In a mobile world, lawyers and their teams can enjoy freedom of movement when answering email, editing a document, or reviewing case notes. However, depending on the contents of the device, the loss or theft of a laptop, tablet, or smartphone may result in a data breach or the exposure of confidential client information. What can lawyers do to reduce the risk of exposure from mobile devices?
Plans and Policies
Law firms should develop an Incident Response Plan to help determine what should be done if there is a risk of data breach or exposure of client information. Know what you don’t know and employ an expert to help determine next steps. An Incident Response Plan can help identify those steps, including documenting experts, cyber-security policies, help from law enforcement and more.
Additionally, law firms should have policies in place to help safeguard data. For instance, policy should require that an associate immediately report a misplaced mobile device, that passphrase encryption be enabled on smartphones, and that portable data storage devices such as thumb drives or external drives be approved by the firm with encryption enabled. Lawyer’s Mutual has identified many computing risks and provides sample policies in this document.
Encrypt Your Devices
According to the Breach Level Index, only 4% of breaches were “secure breaches” where encryption was used and the stolen data was rendered useless. All mobile devices should have encryption enabled to protect data on the installed drive or storage. So, how do you do that?
On iPhones and iPads, you should set up a passphrase and make sure that “data protection enabled” is turned on in the settings. On Android phones and tablets, enable a PIN to access the phone’s features and, on older versions, go into the security settings to enable encryption. It is worth noting that you should upgrade your phone and install the latest operating system version, as additional security enhancements are included. Older phones often cannot support updated mobile operating systems, and thus can’t be patched and adequately secured.
On laptops and other Windows mobile devices running Windows 10 (excluding Home edition), an encryption tool called BitLocker is already installed. Just search for it on the computer and follow the instructions to enable encryption protection on the laptop or on a convertible device like the Microsoft Surface Pro.
Mac users will find an encryption tool called FileVault already installed. Simply go to System Preferences from the Apple menu, then click Security and Privacy, then “FileVault”. Follow the instructions to enable it.
To encrypt external hard drives and thumb drives, look for encryption software built into the drives themselves.
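Turning BitLocker or FileVault on is only half the job; a firm also wants to confirm that each laptop is still encrypted and protected. The Python sketch below is an added example, not part of the original article: it checks the text printed by the built-in status commands `manage-bde -status` (Windows) and `fdesetup status` (Mac), which the article does not mention. It assumes English-language output, and the sample outputs are constructed.

```python
import re

# Constructed sample outputs (English-language tools assumed; not real captures).
BDE_OK = """Volume C: [OSDisk]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
    Lock Status:          Unlocked
"""
BDE_SUSPENDED = BDE_OK.replace("Protection On", "Protection Off")
BDE_PLAIN = BDE_OK.replace("Fully Encrypted", "Fully Decrypted").replace(
    "100.0%", "0.0%").replace("Protection On", "Protection Off")
FV_ON = "FileVault is On.\n"
FV_OFF = "FileVault is Off.\n"
FV_CONVERTING = "FileVault is On.\nEncryption in progress: Percent completed = 42\n"

# Both states mean the data on disk is encrypted.
ENCRYPTED_STATES = {"Fully Encrypted", "Used Space Only Encrypted"}

def _field(text, name):
    """Return the value of a 'Name: value' line, or None if absent."""
    m = re.search(rf"^[ \t]*{re.escape(name)}:[ \t]*(.+?)[ \t\r]*$", text, re.MULTILINE)
    return m.group(1) if m else None

def bitlocker_findings(status_text):
    """Problems in the output of `manage-bde -status C:` (empty list = OK)."""
    problems = []
    if _field(status_text, "Conversion Status") not in ENCRYPTED_STATES:
        problems.append("volume is not encrypted")
    # A suspended volume is still encrypted on disk, but its key is stored
    # in the clear, so whoever holds the laptop can read the data.
    if _field(status_text, "Protection Status") != "Protection On":
        problems.append("protection is off or suspended")
    return problems

def filevault_findings(status_text):
    """Problems in the output of `fdesetup status` (empty list = OK)."""
    problems = []
    if "FileVault is On." not in status_text:
        problems.append("FileVault is not on")
    if "Encryption in progress" in status_text:
        problems.append("initial encryption has not finished")
    return problems

if __name__ == "__main__":
    for name, text in [("ok", BDE_OK), ("suspended", BDE_SUSPENDED)]:
        print(name, bitlocker_findings(text) or "OK")
    print("mac", filevault_findings(FV_CONVERTING) or "OK")
```

The suspended case is the one worth watching for: the drive still reports as fully encrypted, yet a lost laptop in that state exposes its data.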
Remote Wiping and Mobile Device Management
Do you know how to remotely wipe the drive of a mobile device if it is lost or stolen? IT departments can help deploy Mobile Device Management. Law firms using Microsoft Office 365 Business Premium and above can also enable Mobile Device Management, which includes multi-factor authentication, device security policies, and remote wiping of selective data from a firm-approved device.
For solos and small firms without IT help, individual lawyers can take steps to enable remote wiping of data.
On an iPhone or iPad, enable “Find My Phone”. If you lose your phone, just log into iCloud.com and you can try to use the phone’s built-in GPS location to ping the phone and show the location on a map. You can also erase the phone’s data. Your GPS does not have to be on; this will turn on the GPS on the phone.
Similarly, on Android devices, go to the “Find My Device” section of your Google account in any browser. Select your device and then you can sign out of your phone, lock your phone, locate it, or erase the data.
Third party applications like Lookout Mobile have similar features, plus anti-virus, safe browsing, privacy advisor, backup, and more for $3 per month.
An additional aspect to consider is whether your phone is properly backed up. The prospect of remotely wiping your device isn’t daunting if you know that your data is backed up to the cloud. If your phone isn’t presently backed up, check out this wonderfully detailed Wired article with instructions for securing and backing up your phone.
Also, for online services that are linked to a device, including LinkedIn, Facebook, Twitter, Google, iCloud and others, log on from a browser, go into your settings and “forget” the lost or stolen device.
When you are getting rid of an old laptop or smartphone, it is important to wipe the drive before recycling, re-purposing or gifting it. Wired has an excellent tutorial on how to clean up old devices, which may include completely destroying the device if the information on the drive is of a very sensitive nature. DBAN’s personal version may be “good enough” for personal devices, but for complete erasure their fee-based Blancco Solutions offers certification of erasure. For iPhones and iPads you can Erase All Content and Settings, and for Android you can Reset the device and then “erase everything”.
Data security is a complex and ever-moving target. In security it is often said that “there are only two types of companies: those that have been hacked and those that will be”. For more information, talk to an IT professional who specializes in computer security, join NCBA’s new Privacy & Data Security Section and follow their blog, and sign up for the CPM’s upcoming Learning Objectives webinar “Encryption at Rest and In Transit”.