Attorneys are ethically obligated to safeguard their clients’ data. In spite of this, there are several important first-line-of-defense measures that a surprising amount of firms neglect to take and some common risky behaviors that many practice. We advise remediation in the following areas to our clients as “quick fixes” they can make to immediately improve security.
Firms should clearly communicate the point of these policies, and the serious risks of not taking basic security precautions, which can result in damaged reputations and ultimately less business for law firms, who cannot afford to give up their highly valuable data on intellectual property, mergers and acquisitions, and a host of other areas.
Dropbox and other unsecured file-sharing applications are simply not appropriate for enterprise use, especially not for law firms. Dropbox has had several public security breaches and the company itself admits that it does not meet many of the certifications that some careful clients seek from their representation: “Dropbox does not currently have HIPAA, FERPA, SAS 70/SSAE 16, ISO 9001, ISO 27001, or PCI certifications.”
Firms use Dropbox for sharing large files with colleagues and with clients. We have seen IT teams disallow the application from being downloaded, though this still leaves the online version. The most effective way to stop its use is to communicate the dangers firm-wide and to offer an alternative. We often recommend a solution from Citrix called ShareFile that mimics Dropbox’s functions while providing comprehensive security features, and there are other similar platforms out there for business use. ShareFile is focused on security and has an ISO 27001 certification.
2. Personal email addresses
This is a common practice—sending documents to personal email addresses for review outside the office or to avoid a slow remote access connection or Outlook Inbox. Personal email addresses should not be regarded as a backup for business email. Information is much safer within the bounds of the firm’s network, where IT can keep it secure. We recommend to our clients that they use a backup email solution such as Mimecast for emergencies and encourage Outlook Web Access for remote use rather than reverting to using personal email addresses.
3. Physical security
While many Firms take this extremely seriously, requiring several checkpoints before granting visitors access to their offices, some have a surprisingly relaxed stance on this. If you are a Firm housed in a building in New York City, it should not be totally easy to stroll in, take the elevator up to your floor, and walk around your offices.
Granted, this is controlled more by the building’s administration than by its tenants. Firms should vet their visitors at reception and make sure that they are supposed to be there.
4. No passcodes on mobile devices
Mobile data is at much more risk than secured data at rest (such as on a desktop computer). It can be lost, stolen, or rifled through much more easily. This is why we recommend that firms mandate a passcode on mobile devices. A fingerprint reader, such as the one on the latest iPhone, makes this safety precaution less of an inconvenience for lawyers and staff.
Most Firms have the ability to take advantage of ActiveSync, a basic mobile device management tool that is available to companies running Exchange servers. ActiveSync gives IT more control over dispersed mobile data, allowing them to force passwords and wipe lost or stolen devices to keep privileged data from proliferating.
Passwords are undoubtedly a hassle, but the risks of neglecting them are just not worth it. We see many firms with users that do not change their original passwords that came with the desktop, or who otherwise don’t require complex passwords (password1 anyone?), changing passwords periodically, or having a password at all. This leaves information exposed to hacking, physical theft, and terminated (and possibly disgruntled) employees who have access to the Firm’s systems long after it should have been revoked. Firms should decide on and require change of passwords after certain intervals and on locking desktops when a user is inactive, despite any resistance they may encounter. Colleagues should also avoid sharing passwords with each other.
6. Local administrators
When a lawyer or staff member is a local administrator on their desktop computer, they can make changes to the basic setup of the computer, and often inadvertently introduce security risks to the entire network. Users can also download whatever application from the Internet, whether it is reputable and safe or not. Local administrator rights are hardly ever necessary, and we recommend to many of our clients that they do not give such access firm-wide, though this can be a complex issue and depends on the individual needs of each firm.
7. Not communicating
While most of the precautions described above are free or inexpensive, they can nevertheless be met with resistance in some workplaces. However, the risk is simply not worth it. All of these basic security precautions hinge on having proper policies in place and communicating the reasons for them to lawyers and staff and the dangerous consequences of not adhering to them. User education is of utmost importance, as evidenced by recent hacks of the New York Times and Twitter caused by one employee opening an email with a virus. We recommend that firms draft policies on all areas touching the treatment of client data, including methods of information-sharing, Internet and social media use, and mobile device usage.