Smartphone Data Security: Keep Data Confidential During and After Device Use


Smartphones and tablets have become critical tools for delivering efficient and effective client service. Mobile devices enable attorneys to manage their cases and review information wherever they are, whenever they need to. The power and sophistication of mobile technology allow attorneys to work from anywhere as if they were sitting at their desks. However, this evolving technology carries risks. These devices are always-on, Internet-connected, pocket-sized computers that contain confidential client information, and steps need to be taken to maintain security throughout their life cycle. Attorneys often trade in their older devices for new ones without fully realizing that the content, including names of clients, case materials that have been viewed with document viewing tools, and communications through text messaging or email, can be recovered with easy-to-use digital forensic tools.

Researchers recently proved this, finding that they were able to recover data on Android phones that was thought to have been securely wiped after the devices were decommissioned. A simple factory reset, it turns out, will not wipe data. The process simply resets the file table for the device, making the actual files simple to recover even after the phone has been re-purposed.

However, there are procedures that can be followed to securely manage data when mobile devices are issued and when they are decommissioned. One of these is the implementation of device encryption. This scrambles the data in a way that makes the recovery of old data difficult once devices are redeployed and also secures the data if the device is lost or stolen.

Apps, likewise, make certain tasks easier for attorneys but introduce risk, especially when they come from questionable developers. Even known developers create apps that ask permission to access data, such as your address book, and that are themselves vulnerable to attack. A recent report by McAfee, for example, cites examples of malicious software exploiting flaws in a legitimate digital wallet service to steal money. The report also explores the potential for abuse by apps that download, install, and launch other apps without the user’s permission.
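To make the factory-reset and encryption points above concrete, here is an added illustration (not from the original article or from Kraft Kennedy): a toy Python model of phone storage in which a reset clears only the file table. The `ToyPhone` class, the sample records, the SHA-256 keystream standing in for device encryption, and the key being discarded at reset are all assumptions of this sketch.

```python
import hashlib

class ToyPhone:
    """Toy storage model: raw flash bytes plus a file table of name -> (offset, length)."""
    def __init__(self, key=None):
        self.flash = bytearray()
        self.table = {}
        self.key = key  # None models a device without encryption

    def _crypt(self, offset, data):
        # Stand-in for device encryption (assumption): XOR with a SHA-256 keystream.
        # Chosen to stay stdlib-only; it is not a real disk cipher.
        if self.key is None:
            return bytes(data)
        pad = lambda p: hashlib.sha256(self.key + (p // 32).to_bytes(8, "big")).digest()[p % 32]
        return bytes(b ^ pad(offset + i) for i, b in enumerate(data))

    def write(self, name, data):
        offset = len(self.flash)
        self.flash += self._crypt(offset, data)
        self.table[name] = (offset, len(data))

    def read(self, name):
        offset, length = self.table[name]
        return self._crypt(offset, self.flash[offset:offset + length])

    def factory_reset(self):
        # Only the file table is cleared; the flash contents stay in place.
        self.table.clear()
        # Assumption: on an encrypted device the reset also discards the key.
        self.key = None

def residue(phone, markers):
    """Scan the raw flash, ignoring the file table, for known plaintext markers."""
    return [m for m in markers if m in phone.flash]

# Constructed sample data, not real client material.
FILES = {"sms.db": b"CLIENT: Acme Corp, settlement draft v3",
         "mail.eml": b"PRIVILEGED: call notes 2015-06-01"}
MARKERS = [b"CLIENT:", b"PRIVILEGED:"]
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()

def run(key=None):
    phone = ToyPhone(key)
    for name, data in FILES.items():
        phone.write(name, data)
    assert phone.read("sms.db") == FILES["sms.db"]  # normal use works either way
    phone.factory_reset()
    return len(phone.table), residue(phone, MARKERS)

if __name__ == "__main__":
    print("plain:", run(), "encrypted:", run(DEMO_KEY))
```

In both runs the file table is empty after the reset, but only the unencrypted device still holds the marker strings in its raw storage.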

Users need to have apps properly vetted by their IT teams, through proper research of the software or through a Mobile Device Management (MDM) platform. Mobile device users should also utilize antivirus and anti-malware software that automatically updates and checks the code base for apps to avoid infection. We believe that it is critical that law firms implement comprehensive information security and governance policies and procedures. Kraft Kennedy works with law firms to ensure that client and firm information is protected at all times, both when devices are in active use and when they are disposed of.

Kraft Kennedy’s Information Security & Governance group addresses a wide variety of security, governance and compliance challenges for our clients. From security testing to policy and procedure development to digital forensic services, we can help you secure your critical business processes. To learn more, please contact us at security@kraftkennedy.com or call (212) 986-4700.