Online Legal Tools: Essential Law Firm Data Protection Practices
As the majority of law firms continue to move much of their practice management online, there remains a serious concern. Those of us lawyering understand the importance of protecting the sanctity of attorney-client privilege and work product. That existed before we all started going digital. And now? The new concern is: how do we protect law firm data the right way?
ABA States Lawyers Should Take Reasonable Efforts to Protect Data
ABA Model Rule 1.6(c) states that lawyers “shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” When you think about it, that’s a tall order. What is a reasonable effort? And how can you protect all law firm data?
Unfortunately, there’s no way to protect all of your data all of the time. Data security problems from software, malware, ransomware, viruses, phishing attempts, and data breaches happen. The digital landscape changes so fast that there is no such thing as constant protection from every existing threat.
Fulfill “Reasonable Efforts” by Using Law Firm Data Protection Best Practices
It may seem like we’re all now expected to become cybersecurity and data protection experts. That’s not the case. You always have the option to hire a reputable IT team that has verifiable experience working with law firms to protect data. Do not hire just any local IT company. You really need professionals who understand the data protection requirements set in your jurisdiction as well as the best possible current security standards to protect your data based on the type of law that you practice. For example, a lawyer who primarily handles cloudy titles and easements still needs to secure their data, but they won’t need to worry about HIPAA requirements, whereas a lawyer practicing personal injury law or insurance defense may have sensitive medical information about people involved in accidents of some kind.
With that being said, let’s talk about some best practices you can use to protect data while you continue to use the online legal tools that make your law firm life easier.
Know Thy Legal Tool Provider
One of the best things you can do to protect law firm data is to really know what sort of data security your online legal tool provider offers. This information is usually very simple to find. Go to their webpage. The most reputable and trusted companies either have their security information on their home page or they have it in an easy-to-find location, such as the page devoted to features or a page devoted to how they protect data.
Then, consult Google. Look them up with the words “hack,” “data breach,” “ransomware,” “malware” or “back door.” The goal is to determine whether the provider has known problems. This is particularly important because while the major industry software players will create patches and fixes for known issues, other companies may not do this. The best companies will make ongoing data security a main concern. They know they won’t continue to have a viable future without staying on top of potential security issues.
Consider Whether Your Firm Needs a Policy Limiting Personal Device Use
Sometimes, law firm data isn’t compromised through an office workstation. It’s compromised because law firm employees use their own personal devices to work on client matters. And that can be a serious risk. Depending on the type of law that you do, you may need to create and enforce a policy that limits personal device use for firm matters. Yes, that may seem extreme in a world where everyone works from a remote location at least on an occasional basis. However, personal devices may not be secure. You may want to talk with a data security professional to assess whether this is necessary for your law firm.
Use Secured Passwords for Every Program
Everyone in your law firm should use secure passwords for different programs. Ideally, they should not use the same password for every program. Don’t use common passwords. (And please don’t participate in the “I want to learn more about you…where did you go to school in first grade? Where did you graduate? What was your first car? Favorite teacher?” social media “game.” Those ask a lot of password reset questions.)
One option is for everyone to use LastPass or 1Password to help establish and store secured passwords. Randomly generated passwords, such as those that both of the previously mentioned programs can generate, are the most secure.
Working Remote? Just Say “No” to Free Wi-Fi
Technology allows us to work from anywhere as long as we have an Internet connection. If you’re working remotely, stay off the free Wi-Fi. That’s where data is often stolen. If you must work remotely from someplace other than your home (on a secured Internet connection), get your own secured mobile hot spot. Find out if your phone allows you to tether for data. If it does, find out how you can make your own Internet connection more secure (pro tip: turn off your Bluetooth). If you’re working from an area that is less than secure, use a VPN. They’re fairly inexpensive and they are invaluable to data protection.
Use Two-Factor Authentication
If it’s provided by the technology you use, make sure that you have two-factor authentication turned on. If you’re not sure what that means, it means that it takes more than your password and username to log in. It may include a special code that is generated and texted to you. It makes it more difficult for someone to use your credentials to access sensitive law firm data.
Use Secured Networks
The Internet connection in your law office (and in your own home) should be secured. At its most basic, this involves changing the router’s default password and enabling WPA or WPA2 encryption. It also involves making sure that your router is running the most up-to-date firmware available for it. You can also set up your network so that only the computers within your law office can connect to it, by filtering on their Media Access Control (MAC) addresses.
Encrypt Your Data
Talk with an IT professional about how you can encrypt emails, documents, USB devices, and even hard drives. There are a lot of options for encryption. It’s important that you’re educated. The best possible education is by an IT professional who works with law firms. They can explain what you need and your options. There are also a lot of walk-throughs available online that can teach you how to encrypt files on your computer. However, it’s important to consider your own technical abilities before you attempt to do this. It needs to be done the right way.
Stay on Top of Phishing and Phone Scams
We’d all love to believe that email (phishing) and phone scams are obvious. Yet, there are a lot of convincing scams out there. There are IRS scams, utility scams, and bank scams. There are also remote IT support scams. You must stay on top of phishing and phone scams. If you have a question as to whether what you’ve received in an email or over the phone is legitimate, contact the actual company or agency that someone claims they are with. Remember that these companies will never ask you for a username, password, or other sensitive data. Keep in mind that some scammers know this and they’ve upped their game by taking people to lookalike sites and gaining credentials in that manner.
The best possible thing you can do to protect your law firm data is to stay educated on what’s happening. You don’t have to become a tech or cybersecurity expert. Just make sure that you’re reading about what’s going on so that you are prepared to hopefully prevent it before it becomes a problem for your firm.