Law Firm Security Gaps and How To Fill Them
While most everyone else is focused on trying to avoid getting a ‘Bit o’ Honey’ (those are disgusting candies, in case you are unaware) in their Halloween bags this time of year, those in charge of law firm information security don’t notice much difference between this time of year, or any other. For the gatekeepers, the next security alert is potentially around every corner. The real truth behind technology is that, the question of whether it’s secure or unsecure has more to do with the people using it than anything else. Therefore, the following suggestions will address methods for empowering your staff with tools and tactics for better securing your massive corpus of law firm data. Addressing these security loopholes means you’ll find more treats than tricks; and, you won’t have to clean egg from your house . . . or your face.
It’s hard enough to get people to select strong passwords in the first place, since that’s a continuing battle fought at the crossroads of the limitations of our memory, convenience, due care and best practice -- but an often-unsung danger of passwords is what happens when they become stale. Since the majority of password attacks are by some measure of brute force, the more cracks a hacker gets at a particular password, the more likely he is to crack it. To combat this, users should be forced to change their main device password every quarter; and, it makes sense to option that as a general best practice, across all applications. If the non-compliance argument reduces to those problems surrounding the necessity of remembering new passwords on a recurring basis, a password management service, like LastPass, may be just what you need to assuage the natives.
The En-Crypt Kickers.
Not all sensitive data gets encrypted, even when the mandates of state law require it. However, lawyers may be reluctant to encrypt data, because it reduces their own efficiency, or because it increases steps for clients. But, you know what they say: the road to hell is paved with good intentions. For those lawyers and staffpersons who are unwilling to encrypt, when they should, there are ways to coerce participation. Perhaps the easiest method to manage the process is by targeting the most common communication method: use an email encryption service, through which triggers can be established (tied to ethics rules, or state laws) that will automatically encrypt emails based on words or phrases in email text and attached documents.
Think of the number of smartphones and cellphones you’ve lost throughout the course of your lifetime. It’s probably a lot. The backseats of taxicabs are lands of the lost (device). Of course, it’s not just smartphones -- as the devices we use proliferate in number, and get smaller in size, they’re easier to lose. Protecting the data available on a lost device means that you will have selected a strong password for device access to begin with, but also that you are able to remotely wipe the device of all its contents, if you are unable to locate it. This becomes a particularly vexing problem for law firms, where the order of the day is ‘Bring Your Own Device’. Even if you let your lawyers and staff BYOD, that doesn’t mean that you cannot ascribe appropriate uses, and/or let your IT staff build more effective security protocols into your employees’ devices.
While much of the consternation over data breach is focused on external culprits, accidents can happen at home, too. Whereas much of the concern over data acquisition reflects the specter of unauthorized use, there are troubling consequences to unauthorized access. Law firms that effectively safeguard their data don’t only keep out external users -- they appropriately seal off internal users. Every employee of a law firm can be said to be an ‘authorized user’, in the broad sense of that term; but, within applications, there are times when users will need to be screened from certain cases and clients. Allowing the wrong person access to a file can get you conflicted out of a lucrative case. Beyond the access limitations that may be imposed on employees, law firms must also effectively limit the permissions available to third party vendors, who need to use law firm applications, e.g.--accountants, who do not need access to the full slate of client case information to perform their work.
Unless your law firm is more aggressive about getting paperless than the vast majority of the law firms in America, you are likely to maintain some paper files around the office, if only in archive form. It’s easy to forget about inactive files like those; but, until you have made a final disposition of those files, you are still required to maintain them in a way that preserves the confidentiality of the information they contain. That most often means keeping paper files out of exposed areas (conference rooms, on top of copiers, on the kitchen counter), and relegating closed files to lockable file cabinets, that are waterproof, fireproof and smokeproof -- remember, Mother Nature devised all of the original small office hacks. If you do decide to destroy paper files, prefer a cross-cut shredder, or use a service that provides a certificate of destruction; but, before you dispose of anything, make sure you acquired the informed consent of the client whose files you are getting rid of -- it’s best to take care of that in the engagement agreement.