By: Stanley Louissaint
Your law firm is a gold mine of information and everyone knows it. Cybercrime and cyber-espionage are at an all-time high and the threats grow greater each day. As an attorney, you deal with confidential and sensitive information on a daily basis. While having access to such information in the course of everyday business is normal, people sometimes forget that there is an inherent duty to protect that data.
As you already know, there are many different types of law practices, and each field of law deals with its own type of sensitive information. For example, a personal injury attorney has access to data that can be classified as protected health information (PHI) and/or personally identifiable information (PII). Business and corporate lawyers have access to an entirely different set of information, for instance about the mergers, acquisitions or sales of publicly held companies. Yet the common trait among these datasets is that a third party could use them for financial gain. The ability to make money from that information is exactly what makes it a target for outsiders.
I am not telling you anything you don’t already know, but sometimes we are too close to a situation to realize the value of what is in front of us. Yes, there are legal requirements to protect this information, but aside from those, why should you care? Because your clients do. Data breaches, cybercrime and cyber-espionage are all topics that have made their way to the forefront of our lives. They are top of mind even for the smallest of firms, which often ask, “How do we prevent these problems from happening to us?”
Another reason is your firm’s reputation. In the event of a data breach, the public’s perception of your firm will change, and unfortunately not for the better. The reality is that nobody can truly be 100% hacker-proof. It has been said that if an attacker really wants to get into your system, he or she will, and that holds true today because some governments sponsor attackers for their own gain. Even so, that known fact does not absolve you of your obligation to make an attack on your firm and its data as difficult as possible.
So now that you are all shaken up, what are some of the things you can do to curb such problems?
One of the most convenient methods of communication between attorneys and clients is e-mail. It is a staple in our arsenal these days. We can churn out messages and get a response from the other party almost instantaneously. But at the same time it is one of the biggest security holes that exists. E-mail that is considered sensitive should always be encrypted. Encryption scrambles the message so that only the intended recipient, who holds the key, can read it; if the message is intercepted in transit or copied off a mail server, it cannot be deciphered. By default e-mail is not encrypted and should be viewed as a virtual postcard: every mail server and network it passes through can read it. If you wouldn’t want everyone reading what you’ve written, it shouldn’t be sent without encryption.
One of the most common ways to go about this is a system in which you type a pre-defined keyword into the subject line and the mail server encrypts the message when it spots that word. This works well because every device linked to your e-mail account gets the feature without additional software or apps being installed. Its one weakness is that it depends on the sender remembering to add the keyword.
Another method is a firm-wide system that automatically scans every outgoing e-mail for sensitive information, such as Social Security numbers, protected health information covered by HIPAA, credit card numbers and bank account information, and encrypts or holds the message when it finds any. This method can be used in conjunction with the previous one for an added layer of protection.
E-mail accounts are also often tied to mobile devices, and most firms allow users to “bring your own device” (BYOD). In that case your BYOD policy should require a passcode on every mobile device. This is an important step because if someone loses a phone, whoever finds it would have to know the passcode to reach any information on the device, including e-mail; on current phones the passcode is also what unlocks the device’s encrypted storage.
The next thing to evaluate is user authentication. Most of us are used to logging in with a username and password. That is a single factor, something you know, and a good chunk of users do not choose complex passwords. I hear the complaints all the time: “Come on, another password? Do I have to use a special character? Do we have to change passwords every 90 days?” My answer is always “Yes.” Security is an inconvenience, and we cannot lose sight of why we need to be more secure. Two-factor authentication adds a second factor, something you have, and allows for greater protection. Often this is a hardware or software token, or a security code sent to your phone. These produce one-time codes that are used in addition to your username and password to authenticate you to the network, so a stolen password alone is not enough to get in.
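The two e-mail controls described above, the subject-line keyword and the scan of outgoing messages for sensitive content, can be combined into one outbound policy check. The following is an added example, not code from the original article or from any particular e-mail product; the messages are constructed samples, and the regular expressions, the `[Encrypt]` keyword and the `policy_action` function are assumptions chosen for illustration. It goes slightly beyond the text by validating candidate card numbers with the Luhn checksum, which is how a real scanner avoids flagging every 16-digit docket or reference number.

```python
import re

# Constructed sample outgoing messages (no real data).
SAMPLE_MESSAGES = [
    {"to": "client@example.com", "subject": "Settlement docs",
     "body": "Please confirm your SSN 219-09-9999 before we file."},
    {"to": "vendor@example.com", "subject": "Invoice",
     "body": "Card on file: 4111 1111 1111 1111, exp 12/29."},
    {"to": "partner@example.com", "subject": "Lunch",
     "body": "Docket 4111111111111112 is ready; see exhibit 123-45-678."},
]

# Assumed keyword that a sender types into the subject to force encryption.
ENCRYPT_KEYWORD = "[encrypt]"

# SSN pattern: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Return (kind, value) pairs for SSNs and Luhn-valid card numbers."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", digits))
    return findings


def policy_action(msg: dict) -> tuple:
    """Decide what the mail gateway should do with an outgoing message.

    Returns ("encrypt", findings) if the sender used the keyword or the
    scanner found sensitive data, otherwise ("send", []).
    """
    findings = find_sensitive(msg["subject"] + "\n" + msg["body"])
    if ENCRYPT_KEYWORD in msg["subject"].lower():
        return "encrypt", findings
    if findings:
        return "encrypt", findings
    return "send", findings


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        action, found = policy_action(msg)
        print(f"{msg['to']:<22} {action:<8} {[k for k, _ in found]}")
```

In the sample run the first two messages are encrypted because the scanner finds an SSN and a valid card number, while the third is sent in the clear: its 16-digit docket number fails the Luhn check and the exhibit number is not an SSN. A production scanner would add patterns for bank account formats and PHI keywords and would log, rather than print, what it matched.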
Employee education is mandatory. Many attacks are socially engineered to exploit people’s missteps. You have to educate employees and hold them accountable for what they do on the system. At times you have to protect your employees from themselves through access limitations: if certain access is not needed to complete a job function, block it.
Enable system-wide auditing and monitoring so you know what is coming into and going out of your systems. But don’t just enable it; actually review the records. There have been countless situations where things were happening on a company’s network and, because nobody bothered to look at the logs, nobody had any idea.
Backup, backup and backup. Nothing is worse than having your data compromised only to realize that your firm did not have an adequate backup of it. Backups not only have to be made; they have to be tested and verified to be in working order. In the event that data is lost, they are your only way to restore the missing information.
There are many different things that will help in protecting your firm from an outside intruder. Security is a multi-layered approach and a constant effort. There is no solution in a box, nor can you have a set-it-and-forget-it mentality. As cybercriminals change their methods, we have to as well. Your employees are your first line of defense. Keep them educated, informed and trained on the latest threats. If they can identify an abnormality, it can save you time, money and, more importantly, your reputation.
Reprinted with permission from the June 6, 2016 issue of the New Jersey Law Journal. © 2016 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.