Data Security Is Your Responsibility Even if You Don’t Understand How it Works
In April 2016, hundreds of media outlets published articles revealing the use of offshore corporations by public figures around the world. The reports derived from an anonymous source that acquired data from Panamanian law firm Mossack Fonseca. They exposed sensitive and confidential client information to the public. Already, this breach has affected senior government leaders, celebrities and family members of prominent citizens. Shortly after the start of coverage of the Panama Papers, as they would come to be known, the Prime Minister of Iceland was forced to resign. Soon enough, civil liability and criminal responsibility will likely follow for at least some of Mossack Fonseca’s clients. Perhaps the bigger worry for the firm, however, should be the professional consequences.
Maintaining client confidences is a bedrock ethical obligation of attorneys in every jurisdiction. So, too, is competence. In today’s world, both of those obligations extend to the use of technology by attorneys and law firms. Modern law practice cannot be conducted without the benefit of basic computer technologies like file storage and email. When using these technologies, however, lawyers and law firms can no longer rely solely on the physical security of offices and carrier networks to protect client confidences: The eras of the post and the telephone have ended. This has serious ethical implications for every attorney and law firm, regardless of size. Yet for lawyers who work as solo practitioners or in small firms, information security is often an afterthought. It shouldn’t be.
Except in certain narrow specialties like patent law, most lawyers do not have technical backgrounds. When it comes to discharging ethical obligations, however, the Rules of Professional Responsibility do not distinguish between electrical engineers and those who majored in English Lit: Every lawyer must take reasonable steps to protect the confidentiality, integrity and availability of client information, regardless of how well or how poorly they understand computer or network technologies.
National and international media give the impression that all is lost when it comes to security: that unstoppable nation-state actors and genius-level “black hat” hackers lurk around every corner of the internet. For most practitioners, however, the reality is somewhat less dire. Solo practitioners and small firms usually face fewer and less-sophisticated threats than do giant global law firms. But “fewer” isn’t “none.” Rather, it means that the scope and scale of what constitutes “reasonable” information security practices are somewhat different for the average firm than they are for megafirms.
Most real-world breaches occur because of lapses in basic security hygiene. Even with advanced security products available to enormous firms with dedicated IT security staff, these flaws can allow an attacker to penetrate and move through a network, stealing or destroying sensitive data along the way. Fortunately, lawyers don’t have to be technical experts to provide appropriate protections for most client information.
This article provides basic advice to help solo practitioners and smaller firms meet their ethical data protection obligations. It uses an absolute minimum of technical jargon, providing concrete instructions that apply to common software and hardware.
Have a written security policy that you review twice a year
Even for a solo practitioner, it's important to actively think about securing client and firm information. Doing so regularly also provides evidence of diligence, should any ethical question arise. The best way to ensure you do this is to create a formal process to periodically assess your use of technology and the threats your practice could face as a result. This doesn't have to be burdensome or time-consuming! Re-checking that you're routinely following the advice in this article is a decent start. But this is also an opportunity to review any changes in how you use technology. If you bought a new laptop, signed up for a new cloud service, took on a new practice area, or had an employee leave (and their accounts need closing), you may need to make changes in your security posture to ensure that you're still protecting your clients' confidences appropriately.
Set this review as a recurring event on your calendar, and attach the policy to the calendar item. That way, you won't have any excuse for putting off this critical first step in securing your practice.
Use separate devices for work and personal purposes
This should go without saying, but having separate PCs for home and work life is a major security requirement. Clients can consent to your use of specific communications means, like the telephone or email, but their consent is only valid if it is informed. Imagine you just hired a lawyer. Would you agree to communicate with her via email, if you knew that her teenage son occasionally accesses websites with less-than-perfect security histories using your lawyer’s dual-use laptop? Probably not. Even for lawyers, home-use computers often access everything from bootlegged sports streams to online gambling and pornography sites, all of which are common attack vectors for hackers looking to access protected information. Moreover, allowing a family member to use a computer that contains work files or email could risk destroying attorney-client privilege and exposing sensitive client communications to discovery.
For mobile devices, this is a tougher point. Most lawyers do not want to carry two smartphones and shuffle back and forth between them for work and personal uses. Some larger firms insist on this practice, however, for the same reasons discussed above. If you choose to use one device for personal and business purposes, at least lock it with a passcode of at least 10 characters, set it to lock automatically after a minute or two of inactivity, turn on the remote locate-and-wipe feature your platform provides (Apple's Find My, Google's Find My Device) so a lost phone can be erased, and do not share the device with members of your family or others.
Set strong, unique passwords for every device and service, and store them in a password manager
Competently using any computer, network or online service almost always involves securing it with a password. Using strong, unique passwords is the most basic security measure, but it's often dismissed as too burdensome or time-consuming. As a result, an enormous body of rules has grown up that makes "good" passwords difficult for computers to guess but impossible for humans to remember. This leads users to write passwords on easily stolen notepads, or to reuse one password everywhere, so that a breach at one website unlocks every other account. Many users instead let a web browser like Chrome, Internet Explorer or Firefox remember their passwords. A browser's password store is unlocked whenever you are logged in to the PC, so malicious software running as you, or anyone who sits down at your unlocked machine, can read every saved password. Unless the store is protected by the operating system's keychain, as Safari's is on a Mac, do not rely on the browser to save passwords for you. Fortunately, there are tools available at low or no cost that make setting and managing strong passwords much easier.
Start by getting a secure password manager. Password managers store all your passwords in an encrypted vault, sync them across devices, fill them in automatically on websites and in mobile apps, and generate strong passwords to begin with. Apple devices have one built in, which is why it's OK to create and save passwords in Safari. This password manager, called iCloud Keychain, is well designed and can use your fingerprint to fill in passwords on some mobile devices. If you use Windows or Android devices, however, or a mix of Apple and other devices, a third-party solution like 1Password, LastPass or KeePass may be a better option. Each encrypts its vault with a key derived from your master passphrase and integrates with your workflow in browsers and on mobile devices. (KeePass keeps its vault in a local file, so you arrange syncing yourself.) Once you set up a password manager, you'll find it's a huge time-saver! After installing the manager of your choice, let the app generate long, random passwords for you, and don't bother trying to remember them. Unique matters as much as strong: when one site is breached, attackers try the leaked passwords at every other site.
To secure the password manager itself, create a long but memorable passphrase. This phrase should consist of five or six words chosen at random from a large word list, not a quotation, song lyric or sentence you made up, because those are exactly what password-guessing tools try first. Better password managers can generate such a phrase for you. Once you get used to it, typing this phrase each morning and afternoon will become second nature.
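The strength of a random-word passphrase comes from two numbers only: the size of the word list and the number of words drawn. The following is an added example, not code from the article or from any password manager; it draws words with Python's `secrets` module (a cryptographic random source, unlike the `random` module) and computes the resulting guessing entropy. The short word list is constructed for the demonstration; the 7,776-word count used in the strength check is the size of a standard diceware-style list.

```python
import math
import secrets

# Constructed sample list for the demonstration only. A real list such as a
# diceware list has 7,776 words; this one is far too small to use for real.
SAMPLE_WORDS = [
    "acorn", "basket", "candle", "dolphin", "ember", "falcon", "garnet",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pebble", "quartz", "ripple", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]


def passphrase(words, count=6, sep=" "):
    """Draw `count` words uniformly at random using the OS CSPRNG.

    secrets.choice is used rather than random.choice: the `random` module is
    a predictable generator and must never be used for secrets.
    """
    if count < 1 or len(words) < 2:
        raise ValueError("need at least one word to draw and two to choose from")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Guessing entropy of `count` independent draws from `list_size` words:
    log2(list_size ** count). Each word adds log2(list_size) bits."""
    return count * math.log2(list_size)


def is_strong_enough(list_size, count, minimum_bits=75):
    """Treat roughly 75 bits as the floor for a master passphrase that
    protects a whole vault (assumption used here, not a universal rule)."""
    return entropy_bits(list_size, count) >= minimum_bits


if __name__ == "__main__":
    print("sample phrase:", passphrase(SAMPLE_WORDS))
    for n in (4, 5, 6):
        bits = entropy_bits(7776, n)
        print(f"{n} words from a 7,776-word list: {bits:.1f} bits,",
              "strong enough" if is_strong_enough(7776, n) else "too weak")
```

The numbers show why the article says five or six words: each word from a 7,776-word list contributes about 12.9 bits, so six words give roughly 77 bits, while six words from the 25-word sample above give under 28 bits and would fall to an offline attack in seconds.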
In addition to strong passwords, many online services now support "two-factor authentication." Activating this feature lets you install an authenticator app on your smartphone that generates a new six-digit, one-time code every 30 seconds from a secret the app shares with the service. You'll enter the current code, in addition to your password, each time you log in to an enabled service, so a stolen password alone is no longer enough to get in. This increases security dramatically, for zero cost and minimal effort. Codes sent by text message are better than nothing, but prefer the app or a hardware security key where a service offers them, because phone numbers can be hijacked. When you turn the feature on, save the backup codes the service gives you in your password manager. If a service supports two-factor authentication, turn it on!
Automatically update operating systems and apps
Every modern operating system, app store and productivity software suite has an automatic-update feature. These features help to patch security vulnerabilities as they are discovered by researchers and software engineers. This helps to prevent attackers from exploiting newly discovered vulnerabilities as software ages. Find this feature on every device and piece of software, and turn it on immediately. If your OS or office software is old enough that it no longer receives routine updates, it’s time to upgrade.
Enable full-disk encryption on every PC and mobile device
Both Windows and macOS come with built-in tools for full-disk encryption: BitLocker and FileVault, respectively. (BitLocker requires a Pro or Enterprise edition of Windows; Home editions offer a more limited "device encryption" on some hardware.) These tools protect data stored on the computer's drive in case it's lost or stolen; without them, anyone who removes the drive can read every file, whatever your login password is. Turning on this feature should be the first thing a lawyer does after buying a new computer. Omitting this step is tantamount to leaving sensitive client files in an unlocked briefcase at a local bar: It's guaranteed to get you in trouble, eventually.
The initial encryption process may take some time if a machine is older or already contains a large number of files, so consider doing it over a weekend. When you enable encryption, the operating system will offer a "Recovery Key." This should be printed out or carefully written down, sealed in an envelope, and placed in a safe deposit box at your bank; never store it on the encrypted computer itself. The key can be used to decrypt your data should you ever forget your password, which also means anyone who holds it can do the same.
For mobile devices, the process can be more or less complicated, depending on your choice of ecosystem. Apple's iPhones and iPads encrypt everything by default, once you set a passcode. (You used a long one, right?) Recent Android versions also encrypt user data by default, but older devices and some vendors vary: the encryption setting, and whether it covers the whole device or only user data, differs from model to model. Fortunately, best-practices documents for Android device security are available with a quick web search. Find a current one for each device, and follow it meticulously.
Secure your WiFi
This section uses a few tech-y terms, but don’t worry: You don’t need a deep understanding of WiFi protocols to improve the security of your wireless network. You just need to follow these instructions.
Every modern WiFi router includes several security features that you should enable. Start by changing the login password for the router's administration web page. This prevents someone from altering your security settings without your knowledge or permission. If the router offers "remote management" or administration from the internet, turn it off, so that page is reachable only from inside your office. Next, turn on any firewall features that your router may have. This can prevent attackers on the internet from reaching computers on your network. Also install the router's firmware updates when they are offered; an unpatched router is as exposed as an unpatched PC.
Finally, encrypt your WiFi signals. Routers typically offer WEP, WPA and WPA2; newer ones also offer WPA3. Use WPA3 if it is available and WPA2 otherwise. WEP and the original WPA are broken and no longer considered secure. Choose "Pre-Shared Key," "PSK" or "Personal" for the WPA2 mode, and set the encryption type to "AES" (sometimes labeled "CCMP"), not "TKIP." While you are in these settings, disable "WPS" or "WiFi Protected Setup," the push-button pairing feature, whose PIN mode can be brute-forced from outside your office.
When choosing an encryption key or “WiFi Password,” longer is better. Use a 30-40 character password, and store it in your password manager. On newer PCs and almost all Macs, this shouldn’t be too burdensome: Windows 10 and all Apple devices support syncing WiFi passwords across devices, so you may only have to enter it once for each user. Even if you have to enter the password many times, though, the added security it provides is well worth the hassle.
Most importantly, NEVER share your staff WiFi password or a wired network connection with anyone who is not employed by your firm. Many routers offer a "Guest Network" feature. If you give visitors WiFi at all, they go on the guest network and nowhere else, and only with the router's "client isolation" (sometimes "AP isolation") setting turned on, so guest devices cannot reach your staff network or each other. Consumer routers have shipped with isolation bugs, so the safest choice is to offer no visitor WiFi. That litigant who just used your WiFi during settlement negotiations? If he was on your staff network, he might have been reading your client file the entire time.
Finally, repeat this process for your home WiFi network and any mobile hotspots you use. Having even one network operating “in the clear” is a serious threat to data security if your devices routinely connect to it.
Restrict file sharing to firm employees with a clear business need to access client information
Shared network drives and cloud services like Google Drive, iCloud Drive and Dropbox can be huge time savers. If you use features or services like these, however, it's important to actively monitor and manage who has access to which files. Start by finding the "Permissions" or "Sharing" settings for your drive or service. Learn how the interface works, and review it often; watch in particular for "anyone with the link" sharing, which makes a file readable by whoever obtains the URL. For shared drives on an office network, good policy starts with making sure everyone has their own personal account name and password. These should never be shared, and an account should be disabled the day its owner leaves the firm. Using separate accounts ensures that forensic investigators or law enforcement can trace the evolution of an attack or breach, should one occur. Once you've done this, it's relatively straightforward to specify who can see and/or change specific files and folders.
For especially sensitive files, consider creating separate folders that either aren’t shared at all or are only shared with a smaller number of users. Firms with unusual or high-profile criminal or business matters should seriously consider accessing the most sensitive files only from PCs that are not attached to a network at all (ever). This makes work somewhat more difficult but radically reduces the odds of a data breach.
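Reviewing sharing settings by hand scales poorly once a firm has more than a handful of matters. The following is an added example, not code from the article or from any storage vendor, of the least-privilege check such a review performs: it walks an exported list of shares and flags public links, accounts outside the firm, firm accounts no longer on the staff roster, and staff with access to a matter they are not assigned to. The share list, staff roster, domain name and the "Clients/<Matter>/..." folder convention are all constructed assumptions for the demonstration.

```python
from collections import namedtuple

# One row of a sharing export: which principal can do what to which file.
Share = namedtuple("Share", "path principal role")

# Constructed sample data for the demonstration (assumption, not a real firm).
FIRM_DOMAIN = "firm.example"
STAFF = {                                   # current staff -> assigned matters
    "alice@firm.example": {"matter-smith", "matter-jones"},
    "bob@firm.example": {"matter-jones"},
}
SHARES = [
    Share("Clients/Smith/complaint.docx", "alice@firm.example", "edit"),
    Share("Clients/Smith/complaint.docx", "bob@firm.example", "view"),    # not on Smith
    Share("Clients/Jones/settlement.pdf", "anyone-with-link", "view"),   # public link
    Share("Clients/Jones/settlement.pdf", "carol@gmail.example", "edit"), # outside firm
    Share("Clients/Jones/settlement.pdf", "dave@firm.example", "edit"),   # departed
]

PUBLIC_PRINCIPALS = {"anyone-with-link", "public", "anyone"}


def matter_of(path):
    """Assumed folder convention: Clients/<Matter>/... maps to 'matter-<matter>'.
    Anything outside Clients/ has no matter and is not checked for assignment."""
    parts = path.split("/")
    if len(parts) > 2 and parts[0] == "Clients":
        return "matter-" + parts[1].lower()
    return None


def audit(shares, staff, firm_domain):
    """Return (path, principal, reason) for every share that violates
    least privilege. Public links and outsiders are flagged regardless of
    role; staff are flagged only when they lack an assignment to the matter."""
    findings = []
    for s in shares:
        if s.principal in PUBLIC_PRINCIPALS:
            findings.append((s.path, s.principal, "public-link"))
        elif s.principal not in staff:
            if s.principal.endswith("@" + firm_domain):
                findings.append((s.path, s.principal, "departed-account"))
            else:
                findings.append((s.path, s.principal, "external-account"))
        else:
            matter = matter_of(s.path)
            if matter is not None and matter not in staff[s.principal]:
                findings.append((s.path, s.principal, "no-matter-assignment"))
    return findings


if __name__ == "__main__":
    for path, who, reason in audit(SHARES, STAFF, FIRM_DOMAIN):
        print(f"{reason:22} {who:24} {path}")
```

Run against a real export, the interesting output is usually the "departed-account" and "public-link" rows: both are the kind of access nobody consciously granted and nobody remembers to revoke, which is exactly what a twice-yearly review exists to catch.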
Backup frequently, and keep one backup “offline”
Keeping backups is no longer just about ensuring that data is not lost through fire, flood, theft or carelessness. For the last several years, so-called "ransomware" attacks have had debilitating consequences for businesses everywhere. These attacks encrypt data on a compromised computer system and demand payment, often in hard-to-trace cryptocurrencies like Bitcoin, in exchange for the decryption key. In many cases, victims pay the ransom to retrieve their business-critical data. Modern ransomware also looks for attached backup drives and synced cloud folders and encrypts those too, which is why at least one backup must be kept offline and disconnected. Keeping regular backups can allow you to restore all or most of your data from a time before an attacker embedded ransomware in your system.
Both Mac and Windows operating systems, as well as iOS and Android, come with basic backup features built in. After disk encryption, this should be the next feature that is turned on for every new computer or mobile device. When you begin making regular backups, consider buying two backup drives and swapping them out weekly. This limits the amount of newer data that will be lost if you ever need to restore from a backup. Keeping the drive that is not in use in a safe deposit box, or at least at home, is good insurance against natural disasters, theft and ransomware: a drive that is not plugged in cannot be encrypted by malware. Encrypt your backups, just as for the drives inside your computers. And test a restore a few times a year; a backup you have never restored from is a hope, not a plan.
Cloud-based storage services like Dropbox, Backblaze, Google Drive or Carbonite can give you an added measure of assurance that your files are protected against loss. Be aware of the difference between a sync service (Dropbox, Google Drive), which will faithfully copy a ransomware-encrypted file over the good one and relies on its version history to undo the damage, and a backup service (Backblaze, Carbonite), which is designed to retain earlier versions for a set period. As with any service, think carefully about how you use it and what privilege or confidentiality "gotchas" you might encounter as a result.
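"Test a restore" can be made mechanical: record a cryptographic hash of every file when the backup is made, and later compare the backup (or a restored copy) against that record. The following is an added example, not code from the article or from any backup product, of such a manifest. The `demo` function builds a small constructed file tree in a temporary directory, takes a manifest, then damages the tree the way ransomware would (overwrites one file, deletes another, drops a note) and shows that verification reports exactly those changes.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_manifest(manifest, path):
    # Keep the manifest OUTSIDE the backed-up tree, ideally with the offline copy.
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_backup(root, manifest):
    """Compare the tree at root against a manifest taken at backup time.
    'changed' catches silent corruption and ransomware encryption,
    'missing' catches deletions, 'extra' catches files that were not there."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    extra = sorted(set(current) - set(manifest))
    return {"ok": not (missing or changed), "missing": missing,
            "changed": changed, "extra": extra}


def demo():
    """Constructed sample run; the file names and contents are invented."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        root = tmp / "backup"
        (root / "Clients" / "Smith").mkdir(parents=True)
        (root / "Clients" / "Jones").mkdir(parents=True)
        (root / "Clients" / "Smith" / "complaint.docx").write_bytes(b"draft complaint v3")
        (root / "Clients" / "Jones" / "settlement.pdf").write_bytes(b"%PDF-1.4 settlement")

        manifest = build_manifest(root)
        save_manifest(manifest, tmp / "manifest.json")
        before = verify_backup(root, load_manifest(tmp / "manifest.json"))

        # Simulated ransomware: one file encrypted in place, one deleted, a note left.
        (root / "Clients" / "Smith" / "complaint.docx").write_bytes(b"\x00\xffencrypted\x00")
        (root / "Clients" / "Jones" / "settlement.pdf").unlink()
        (root / "Clients" / "Jones" / "README.ransom").write_bytes(b"pay up")
        after = verify_backup(root, manifest)
        return {"manifest": manifest, "before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("clean backup verified:", result["before"]["ok"])
    print("after tampering:", json.dumps(result["after"], indent=2))
```

The manifest must live with the offline copy, not on the machine being backed up: if ransomware can rewrite the manifest alongside the files, verification proves nothing.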
Install antivirus software, and set it to run automatically
Antivirus software isn't nearly the panacea many believe it to be; signature-based products miss a large share of new or targeted malware. The malware they do catch, however, is the commodity kind that is cheap to buy and easy to use: just the kind of attack solo practitioners and small firms should expect to see. As a result, it would be a serious omission to forgo this protection.
Windows 8 and later include Windows Defender (now called Microsoft Defender Antivirus), a free and well-reviewed antivirus, with the operating system. For Windows 7, Microsoft offered Microsoft Security Essentials as a separate free download, though Windows 7 itself no longer receives security updates and should be retired. Look for whichever is present on your PC, and make sure it is turned on.
Contrary to popular belief, there is malware that targets Mac computers. macOS has some built-in defenses (Gatekeeper and the XProtect malware signatures), but Apple doesn't provide a full antivirus product, so you'll need to buy a commercial one. (Free antivirus products can be good, but many aren't. Telling the difference is often difficult, even for techies, so buying is probably the better option here.)
Better offerings for both platforms include real-time protection in addition to scheduled scans, and automatic scanning of email attachments and web downloads. Apple does offer one setting you should always enable: in System Preferences, under "Security & Privacy," on the "General" tab, set "Allow apps downloaded from" to "App Store" or "App Store and identified developers." This Gatekeeper check refuses to run software that is unsigned or has been tampered with, which helps keep malicious or adulterated software off your system.
Now that you have antivirus software, make sure it’s set to automatically update its virus definition files and scan for infections. A quick scan once a day and an in-depth scan each weekend should be sufficient.
Avoid using software and services that are not business-oriented
This is a broad admonition, but it’s necessary to prevent some very basic security lapses. For example, many small firms and solo practitioners rely on free web-based services such as Gmail or Dropbox. But the free “consumer” versions of those and many other services may not include security features appropriate to the threats faced by a law firm. For example, “business” accounts may include features like encryption, two-factor authentication, permissions management and access logging that help to prevent or detect unauthorized access, and that can avoid creating discovery loopholes due to third-parties holding confidential information. Fortunately, most such services have low-cost professional options for small businesses. Many web services are priced at $10 per user per month. Compared to the monetary and professional costs of a breach, that is a small price to pay.
Communicate with clients securely
Despite decades of effort by some of the brightest security minds, end-to-end security for business and consumer email is still a far-off dream. The connection between your mail program and your provider is usually encrypted, but the hop between providers may or may not be, and the message sits readable on every server it passes through. As a result, lawyers should avoid using email for any sensitive communication with clients where privilege or confidentiality might be important considerations. This does limit the utility of email, but it's a critical point, both from a security perspective and from an ethical perspective.
Fortunately, there are a number of PC, Mac and smartphone apps that feature excellent security. Apple's iMessage, FaceTime and FaceTime Audio are all end-to-end encrypted, as are popular cross-platform messengers like WhatsApp. For the most secure communications, voice and text apps like Signal and Wickr provide free or low-cost, high-security options that are easy to use. (Telegram is popular, but it encrypts end-to-end only in its optional "secret chats," so it is not a substitute.) Most have options for desktop, phone and tablet use. Whatever app you choose, use it consistently and explain to your clients the importance of communicating with you only over secure channels when discussing confidential matters.
Help clients protect themselves and your representation of them
In today's threat environment, information security counseling should be part of every client engagement. Particularly where information leakage related to a representation could jeopardize a client's interests, safety or liberty, attorneys have an obligation to help their clients protect themselves. Here again, having a checklist helps: At the start of each representation, lawyers should help clients take four steps:
- Secure devices used for attorney-client communications with a new long, strong password.
- Install or enable one or more secure communications features or apps for voice, text and files (e.g., iMessage, Signal, Wickr, etc.).
- Change to secure passwords and enable two-factor authentication for any social media, email or other accounts that could be relevant to the representation.
- Reduce or remove access to social media information for all third parties (not just spouses, abusers, counterparties, opposing litigants, etc.).
These steps will help to prevent breaches of confidence or privilege and will reduce attorneys’ risk of ethical and legal exposure. While neither perfect nor complete, they at least provide a starting point for an informed, practical conversation about security.
* * *
For Mossack Fonseca, and hundreds of the firm’s clients, it’s too late. For your firm and your clients, it may not be. None of these steps will keep your firm perfectly safe. Together, however, they will reduce the likelihood of a disruption to your business. More importantly, though, they will also help you avoid potentially damaging consequences for your clients and your reputation.
TREY FORGETY (@cincvolflt) is director of government affairs and regulatory counsel to NENA: The 9-1-1 Association. A frequent speaker on information security issues in the public sector, Forgety recently presented at DefCon 24, the world’s largest underground hacker convention. He holds a bachelor’s degree in applied physics and a law degree, both from the University of Tennessee.