Minimize your risk of a data breach with these five steps

Issue March/April 2017 By Heidi S. Alexander

Let's start with this premise. Your data (regardless of where you store it - electronic or physical) is never 100% safe. This is a concept that lawyers should easily comprehend. Do you ever guarantee a win or even a specific result for your client? No, of course you don't. Instead, you weigh the options and come up with a strategy that will be most likely to lead to the result the client desires.

The same is true when protecting sensitive law firm data. Pursuant to your ethical duties, you must take "reasonable efforts" to prevent unauthorized access to or disclosure of client data. See Rule 1.6(c). However, there is no clearly defined list of measures that comprise reasonable efforts, and indeed the comments to the rule take into account a variety of factors, including the cost and hardship of implementing safeguards in your practice.

While every firm needs to undergo its own security and risk analysis, you can start with the five basic steps below to help minimize your risk of a breach, thus minimizing a violation of ethical duties and a multitude of other problems unrelated to your professional obligations.

1. Get proper training. Create and follow policies and procedures.

There are many different ways in which your data might be breached, but the simplest is through human error. Take, for example, ransomware, a popular type of malware that locks up users' files until a ransom is paid. Ransomware runs only because a user lets it: you must take some action, such as clicking a suspicious link in an email, which then allows the software to execute. With proper training, you can prevent this. While more comprehensive and regular training is advisable, here are a few tips: 1) be thoughtful before you click on any link in an e-mail, particularly if you do not recognize the sender, the request is urgent, you haven't requested the information, or you would not expect to receive such an email; 2) hover over the sender's email address and any links to ensure that the link address matches the address or file name shown; and 3) be wary of links ending in .zip or .exe.
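Tips 2 and 3 above can be checked automatically rather than by hovering. The following is an added example, not code from the article: it parses the HTML body of a message, compares the address shown in each link's text with the link's real target, and flags targets that end in .zip or .exe. The sample message and the example.com / example.net hosts are constructed for the demonstration; the script uses only the Python standard library.

```python
"""Flag suspicious links in an HTML e-mail body (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".zip", ".exe")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []       # finished (href, text) pairs
        self._href = None     # href of the anchor currently open
        self._text = []       # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _with_scheme(url):
    """urlparse needs a scheme to recognise the host part."""
    return url if "://" in url else "http://" + url


def _host(url):
    """Lowercase host of a URL or bare domain, '' if none."""
    return urlparse(_with_scheme(url)).hostname or ""


def _looks_like_url(text):
    """True when the visible link text names a host (e.g. www.bank.example)."""
    return "://" in text or ("." in text.strip(".") and " " not in text)


def check_links(html):
    """Return a list of (href, reason) findings for one message body."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        text = text.rstrip(".,;:)")
        target_host = _host(href)
        # Tip 2: the address the reader sees must match the real target.
        if _looks_like_url(text):
            shown_host = _host(text)
            if shown_host and shown_host != target_host:
                findings.append(
                    (href, f"link text shows {shown_host} but target is {target_host}"))
        # Tip 3: links to archives or executables deserve extra suspicion.
        path = urlparse(_with_scheme(href)).path.lower()
        if path.endswith(RISKY_EXTENSIONS):
            findings.append((href, f"target is a {path.rsplit('.', 1)[-1]} file"))
    return findings


# Constructed sample message (not a real phishing e-mail).
SAMPLE_EMAIL = """
<p>Your invoice is ready. Please review it today.</p>
<a href="http://login.example.net/reset">https://portal.example.com</a><br>
<a href="http://files.example.net/invoice.zip">Download invoice</a><br>
<a href="https://portal.example.com/help">https://portal.example.com/help</a>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {href} -> {reason}")
```

Run against the sample, the first link is reported because its text shows portal.example.com while the target is login.example.net, and the second because it points at a .zip file; the third, where text and target agree, passes. A mismatch is a signal to stop and verify the sender, not proof of malice, which is exactly the pause the training tip asks for.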

Take responsibility for your actions and those of your employees. Have policies and procedures, including a Written Information Security Program (WISP), which addresses risks, training, safeguards and response. Then, follow those policies and procedures and review them regularly with your staff. Keep updated on the most current trends and variations in scams and malicious attacks. If you don't have time (and, why would you?), pay someone (such as an IT professional) to keep you up-to-date.

2. Passwords, passwords, passwords.

Passwords can make all the difference. Strong passwords can prevent unauthorized access and prevent hackers from impersonating you to gain access to others. You must have unique passwords: no one password should be used for more than one account. To keep track of all your passwords, don't keep them on a sticky note next to your computer; rather, use a password manager, an electronic program that saves all your passwords in an encrypted vault and requires only one master password to gain access. Password managers can also generate long, random, multi-character passwords, which are the strongest type of password.

Also, use two-factor authentication if and when possible. For services like Dropbox and Google, this is an absolute must, and it's not difficult to set up. It requires both a password and a physical device to receive a code. If you do online banking, you should be using two-factor authentication.

3. Back up your data - in at least one place!

A backup will save you in the event of a hard drive failure; a stolen or lost laptop (which, by the way, is one of the most frequent causes of a data breach claim); accidental overwriting of data; or a malicious attack. Indeed, it is the best way to handle ransomware. Rather than paying the ransom, which can be extremely time consuming (not to mention costly) and stressful, restore your data from a backup.

Having redundant backups and testing your backups are key elements of a strong backup system. If something goes wrong and you need your backup, you'll be kicking yourself if that backup is corrupt. Moreover, ensure that at least one of your backups is offsite. Using a cloud backup service is one option. Consider also what you are backing up. Are you only backing up files (i.e., a file backup)? Or are you backing up your entire file system (i.e., a disk image)? The latter will allow you to restore everything just the way you left it.
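"Testing your backups" means more than confirming that the backup job ran: every file you rely on should be present in the copy and byte-for-byte identical to the original. The script below is an added example, not part of the article or any backup product. It hashes every file under a source folder and under its backup copy with SHA-256 and reports files that are missing from the backup or differ from the source. The folders and client files it creates are constructed in a temporary directory for the demonstration; point `verify_backup` at your own source and backup paths to run a real check.

```python
"""Verify a backup copy against its source, file by file (added example)."""
import hashlib
import os
import tempfile


def _digest(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _tree_digests(root):
    """Map each relative file path under root to its SHA-256."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = _digest(full)
    return digests


def verify_backup(source, backup):
    """Compare backup to source; return missing, changed and ok counts."""
    src = _tree_digests(source)
    bak = _tree_digests(backup)
    missing = sorted(p for p in src if p not in bak)
    changed = sorted(p for p in src if p in bak and src[p] != bak[p])
    return {"missing": missing, "changed": changed,
            "ok": len(src) - len(missing) - len(changed)}


def demo():
    """Build a constructed source tree and a flawed copy, then verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source")
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(source, "clients"))
        os.makedirs(os.path.join(backup, "clients"))
        files = {                       # constructed sample files
            "clients/smith.txt": b"engagement letter",
            "clients/jones.txt": b"retainer agreement",
            "notes.txt": b"weekly notes",
        }
        for rel, data in files.items():
            with open(os.path.join(source, rel), "wb") as f:
                f.write(data)
        # Simulate a backup that is both incomplete and partly corrupt:
        # jones.txt was never copied, notes.txt was truncated mid-write.
        with open(os.path.join(backup, "clients/smith.txt"), "wb") as f:
            f.write(b"engagement letter")
        with open(os.path.join(backup, "notes.txt"), "wb") as f:
            f.write(b"weekly not")
        return verify_backup(source, backup)


if __name__ == "__main__":
    print(demo())
```

For a disk-image backup the same idea applies after a test restore to spare hardware or a virtual machine: compare the restored tree with the live one. Running a check like this on a schedule, and keeping its report, is what turns "we have backups" into "we know our backups work."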

4. Encrypt sensitive data.

Encryption is becoming more and more mainstream. Your doctor uses it when you sign into their secure client portal to access your records. Your CPA uses it to transfer tax returns via email. You should be using it as well. There are products for every size of firm. Indeed, if you use Microsoft Office or own a Mac, you already have the capability to encrypt files. Both Windows PCs and Macs also offer tools to encrypt your hard drive, a must for anyone carrying around a laptop with sensitive information. Mobile devices should also be encrypted; fortunately, all iPhones and more recent Android models are encrypted by default, as long as you turn on the passcode lock (and make sure the passcode is multi-character, or at least longer than four digits).

Consider replacing email with an encrypted client portal to communicate and share documents with clients and colleagues. While legal-specific software typically provides better safeguards, even Dropbox (which is an encrypted portal) is better than nothing (assuming you are using strong passwords and using two-factor authentication).

5. Keep your software updated.

When your computer, tablet or mobile device signals you that a software update or security patch is available, just do it! These updates and patches are for the purpose of protecting your technology and data. Further, when your software stops being supported by the developer and no more upgrades are available, then it's time to move to other software or systems.

Heidi S. Alexander, Esq. is the director of Practice Management Services for Lawyers Concerned for Lawyers, where she advises lawyers on practice management matters, provides guidance in implementing new law office technologies, and helps lawyers develop healthy and sustainable practices. She frequently makes presentations to the legal community and contributes to publications on law practice management and technology. She is the author of the ABA Law Practice Division's Evernote as a Law Practice Tool, and serves on the ABA's TECHSHOW Planning Board. Heidi previously practiced at a small firm and owned a technology consulting business. She also clerked for a justice on the highest court of New Jersey and served as the editor-in-chief of the Rutgers Law Review. She is a native Minnesotan, former collegiate ice hockey goaltender for the Amherst College Women's Ice Hockey Team, and mother of three young children.