In 2011, several prominent Canadian law firms had their electronic data systems compromised as foreign hackers sought information on a $38-billion corporate takeover. At least seven firms were compromised, according to articles discussing the cyberattack. Fortunately, the hackers appeared to be seeking specific information and did not breach the confidentiality of clients not related to the takeover.
While your firm may not be handling mergers of the same size, when it comes to your client’s electronic data, confidentiality is still a major concern. Unfortunately, there is no single step a law firm can take to ensure perfect security. Instead, each law firm needs to commit to a series of actions and reviews that can combine to create better information security.
Use the Best Lock For Your Data
The single greatest action a lawyer can take to improve their information security is to commit to protective password practices. This consists of two different password approaches. The first is using strongly designed passwords. Strongly designed passwords require certain types of characters and a minimum length. These requirements make it more difficult for an unauthorized person to guess or brute-force the password.
Many different types of services have a setting to require strongly designed passwords. Turn these on in any software that can access client data, such as your email, online storage, and practice management platforms. Be sure to implement strong passwords on your devices as well: computers and mobile phones should all require a strong password to gain access. Strongly designed passwords are harder to remember, so a password locker that stores encrypted copies of all your passwords can be handy for keeping track of the odd combinations of upper- and lower-case letters, numbers, and symbols that make up strongly designed passwords.
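The two requirements above (required character types plus a minimum length) and the claim that they raise the cost of guessing can be made concrete. The following is an added example, not code from the post or from any product it mentions; the policy numbers are constructed assumptions, and the keyspace figure is a rough upper bound on guessing work, not a measured attack time.

```python
import math
import string

# Constructed policy for illustration; the post names no specific numbers.
MIN_LENGTH = 12
CHARACTER_CLASSES = {
    "lower-case letter": set(string.ascii_lowercase),
    "upper-case letter": set(string.ascii_uppercase),
    "number": set(string.digits),
    "symbol": set(string.punctuation),
}


def missing_requirements(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means accepted."""
    present = set(password)
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, alphabet in CHARACTER_CLASSES.items():
        if not present & alphabet:
            failures.append(f"no {name}")
    return failures


def keyspace_bits(password: str) -> float:
    """Rough upper bound on guessing work, as log2(alphabet ** length).

    The alphabet counts only the character classes actually used, which is
    why both the length and the class mix raise the cost of forcing a password.
    """
    present = set(password)
    alphabet = sum(len(a) for a in CHARACTER_CLASSES.values() if present & a)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3xample"):
        print(candidate, missing_requirements(candidate), round(keyspace_bits(candidate), 1))
```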
The second protective password practice is to enable two-factor authentication. Two-factor authentication requires the person attempting to log in to prove their identity with something beyond the password. Usually, this is done by submitting a code sent to the authorized user's email or mobile phone. Without this code, even an unauthorized person who enters the right password cannot log in to see your files. This secondary lock is offered by many online services, like Google Mail and Clio.
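The server side of the emailed or texted code described above, as an added example that is not code from the post or from any service it names: the code expires, works once, and is burned after a few wrong guesses so that it cannot simply be tried exhaustively. The lifetime, digit count and guess limit are constructed assumptions.

```python
import hmac
import secrets
import time

# Constructed parameters for illustration; the post names none.
CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300
MAX_WRONG_GUESSES = 5
# Per-process secret so a leaked table of code digests is useless on its own.
SERVER_SECRET = secrets.token_bytes(32)


class SecondFactor:
    """Issue and check the code that is sent to the user's email or phone."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested
        self.pending = {}           # username -> (digest, expires_at, guesses_left)

    def issue(self, username: str) -> str:
        """Create a fresh code; the caller delivers it out of band."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        expires_at = self.clock() + CODE_LIFETIME_SECONDS
        self.pending[username] = (self._digest(code), expires_at, MAX_WRONG_GUESSES)
        return code

    def verify(self, username: str, submitted: str) -> bool:
        """True only for the live, unused code; a wrong guess counts down."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        digest, expires_at, guesses_left = entry
        if self.clock() > expires_at or guesses_left <= 0:
            del self.pending[username]          # expired or burned: must re-issue
            return False
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self.pending[username]          # single use
            return True
        self.pending[username] = (digest, expires_at, guesses_left - 1)
        return False

    @staticmethod
    def _digest(code: str) -> bytes:
        return hmac.new(SERVER_SECRET, code.encode(), "sha256").digest()
```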
Make Data Theft Useless
The second greatest action a lawyer can take to improve information security is to commit their firm to this maxim: "Data in motion must be encrypted." Law firms' data no longer resides in giant folders locked away in the basement of the building. Instead, clients' data exists on servers, laptops, USB drives, and mobile phones. This data is in constant motion, potentially exposed every time you take a portable hard drive home or access your data over the Internet.
To minimize the risks of carrying portable client data, law firms should encrypt all of their data. There are many ways in which data in motion may be encrypted. Data sent over the Internet should use SSL encryption, which scrambles the data using one-time keys. This means the data is not transmitted in a readable format but instead appears as gibberish to anyone who intercepts it before it reaches its intended destination.
Many online services automatically enable SSL encryption when you log in. Make sure that this is the standard practice for any service you use over the Internet. Data that resides on portable devices, like laptops and USB drives, should be encrypted as well. An entire law firm's practice can now be carried on a USB drive the size of a coin. Imagine losing that drive in a taxi on the way from the courthouse.
Would your data be readable to whoever found the drive? If you used encryption on the drive, you could be reasonably sure that your client's data is safe. Many portable storage devices now come with encryption programs built in. Lawyers should make every effort to enable this encryption from their first use of the device.
For those devices without built-in encryption programs, the free program TrueCrypt makes it easy for a firm to preserve confidentiality by encrypting the entire device, or even just a portion of the space where files are stored. With the proper encryption in place, even if your data is intercepted or lost, you know that without your strong passwords, access to the data is nearly impossible.
Revisit and Review Often
Protective password practices and encrypting data in motion will protect law firms from many dangers that could breach confidentiality. However, these actions cannot be allowed to stagnate. Client data could still be accessed by threats like rogue ex-employees or improving cyber-attack strategies. To make sure that these cybersecurity measures continue to provide a high level of protection, firms should undertake a security review at least every three months.
Require passwords to be changed on every sensitive account and service. Review devices that access client data over the Internet, and do an audit on portable storage devices. The goal of these actions is to identify and eliminate any potential breach of confidentiality before it impacts the firm. Does an employee have a new mobile phone? Make sure steps were taken to erase access to the firm’s files from the old device.
Did the firm purchase new computers? Make sure the appropriate encryption programs are in use on each device. Has there been employee turnover since the last review? Go through the former employee's old accounts and make sure they no longer have access. Information security isn't a one-off setting, but an ongoing activity. Firms must commit themselves to consistently reviewing their practices and implementing new ones when appropriate. Only when law firms make this a part of their normal business should they consider themselves secure.
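The quarterly review checklist above (rotate passwords, confirm two-factor is on, check that new devices are encrypted, that retired devices no longer reach firm files, and that departed staff have lost access) can be run as a script over the firm's own inventory. This is an added example, not code from the post; the staff, account and device records are constructed sample data, and the 90-day window is the post's "at least every three months".

```python
from datetime import date, timedelta

REVIEW_INTERVAL_DAYS = 90   # the post's "at least every three months"

# Constructed sample records for illustration; not data from the post.
STAFF = {"alice": "active", "bob": "departed", "carol": "active"}
ACCOUNTS = [
    {"owner": "alice", "service": "email", "password_changed": date(2024, 1, 5), "two_factor": True},
    {"owner": "bob", "service": "practice management", "password_changed": date(2024, 3, 1), "two_factor": True},
    {"owner": "carol", "service": "online storage", "password_changed": date(2023, 11, 20), "two_factor": False},
]
DEVICES = [
    {"owner": "alice", "kind": "laptop", "encrypted": True, "retired": False, "access_removed": False},
    {"owner": "carol", "kind": "phone", "encrypted": False, "retired": False, "access_removed": False},
    {"owner": "carol", "kind": "old phone", "encrypted": True, "retired": True, "access_removed": False},
]


def review_findings(today: date, staff=STAFF, accounts=ACCOUNTS, devices=DEVICES) -> list[str]:
    """Return every item the quarterly review should act on."""
    findings = []
    stale_before = today - timedelta(days=REVIEW_INTERVAL_DAYS)
    for acct in accounts:
        who, svc = acct["owner"], acct["service"]
        if staff.get(who) != "active":
            findings.append(f"{svc}: account of departed user {who} still has access")
        if acct["password_changed"] < stale_before:
            findings.append(f"{svc}: password for {who} not changed in {REVIEW_INTERVAL_DAYS} days")
        if not acct["two_factor"]:
            findings.append(f"{svc}: two-factor authentication off for {who}")
    for dev in devices:
        who, kind = dev["owner"], dev["kind"]
        if not dev["retired"] and not dev["encrypted"]:
            findings.append(f"{kind} of {who}: device not encrypted")
        if dev["retired"] and not dev["access_removed"]:
            findings.append(f"{kind} of {who}: firm access not erased from retired device")
    return findings


if __name__ == "__main__":
    for line in review_findings(date(2024, 4, 1)):
        print("-", line)
```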
Want to learn more about cybersecurity best practices and how to protect your firm in the event of a data breach? Watch this free, on-demand webinar featuring Nextpoint CEO Rakesh Madhava and Clio’s own Joshua Lenon.