud storage options, adopting new encryption standards, or integrating artificial intelligence tools into case management systems.
- Seek professional guidance.
- Legal and IT consultation. Consider consulting with a professional IT expert and an estate planning attorney to ensure adequate protection of digital assets and the legal soundness of the plan for their disposition upon death.
- Bar association resources. Many bar associations offer resources and guidelines on managing digital assets, particularly concerning ethical obligations and client confidentiality. Lawyers should take advantage of these resources to ensure they follow best practices.