[This paper was prepared for the State Bar of Montana’s annual meeting.]
Updated: here is the Prezi presentation I used for this session.
Technology dominates the law practice and requires lawyers to secure their electronic information as well as their paper files. Unauthorized or unintentional access to client information can breach your confidentiality duty as well as invoke other legal obligations, such as those that arise from credit card data protection or privacy laws.
The first place to focus is the physical security of your equipment. Just as you currently safeguard your papers – in locked file cabinets or file rooms, for example, or off-site storage – your technology equipment is the most susceptible to unauthorized access. As the technology we use gets smaller, it becomes easier for a piece of hardware to be picked up and carried out. Be sure that you:
- Keep your law office’s servers (the main computers that store your firm’s documents, e-mail, etc.) in a locked, air conditioned room that is inaccessible in the normal course of business. It should not be a shared space, like a broom closet or a junior associate’s office.
- You may want to attach a security cable to any laptops and desktops in your office so that, if someone has the opportunity to steal them, the cable makes them harder to carry away. Desktops are just as portable as laptops, and both can be secured with a cable costing about $15-$30. Laptop cables should be portable, so that the laptop can be secured anywhere.
- Smartphones, tablets, and other portable devices may carry your client list, calendar, and other information vital both to your practice and to your clients’ cases. These are hard to secure because they need to be accessible – the whole point is for them to be easy to use. Try to create a habit – always put the device in the same place when you carry it, for example – to increase the likelihood that you will notice when it is not there. Carry it in pockets or bags that are unlikely to tip and let the device fall out when you set them on the ground or sit down in a taxi.
- Limit your use of portable storage devices. They can handle huge amounts of data and are extremely easy to use. If you do have portable media, like a small USB flash drive, make sure it is attached to something larger (like a rope lanyard or your wallet) to make it harder to accidentally drop.
Keep it Secret
How many times have you read in a professional legal publication that you need to have a strong password to protect your client information? Once more! It is a remarkably easy step that creates an obstacle for those who are trying to access your systems without authorization. Unlike your paper documents, which are unlocked as soon as they are picked up and accessed, you can make your electronic information more difficult to access by creating a password.
Make it Memorable
A longer password is harder to discover by brute technical force. For example, a 4 digit bank PIN has only 10,000 possible combinations, so working out which one you use is exceptionally easy. If it weren’t combined with a second piece of authentication – your ATM card, for example – it would not provide adequate security for your personal and financial information. Some online systems are moving towards so-called two-factor authentication as well, requiring a password and a second piece of information to gain access to an account.
A password of 8 to 12 characters is recommended. There is no perfect length. At some point the length makes it hard to remember and some security tools will have an upper limit of characters. The longer you can make the password, the better.
Remember that the bar for using a strong password is quite low. Zonealarm, a software security company known for its firewall product, reported survey results indicating that the top passwords start with 123456 and that the most popular word password is Password. Among the top 20 most popular passwords were a number of personal names (Nicole, Daniel, Jessica, etc.). A quick look at the most popular baby name lists at the Social Security Administration shows that these are popular children’s names, and the lists could act as a resource for those trying to guess a password.
Passwordmeter.com can help you to generate a strong password. You type in the password you want to use and it provides suggestions. For example, if you typed in
as your password, it would tell you that this was a very weak password and suggest that you add an uppercase letter and numeric and special characters. If you changed it so that it became
replacing the “o”s with zeroes, the “a” with an ampersand, and capitalizing the C, you now have a very strong password. You could probably stop there but if you want to make it really hard, extend the password (in this case, using a slang version of rules)
This password doesn’t exist in any dictionary or phrase book but is visually easy to understand and remember. Approaching password creation this way – taking a phrase or author name or other item of information and swapping in other symbols or characters – can create a good balance between a password that is both strong and memorable.
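As an added illustration (not part of the paper and not passwordmeter.com’s own code), the Python checker below applies the same rules as the suggestions described above: it estimates the blind-guessing search space from length and character classes, recommends any missing class, and checks the password against a constructed sample of the common passwords and names the paper mentions, including after undoing the usual character swaps (0 for o, & for a). The word lists and the substitution map are this example’s assumptions, not data from the paper.

```python
import math
import string

# Constructed sample lists for this example (not from the paper): a few of the
# most common passwords and some of the personal names the survey placed in the top 20.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "111111"}
COMMON_NAMES = {"nicole", "daniel", "jessica", "michael", "ashley"}

# Assumed swap table: undo the usual substitutions so a disguised dictionary
# word (P&ssw0rd) is still recognised as the word it came from.
SUBSTITUTIONS = str.maketrans({"0": "o", "&": "a", "@": "a", "3": "e",
                               "1": "i", "$": "s", "5": "s", "7": "t"})

def keyspace_bits(password: str) -> float:
    """Bits of search space a blind guesser faces, from length and the
    character classes actually present (lowercase, uppercase, digits, symbols)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def assess(password: str) -> dict:
    """Verdict, search-space estimate and passwordmeter-style suggestions."""
    suggestions = []
    if len(password) < 8:
        suggestions.append("lengthen to at least 8 characters")
    if not any(c.isupper() for c in password):
        suggestions.append("add an uppercase letter")
    if not any(c.isdigit() for c in password):
        suggestions.append("add a numeric character")
    if not any(c in string.punctuation for c in password):
        suggestions.append("add a special character")
    # Check the raw lowercase form and the de-substituted form against the lists.
    forms = (password.lower(), password.lower().translate(SUBSTITUTIONS))
    guessable = any(f in COMMON_PASSWORDS or f in COMMON_NAMES for f in forms)
    bits = keyspace_bits(password)
    if guessable:
        verdict = "very weak (a common password or name, even after undoing swaps)"
    elif bits < 40:
        verdict = "weak"
    elif bits < 60:
        verdict = "reasonable"
    else:
        verdict = "strong"
    return {"bits": round(bits, 1), "verdict": verdict, "suggestions": suggestions}
```

Note that P&ssw0rd satisfies every character-class suggestion yet is still rated very weak, because the checker recognises the dictionary word underneath; a swapped phrase only helps when the underlying phrase is not itself a common word or name.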
Write it Down
Write your passwords down. The problem with writing down your password is not the writing. It is what you do with the writing. Just as your ATM card enables access to your banking information and money, your password is a key to your information, and should be kept just as safely. If you write down your password, put it in a safe place. Either carry it with you, with your other valuables (credit cards, driver’s license, etc.), or lock it in a safe place so that you can get access to it if you forget it.
You may want to lock it up in a safe place in any event. If you are incapacitated or need to have someone else take over your practice or access your client or office information in an emergency, it is helpful for your passwords to be accessible to those people. Otherwise, they will need to try to gain access to systems that have been secured, which may require authorization from you to third party companies (like your Internet service provider (ISP)) before they will make your practice information available. Your inability to give that authorization may expose your clients’ cases to missed deadlines or other negative consequences.
Encrypt Your Systems
Physical security and passwords are straightforward compared to encryption. This may explain why so few lawyers report using encryption. The latest ABA Legal Technology Survey report shows that only 31% of lawyers encrypt files (54% at large firms, 22% at small firms) but even fewer – only 13% – use whole or partial disk encryption. But it is your last resort if those first two layers fail and it is worth doing to ensure the security of your client’s personal and confidential information. Remember that, even if you have physically secured the desktop or laptop, the hard drive inside the machine can probably still be removed and taken, bypassing your physical security.
Encryption has two hurdles. First, it sounds complicated and a bit overkill. Second, the irrevocable nature of encrypted data means you have to be sure it will work. The reality is that news reports of security breaches usually deal with unencrypted data. As encryption has become more common and easier to implement, lawyers will have to look at encryption from a risk management perspective.
There are two types of what is now called endpoint encryption. The term endpoint is used because we can now encrypt desktops, laptops, smartphones, and portable media. You can encrypt the whole of your endpoint’s disk – called whole disk encryption – or you can encrypt just part of it.
The benefit of using whole or partial disk encryption is that you can turn it on and forget about it. Whole disk encryption is active as soon as you turn on your computer. It creates a shell around the data on your hard drive. Until you unlock the encryption – you type in a password when your computer starts – everything on the hard drive is encrypted. Contrast that with partial disk encryption. You start your computer and put in your Windows or Macintosh system password and then see your desktop. At that point, you open up the encrypted folder or portion of your hard drive and unlock it. Anything that you place in that part of your hard drive will be encrypted when you re-lock it at the end of the day. But everything else on your computer remains unencrypted.
The most efficient method for a lawyer is to use whole disk encryption, which removes the need for you to manage where information is placed on your hard drive. While this can be relatively straightforward with files, it becomes less so with your Web browser history, your e-mail, and with other files that are created by your computer and may have information that needs to be secured.
You can purchase endpoint encryption software from many companies, but the free Truecrypt encryption tool works on both Windows and Macintosh and can be used to encrypt portable media (USB, etc.) as well.
Notes
- For example, MCA §30-14-1704(2) creates a duty to notify clients if your computer files containing their credit card information are acquired by an unauthorized person.
- Google accounts now support two-factor authentication, for example: http://googleblog.blogspot.com/2011/07/2-step-verification-stay-safe-around.html
- Checkpoint Zonealarm security survey infographic: http://blog.zonealarm.com/2011/01/securing-yourself-from-a-world-of-hackers.html?view=infographic
- Social Security Administration Top Baby Names of the 2000s: http://www.ssa.gov/oact/babynames/decades/names2000s.html
- Bruce Schneier (“Schneier on Security”): http://www.schneier.com/blog/archives/2005/06/write_down_your.html
- 2011 ABA Legal Technology Survey Report, Volume I, page 37, Security Tools.
- Truecrypt.org. You can also purchase encryption software from Mcafee.com, Symantec.com, and Checkpoint.com.