GPSOLO December 2010
Data Security in a Mobile World
By Jeffrey Allen
We start from the position that one cannot properly or efficiently practice law today without the use of appropriate technology. This statement is at least as true when we work outside the office as when we work in our office.
We want to use technology to make ourselves better, faster, stronger, and more efficient as attorneys. Today’s technology allows us to practice effectively and efficiently from almost anywhere in the world (at least anywhere we can get a broadband Internet connection). Technological innovation has dramatically changed what it means to practice on the road and has made the Road Warrior a mainstream concept rather than the bleeding edge.
As lawyers employ more and more mobile technology, the risks to data security increase. Most of us use laptop computers when we travel. That laptop undoubtedly carries personal and client data that we do not want to lose. People lose computers to theft and sometimes to carelessness. Many of us have adopted the use of smart phones instead of more simple mobile telephony devices. Smart phones provide many advantages and conveniences. They concurrently place information contained in the phone at risk. In fact, the smarter the phone, the more confidential information it likely will have on it. Even more smart phones than computers get lost, left behind, or stolen. Additionally, once these devices have an active Internet or cellular connection, they incur the risk of someone with sophisticated electronic devices reading the data they contain.
Another aspect of data security concerns the loss of the data owing to hardware failure (as opposed to loss of the computer or theft of the data by a hacker or scanner). Losing critical client information or work product owing to a failure to adopt and properly employ a reasonable and appropriate backup system would be difficult to defend in today’s world as competent legal practice, especially in light of the fact that backing up your data requires relatively little in the way of expense or effort.
Protect Your Data
Data security (or the lack of it) presents one of the most significant issues associated with our use of technology. We know hackers can break into computers accessing the Internet and steal data. We know that accessing the Internet exposes us to the risk of viral infestation or malware taking over a computer, logging keystrokes, or sending data to third parties without notice or our approval. Our ability to control our environment (and exposure to that class of risk) diminishes dramatically outside of our office. Accordingly, while technology now enables us to practice effectively and efficiently outside of the office, it also increases the security risk for our data outside of the office by comparison to inside of the office.
As attorneys, we have ethical and legal obligations to protect our clients’ information against such risks. In addition, our devices also often have our own personal information, which for many reasons we do not want to have compromised.
Below are some procedures that you can use to help protect your data on the road.
Back up your data. I find it easiest and best to back up a laptop to an external hard drive. Hard drive backups are simple, inexpensive, and generally reliable. Ideally, you will back up your critical data on a regular, if not daily, basis, using an automatic backup system.
Verify that your backup system works. Check and confirm that you can access and restore your data.
Use a redundant backup system. You can improve the success of your backup mechanism by rotating through several hard drives so that you do not depend on a single hard drive. Keep a complete backup copy of each of your computers (data and applications) on your office premises. You should also keep a complete copy of the computers in another location for safety. Storing at least the critical data in a secure location in the “cloud” (online) offers another option. Keeping your data in the cloud gives you the ability to reacquire your data from wherever you have Internet access. Consider storing at least one copy of the data on-site, one copy off-site, and one copy in the cloud at a reliable and secure location (but see the comments below respecting risks associated with cloud computing).
Encrypt your data. Encryption will protect your data in the event you are hacked or the data is stolen or otherwise lost. Encrypt your backups as well in case you lose a copy to carelessness or theft. You should encrypt sensitive data even on your own laptop to protect against someone reading it if they come into possession of your laptop.
Password-protect each device and your encrypted backup copies. The use of a password with encryption provides better protection. The use of a password to access your device is the first level of security.
Select strong passwords. A strong password consists of a combination of alphabetical, numerical, and symbolic characters (random numbers/letters/symbols work best, but you will find them harder to recall). Your initials or your name represent examples of weak passwords. A very strong password would look like “a2DFb3q7w9@#”. Someone trying to crack that password would likely find it quite difficult. Unfortunately, most of us would have a hard time trying to remember it ourselves. As not remembering it would probably mean we lost our data, we would likely want to record it and have it with us, which of course makes it vulnerable to theft. To solve this problem, I suggest that you settle for a reasonably strong password that you can easily remember. You could take the name of a street you lived on as a child or a favorite place, such as Baskin-Robbins, and surround it by a few numbers (preferably not the address) and symbols, such as “@#12Monroe65%$” (where “12” was not your address). You could also spell the name of the street backward to make it harder to guess, such as “@#12eornoM65%$”. Although not as strong as a random collection of alphanumeric and symbolic characters, this approach creates a relatively strong password. Some software and some devices limit the length and type of password you can enter; you just have to do the best you can within those restrictions. Remember, the more readily the bad guys can associate your password with you, the easier their work in cracking it.
DO NOT use unsecured networks. Using an unsecured wired or wireless network in a hotel, someone else’s office, or at your local Starbucks presents a temptation you may find hard to resist. The next time you find yourself inclined not to resist it, remember that everyone else who accesses the network while you do has potential access to your computer.
Consider what you carry. Not carrying data with you significantly reduces the risk of losing it through carelessness, hacking, or theft of your equipment. Of course, not carrying it with you means that you do not have it to work with on the road. This reduces your effectiveness on the road. To solve this problem, look to the cloud. Storing encrypted data in a secure place online allows you to travel without it in your possession and access it when you need it. This approach does not give you the convenience of having the data available at all times, but it makes it reasonably available and reasonably secure at the same time. If you need some of your data to work with on an airplane, download just that data and use it. When you finish and land, you can upload it and erase it from your computer. Granted, if someone gains possession of the computer, they may have the technology to recover the data even if you erase it, but the reality of the situation is that you can only do what you can do. As long as you take reasonable precautions, your data should be fairly safe, and you likely will have satisfied your ethical obligations to your clients respecting data security.
Install protective software on your computer. Virus protection software alone no longer satisfies this requirement. You need more sophisticated software capable of detecting many types of malware (spyware, adware, worms, etc.) and removing it from your system.
Regularly run your protective software. If you don’t use your protective software, it does not protect you (kind of a “use-it-or-lose-it” situation). To ensure that your computer is protected from unwanted software and viruses, run your anti-malware software regularly.
Scan e-mail attachments and downloadable files before opening. A downloaded file may contain an installer that will place malware into your system so that it can do whatever its creator designed it to do, whether that means transmitting information from your computer back to the sender, corrupting your data, or otherwise damaging your system.
Disconnect from the Internet. Leaving your computer connected to the Internet whether you use it or not renders your system vulnerable to attack 24/7. If you use a wireless network, just turn the wireless off. If you use a wired connection, unplug the cable from your computer.
Do not let your devices out of your sight in public locations. Unattended electronics invite theft of your equipment and all the data it contains. I am always amazed at the number of people I see leave their computers on the table at Starbucks while they go to the restroom. Asking a stranger to watch your equipment does not improve the situation significantly. Remember, the person you ask may turn into the thief.
Do not let unauthorized individuals use your electronics. Anyone using your equipment could see or copy information from it that you may not wish (or be ethically allowed) to let others view. Anyone using your equipment could load malware onto the system while using it.
Get a privacy screen. Several vendors manufacture polarized privacy screens for laptops, iPads, and even smart phones. Using a privacy screen reduces the ability of those around you to peek at your data and can prove especially useful when you work in close quarters, such as on an airplane. The privacy screens are a bit pricey and can be a little inconvenient as they reduce your angle of vision, too, but if you look straight at the screen, it should work fine for you (although your screen may appear a bit darker owing to the way a polarizing filter works).
Warn your clients. I recommend putting clients on notice of the inherent lack of security associated with mobile telephony and e-mail; let clients choose whether they wish to convey information between you and them using such devices. I am aware of at least one state that has formally imposed such disclosure as an ethical requirement for lawyers. Because of the inherent risk, it seems like a reasonable thing to do, and I include a disclosure and waiver in my representation letter, advising my clients of the risks and telling them that they have the choice. You might also point out to them that choosing not to use such devices will likely result in slower communication of information. You may also let them know that they can and should consider securing e-mail through encryption. As a practical matter, encrypted e-mail attachments may offer much better security than sending an unencrypted letter through the postal service.
Cloud Computing Considerations
The concept of cloud computing (storing information in cyberspace) raises many issues. In choosing whether or not to make use of cloud computing and, if so, what provider to use, bear in mind the following:
Different laws may apply. Different countries have different rules respecting privacy and access to information. Most European Union countries have more protection than we do in the United States. Other places may have even less. When you upload data into the cloud, you do not necessarily know where it will ultimately reside. The servers your provider uses could as easily be in Europe, Asia, or Latin America as in the United States. Accordingly, do not store data in the cloud unless you have encrypted and password-protected it first.
Loss by association. If a law enforcement agency seizes data on a server, the agency will, of necessity, take the entire server, or at least a clone of it. If the agency seizes the server and you do not have backup data, you may lose access to your data for an indeterminate period of time. If the agency takes clones of the server’s storage drives, it will have access to your data as well as the data of everyone else stored on the drive. Moreover, the agency will likely justify looking at that data on the theory that it had to do so to determine if the information relates to the person or entity that caused the issuance of the warrant. If you have encrypted the data, the agency may not have the ability to access it. If you have not, the data will be readily available to the agency.
Keep your own backup. Do not rely on the cloud exclusively, or you may have your picnic rained out. The operator of your cloud storage facility should not be trusted to provide all your backup services. If you have your own backup copy at your office, you can have someone upload it to a storage facility for you to access from wherever you have traveled.
Technology makes us more mobile and allows us to practice more effectively on the road. We need to carefully consider how we handle the data to ensure that we keep it safe and protected. If we take appropriate steps to protect it, we can avail ourselves of the technology and use it to practice efficiently and effectively out of the office as well as inside of it.
Jeffrey Allen is the principal in the small law firm of Graves & Allen in Oakland, California, with a general practice that, since 1973, has emphasized negotiation, structuring, and documentation of real estate acquisitions, loans, and other business transactions, receiverships, related litigation, and bankruptcy. He also works extensively as an arbitrator and a mediator. He serves as the editor of the Technology eReport and the Technology & Practice Guide issues of GPSolo magazine. He is also a member of the ABA Journal Board of Editors. He regularly presents at substantive law and technology-oriented programs for attorneys and writes for several legal trade magazines. In addition to being licensed as an attorney in California, he has been admitted as a Solicitor of the Supreme Court of England and Wales. He holds faculty positions at California State University of the East Bay and the University of Phoenix. You may contact him via e-mail at firstname.lastname@example.org. Jeffrey Allen blogs on technology and the practice of law at www.jallenlawtekblog.com.
Copyright 2010