With 18 chapters and 170 pages of core materials and another 126 pages of appendices, “Locked Down: Information Security for Lawyers,” by Sharon Nelson, David Ries and John W. Simek should be required reading for any managing partner, risk partner, technology committee chair or interested attorney in a law firm. I don’t say that lightly. In a day and age of a seemingly laissez-faire attitude toward information security and privacy, the authors provide ample evidence as to why this topic should be taken seriously by every lawyer as well as every law firm employee.
Whether you are interfacing with your internal technology security staff, have to hire external security experts, or simply are “doing it yourself,” “Locked Down” has something for you. Nelson and Simek are president and vice president of Sensei Enterprises Inc., a digital forensics and security firm. Ries, a partner in Thorp Reed & Armstrong, chairs the firm’s e-discovery and records management group.
The book has a good balance of overview and detail. Some of the more specific details will be out of date in short order, but the core concepts will remain valid for some time to come. I particularly like the fact that the authors take a comprehensive look at information security, addressing the physical, procedural, ethical, technical and cultural aspects of the topic. Many such sources dig into the electronics but bypass physical security, or fail to address the telephone system or the disposal of assets. I feel strongly about the issues of culture and attitude, and, as such, I would have recommended an entire chapter devoted to social engineering attacks.
The authors introduce information security with the warning that “one of the greatest difficulties of information security is that it is a moving target.” They stress “eternal vigilance,” which is excellent advice. I’ve written about this before and the dangerous attitude some administrative people develop that once you’ve “addressed” security, you’re done. Security is not a Ronco Rotisserie where you can “set it and forget it.”
In the first chapter, “Data Breach Nightmares and How to Prevent Them,” the authors set the tone for why security is important. If you weren’t a true believer at the beginning, I sincerely hope you will be by the end of the chapter. As passwords are one of the most basic elements of electronic security, and often the most abused, it’s worth noting the Georgia Institute of Technology report that the authors cite. Many lawyers equate password strength with inconvenience. Despite the inconvenience, the authors recommend 12-character passwords. They also provide tips on how to remember and maintain those passwords.
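To show why the length recommendation matters, here is an added worked example that is not from the book or this review. It models the usual brute-force view of password strength: the attacker must search every string of the same length over the alphabet the password draws from. The guess rate of 1e11 guesses per second is an assumption chosen as a round figure for a GPU rig attacking a fast, unsalted hash; it is not a number taken from the book or the Georgia Tech report.

```python
import math
import string

# Character classes a password can draw from. The alphabet size is the sum
# of the classes actually present, which is the standard brute-force model.
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 printable symbols
)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must search to cover this password."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no printable ASCII characters")
    return size


def keyspace_bits(password: str) -> float:
    """Bits of work for exhaustive search over strings of the same shape."""
    return len(password) * math.log2(alphabet_size(password))


def exhaustive_search_seconds(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every string of `length` symbols over `alphabet`."""
    return alphabet ** length / guesses_per_second


def crack_time_table(alphabet: int, lengths, guesses_per_second: float) -> dict:
    """Map each length to worst-case years of search at the given guess rate."""
    return {
        n: exhaustive_search_seconds(alphabet, n, guesses_per_second) / SECONDS_PER_YEAR
        for n in lengths
    }


if __name__ == "__main__":
    # ASSUMPTION: 1e11 guesses/s; a round figure, not one from the book.
    rate = 1e11
    for n, years in crack_time_table(62, (8, 10, 12), rate).items():
        print(f"{n:2d} chars, 62-symbol alphabet: {years:12.4f} years")
    for pw in ("trombone", "Tr0mb0ne", "Tr0mb0ne!Sun"):
        print(f"{pw!r:16} {keyspace_bits(pw):5.1f} bits")
```

At that rate an 8-character mixed-case alphanumeric password is exhausted in under an hour, while 12 characters pushes the worst case past a thousand years. The caveat is that the model assumes the characters are random: a dictionary word with a capital and a digit swapped in (“Tr0mb0ne”) is found by a wordlist attack long before exhaustive search, so the length rule only helps when combined with the authors’ advice on choosing and managing passwords.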
The next area addressed by the authors is the ABA’s Model Rules of Professional Conduct, which should be familiar to all attorneys. The next three chapters cover aspects of physical security, standards, people, policies, procedures, hardware and software.
Email security and encryption, and modern-day smartphones and tablets, are the next two subjects discussed. Given the number of client communications and documents that travel through the ether of electronic mail, it’s not surprising that the authors have devoted a whole chapter to email. Of course, with the rapid rise of smartphones and tablets and the impact of consumerization on the enterprise, knowing how to manage and secure these devices is critical.
Telephones, thumb drives, wired and wireless networks, and remote access are the next areas the authors cover. Diskettes, writable CDs and DVDs are all passé. As “big data” grows bigger, and data moves to the cloud, peripheral storage has been dropped from many modern computers. Transportation (covert and otherwise) of massive amounts of data is still very possible via simple thumb drives. (I recently purchased a new 32 gigabyte thumb drive that is smaller than its USB connector.)
Many businesses and even government agencies don’t equate backup or business continuity with security. Little thought is given to how to dispose of electronic assets (PCs, laptops, copiers and more), whether selling them or returning them to the leasing company. The authors address both these points. It is all the more shameful, then, when you read about lost tapes and drives full of unencrypted data. While tape may be passé, encrypting your backup is not.
The subjects of outsourcing and cloud computing could be books unto themselves. The authors devote one small chapter to both subjects, the bulk of which is focused on the cloud. This is a missed opportunity to discuss tactical and strategic personnel outsourcing. While larger firms have their own dedicated staff, from CIOs to security officers, smaller firms can benefit from outsourcing these areas to professionals whom they otherwise would not be able to afford to hire internally. The basics and the ethics of cloud computing are discussed briefly, but you’ll need more information to make well-informed cloud security choices.
Few attorneys like to take extra steps in any process, and, as the authors note, that includes securing documents. Understanding how to secure your Word document, when and how to use PDFs, what metadata travels with a file and how your document management system handles it are all things every lawyer should be aware of.
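To make the metadata point concrete, here is an added example that is not from the book or this review. A .docx file is a zip package, and the author, last editor, revision count and timestamps sit in plain XML in docProps/core.xml. The code reads those core properties and writes a copy of the package with the identifying ones removed. The sample document is constructed inline with made-up names and dates and contains only the parts the example needs, so it is not something Word would open.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in an Office Open XML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "dcmitype": "http://purl.org/dc/dcmitype/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

CORE_PART = "docProps/core.xml"

# Core properties that identify people or expose drafting history.
SENSITIVE = {"creator", "lastModifiedBy", "revision", "created", "modified",
             "lastPrinted", "title", "subject", "description", "keywords", "category"}


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def core_properties(docx_bytes: bytes) -> dict:
    """Return the core properties of a .docx package as {name: value}."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read(CORE_PART))
    return {_local(el.tag): (el.text or "") for el in root}


def strip_core_properties(docx_bytes: bytes) -> bytes:
    """Copy the package with sensitive core properties removed; other parts are untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        root = ET.fromstring(src.read(CORE_PART))
        for el in list(root):
            if _local(el.tag) in SENSITIVE:
                root.remove(el)
        cleaned = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
        for info in src.infolist():
            data = cleaned if info.filename == CORE_PART else src.read(info.filename)
            dst.writestr(info.filename, data)
    return out.getvalue()


def part_names(docx_bytes: bytes) -> list:
    """List the parts in the package, to confirm nothing but core.xml changed."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.namelist()


def build_sample_docx() -> bytes:
    """Constructed minimal package with a populated core.xml (sample data only)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s" '
        'xmlns:dcmitype="%(dcmitype)s" xmlns:xsi="%(xsi)s">'
        '<dc:title>Draft settlement terms</dc:title>'
        '<dc:creator>Jane Associate</dc:creator>'
        '<cp:lastModifiedBy>Reviewing Partner</cp:lastModifiedBy>'
        '<cp:revision>17</cp:revision>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2012-01-09T14:02:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2012-02-21T09:41:00Z</dcterms:modified>'
        '</cp:coreProperties>'
    ) % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr(CORE_PART, core)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", core_properties(doc))
    print("after: ", core_properties(strip_core_properties(doc)))
```

Treat this as a check rather than a scrubber: core.xml is only one place metadata lives. docProps/app.xml carries the company name and total editing time, comments and tracked changes are parts of their own, and embedded images keep their own metadata, so the firm’s metadata-removal tool or Word’s Document Inspector still has to run before a file leaves the building. Converting to PDF does not settle the matter either, since a PDF has its own document information fields that need the same review.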
No discussion of security would be complete without a discussion of insurance and the costs and coverages available. The authors address it in Chapter 17, “Cyberinsurance.” I like the way the authors start out by trying to disabuse the reader of “it can’t happen here.” It can and it will. Or, worse yet, it already has and you don’t know about it.
The last chapter contains a healthy list of additional resources, but I didn’t see such sources as the International Legal Technology Standards Organization, the Carlson & Wolf LLC security blog and the International Legal Technology Association’s fairly new LegalSEC initiative.
Regardless of your firm’s size, do yourself a favor and pick up a copy. If you’re in a larger firm, pick up several copies and pass the book to other attorneys in the firm. General counsel may also want to pick up a copy and quiz their outside counsel on its contents.