Basic Security Best Practices for Law Firms
“Reasonable efforts” to ensure confidentiality of client information is fact-specific. In North Carolina RPC 1.6 Comment 19 suggests that a lawyer should examine the sensitivity of the information, the risk of disclosure without additional precautions, the cost of extra measures, the difficulty of adding safeguards, and whether more safeguards adversely affect the lawyer’s ability to represent the client. By conducting this risk assessment, a lawyer will be better positioned to understand what she needs to do to protect a client’s confidences. Following are some basic best practices all lawyers should be deploying for basic security.
First, Let’s Talk About Passwords
You have heard you should be creating passwords that are between 8 and 12 characters long and include a mix of upper and lower case, numbers, letters and symbols. To help you create and remember a complex password try coming up with a passphrase – like Myd*ghasFleas! – but substitute letters with characters and numbers. Do not use common dictionary words or information about you like birthdays, children’s names, last addresses, or middle names. You may also have heard you should change your password frequently. The really important key to making a safe and secure password is that you use a UNIQUE password for each login. If one account gets broken into then any others using those credentials are vulnerable.
Following this advice is a tall order. However, using a password management application can help. These applications are a great way to generate new, complex and unique passwords that are safely stored – you just have to remember the password for the service! Some examples are LastPass, Roboform and Dashlane.
Recently the National Institute of Standards and Technology (NIST) updated their Digital Identity Guidelines. The update, in addition to other items, removed the formerly best practices recommendations of frequently changing passwords and the requirement of creating compositionally complex passwords. Why? By making the requirements onerous people simply fail to follow them or adopt other risky behaviors, like putting passwords on sticky notes taped to the monitor. In fact, Bill Burr, the NIST manager who crafted the original document suggests in hindsight the original requirements were misguided. So, current thinking suggests using long and unique passwords for each of your logins, change your passwords if you are notified or fear they have been exposed, and take advantage of the many choices in password management applications available for individuals and teams.
Also, when you can set up two factor authentication. It is available in Microsoft Office 365, Google, Facebook, LinkedIn, practice management applications and many other services you use. Two factor authentication is something you know (a password) and something that you have (usually a phone). When you set it up you may put in your cell phone number. Then when you login – say to Gmail – you put in your username and password as usual. Then you will be asked for a code. The code is texted to you and is has a one time use. Enter the code and then you can access your account. Even if hackers got your password, without your phone they will not be able to login to your account without the code. If you want to add even greater multi-factor authentication there are physical devices that you can use that the reduce risk from the SMS exploits.
Next, Let’s Consider Updates and Patches
Most hacks and exploits, including the recent ransomware attacks that have crippled essential services as well as major law firms, are perpetrated by tricking a user into clicking on a link or downloading an infected file that then uses code to attack a vulnerability in an operating system or network. It is good to stay alert and recognize dangerous emails, but even if you open one you may have a fighting chance against infections if you are keeping your systems updated and patched.
Whether you are using Windows or Mac make sure you are using up-to-date and supported versions of the operating system. “Supported” means that the companies are still issuing security patches and fixes to keep your machine protected. DO NOT IGNORE when your system notifies you that an update needs to be installed. You can even set it to automatically install if you don’t want to be bothered with it.
It isn’t just your operating system you have to keep patched. Ever seen an “update available” message for Acrobat Reader, QuickTime, Flash, Java, or ActiveX? These are background applications running on your machine that help other software do its job. They are frequently exploited because most people ignore the updates. But you aren’t, are you?
Also, don’t forget to update your browsers. If you are running any version of Internet Explorer older than version 11 you need to update it, as older versions are no longer patched or supported. Most browsers like Edge, Safari, and Google’s Chrome can be set to automatically update, so you don’t have to worry about it as much. However, keep your eye on the news for any known exploits and double check your computer (and your smart phone) to make sure the update has run.
Finally, don’t neglect to update the mobile operating system on tablets and phones, as well as the apps you have installed on them. If you are ever presented with an update that you question just copy the text of the message and search it in Google to see if it is legitimate. If you choose to keep a phone for a long time be aware sometimes the new, patched updates of the mobile operating system will not be supported on older devices.
What Else Should We Worry About?
Well, do you use free wifi on your laptop, phone or tablet? Do you also use that device to store and transmit client confidential information? Free or even limited access wifi (like coffee shops that issue the same password to everyone) are notoriously insecure because of the real risk of interception or the creation of “man in the middle” networks created to ensnare those looking for the fastest, cheapest wifi.
There are a few easy ways to protect your client data. You can use your smartphone to provide a wifi signal, either by tethering it to another device or turning on the phone’s hotspot. You can get a mifi card for internet access from your mobile carrier. Or you can subscribe to a mobile VPN (Virtual Private Network). Just don’t be tempted to use free wifi, even if it “just to check personal email” on a device you also do client work on.
You Should Protect Your Mobile Devices In Case One Is Lost Or Stolen
First, all mobile devices should have encryption enabled to protect data on the installed drive. So, how do you do that?
On iPhones you should set up a passphrase and there are new security options on iOS 12. On Android phones enable a PIN to access the phone’s features and check out new security options for Android Pie. The process is similar for iPad and Android tablets.
Windows laptops mobile devices that are running Windows 7 Ultimate and up have an encryption tool called BitLocker already installed. Just search for it on the computer and follow the instructions to enable encryption protection on the laptop or convertible device.
Mac users will find an encryption tool called FileVault already installed. Simply go to System Preferences from the Apple menu, then click Security and Privacy then “FileVault”. Follow the instructions to enable.
To enable encryption of external hard drives and thumb drives look for encryption software built into external hard drives and thumb drives as well.
Commercial encryption software from companies like Symantec, AxCrypt, or DiskUtility have encryption tools for any device.
Also, you should use software that uses GPS location tracking to locate your device and remotely wipe the drive if it is lost or stolen. For those with IT help there are some options they can help with. If you don’t have help you can easily do this yourself.
On an iPhone or iPad enable “Find My Phone”. If you lose your phone just log into iCloud.com and you can try to use the phone’s built in GPS location to ping the phone and show the location on a map. You can also erase the phone’s data. Your GPS does not have to be on, this will turn on the GPS on the phone.
Similarly, on Android devices go into your Google account in any browser to the “Find My Device” section. Select your device and then you can sign out of your phone, lock your phone, locate it or erase the data.
Third party applications like Lookout Mobile have similar features, plus anti-virus, safe browsing, privacy advisor, backup, and more for $3 per month.
Additionally to locate or remotely wipe a Windows or Mac laptop you can install and subscribe to Absolute’s LoJack for Laptops or Prey (P-R-E-Y).
Also, in online services like LinkedIn, Facebook, Twitter, Google, iCloud and others log on from a browser, go into your settings and “forget” the lost or stolen device.
Good Backup Is Also Good Security!
Having adequate computer backup will solve for a number of issues. A good backup plan can help get your firm back up and running whether your hard drive crashed, you got a ransomware infection, or lost a device.
The often-cited “3-2-1 rule” says that for appropriate backup you need at least three copies, on at least two different kinds of media, at least one of which is kept off-site. But in practice, accomplishing this can be a challenge. Business continuity experts say that one backup should be kept at least 100 miles away from the others. So an automatic online backup service satisfies two of these requirements – continuous backup and the data being stored at least 100 miles away. Dropbox, OneDrive, and other online document storage services are not complete backup. Look at business options from Mozy, Backblaze, CrashPlan or Carbonite for full and functional backup options. Then create a backup image and a periodic file backup and save it on an external drive. An image can be created in Windows and Mac and is a snapshot of your computer’s hard drive with all the settings, software, files and registry to make restoring from a backup as painless as possible.
Catherine Sanders Reach is the Director of the North Carolina Center for Practice Management. NCBA members, click here to learn more about how the Center for Practice Management can help you. NCBA CPM: Practice Smart.