The risks associated with hacking and other cyber threats are well-publicized and are rightly understood to be a serious concern for law firms. Although many law firms are exercising increased vigilance in response to such threats, the greater threat to law firm security may be closer to home. Indeed, there is a far less sophisticated but equally dangerous risk posed by an attorney simply losing her or his cell phone or laptop.
This risk has been exacerbated by the fact that devices now can essentially act as portals into all of the law firm’s confidential files. One lost device could risk the loss of enormous amounts of client information. Moreover, attorneys may carry multiple devices with such access, including a cell phone, laptop, or a tablet, and such devices are easy to misplace, especially when traveling.
The good news is that, while this risk is common, it can also be one of the easiest to address. Many law firms may feel that the solution is to throw money at the problem by hiring consultants, who then sell the firm on complicated and expensive systems. However, such technology does not always isolate the risk, especially when individuals fail to use the technology properly.
While consultants and other professionals can certainly assist firms and may be critical to ensure that the firm has the proper technology in place, as a general matter, law practices can consider taking the following steps to ensure that the risks posed by the most common threats are addressed.
In most circumstances, all devices with access to law firm data should be password-protected. A system providing for two-step authentication to access the law firm network can provide additional protection.
Indeed, even something as simple as an unlisted phone number in the wrong hands (especially in domestic relations or criminal defense practices) can be a breach of the duty to maintain confidences and secrets and can result in serious consequences for both the attorney and the client.
In practice, a requirement that devices be password-protected has two implications. First, every device with access to law firm data should have the capability to securely provide password protections. The cost of upgrading existing equipment pales in comparison to the potential risks if confidential information is accessed through an unprotected device.
Second, as referenced, the password requirement should be for every device, from phones to computers to tablets. With the constant advent of new devices, law firms should be careful to assess whether the device can be sufficiently protected before allowing attorneys to use the device to access firm data.
Consider Location and Remote-Erase Options
Devices now commonly include a feature that allows users to locate the device if lost or stolen and, if necessary, remotely erase all content on the device. This feature may require just a few minutes to activate. Although such features are not required to meet the standard of care, they can be helpful in minimizing the risks to the firm posed by lost devices.
Consider Protocols for Thumb Drives and Portable Storage Devices
Attorneys also regularly use other technology to store and transport confidential client information, including thumb drives, external hard drives, and other devices. These devices are perhaps even easier to lose given their size.
While enforcing a password or passcode requirement for portable electronic devices is possible, policing password or passcode requirements for portable storage devices can be difficult in practice. Firms can employ practices, however, that require law firm personnel to establish security measures when downloading information to the drive. After that, it may be too late.
Consider the Risks of Wi-Fi
Attorneys working remotely require an internet connection. When on the road, the internet connection may come from a publicly accessible wireless network in a coffee shop, hotel, or airport. Even a home wireless network may be freely accessible by neighbors unless steps are taken to secure the network.
Without adequate protections, data transferred over public networks can be accessed by third parties. The biggest threat for attorneys using free Wi-Fi is the ability of someone else to hijack a signal, positioning the third party between the attorney and the connection point. Instead of talking directly with the hot spot, the attorney is sending information to the third party.
In such an event, the intercepting person could have access to every piece of information that an attorney sends out on the Internet, including client information, important emails, credit card information, and even security credentials to the law firm’s computer network.
Once someone else has all of that information, they have the potential to access the law firm’s systems at any time. There is also the risk of computer vandalism through malware aimed at disrupting and/or damaging an attorney’s computer systems.
While law firms may be tempted to prohibit the use of unsecured Wi-Fi hotspots, such a drastic step may be unnecessarily draconian and could limit the ability of attorneys to work while traveling. Instead, an effective step for many is to mitigate the risks posed by such networks by using software that ensures that all data transmitted over a public network is encrypted.
Another step many law firms require for remote access is to use a VPN (virtual private network) for communicating confidential information. Assuming the law practice’s network is encrypted, the VPN effectively imports the encryption into all communications. In effect, a VPN, even when used over a public network, operates as if the attorney is in the office using the office computer. Security protocols at the office are then imported wherever the attorney may be accessing law firm information.
Although these steps may require some initial investment by the law firm, they ultimately benefit the firm in allowing attorneys the convenience of accessing client information from anywhere while ensuring that such information does not get into the wrong hands.
Randy Evans is a partner and Shari Klevens is a partner and deputy general counsel at Dentons, which has six offices throughout California. The authors represent attorneys and law firms and regularly speak and write on issues regarding the practice of law, including “The Lawyer’s Handbook: Ethics Compliance and Claim Avoidance” (ALM 2013) and “California Legal Malpractice Law” (ALM 2014).