Protect a Digital Law Practice

My presentation at the 2017 Solo and Small Firm conference yesterday covered the basics of protecting your digital law practice.  It’s a familiar theme but I’ve noticed that I spend less time talking about technology these days, and far more talking about changing behavior and training.  This time was no different.

My slides are below, as is my paper, if it’s of any interest.  There’s nothing earth-shattering, and it’s similar to other papers I’ve done on confidentiality.  I tried to emphasize that there are three “T”s – training, trust, and trade-offs – to keep in mind.  The trade-offs are the hang-up, I think.

When you’re talking to an audience of lawyers, the trade-off balance is about risk management.  It’s easy for lawyers to lose perspective, and get stymied by a perfect approach rather than a reasonable one.  In particular, I think password maintenance is a challenge:

  • I think lawyers can get down to remembering – and writing down – 3 passwords:  encryption at startup, the operating system password, and the master password for a password manager.  There’s an additional screen lock code or password for each phone or tablet, but it’s a manageable number of memorized passwords, unlike the average of 27 passwords people have.
  • One question focused on my recommendation NOT to regularly change passwords, a recommendation I’ve adopted after reading people who know better than I do, and one that is now being included in NIST guidelines.  If you’ve got strong passwords but are forced to change them regularly, it won’t improve security.  The questioner made the point that, if your password was discovered in a breach AND you didn’t know it had been disclosed, a change would limit the damage.  Sure.  If you’re using a password manager and want to create a process where you change all your passwords every 3 or 6 months, you can be proactive that way.  I see that as tipping the balance, though, because it’s that sort of approach that people find cumbersome or time-consuming, and, at this point, I’d rather they create one strong password per site once.

I enjoy talking with solos and small firm lawyers in particular.  You get an immediate sense that you’re telling them something (a) they already know and feel better for the gut check or (b) they’re going to be able to immediately use.