ALM Properties, Inc.
Page printed from: Corporate Counsel
Select 'Print' in your browser menu to print this document.
4 Threats to Confidential Data on Mobile Devices
Law Technology News
Paul is a brilliant, tech-savvy junior partner nearing the end of his 12-hour day. He responds to dozens of emails from a midtown cab, finalizes a settlement agreement at the corner Starbucks, and researches case law on a the firm's largest-ever M&A deal on the train ride home, moving effortlessly from iPhone to tablet to laptop. As he arrives at his stop, his phone rings.
"What is the value of the Jefferson-Stokes acquisition?" the caller asks.
Paul stares down the crowded aisle as the train pulls to a stop.
"Who is this?"
"You're the partner handling this very confidential matter," the man replies, "Six million?"
"Wait a minute "
"I'll call you at home tonight. Enjoy your latte." Click.
Never before have law firms been at a greater risk of exposing confidential information than with today's mobile devices. Faster than you can say iPhone 5, firms are suddenly supporting hundreds or thousands of mobile devices up to two and three each for lawyers like Paul. It's as if our secured network walls are being stormed by an army of wireless device owners demanding access to everything inside. Technology leaders must be ready for this fight or they risk losing everything.
Mobile device security issues fall into four key categories. One is an accident; the others are criminal.
The most common mobility battle is the accidental loss of a device. If you're lucky, the user will know right where he or she left the device: the seat back pocket of the airplane, the cab, the hotel room. More often, they'll have no idea. Whatever your fortune, you must impress upon users to report losses immediately so you can make an attempt to quickly locate the device then remotely wipe its data. Sounds easy enough, but for each minute that passes, the risk grows. While the ultimate risk here is much less than those described below, the loss of a device occurs far more often.
The other three battles involve criminals often enterprises who are after your data. Your security arsenal must be able to combat each of these threats: extortion, espionage, and sabotage.
2. GIVE US YOUR MONEY!
A writer once asked a literary agent, "What kind of writing pays the most?" Her answer was simple: "Ransom notes." That's sort of what's happening in the cybercrime world sensitive data in the wrong hands is used to extort money.
Confidential attorney-client data is a prime target because it can include anything documents, emails, voicemails, text messages. Cyberthieves don't have to find that "one critical document" because of the compliance and ethical responsibility factors for all attorney-client communication. Privileged information, stolen or otherwise recovered by outsiders, can result in losing a client, being sued for negligence, incurring court sanctions even facing disbarment if an attorney didn't take reasonable precautions to protect data.
3. GIVE US YOUR DATA!
All the data in your firm might have a "confidential value," but some of it also has a business value. While Paul's new friend was more interested in extortion, others may just want the information. "Data has become the hacker's currency," says Security Week. "More data, more money." From competitive information to client lists to secret formulas there's often someone who wants to steal your secrets.
How can someone obtain that data? By breaking into your mobile device through a Wi-Fi connection; by having malware on your device steal a password into your corporate network; by stealing the device and accessing the data on it or the data accessible with automatic logins to your firm's systems.
4. FIRM, INTERRUPTED
The final cyberbattlefield is where someone, somewhere, for some reason wants to sabotage your systems. We hear about Denial of Service attacks where your network or website is hit with millions of simulated requests that takes the automation out of your systems.
Who would do this? And why? Was it something we said? We used to ask these questions about computer viruses. It probably started with juvenile whiz kids in the basement. Today, however, we're fighting huge, multi-national operations with HR and marketing departments, and thousands of well-paid employees. So while these attacks may appear to be random, they may be targeting your law firm even a specific case you're handling.
But we have a firewall, so how do the wrong hands get on the data? Unsecured public Wi-Fi spots found in coffee houses, restaurants, bars, bookstores, and shopping malls to name a few. Try enabling Wi-Fi on your phone and walking along a busy downtown street. Dozens of networks will create an electronic web that connects you automatically. Like the public Wi-Fi spot Paul passed somewhere between the coffee shop and the train.
That cool, new app you just downloaded might contain key-logging malware, enabling hackers to steal your passwords used to access the firm network. Or that new smartphone you had "jail-broken" to free you from the limits of your cellular carrier may have just opened up access for everyone else. You may have done a "jail-break," but you also unlocked every door at the prison. Finally, don't make the mistake of thinking the security controls on your traditional corporate network will keep your mobile devices secure. Those controls can't help you when an iPad full of emails and documents has just been nabbed outside baggage claim.
If lawyers insist that firm data must reside on a device anywhere IT must build a comprehensive management structure to minimize risk. (Note that I didn't say eliminate risk, because you can't.)
Here's the more important tasks to get you started:
Steve Fletcher is CIO of Parker Poe, based in Charlotte, N.C. He serves on LTN's advisory board. Email: firstname.lastname@example.org.
This article originally appeared in Law Technology News.