By Jennifer Ellis, Esquire
Data breaches and identity theft are both serious and growing problems. Yet, many law firms fail to take the steps necessary to keep their clients’ information safe. Failure to protect not only your clients’ data, but the data of opposing parties, can lead to ethical issues, fines from government agencies and public relations nightmares. The question, then, is how do law firms protect themselves and their clients? The answer is that firms need to be prepared. They do this by setting up a secure environment and preparing for the inevitable occasion when something goes wrong.
Audit Your Firm
The first step to securing a firm is to conduct an internal audit. This means taking an exhaustive look at both the physical and electronic security of a firm. The process will depend on the size and complexity of the firm.
- Large firms — hire a privacy and security company that has experience auditing business of a similar size and complexity.
- Mid-sized firms — depending on complexity and size, consider hiring a privacy and security company, or a good-sized IT company with a security expert.
- Solo and small firms — most likely can retain a good IT firm with experience in performing IT audits and securing law firms. The exception would be if the firm is especially complex. If it is, go to a security auditing expert like larger firms.
In any case, everything should be audited. It is critical to understand that the weakest part of a firm’s security may not be contained within the law firm. It may be someone who keeps losing their cell phone. Or someone who does not have a properly secured WiFi network at home. Every aspect of the firm’s operations should be reviewed, not just the technology.
Review the Results
Once the audit is complete, it is critical to review the results with an open mind. Willingness to acknowledge and repair problems is paramount.
Fix the Problems
The next step is to fix the problems. Those problems are likely to be in a variety of places. Here are some common examples:
- Outdated equipment. All technology should be replaced as appropriate not only so that it can meet a law firm’s needs, but so it can run modern operating systems that are still being supported.
- Malware protection. Computers, smart phones and other devices should have malware protection. That protection should monitor not only files the user downloads, but other areas such as websites the user visits. If the firm has a BYOD policy, it should mandate that all devices are required to have appropriate malware protection.
- Networks should be secure. Networks need strong firewalls and other security. Everything that connects to the network, whether it is in-house or out-of-house, should be properly secured. Those out of the office should be required to use a VPN or other secure method to connect.
- Make certain to have an appropriate backup system. The practices of old, such as using tapes or external hard drives and taking them out of the office, no longer suffice. Make sure that there are at least two forms of secure backup, at least one of which is in the cloud, so it is automatically offsite
- Consider PBA Opinion 2011-200 on Cloud Computing.
- Passwords — all devices and programs should be password protected. This includes computers, cell phones and tablets. Make sure passwords meet modern conventions and are not used on more than one device or website.
- Check https://howsecureismypassword.net/ to learn the strength of your password.
- For help creating a strong password, use a tool such as https://identitysafe.norton.com/password-generator/.
- For cellphones and tablets, use the strongest option available. Make certain you will be required to re-enter your password after a short period of inactivity.
- Advise employees on proper use of WiFi at home and when traveling. Home WiFi should be properly secured. When traveling, either provide a portable hotspot or require use of a software VPN such as Nord. If guests can access WiFi in the office, make sure they are not able to access the firm’s computer network.
- Email is inherently insecure, and it is important not to send critical data via email without taking appropriate steps to secure the data. This means adding encryption or attaching encrypted files instead of putting data in the body of the email.
- Email should be securely backed up. When creating a backup plan for office technology, it is easy to overlook email.
- Be careful about discarding old technology. It is critical to either physically shred hard drives or take steps to make sure they are properly wiped. The same is true for phones and other types of technology that might be returned. Don’t forget that modern copiers have memories.
- Offices need to be secured and have alarm systems. Employees who keep files at home also should have alarm systems. Wireless alarm systems are a relatively inexpensive option for home use.
- Create a safe environment for paper files. Discuss the proper storage of documents with all employees. Documents with confidential information should be shredded and not just thrown out.
- Make sure employees are properly trained to identify the various forms of social engineering that are used to manipulate people into providing sensitive information that is then used to gain unauthorized access to systems or networks.
- Create a technology and security policy that addresses all security obligations of each employee. It should include any employee-supplied devices.
- Create a written rapid response plan that addresses what will happen in response to various types of data breaches. Someone should serve as the main point of contact who can then make sure all technological and legal issues are managed appropriately. The plan should also include how to deal with public relations, in case the breach is large or one that will draw attention.
- Look into data breach insurance. Most malpractice and business insurance policies do not automatically have appropriate insurance. It is likely a rider will be necessary. PBA’s preferred provider, USI Affinity, offers data breach insurance.
There are many steps necessary to securing technology and client data. Hopefully the above list of common problems and solutions will help you get started.
Jennifer Ellis is an ethics attorney who also advises law firms on their technology and online marketing. Find her at https://jlellis.net.
 Consider these articles written by security professionals: Planning for When Your Law Firm Suffers a Data Breach, https://senseient.com/wp-content/uploads/Be-Prepared-Planning-for-Breaches.pdf; Why You Need a Law Firm Data Breach Response Plan (addresses public relations), http://www.natlawreview.com/article/why-you-need-law-firm-data-breach-response-plan; Security Breach Response Plan Toolkit, https://iapp.org/resources/article/security-breach-response-plan-toolkit/.
 Review the FTC’s broad recommendations for a place to begin, http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&sid=1e9a81d52a0904d70a046d0675d613b0&rgn=div5&view=text&node=16%3A126.96.36.199.38&idno=16.