Practice Tips, by Dave Bilinsky, Practice Management Advisor
Tech security for lawyers
I don’t know ‘bout the plans
That I have to save
My security has never
Been enough for me…
Lyrics, music and recorded by Pete Murray
At a recent presentation, BC lawyer Nicole Garton-Jones stated that technology is changing the way we, as lawyers, think. I think Nicole is onto something. No longer is technology just a tool that we use – it is now so integrated into how we work that it is effectively rewiring our brains. This change is both positive and negative. On the positive side, technology, particularly the Internet, has given lawyers an incredible tool for research, communication, marketing and delivering legal services. A lawyer in a small community can develop (and indeed in many cases, already has) a national reputation and practice, courtesy of the reach of the Internet.
The negative side of technology is the onus that it has placed on all of us to be and remain competent with technological tools in order to meet our professional responsibility, confidentiality, competence and ethical duties to our clients.
Indeed, Bloomberg, reporting on the hack of Toronto Bay Street law firms concerning a potash acquisition deal, stated on February 8 (tinyurl.com/7yqrek3) that: “As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry,” according to Mary Galligan, head of the cyber division in the New York City office of the US Federal Bureau of Investigation.
The article went on to state that 80 law firms were hacked in the US: “… the FBI issued a warning to the lawyers: Hackers see attorneys as a back door to the valuable data of their corporate clients.”
Forbes.com (tinyurl.com/6swdbc6) on January 31, 2012 reported on two partners of a New York firm who were contacted by the FBI after all of their client files were found on a server in another country – this particular server was used to send information “to a large Asian country.”
In this column, I will run through some tools that we use, highlight potential security issues, and suggest ways to help deal with these issues.
Desktops and laptops
I have received many calls from lawyers who have had a computer stolen. My first question is: “What information did you have stored on that computer, including remote access capability?” My second question is: “What security did you have in place on that computer?”
Invariably, lawyers tell me that all sorts of confidential client information (as well as confidential information regarding their own practice) was on that stolen laptop. This is particularly acute for family law lawyers, who may have detailed financial records of their clients, including tax returns containing SIN numbers, banking, credit card and business information. They may also have remote access software installed that can access the office network, thereby opening up even more information to prying eyes.
When it comes to the security on that computer, typically I am told that it has a “Windows password.” Unfortunately, tools such as Ophcrack (a free download on the Internet) can crack a 10-character Windows password in about 40 seconds (pcsupport.about.com/od/toolsofthetrade/tp/passrecovery.htm).
Solution? Turn on full hard drive encryption combined with a strong and safe password.
Wikipedia states that the benefits of full disk encryption are as follows:
“Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults. The following are some benefits of disk encryption:
1. Nearly everything including the swap space and the temporary files is encrypted. Encrypting these files is important, as they can reveal important confidential data. With a software implementation, the bootstrapping code cannot be encrypted however. (For example, BitLocker drive encryption leaves an unencrypted volume to boot from, while the volume containing the operating system is fully encrypted.)
2. With full disk encryption, the decision of which individual files to encrypt is not left up to users’ discretion. This is important for situations in which users might not want or might forget to encrypt sensitive files.
3. Immediate data destruction, as simply destroying the cryptography keys renders the contained data useless. However, if security towards future attacks is a concern, purging or physical destruction is advised.”
Full disk encryption is built into the Ultimate and Enterprise versions of Windows 7, into Mac software (upgrade to version 10.7 “Lion”) and is available as third-party add-on software. A comparison of full disk encryption software can be found at en.wikipedia.org/wiki/Comparison_of_disk_encryption_software.
Portable devices, which include USB flash drives, portable hard drives, CD-ROMs, smart phones, iPads and other tablet computers, can become lost or stolen. USB drives in particular can easily fall out of a pocket and be lost.
Solution? Here is a good and short article by Stanford University that summarizes mobile computing guidelines (stanford.edu/group/security/securecomputing/mobile_devices.html). When it comes to USB flash drives, it is a good idea to encrypt the data to prevent anyone from plugging the drive into a computer and accessing the information.
The Law Society has issued the final report of the Cloud Computing Working Group and is currently working on a checklist for lawyers looking to work in the cloud. In the meantime, the recommendations in the cloud report are a great place to start when considering the security implications of moving to the cloud (lawsociety.bc.ca/docs/publications/reports/CloudComputing_2012.pdf).
Outside the organization
A CBC article addressed those hackers who attempted to gain access to a Canadian law firm’s confidential information: cbc.ca/news/politics/story/2011/11/29/pol-weston-hacking-firms.html.
There are free firewall testing tools on the web such as grc.com (Shields Up! and LeakTest, which look for both incoming and outgoing holes in your firewall) and SecurityMetrics home office and business server firewall tests (securitymetrics.com/portscan.adp), among others. Of course, adequate security measures should be more than just firewall tests – consider seeking the advice of a computer security expert regarding your law firm’s security practices, hardware and software.
Inside the organization
It is unfortunate, but there are occasionally insiders or disgruntled staff who seek to damage the IT systems of a business, before or even after leaving the organization. The Electronic Frontier Foundation details several such examples in this article: ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_(CFAA).
The solution? Change the access capabilities of anyone who is leaving the firm – immediately. If you get an inkling that someone is leaving on bad terms, you may want to quietly restrict their ability to erase valuable files.
All of us have been reminded, time and time again, to use “secure” passwords. This article “How secure is your email password?” is a frightening look into how an adjunct professor of software security – on a challenge – set out to “steal” a CNET reporter’s email password (news.cnet.com/8301-27080_3-20016442-245.html) at the request of the reporter.
The solution? Get a secure password and a secure password-keeper program. grc.com offers the “Perfect Passwords” service that will generate a 64-character random password each time you visit. Password Safe (passwordsafe.sourceforge.net) is a free open-source password manager, but there are many others available as well.
Malware, viruses and trojans
Even if you use a Mac, you are susceptible to malware, viruses, trojans and other malicious software. No one security system can fully protect you, but having a good and up-to-date software security suite can at least stop the vast majority of attacks in their tracks. “Top 10 Reviews” has been testing internet security suites for years now – the 2012 report “Best Internet Security Suites Software Comparison” is a great resource when you are looking at changing your suite (and useful in terms of checking out how your current suite stacks up against the competition) (internet-security-suite-review.toptenreviews.com).
When it comes to confidential information, your security can never be enough …