All lawyers have a professional duty to protect their clients’ personal information. In that respect, there are two important considerations: data security and disaster recovery. We need to make sure the information doesn’t fall into the wrong hands, and we need to safeguard against potential loss or destruction of the information. Fortunately, information technology and cloud-based services make it easier than ever to comply with those duties. Today, I will discuss data security in my paperless law office, and in my next post, I will discuss disaster recovery.
Data Security Concerns
Besides lack of training, concerns about data security are perhaps the largest obstacle for attorneys who want to adopt new technology. For example, just look at this article from 1997 discussing the legal industry’s ethical concerns about using email. Without trivializing the importance of data security, I believe much of that trepidation is misplaced. Obviously, online security breaches do happen. We have all heard the stories (and perhaps been victims ourselves) of credit card numbers being stolen from online vendors, and LinkedIn recently suffered a highly publicized breach in which millions of user passwords were reportedly leaked. Practitioners are right to take data security seriously. However, I also believe that with proper security practices, a paperless office can be just as secure as a traditional paper-based office.
Data Security Guidelines
The following are some baseline security practices that are easy to implement and will go a long way toward allowing you to work securely with digital files (even if you do not have a fully paperless law office), whether locally on your computer or using an online service.
- The number one most important thing everybody – not just lawyers – should do is use different passwords for every online service. If you use the same password for multiple services, then a breach of one of those services amounts to a breach of all of them, and you will have to change your passwords across the board. If you use a unique password for each service, then any breach will be limited to that service alone.
- Second, we must get into the habit of using truly secure passwords. A secure password is one that is difficult to guess, not only for a human, but also for a computer. An infographic compiled by the security company Rapid7 following the LinkedIn password breach suggests that many people continue to fail miserably in this regard, using passwords that are not only short and easy to guess, but also very common. Presumably, people do this because short passwords are easier to remember. However, as the web comic xkcd points out, a highly secure password does not even need to be difficult to remember. In addition, password managers like 1Password make it incredibly easy to generate highly secure passwords without having to remember each and every one of them (you must still have a secure master password, of course). If you want to know how secure a particular password is, try entering a variation of it (in an abundance of caution, I do not recommend entering your exact password) at the aptly named website, How Secure Is My Password? The result may surprise you.
- Third, whenever possible, we should use full disk encryption on our computers, particularly laptops. This protects against the possibility of somebody physically stealing a lawyer’s computer, yanking the hard drive, and reading directly off the disk without having to enter a password. Because full disk encryption does not require the user to manually encrypt individual files, it is inherently more secure than file-level encryption. If you are a Mac user running OS X 10.7 (Lion) or higher, you already have a copy of FileVault 2 that will do the job; most Windows users will need to purchase third-party software. (If you are a Windows user and can recommend a particular application for full-disk encryption, please do so in the comments.)
- Fourth, we should all use up-to-date virus and malware protection. Yes, Mac users, that means you, too. The securest password in the world won’t do any good if you have malware running on your computer and snatching up sensitive data. Computers today are fast enough that the performance hit from a security suite running in the background is negligible, and it is well worth it to know you are taking the appropriate measures to properly secure your clients’ confidential data.
- Fifth, secure your wireless network, using the password guidelines above, and only give guests access to a separate guest network.
You might have noticed that I didn’t say anything above about securing email communications. That is because if you follow these guidelines, your email system will already be secured using a unique strong password, local email copies will be encrypted at the disk level, and your security suite will be monitoring your email for viruses and malware. Some lawyers also use file-level encryption for sensitive email attachments, but then you have the problem of getting the password to the client (never, ever send it by plain text in an email), and choosing a password the client can remember without making it untenably weak. To share sensitive files with a client, I recommend instead using a secure file-sharing service where the client chooses their own password.
That last point raises one important caveat to all of this security talk – you do not have any control over your clients’ security practices. For example, a client might choose to access confidential materials from a coffee shop or use an insecure password for their personal email. Therefore, you should encourage your clients to use private computers and strong passwords whenever dealing with sensitive legal information. Here’s a thought – you might even build the advice into your fee agreement.
Just a quick word about physical security, which is also an important consideration when handling client data. It turns out that cloud-based service providers are likely to have far better physical security than self-hosted servers and storage systems. For example, Dropbox uses Amazon Web Services to store users’ data, and Amazon in turn secures its data center facilities to a degree very few law offices could hope to match. Clio similarly uses what they refer to as “strict physical access and security controls” in its data centers. At the end of the day, unless your building has state-of-the-art security, you are probably better off letting your service provider host your data.
My Data Security Implementation
There are many different ways to implement the guidelines listed above. In my office, I use 1Password to generate and manage unique, strong passwords for every service I use. I use FileVault 2 for full disk encryption on my MacBook Pro, and I run avast! Antivirus for virus and malware protection. When I want to share files with clients, I either use Clio Connect or share a folder with them via Dropbox. My laptop, backup device, and printer are on a separate wireless network than the one I make available to clients and guests. All of this took an afternoon to set up, and gives me a very comfortable level of data security.
In my next post, I will discuss disaster recovery. How quickly would you be able to resume practice if your computer were stolen or your office were struck by a fire or tornado?