Before we talk about more of the technology in a law practice, let’s look at how you start to secure the information you are gathering. The legal profession is made up largely of solo practitioners and small law firms, which face the same challenges that other small businesses do. One big difference is that they tend to hold valuable information belonging to other people. It is one reason that law firms have been called the soft underbelly of cyber security. A criminal may not be able to breach a corporation’s security, but they may be able to get through a law firm’s and get access to the same information.
There’s nothing magical about law practice security. It revolves around just a few basic functions that need to be used properly and consistently.
Any device containing client information should be encrypted. It was once tricky to encrypt a Windows computer or a smartphone but that has changed in the last few years. Now you just purchase a business version of Windows with its BitLocker encryption built in and turn it on. Macintosh has FileVault 2. Both provide full disk encryption so that as soon as you turn off your computer, you are protected.
That may seem counterintuitive if you do not understand how encryption works. Think of it as a secure wrapper around your data: when encryption is turned on, it hides whatever is inside the encrypted container. For you or anyone else to access the data, a password is needed to decrypt it. While it is decrypted, anyone with the device can access it.
In practice, you type in a password on your smartphone or tablet or on your computer when it starts up. This is different from your operating system password in Microsoft Windows. In fact, Windows is a great example of how the encryption works.
If you think of encryption as a box into which you’ve put your data, then you can visualize how, when the box is closed, no-one can see what is in the box. When your whole hard drive is in the box, then nothing – from your Windows wallpaper to your client files – can be accessed without the decryption password.
Some lawyers think that they have secured their files by using a Windows password. But that only secures access to the operating system and the applications in it. If we return to the box, a Windows password leaves your hard drive outside the secured box. I do not need to be able to use Windows to copy files and other data off your hard drive.
Encryption is a complex security technology. But implementing it isn’t. Once you have applied it to a device, it is a matter of “set and forget”: you enter your password to unlock the device when it starts up, it locks again when you shut down, and otherwise you can forget about it.
Recent Android-powered devices have encryption built into the operating system but not turned on by default. This is the way Windows BitLocker and Macintosh FileVault 2 work as well; they are included in the operating system but have to be turned on. Apple iPhones are encrypted by default, but you need to set a PIN or password to secure the device.
There are third-party encryption tools as well. You can use these instead of BitLocker or FileVault to encrypt your entire hard disk. You can also use them to encrypt just the part of your disk drive where your confidential information is stored. This is trickier – you have to make sure confidential and private information is never stored outside of your encrypted container – and is more hassle than it’s worth unless you have a special reason to do it.
These standalone encryption tools can also be used for external hard drives and USB thumb or flash drives. In other words, if you have any portable drive to which you save your law practice information, it should be encrypted too.
It only takes a quick Web search of “unencrypted usb” to turn up hundreds of stories of USB drives that were unencrypted, lost, and potentially exposed thousands of people’s personal information. Imagine yourself in that position, having to notify all of your clients about the loss of their information. It’s a reputational hit that can damage your clients’ trust in you.
You might be inclined to only encrypt these portable drives. Unfortunately, every storage device is portable so only focusing on the smallest, most portable means missing other, potentially more damaging, risks. It is not difficult to pick up a laptop or even a desktop computer and walk out of an office with it. The same goes for servers, although it can be trickier to encrypt them and they should be kept physically locked away from access.
Encryption Outside Your Practice
If you place client data onto the Internet, then you need to worry about encryption there as well. Encryption reduces the likelihood of inadvertent disclosure of clients’ private and confidential information. When you transmit or receive information – uploading a file, sending an e-mail, communicating in a chat session – you can encrypt the transmission. And when that file is sitting on a remote server, or the e-mail is sitting on a remote e-mail system, it should remain encrypted.
This is harder to ensure than it may seem.
When you use a service – Google Drive, Microsoft Office 365, and so on – they should indicate what encryption they provide. For example, Google Apps for Work indicates that
Google Drive for Work and our data centers are SSAE 16 / ISAE 3402 Type II, SOC 2-audited and have achieved ISO 27001 certification. For industries or geographies subject to specific regulations, Google Drive supports FISMA, FERPA, and HIPAA and adheres to the Safe Harbor Privacy Principles.
Unfortunately, sometimes the description is “military grade” or “bank grade” encryption, which tells you exactly nothing about how secure your information is. The cloud service should use encryption that is counted in bits: 256 bit, 2056 bit, and so on. Ask them how many bits their encryption uses to get a sense of it, although many companies publish this on their Web site. Higher numbers are better.
There is no right number, but it is worth noting that researchers have cracked a number of encryption levels. The question that lawyers should ask is whether their obligation to protect their clients’ information using reasonable and competent methods includes securing against the types of attacks researchers have used to successfully break 4096 bit encryption. The most important thing is to confirm that your service is using encryption.
Transmissions to and from the site should be encrypted using secure sockets layer (SSL) or, more correctly, TLS (Transport Layer Security), the newest iteration of this encryption. You can see in your Web browser when a site address goes from http://… to https://. If your cloud or remote service uses an app instead of a Web browser – like Dropbox, Box, OneDrive, among others – then the connection the app uses should also be secured. You won’t be able to see that it is in the same way that you can with your browser URLs, because it occurs within the app.
Sometimes you may need to use a service that doesn’t encrypt your content, even if you know that’s not desirable. In other cases, you may not want to rely entirely on the encryption or security provided by the service. Why? It comes down to who holds the keys.
Encryption depends on a piece of information, the encryption key, that is needed to encrypt and decrypt the data. In most cases, the organization holding that key is the service provider, not you. That means that, without your knowledge, the encrypted information can be decrypted by the company at the request of a government or other person. We have come a long way from the government seeking to hold these keys in escrow – don’t worry, we’ll protect them for you – but still not entirely to the point where the customer holds them.
That is changing, and you can increasingly manage your own encryption. Services like JungleDisk.com, which provides file storage and sharing, or Amazon Web Services, which provides raw computing infrastructure, now enable the customer to hold their own encryption key. It increases your security and shifts the risk of managing the key to you. If you lose it, you could potentially find yourself with information that cannot be decrypted.
There are other tools that enable you to add a layer of encryption before you place the information on a remote server. These tools, like Sookasa or Boxcryptor or Viivo, leave the file decrypted on your computer but encrypt it before you synchronize it to a site like Dropbox or Box.
The comparison, above, between your operating system password and encryption should not be taken as a suggestion that you do not need both. You do. One of the most helpful habits you can get into is to lock your device screen whenever you leave it, if you are not turning it off entirely. Windows users can hit the Windows key (little wavy flag key near the ALT key) and L to invoke the lock screen. That way, even though your device is decrypted, anyone who picks it up still needs a password to get to the data. It’s not ideal, but it’s just another obstacle to someone who is trying to get at your information.
Your operating system password. Your encryption password. You will soon notice the passwords piling on: e-mail, bank accounts, social media and other Web sites, and so on. Unfortunately, the number of potential passwords creates the likelihood that you will re-use a password on multiple accounts and use a simple one that you can remember.
And such a password can be easily found with a brute force or dictionary attack on your system. This entails a computer running through a literal dictionary of possible words and character combinations until it finds a match.
Password management has emerged as a significant problem for all business owners and lawyers are no different. This has occurred, in part, because there have been huge numbers of large system breaches: at Adobe, Forbes, Snapchat, and on and on. Millions of potential passwords are available for criminals attempting to identify yours. In many of these cases, the e-mail address and password are linked. If, for example, you used a Gmail e-mail account with a password, there’s a good chance the criminals will attempt to exploit your Gmail account with that password, or use the combination together on other sites you’re likely to visit.
That may be a bit disconcerting. How do they know which sites you might be visiting? While lawyers may be one of the weaker links in security chains, most exploits are equal opportunity attacks: they’re not aimed at lawyers, but at anyone who gets caught in the net. The answer to the question “which sites” is that they will not know, probably. The data – your e-mail address and password – will be used in automated attacks on the off chance it will work.
This is the fundamental problem of re-using a password. If your password is divulged by a service in what seems to be an increasingly common attack pattern, you have compromised multiple accounts or access points to your data. The obstacle to using unique passwords is the limit of your memory.
The tension between memorable passwords and unique passwords is not new. Some experts recommend using passphrases, combinations, like portmanteaus, of two or more words that do not occur together: appleshoeshindig, for example. You can further obfuscate a passphrase by turning it into hacker leetspeak – &pple$h0e$hindig – but the underlying premise is that you will still attempt to remember this password.
I think the technology demands of law practice are too complicated to be handled by the small number of passwords that we can keep track of in our memory, particularly when there are tools like password managers to do the heavy lifting.
A password manager is a database – secured, naturally, with a password – that stores usernames and passwords. In most cases, these free applications will generate new, complex passwords as you need them. If the site or application you want to use has specific requirements for the password, like a particular length or certain types of characters, you can choose to have those included in your passwords. Each site or service gets its own password so that, even if one of them is breached or exposed, it will not have an impact on any others.
The password manager is secured by a single, master password. This is where you should have either a memorable, strong password, or a strong, complex password that is written down and secured except when you use it. Once the password database is closed, it is encrypted against access. The only way in, just as with your encrypted computer, is by using the opening password. Once your password database is open, all passwords inside are accessible.
There are Web-based password managers as well as ones that run only on your device. I recommend the latter, so that you do not require Internet access to get to your passwords. Free password managers like KeePass can be used on pretty much any type of device or operating system. You can synchronize your encrypted password file among your devices to keep up with any changes you make on one device.
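As an added illustration of the two points above (reused passwords turning one breach into several, and a password manager generating a unique password that meets each site’s rules), here is a small Python example; it is not code from the original text or from KeePass, and the vault contents and site names are constructed for the example.

```python
from __future__ import annotations
import secrets
import string
from collections import defaultdict
from dataclasses import dataclass

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


@dataclass(frozen=True)
class PasswordPolicy:
    """Requirements a site imposes, e.g. minimum length and character types."""
    length: int = 20
    digits: int = 1
    symbols: int = 1
    upper: int = 1
    lower: int = 1


def meets_policy(pw: str, p: PasswordPolicy) -> bool:
    """True if the password satisfies every requirement of the policy."""
    return (len(pw) >= p.length
            and sum(c.isdigit() for c in pw) >= p.digits
            and sum(c in SYMBOLS for c in pw) >= p.symbols
            and sum(c.isupper() for c in pw) >= p.upper
            and sum(c.islower() for c in pw) >= p.lower)


def generate_password(p: PasswordPolicy) -> str:
    """Draw a password from the OS random source; retry until it meets the policy."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(p.length))
        if meets_policy(pw, p):
            return pw


def find_reused_passwords(vault: dict[str, tuple[str, str]]) -> dict[str, list[str]]:
    """Map each password used on more than one site to the sorted list of those sites."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for site, (_user, pw) in vault.items():
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def rotate_reused(vault: dict[str, tuple[str, str]], p: PasswordPolicy) -> dict[str, tuple[str, str]]:
    """Return a copy of the vault with every reused password replaced by a fresh unique one."""
    reused = {site for sites in find_reused_passwords(vault).values() for site in sites}
    return {site: (user, generate_password(p) if site in reused else pw)
            for site, (user, pw) in vault.items()}


# Constructed vault: the same passphrase from the text reused on two sites.
CONSTRUCTED_VAULT = {
    "gmail.com": ("alex@example.com", "appleshoeshindig"),
    "bank.example": ("alex@example.com", "appleshoeshindig"),
    "courtfiling.example": ("alex", "Tr0ub4dor&3-example"),
}
```

Running `find_reused_passwords(CONSTRUCTED_VAULT)` shows the one shared password and the two accounts a single breach would expose; `rotate_reused` gives each of them its own generated password.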
Related Readings and Resources