Go to the gym more: check. Finish writing the novel that’s stashed in the old desk drawer: check. Spend more time on what’s really important in life: check. These are all great and oft-repeated refrains this time of year. How about a tech resolution for the New Year? Here’s an easy one that all lawyers should be embracing but few of us are: Do something about those tired, old and insecure passwords, and give some real thought to technological vulnerabilities.
Despite the warnings and the headlines, 2012 was clearly not the year that firms finally got serious about securing networks and protecting sensitive client data. When 2012 began, most firms were aware of abstract warnings from law enforcement and vague (and mostly underreported) incidents of firms being targeted. By the end of the year, reports of firms being hacked were becoming more commonplace.
As 2013 beckons with promise and lawyers look forward to a productive and prosperous year ahead, now is an ideal time to examine changes to improve security. Here in no particular order are some things that all lawyers should do.
1. Plan for the worst. Even some of the best managed and most secure organizations get hacked, so no lawyer should be surprised when his firm is targeted. Now is the time to think about what a data breach would look like and develop a response plan.
Lawyers need to understand that not only are their networks vulnerable to traditional hacking via the computer network, but data thieves also use social engineering to trick victims into voluntarily turning over sensitive financial information. The firm must educate attorneys and staff about the need to be inherently distrustful of email communications, particularly when they involve revealing sensitive information.
2. Know where information is located. It’s hard to know what data intruders have taken without having a good grasp on where that data is to start with. Is there a reason the firm’s most sensitive financial information is on a network for all to see?
Like it or not, lawyers and clients live in a multi-device world and juggle multiple personal electronic devices. These tech tools are great for productivity, but firm management must set some ground rules regarding the kind of data users may store on these devices. Also, IT should make sure that they are password-protected and can be wiped remotely in the event that one is lost or stolen.
3. Understand the cloud. Before lawyers decide to use a cloud-based service for data storage, they need to understand the provider’s obligations to protect data. How quickly will the firm receive an alert if a data breach occurs? Who will be in charge of the investigation?
4. Stay informed. Firm security finally may have come into clearer focus in 2012 as a basic and essential cost of doing business. So, too, did broader security trends with which businesses of all kinds are wrestling. The march of Big Data continues to gain ground, as companies manage increasingly large amounts of data from a growing range of sources.
5. Don’t get too comfortable. The experience of former CIA director Gen. David Petraeus serves as just another reminder: Even people who should know better are capable of career-ending errors in judgment and using email for sensitive communications. Not to condone the general’s behavior at the root of this case, but the rule of thumb for email communication has been the same for a long time: Don’t push “send” on any communication that would be embarrassing if the local newspaper spread it across a banner headline. Want to really shake things up in today’s digital era where both basic and sensitive communications leave a digital trail? Pick up the phone.
Looking forward to 2013, attorneys should expect to see more headlines about high-profile data breaches. But they need to keep in mind that many, many more incidents will occur that will never get reported.
The bring-your-own-device phenomenon will only increase, as lawyers, staff and clients use personal electronic devices like tablets, smartphones and notebook computers to do business, increasing the opportunity to lose sensitive data and client communications.
While social media is no longer new and clearly is here to stay, it will continue its rapid evolution, presenting challenges for those who have adapted voluntarily as well as the remainder of lawyers who have been dragged into the fray. Look for more attorneys to learn — the hard way — about how social media creates an even more porous data security perimeter, complicates e-discovery and intersects with ethical duties to protect client confidentiality.
My hope for 2013 is that the legal profession has reached a tipping point in which lawyers will begin to think that they should (nay, must) become more involved in securing the perimeters of their digital environment. After all, the experience of 2012 shows that the threat to firms and lawyers is, in fact, real. By preparing for the worst, the savvy firm perhaps can minimize the damage when the inevitable does happen. That would make 2013 a year of good luck, not bad.