Area 51: How To Restrict Law Firm Data

Sure, I believe in aliens.  I love ‘The X-Files’.  I’ve even been to Roswell.

But, you know what’s alien to a not insignificant number of small law firms?  Effective data controls.

To that end, I intend to examine three potential security loopholes, and then the methods to close them.

Logging In.  There are a number of ways you may be failing to properly secure your hardware and software — the chief access points for the majority of your law firm data.  The good news (if this is bad news for you) is that tweaking some of your existing protocols can go a long way to beefing up your existing protections against data breach.  The most obvious method is to create more secure passwords, and require your team to do the same.  People use simplistic passwords because they’re easy to remember; but, those same passwords are easy to crack.  Many lawyers operate on the thesis that, if one simple password is easy to remember for one program or device, then that same simple password will be similarly easy to remember across multiple programs and devices.  If you’re using the same password across a number of programs and devices, you’re exposing a large swath of your data in what would otherwise be a single, controlled breach — there’s a reason jailors have massive key rings and for each cell being tied to a single key.  If you’re having trouble remembering the multitudes of passwords you must recall, try a password manager.  This is a good guide for crafting more complex passwords — which don’t, by the way, have to include a bunch of special characters.  Beyond passwords, adding a second factor of authentication, where available, will better secure your accounts.  The most common second factor (in addition to a password) is a texted access code.  The theory behind this measure is that, even if a hacker does figure out your password, that same hacker is not very likely to also possess your phone — though, there are potentially stronger options available.

Screening.  Controlling access to internal systems is also important, especially given the rising use of case management programs by law firms.  While this is often an issue viewed through the prism of ethics, there are other concerns at play, as well.  A driving theory behind data management is that access should be given to those who require it to perform a job, to the exclusion of others.   Limiting engagement on matters only to those who need to access those matters limits the possibility of breach by limiting the number of parties who could easily effectuate it.  Reducing associate access to only those matters on which associates are directly working offers less exposure to your complete client lists and contacts, which would otherwise be more easily accessible by a break-off firm.  Effectively screening support staff from accounting features and reports could save you from becoming the victim of embezzlement.  It may go without saying that eliminating access for departing staff as soon as practicable is a protective measure that law firms would be negligent in waiting on employing.

Let’s Get Physical.  Even at this late date, most law firms are not entirely paperless, such that access controls should extend to the paper files that law firms maintain — even where there exist a limited number of those files.  Paper files are not subject to global exposure, like electronic data is; but, paper files are far easier to remove from a physical space, and are much harder to track if lost, mislaid or stolen.  Lawyers tend to leave paper files that they work on out on their desks.  Those documents are prime targets for being swiped; so, file all your paper documents before going home for the night.  Use file cabinets that lock, and actually lock them.   Make sure that associates and staff are aware of the need for securing confidential paper-based data, too; create a policy respecting the firm’s treatment of such documents.

It’s easy to overlook information security — until you’ve had a breach.  Not every breach is preventable; but, if you can stop those that are, and install a response and recovery plan for those that aren’t, you will have shown your commitment to your clients, and will have met your ethical and legal obligations.

. . .

Liner Notes

Speaking of aliens . . .

‘David Duchovny’ by Bree Sharp

Shout out to my boy, Glenn Dennis.