Watch It Now: Data Security for the Modern Law Firm

Remember when George Jetson was tooling around in his mini-spacecraft with his boy Elroy?  That seemed pretty sweet, right?  Well, 21st century lawyers don’t have it nearly so easy.  It turns out that progress rides along with information security concerns.  Not only that, but regulators (federal, state, courts and ethics authorities) are catching up to the fact that lawyers, like any other small business owners, should effectively vet software providers for reasonable security applications, and also share responsibility in maintaining their law firm data (really, their clients’ data) in a reasonably secure manner.

Why, then, was ‘The Jetsons’ all one big lie?  Why has your childhood been destroyed?  And, what can you do about it?

I suppose that curling up into the fetal position and crying uncontrollably for several days is one option.  Another is to embrace your data security responsibilities, and determine to kick ass at managing your clients’ data better than your rival law firms, and to use that as a competitive advantage.  That latter choice seems like the better opportunity to me.

Let’s then discuss the practical responsibilities you should be crushing, so you can present yourself as a modern and secure law firm, in order to slake the thirst of a consumer public hungry for lawyers that understand and apply data security tactics.

Putting Software Providers to the Test

Some states, like my home commonwealth of Massachusetts, require small business owners, including law firms, to vet software providers for effectiveness of data security.  But, even if you’re not required to do so by state or federal law, you may be required to do so by your local ethics rules or ethics opinions related to the use of cloud-based software — or, at least, the implication that you must do so will arise.  And, even if it’s not a requirement, it’s still probably a good idea.  Choose the wrong software vendor, don’t do enough to secure your data, and your professional reputation is at stake.  And, the maintenance of your professional reputation is likely even more important than any short-term fines or penalties you may have to pay for a data breach, since that black mark on your effectiveness as a business owner is likely to last forever.

So, the necessary first step, before you look to additional measures for securing your data, is to find a software provider that already provides a highly secure environment for your law firm information.  To that end, here is a list of questions you should ask of your potential software vendors:

(1) Does the provider offer two-factor authentication for login?

(2) Does the provider restrict IP addresses?

(3) Does the provider include features related to the setting of user roles and permissions within the software?

(4) Does the provider ‘lock’ the login process after multiple failed attempts?

(5) Does the provider utilize 256 bit SSL encryption?

(6) Does the provider encrypt data both when it is in transit and when it is at rest?

(7) Is the software HIPAA-compliant?

(8) Does the provider utilize a geo-redundant server architecture with real-time data backup?

(9) Does the provider maintain ‘five 9s’ uptime?

Asking these questions of any potential vendor, and getting a ‘yes’ for all of them, is a beautiful start to your new life as a data security-aware lawyer.

Protecting Yourself . . . um, from Yourself 

Of course, that’s only a start because, even if your chosen software vendor provides you with all the tools possible to run a secure and stable law firm, user error is the most common entry point for a data breach.  Consider that, even if your software vendor is able to answer all of the above questions in the affirmative, that your secretary who chooses ‘password123’ for her password remains a security breach waiting to happen.  So, in order to effectively secure your law firm data, it’s not just about relying on your software partners, it’s also about training your staff, and maintaining security rules within your law office.

To that end, here are some tips for better securing your law office data, and preventing user error, also known as boneheadedness:

(1) Make sure you have a password for your computers that is complex, and preferably that requires capitalization, numbers and/or special characters.

(2) Make sure your password hint is not an obvious giveaway for your actual password.

(3) Make sure that your computer is set to ‘auto-lock’ after two minutes of inactivity.

(4) Make sure to manually lock your computer every time you leave your desk.  (For Windows machines, press the Windows button + L simultaneously.  And, for Macs, use Control + Shift + Power simultaneously.)

(5) Make sure you encrypt your hard drive.  (Here’s how to do it on Windows; and, here’s how to do it on a Mac.)

(6) Make sure to have two-factor authentication actually enabled on all software, including your law practice management software, productivity software, accounting software and CRM.

(7) Do not use the same password for every login.  (If your passwords are becoming overburdensome, consider a password management tool.)

(8) Beware of ‘phishing’ emails that ask you to download a file — even when those emails appear to come from clients or colleagues you have worked with before.  (Remember that email addresses can be masked.)

(9) Moreover, never download a file that comes from a questionable source. 

(10) Make sure to regularly run your system updates on all of your computers.

(11) Use reputable antivirus and malware software, with up-to-date virus definitions.

. . .

If you’re looking for a technology partner who’s as concerned about law firm data security as you are, consider Practice Panther for law practice management.  If you want to find out what they’re all about, schedule a product demo via this link.