Let's start with this premise. Your data (regardless of where
you store it - electronic or physical) is never 100% safe. This is
a concept that lawyers should easily comprehend. Do you ever
guarantee a win or even a specific result for your client? No, of
course you don't. Instead, you weigh the options and come up with a
strategy that will be most likely to lead to the result the client
desires.
The same is true when protecting sensitive law firm data.
Pursuant to your ethical duties, you must take "reasonable efforts"
to prevent unauthorized access or disclosure of client data. See
Rule 1.6(c). However, there is no clearly defined list of measures
that comprise reasonable efforts, and indeed the comments to the
rule take into account a variety of factors that include the cost
and hardship of implementing safeguards in your practice.
While every firm needs to undergo its own security and risk
analysis, you can start with the five basic steps below to help
minimize your risk of a breach, thus minimizing a violation of
ethical duties and a multitude of other problems unrelated to your
professional obligations.
1. Get proper training. Create and follow policies and procedures.
There are many different ways in which your data might be
breached, but the simplest is through human error. Take, for
example, ransomware, a popular type of malware that locks up users'
files until a ransom is paid. Ransomware runs only because a user
lets it. You must take some action, for example, click on a suspicious
link in an email, which then allows the software to execute. With
proper training, you can prevent this. While more comprehensive and
regular training is advisable, here are a few tips: 1) be
thoughtful before you click on any link in an e-mail, particularly
if you do not recognize the sender, if the request is urgent, if
you haven't requested this information, or if you would not expect
to receive the email; 2) hover over the sender's email address and any
links to check that the actual address matches the displayed name or
link text; and 3) be wary of links ending in .zip or .exe.
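As an added illustration of the three checks in the tips above (not code from the original article), this Python script flags a sender display name that differs from the real address, link text that displays one domain while pointing at another, and links to .zip or .exe files; it assumes the message is available as a From header string and an HTML body, and the sample message is constructed.

```python
# Added illustration (not from the original article): flag the phishing signs the
# tips above describe in a message's From header and HTML body.
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".zip", ".exe")

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in the body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(text):
    # Host part of a URL or bare domain, lower-cased ('' if none)
    return urlparse(text if "://" in text else "http://" + text).hostname or ""

def check_email(from_header, html_body):
    # Returns human-readable warnings; an empty list means nothing was flagged
    warnings = []
    name, addr = parseaddr(from_header)
    # A display name that looks like an address but differs from the real sender
    if "@" in name and name.lower() != addr.lower():
        warnings.append(f"sender shows '{name}' but is really '{addr}'")
    parser = _LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        # Visible text that looks like a domain or URL must match the real target
        if "." in text and " " not in text and _host(text) != _host(href):
            warnings.append(f"link text '{text}' actually goes to '{_host(href)}'")
        if urlparse(href).path.lower().endswith(RISKY_EXTENSIONS):
            warnings.append(f"link downloads an archive or executable: {href}")
    return warnings

# Constructed sample message for demonstration (not a real email)
SAMPLE_FROM = '"billing@bank.example" <alerts@mail-relay.test>'
SAMPLE_BODY = ('<p>Your account is locked. Visit '
               '<a href="http://login.bank-secure.test/x">bank.example</a> or open '
               '<a href="http://files.test/invoice.zip">the invoice</a>.</p>')
```

Running `check_email(SAMPLE_FROM, SAMPLE_BODY)` on the constructed message returns one warning for each of the three tips.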
Take responsibility for your actions and your employees. Have
policies and procedures, including a Written Information Security
Program (WISP), which addresses risks, training, safeguards and
response. Then, follow those policies and procedures and review
them regularly with your staff. Keep updated on the most current
trends and variations in scams and malicious attacks. If you don't
have time (and, why would you?), pay someone (such as an IT
professional) to keep you up-to-date.
2. Passwords, passwords, passwords.
Passwords can make all the difference. Strong passwords can
prevent unauthorized access and prevent hackers from impersonating
you to gain access to others. You must have unique
passwords. No one password should be used for more than one
account. To keep track of all your passwords, don't keep them on a
sticky note next to your computer, rather use a password manager,
which is an electronic program that saves all your passwords in an
encrypted vault and requires only one master password to gain
access. Password managers can also generate long, random
passwords, which are the strongest type of password.
Also, use two-factor authentication if and when possible. For
services like Dropbox and Google, this is an absolute must, and
it's not difficult to set up. It requires both a password and a
physical device to receive a code. If you do online banking, you
should be using two-factor authentication.
3. Back up your data - in at least one place!
A backup will save you in the event of a hard drive failure; a
stolen or lost laptop (which, by the way, is one of the most
frequent causes of a data breach claim); accidental overwrite of
data; or a malicious attack. Indeed, it is the best way to handle
ransomware. Rather than paying the ransom, which can be extremely
time consuming (not to mention costly) and stressful, restore your
data from a backup.
Having redundant backups and testing your backups are key
elements to a strong backup system. If something goes wrong and you
need your backup, you'll be kicking yourself if that backup is
corrupt. Moreover, ensure that at least one of your backups is
offsite. Using a cloud backup service is one option. Consider also
what you are backing up. Are you only backing up files (i.e. file
backup)? Or, are you backing up your entire file system (i.e. disk
image)? The latter will allow you to restore everything just the
way you left it.
4. Encrypt sensitive data.
Encryption is becoming more and more mainstream. Your doctor
uses it when you sign into their secure client portal to access
your records. Your CPA uses it to transfer tax returns via email. You
should be using it as well. There are products for every size of
firm. Indeed, if you use Microsoft Office or own a Mac, you already
have the capability to encrypt files. Both Windows PCs and Macs also
offer tools to encrypt your hard drive, a must for anyone carrying
around a laptop with sensitive information. Mobile devices should
also be encrypted; fortunately, all iPhones and more recent Android
models are encrypted by default, as long as you turn on the
passcode lock (and make sure the passcode uses letters and numbers, or
is at least longer than four digits).
Consider replacing email with an encrypted client portal to
communicate and share documents with clients and colleagues. While
legal-specific software typically provides better safeguards, even
Dropbox (which is an encrypted portal) is better than nothing
(assuming you are using strong passwords and using two-factor
authentication).
5. Keep your software updated.
When your computer, tablet or mobile device signals you that a
software update or security patch is available, just do it! These
updates and patches are for the purpose of protecting your
technology and data. Further, when your software stops being
supported by the developer and no more upgrades are available, then
it's time to move to other software or systems.
Heidi S. Alexander, Esq. is the director of Practice
Management Services for Lawyers Concerned for Lawyers, where she
advises lawyers on practice management matters, provides guidance
in implementing new law office technologies, and helps lawyers
develop healthy and sustainable practices. She frequently makes
presentations to the legal community and contributes to
publications on law practice management and technology. She is the
author of the ABA Law Practice Division's Evernote as a Law
Practice Tool, and serves on the ABA TECHSHOW Planning Board.
Heidi previously practiced at a small firm and owned a technology
consulting business. She also clerked for a justice on the highest
court of New Jersey and served as the editor-in-chief of the
Rutgers Law Review. She is a native Minnesotan, former collegiate
ice hockey goaltender for the Amherst College Women's Ice Hockey
Team, and mother of three young children.