4 ways to mitigate data security risk at your law firm
We covered Information Governance basics and why you need to have an IG plan (Part 1 and Part 2) in our first two posts. Make sure to check out the multiple resources we linked, especially in the first one, to jumpstart your thought process on putting together an IG plan that fits your firm's needs.
While there’s no dearth of information about IG, it helps to have a starting point for applying the IG principles we’ve discussed to your own firm. This concise IG “Dirty Dozen” list should point you in the right direction, but we’ve broken it down even further to a handful of places where you can start integrating responsible IG into everyday technology management.
First, let’s consider the rules. Rule 1.6 of the ABA Model Rules of Professional Conduct requires attorneys to maintain the confidentiality of information relating to client representation. In this era of virtual offices, shared office spaces, and ever-evolving technologies, there are some commonly accepted practices for securing client data.
We’ll start with communications technologies since they’re used by pretty much everyone at your firm regardless of position. These technologies include email, your WiFi network, VoIP phone systems, “web access” to email accounts or client files, and cloud storage.
Look at the following examples as low hanging fruit – you can make immediate changes, sometimes with free programs:
- Email: encryption and confidentiality disclaimers
- Metadata: working documents and client files housed on cloud storage systems
- WiFi networks: requiring network and workstation passwords to protect access to files
- Voicemail: restricting access on shared telephone systems
When you send an email, the data is divided into packets that are first sent to your Internet service provider (ISP), where they are stored or forwarded until they reach the recipient’s ISP, almost instantaneously. Email doesn’t follow a set path to its final destination – it can travel any number of routes, in any number of packets, and still end up in the intended place. Unfortunately, email can be intercepted whenever it’s sitting on a third party’s server. Even worse, knowing when an email has been compromised is nearly impossible.
Despite this security risk, the ABA issued an ethics opinion that states email should be treated the same as traditional mail. When a particular email transmission is at a heightened risk of interception, or where the confidential information is highly sensitive in nature, it behooves you to select a more secure means of communication than unencrypted Internet email.
Mitigating email risks:
Relatively simple steps can be taken to give your emails additional protection. Microsoft Outlook has the capacity to encrypt email using a process called Pretty Good Privacy (PGP). In addition, you can put a confidentiality notice on emails containing confidential or sensitive information. But watch for changes in the law as it pertains to email confidentiality notices, which have become so common that they’re often ignored (this kind of notice may not suffice on its own).
You need to take reasonable care and be aware of the hidden information contained in your documents. Microsoft Word and other word processing programs store hidden information known as metadata. Metadata automatically keeps track of potentially confidential material such as edits and comments, along with the identities of the people who made them. But awareness of metadata is not where the duty stops. You must ensure that you don’t inadvertently disclose the client’s confidential information. At a minimum, reasonable care requires a lawyer to stay on top of technological advances and the potential risks involved in transmitting data.
Mitigating metadata risks:
The most effective method is using a tool (a dedicated “metadata scrubber” program) that automatically removes all metadata from Microsoft Word documents. Another solution is saving the document in Rich Text Format (RTF). While this will compromise the formatting of footnotes, it’s a cost-effective alternative.
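To make concrete what a scrubber has to remove, here is an added example in Python (not a tool from the original post or any vendor) that inspects and scrubs a .docx file, which is a zip of XML parts: author and editor names in docProps/core.xml, reviewer comments in word/comments.xml, and tracked changes plus comment anchors in word/document.xml. The sample document is constructed inline and the regex handling is deliberately simple; a production scrubber would also cover parts such as custom properties and extended comments.

```python
import io, re, zipfile

CORE = "docProps/core.xml"
NAME_TAGS = ("dc:creator", "cp:lastModifiedBy", "cp:revision")  # who edited, and how often

def inspect_docx(data: bytes) -> dict:
    """Report identifying core properties and whether reviewer comments are present."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        core = zf.read(CORE).decode() if CORE in zf.namelist() else ""
        found = {t: m.group(1) for t in NAME_TAGS
                 if (m := re.search(rf"<{t}[^>]*>([^<]+)</{t}>", core))}
        found["has_comments"] = "word/comments.xml" in zf.namelist()
    return found

def scrub_docx(data: bytes) -> bytes:
    """Copy the file with names blanked, comments dropped and tracked changes accepted."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            name, blob = item.filename, src.read(item.filename)
            if name == "word/comments.xml":
                continue                              # drop the reviewer comments part entirely
            if name == CORE:
                for t in NAME_TAGS:                   # keep each element, blank its value
                    blob = re.sub(rf"(<{t}[^>]*>)[^<]*(</{t}>)".encode(), rb"\1\2", blob)
            elif name == "word/document.xml":
                blob = re.sub(rb"<w:del\b.*?</w:del>", b"", blob, flags=re.S)  # remove deleted text
                blob = re.sub(rb"</?w:ins\b[^>]*>", b"", blob)                 # keep inserted text
                blob = re.sub(rb"<w:comment(?:RangeStart|RangeEnd|Reference)\b[^>]*/>", b"", blob)
            elif name in ("[Content_Types].xml", "word/_rels/document.xml.rels"):
                # Unreference the dropped part, otherwise Word reports the file as damaged.
                blob = re.sub(rb"<(?:Override|Relationship)\b[^>]*comments\.xml[^>]*/>", b"", blob)
            dst.writestr(item, blob)
    return out.getvalue()

def build_sample_docx() -> bytes:
    """Constructed sample (not a real client file): an author, one comment, one tracked change."""
    parts = {
        "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" ContentType="d"/>'
                               '<Override PartName="/word/comments.xml" ContentType="c"/></Types>',
        "word/_rels/document.xml.rels": '<Relationships><Relationship Id="rId1" Type="c" Target="comments.xml"/></Relationships>',
        CORE: '<cp:coreProperties><dc:creator>Jane Partner</dc:creator><cp:lastModifiedBy>Paralegal</cp:lastModifiedBy><cp:revision>14</cp:revision></cp:coreProperties>',
        "word/comments.xml": '<w:comments><w:comment w:author="Jane Partner">Client will settle for $1M.</w:comment></w:comments>',
        "word/document.xml": '<w:document><w:p><w:commentRangeStart w:id="0"/><w:r><w:t>We offer </w:t></w:r>'
                             '<w:del w:author="Jane Partner"><w:r><w:delText>$2M</w:delText></w:r></w:del>'
                             '<w:ins w:author="Jane Partner"><w:r><w:t>$1M</w:t></w:r></w:ins>'
                             '<w:commentRangeEnd w:id="0"/><w:r><w:commentReference w:id="0"/></w:r></w:p></w:document>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()
```

Running `inspect_docx` before and after `scrub_docx` on the sample shows the author, last editor, revision count and comment disappearing, while the accepted text ("We offer $1M") survives.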
Wireless networks come with additional security concerns. Standard WiFi networks use a form of encryption called WEP to transmit data wirelessly, but that encryption can be broken. Additionally, some wireless networks are open, with no encryption at all. Hackers can gain access to the information you transmit over the wireless network, as well as to information stored on the devices also on the network. Wired networks, on the other hand, are much more difficult to break into, because an attacker generally must get through a firewall or gain physical access to a network jack.
Mitigating WiFi risks:
Avoid using a wireless router on your network without its built-in encryption enabled. Renaming the router's default network name after installation is another tactic that might deter potential hackers. Additionally, periodically changing the password ensures that only those who are supposed to have access are actually using the WiFi network.
Another increasingly popular technology is voice over Internet protocol (VoIP), which uses data lines rather than traditional phone lines to make calls by breaking conversations down into data packets. The method raises the same security concerns as email: it’s susceptible to the interception of a person’s identifying information through poorly protected web connections. There are two different types of VoIP systems, open and closed. A closed system doesn’t touch the Internet and is generally used as an internal tool to call between office locations. An open system travels over the Internet and can transmit to mobile devices and transfer data through the connection.
Mitigating VoIP risks:
Open VoIP systems present a greater risk, and attorneys should avoid peer-to-peer VoIP software such as Skype or Google Talk because they transfer data through the Internet and are inherently insecure. Using a virtual private network (VPN) ensures that the data is encrypted in transit; traffic sent over a VPN can be encrypted multiple times for added security.
Most attorneys use many of these technologies without fully understanding their capabilities and their security drawbacks. Every technology comes with new security risks and doing due diligence to learn about them can significantly curb future problems. As we’ve pointed out, the mechanisms needed to add increased protection are sometimes free. Putting together an IG plan and being aware of risks in your law firm fits into delivering the best service to your clients. You have an obligation to periodically review the technologies in your office, update them based on developing information, and shape your IG to protect client privacy and confidentiality to the best of your ability.