Avansic Whitepaper: The 5 Security Measures You Should Be Taking
10-06-2016, Dr. Gavin W. Manes, CEO of Avansic and John Barkett, Partner at Shook Hardy & Bacon LLC - Corporate

Introduction
Security is at the top of everyone's mind. This is doubly true for legal professionals given the sensitivity and importance of the electronic information they may possess.

In 2012, the American Bar Association Model Rules of Professional Conduct were amended to address the risks associated with technology. Specifically, Model Rule 1.6(c) was added: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Twelve states (Arizona, Connecticut, Delaware, Illinois, Iowa, New Hampshire, New Mexico, North Dakota, Oregon, Pennsylvania, Virginia, and West Virginia) have already incorporated Model Rule 1.6(c) into their Rules of Professional Conduct (RPC). Other states can be expected to follow.

Knowing that security is important is a good first step towards making information more secure and complying with the RPC. But knowing isn't enough; acting on that knowledge is required. Especially for those not technically inclined, here are some things you should do and, more importantly, should be able to do.

Have a Password on Your Mobile Devices
This applies to cell phones, tablets, or any other mobile device that may store firm or client data (such as email), because once a device is unlocked, a plethora of information is available. This includes the ability to search through all of your email, not just the information stored on the device itself.

Simple passwords are ill-advised. Have a password with at least 8 characters that is “complex”, i.e. a combination of numbers, letters, and special characters. A 4-digit PIN or screen lock technology may not be enough to protect your client's or firm's information. And no password should be shared with your spouse, children, assistant, or others.

But you may ask, “What do I do with my children who are clamoring to watch a video on my tablet?” Set up a guest account. Some mobile devices allow multiple user accounts, so that you can have access to email while your children are allowed only to watch videos or go to gaming sites.

Encrypt Your Mobile Computer
If you take a laptop outside of your office, you need to encrypt it using a tool like BitLocker. That way, if the computer is stolen or lost, the data is generally secure. The use of BitLocker also means that data leaving a law firm is encrypted, which is a security best practice.

The process of BitLockering a computer takes a few hours and once complete, you need to enter an additional password every time you turn on your computer. The password should be complex, at least 8 characters with a combination of letters, numbers, and special characters.

This type of encryption and password protection is stronger than your regular computer password; if the hard drive is removed from the computer, a person cannot simply bypass the password and access the data.
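Before a laptop leaves the office, it is worth confirming that BitLocker has actually finished encrypting the system drive and that protection is switched on (an encryption that is still in progress, or one whose protection has been suspended, does not give the guarantee described above). The following PowerShell check is an added example, not part of the whitepaper; it uses the built-in Get-BitLockerVolume cmdlet, so it assumes a Windows machine with the BitLocker feature and an elevated PowerShell session. The “additional password every time you turn on your computer” described above shows up in the key protector list as a TpmPin or Password protector.

```powershell
# Added example (not from the whitepaper): report whether the system drive is
# fully encrypted and protected by BitLocker, and which key protectors are set.
# Assumes Windows with the BitLocker feature and an elevated PowerShell session.
function Test-BitLockerProtection {
    param(
        # Drive to check; defaults to the operating-system drive (e.g. "C:").
        [string]$MountPoint = $env:SystemDrive
    )

    # Get-BitLockerVolume is the built-in cmdlet; it fails if BitLocker is absent.
    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # A drive only counts as protected when encryption has completed AND
    # protection is On (it can be temporarily suspended, e.g. for firmware updates).
    $fullyProtected = ($volume.VolumeStatus -eq 'FullyEncrypted') -and
                      ($volume.ProtectionStatus -eq 'On')

    # Key protector types such as TpmPin or Password mean a pre-boot secret is
    # required; Tpm alone means the drive unlocks automatically on this machine.
    $protectors = ($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '

    [PSCustomObject]@{
        MountPoint        = $volume.MountPoint
        VolumeStatus      = $volume.VolumeStatus        # FullyEncrypted / EncryptionInProgress / FullyDecrypted
        ProtectionStatus  = $volume.ProtectionStatus    # On / Off
        EncryptionPercent = $volume.EncryptionPercentage
        KeyProtectors     = $protectors
        Protected         = $fullyProtected
    }
}

# Usage: run before taking the laptop off-site.
$result = Test-BitLockerProtection
$result | Format-List

if (-not $result.Protected) {
    Write-Warning "System drive is not fully protected by BitLocker; keep client data off this laptop until it is."
}
elseif ($result.KeyProtectors -notmatch 'TpmPin|Password') {
    Write-Warning "BitLocker is on but no pre-boot PIN or password is required; consider adding one."
}
```

The script only reads status and changes nothing, so it is safe to run on a live machine; turning encryption on or adding a PIN is still done through the BitLocker control panel or by an administrator.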

Don't Forget Physical Security
Even after you've encrypted your hard drive, you should still practice physical security when on the road. Use the hotel safe, take your devices with you, and don't write the password on a sticky note and put it in your laptop bag. The common sense test should always be applied.

If your devices aren't encrypted as a matter of course, you should employ other physical security measures to ensure that data does not leave your office. This includes restricting access to your firm's offices, locking computers when not in use, and making sure security procedures are in place for any file or email servers. An area that is often overlooked is leased equipment, including computers, copiers, or other devices with electronically stored information, because once the lease is up those devices might go somewhere outside your office.

Accept That More Security = Less Convenience
Changing this mindset is the most important step in securing information. Information workflows are more difficult and time consuming when they are secure. Integrate security into your daily work and learn to live with the fact that computer access, file use, and file management will take longer than before. Understanding the reason behind security and mitigating the substantial risks posed by insecure actions should be sufficient motivation for change even apart from RPC 1.6(c).

Be Careful with the Cloud
The cloud is a wonderful digital filing cabinet in most cases – cheap or free email, seemingly unlimited video and picture storage – and we can choose where we place this information, including on a public cloud. However, choosing to place client and firm data in the cloud may undermine the security principles of clients or the firm and may be inconsistent with rules of professional conduct.

There are private cloud services appropriate for firms and their clients' data, but services-agreement terms should be carefully scrutinized for third-party access, and for data-destruction and data-retention policies and procedures. (Note that most cloud providers will not certify that data is destroyed once deleted, which can make it difficult to enter into protective orders with a data destruction requirement, or to handle HIPAA data.)

Conclusion
For large law firms, there are likely a set of security principles and procedures already in place; it's just a matter of recognizing how important it is to follow them. For smaller firms that may not have dedicated IT staff, establishing good security habits is even more important. Local counsel for a large case may be targeted as the “weak link” in the information chain.

In practice, security is making an individual judgment about the level of security required for information that is being transmitted or stored electronically. Good judgment may require a change in your habits, and may be mildly inconvenient, but it is necessary to meet professional obligations and minimize the likelihood you will have to face the consequences of a security lapse.