data security – Red Cave Consulting
https://redcavelegal.com
Red Cave Law Firm Consulting provides subscription-based business management consulting specifically designed for lawyers and law firms.

Watch It Now: Data Security for the Modern Law Firm
https://redcavelegal.com/2019/02/07/data-security-law-firms/
Thu, 07 Feb 2019 11:54:51 +0000

Remember when George Jetson was tooling around in his mini-spacecraft with his boy Elroy?  That seemed pretty sweet, right?  Well, 21st century lawyers don’t have it nearly so easy.  It turns out that progress rides along with information security concerns.  Not only that, but regulators (federal, state, courts and ethics authorities) are catching up to the fact that lawyers, like any other small business owners, should effectively vet software providers for reasonable security applications, and also share responsibility in maintaining their law firm data (really, their clients’ data) in a reasonably secure manner.

Why, then, was ‘The Jetsons’ all one big lie?  Why has your childhood been destroyed?  And, what can you do about it?

I suppose that curling up into the fetal position and crying uncontrollably for several days is one option.  Another is to embrace your data security responsibilities, and determine to kick ass at managing your clients’ data better than your rival law firms, and to use that as a competitive advantage.  That latter choice seems like the better opportunity to me.

Let’s then discuss the practical responsibilities you should be crushing, so you can present yourself as a modern and secure law firm, in order to slake the thirst of a consumer public hungry for lawyers that understand and apply data security tactics.

Putting Software Providers to the Test

Some states, like my home commonwealth of Massachusetts, require small business owners, including law firms, to vet software providers for effectiveness of data security.  But, even if you’re not required to do so by state or federal law, you may be required to do so by your local ethics rules or ethics opinions related to the use of cloud-based software — or, at least, the implication that you must do so will arise.  And, even if it’s not a requirement, it’s still probably a good idea.  Choose the wrong software vendor, don’t do enough to secure your data, and your professional reputation is at stake.  And, the maintenance of your professional reputation is likely even more important than any short-term fines or penalties you may have to pay for a data breach, since that black mark on your effectiveness as a business owner is likely to last forever.

So, the necessary first step, before you look to additional measures for securing your data, is to find a software provider that already provides a highly secure environment for your law firm information.  To that end, here is a list of questions you should ask of your potential software vendors:

(1) Does the provider offer two-factor authentication for login?

(2) Does the provider restrict IP addresses?

(3) Does the provider include features related to the setting of user roles and permissions within the software?

(4) Does the provider ‘lock’ the login process after multiple failed attempts?

(5) Does the provider utilize 256-bit SSL encryption?

(6) Does the provider encrypt data both when it is in transit and when it is at rest?

(7) Is the software HIPAA-compliant?

(8) Does the provider utilize a geo-redundant server architecture with real-time data backup?

(9) Does the provider maintain ‘five 9s’ uptime?

Asking these questions of any potential vendor, and getting a ‘yes’ for all of them, is a beautiful start to your new life as a data security-aware lawyer.

Protecting Yourself . . . um, from Yourself 

Of course, that’s only a start because, even if your chosen software vendor provides you with all the tools possible to run a secure and stable law firm, user error is the most common entry point for a data breach.  Consider that, even if your software vendor is able to answer all of the above questions in the affirmative, your secretary who chooses ‘password123’ for her password remains a security breach waiting to happen.  So, in order to effectively secure your law firm data, it’s not just about relying on your software partners, it’s also about training your staff, and maintaining security rules within your law office.

To that end, here are some tips for better securing your law office data, and preventing user error, also known as boneheadedness:

(1) Make sure you have a password for your computers that is complex, and preferably that requires capitalization, numbers and/or special characters.

(2) Make sure your password hint is not an obvious giveaway for your actual password.

(3) Make sure that your computer is set to ‘auto-lock’ after two minutes of inactivity.

(4) Make sure to manually lock your computer every time you leave your desk.  (For Windows machines, press the Windows button + L simultaneously.  And, for Macs, use Control + Shift + Power simultaneously.)

(5) Make sure you encrypt your hard drive.  (Here’s how to do it on Windows; and, here’s how to do it on a Mac.)

(6) Make sure to have two-factor authentication actually enabled on all software, including your law practice management software, productivity software, accounting software and CRM.

(7) Do not use the same password for every login.  (If your passwords are becoming overburdensome, consider a password management tool.)

(8) Beware of ‘phishing’ emails that ask you to download a file — even when those emails appear to come from clients or colleagues you have worked with before.  (Remember that email addresses can be masked.)

(9) Moreover, never download a file that comes from a questionable source. 

(10) Make sure to regularly run your system updates on all of your computers.

(11) Use reputable antivirus and anti-malware software, with up-to-date virus definitions.

. . .

If you’re looking for a technology partner who’s as concerned about law firm data security as you are, consider Practice Panther for law practice management.  If you want to find out what they’re all about, schedule a product demo via this link.

Defense Against the Dark Arts: Security in the Cloud
https://redcavelegal.com/2017/01/23/cloud-data-security/
Mon, 23 Jan 2017 05:00:13 +0000

When lawyers object to cloud technology, the argument is usually grounded in data security.  The claim is that, surely, a cloud-based program is not as secure as alternatives.  But, what lawyers often fail to consider is what those specific alternatives might be.

If you’ve watched Amazon’s excellent ‘The Man in the High Castle’ (or read the book it’s based on), you’ll know that an examination of alternatives will not always yield a palatable option.  The fact is, cloud security is relative.  Take the time to analyze it against the operations of a traditional law office, and accessing a remote server suddenly seems a whole heck of a lot safer.

Think about some of the obvious ways that law firms compromise their own data security.  Files are left out on desks.  Staff and clients and others walk around, with scant monitoring, while sensitive data is visible, and susceptible to theft.  There is no formal tracking system for files.  Strings of passwords are written on sticky notes, in plain view.  Devices with sensitive information saved to them can be lost, or stolen.  Dozens of emails are sent, across multitudes of servers to various parties, in order to capture revisions to one document.  Devices and drives are unencrypted.  I could go on; but, I tire of this game.

The truth of the matter is that a traditional law office operating in the modern world is far more prone to data breach than a virtual law practice, or something close to it.  An effective cloud array serves to eliminate paper, could reduce your passwords to a memorable few, removes software and files from the devices you use, promotes collaborative document management and offers feasible encryption options.

At this point, just about every one of the United States has on its books a data protection law.  The way those laws are written, the use of cloud-based technology that features encryption and security updates will pass muster, assuming a documented vetting process has taken place.  Managing a system, or systems, in the cloud is a far more practical way to secure data than attempting to close various, gaping loopholes present in traditional paper-based or hybrid paper file/electronic file office settings.

So, as it turns out, managing a cloud-based technology platform makes law firms more efficient and more secure.

Who knew?  (Well, I did; but, that’s beside the point.)

. . .

Liner Notes

I usually try to throw down some back catalogue gems here; but, I have to say, there is much love in the Red Cave for a mainstream jam every now and then.

‘Kind and Generous’ by Natalie Merchant

I’ve been listening to a lot of Natalie Merchant lately.  So, sue me.

10,000 Maniacs had a lot of hits you remember, okay.

Area 51: How To Restrict Law Firm Data
https://redcavelegal.com/2016/11/21/how-to-restrict-law-firm-data/
Mon, 21 Nov 2016 02:26:09 +0000

Sure, I believe in aliens.  I love ‘The X-Files’.  I’ve even been to Roswell.

But, you know what’s alien to a not insignificant number of small law firms?  Effective data controls.

To that end, I intend to examine three potential security loopholes, and then the methods to close them.

Logging In.  There are a number of ways you may be failing to properly secure your hardware and software — the chief access points for the majority of your law firm data.  The good news (if this is bad news for you) is that tweaking some of your existing protocols can go a long way to beefing up your existing protections against data breach.  The most obvious method is to create more secure passwords, and require your team to do the same.  People use simplistic passwords because they’re easy to remember; but, those same passwords are easy to crack.  Many lawyers operate on the thesis that, if one simple password is easy to remember for one program or device, then that same simple password will be similarly easy to remember across multiple programs and devices.  If you’re using the same password across a number of programs and devices, you’re exposing a large swath of your data in what would otherwise be a single, controlled breach — there’s a reason jailors have massive key rings, with each cell tied to a single key.  If you’re having trouble remembering the multitudes of passwords you must recall, try a password manager.  This is a good guide for crafting more complex passwords which don’t, by the way, have to include a bunch of special characters.  Beyond passwords, adding a second factor of authentication, where available, will better secure your accounts.  The most common second factor (in addition to a password) is a texted access code.  The theory behind this measure is that, even if a hacker does figure out your password, that same hacker is not very likely to also possess your phone — though, there are potentially stronger options available.

Screening.  Controlling access to internal systems is also important, especially given the rising use of case management programs by law firms.  While this is often an issue viewed through the prism of ethics, there are other concerns at play, as well.  A driving theory behind data management is that access should be given to those who require it to perform a job, to the exclusion of others.  Limiting engagement on matters only to those who need to access those matters limits the possibility of breach by limiting the number of parties who could easily effectuate it.  Reducing associate access to only those matters on which associates are directly working offers less exposure to your complete client lists and contacts, which would otherwise be more easily accessible by a break-off firm.  Effectively screening support staff from accounting features and reports could save you from becoming the victim of embezzlement.  It may go without saying that eliminating access for departing staff as soon as practicable is a protective measure that law firms would be negligent to delay.
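
The three checks in this paragraph (matter-level access, accounting access for support staff, and access left behind by departed staff) can be run as a periodic access review.  The sketch below is an added example, not part of the original post; the user names, matter numbers, role names and export format are constructed assumptions rather than any real case management product’s data.

```python
from datetime import date

# Constructed sample data (hypothetical users and matters).
STAFF = {
    "apatel": {"role": "associate", "assigned": {"M-101", "M-102"}, "departed": None},
    "bjones": {"role": "support", "assigned": {"M-101"}, "departed": None},
    "cwu": {"role": "associate", "assigned": set(), "departed": date(2016, 10, 31)},
}

# (user, resource) grants as they might be exported from a case management system.
GRANTS = [
    ("apatel", "M-101"), ("apatel", "M-102"), ("apatel", "M-250"),
    ("bjones", "M-101"), ("bjones", "accounting:reports"),
    ("cwu", "M-102"),
]

# Assumption: only these roles should see accounting features and reports.
ACCOUNTING_ROLES = {"partner", "bookkeeper"}


def review_access(staff, grants, today):
    """Return (user, resource, reason) for every grant that breaks need-to-know."""
    findings = []
    for user, resource in grants:
        person = staff.get(user)
        if person is None:
            # Account exists in the system but not in the staff roster.
            findings.append((user, resource, "unknown account"))
        elif person["departed"] and person["departed"] <= today:
            # Departing staff should lose access as soon as practicable.
            findings.append((user, resource, "departed staff still has access"))
        elif resource.startswith("accounting:"):
            if person["role"] not in ACCOUNTING_ROLES:
                findings.append((user, resource, "accounting access outside approved roles"))
        elif resource not in person["assigned"]:
            # Matter access beyond the matters the person is working on.
            findings.append((user, resource, "matter not assigned to user"))
    return findings


if __name__ == "__main__":
    for finding in review_access(STAFF, GRANTS, date(2016, 11, 21)):
        print(finding)
```
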

Let’s Get Physical.  Even at this late date, most law firms are not entirely paperless, such that access controls should extend to the paper files that law firms maintain — even where there exist a limited number of those files.  Paper files are not subject to global exposure, like electronic data is; but, paper files are far easier to remove from a physical space, and are much harder to track if lost, mislaid or stolen.  Lawyers tend to leave paper files that they work on out on their desks.  Those documents are prime targets for being swiped; so, file all your paper documents before going home for the night.  Use file cabinets that lock, and actually lock them.   Make sure that associates and staff are aware of the need for securing confidential paper-based data, too; create a policy respecting the firm’s treatment of such documents.

It’s easy to overlook information security — until you’ve had a breach.  Not every breach is preventable; but, if you can stop those that are, and install a response and recovery plan for those that aren’t, you will have shown your commitment to your clients, and will have met your ethical and legal obligations.

. . .

Liner Notes

Speaking of aliens . . .

‘David Duchovny’ by Bree Sharp

Shout out to my boy, Glenn Dennis.

Book Review – ‘Locked Down: Practical Information Security for Lawyers’
https://redcavelegal.com/2016/11/05/practical-information-security-for-lawyers/
Sat, 05 Nov 2016 02:09:41 +0000

We’re happy to publish below a review of the new American Bar Association publication ‘Locked Down: Practical Information Security for Lawyers’.  The second edition is co-authored by Sharon Nelson and John Simek (both of Sensei Enterprises) and David Ries.  Information management and information security are major practice management concerns for every lawyer; and, this book provides a useful primer on those topics.

The below review is written by Nerino Petro, CIO at Holmstrom Kennedy PC, and a former practice management consultant for the state bar of Wisconsin.

. . .

Here’s a wakeup call for lawyers — you DO need to know about information technology!  As more and more states adopt the American Bar Association Commission on Ethics 20/20 recommendations requiring lawyers and firms to understand the technology used in their offices, lawyers and their staff need to have at least a basic understanding of how to secure their digital information and computer systems.  To that end, you need to buy and read ‘Locked Down: Practical Information Security for Lawyers’.

The authors have created a terrific resource that covers all aspects of law office digital security in a well-organized and detailed book.  To meet your ethical obligations and educate yourself about the dangers facing your practice and the steps you need to take to protect yourself, you need to have a basic understanding of the fundamentals of information security and how those affect you and the technology you use.  If you want to acquire that understanding: This. Is. The. Book. To. Own.

You can read the book from start to finish, or you can start with the first several chapters, and jump around thereafter.  Since it is organized into clearly-titled, standalone chapters, this book can serve as a go-to resource for you and your law firm staff.  It’s full of practical examples, resources for accessing additional information and sample policies for small firms that can be easily adapted for your practice.  This is the best resource I’ve found to get you and your staff up to speed on protecting your digital assets.

You can buy the paper book or ebook here, direct from the ABA.
