encryption – Red Cave Consulting
https://redcavelegal.com
Red Cave Law Firm Consulting provides subscription-based business management consulting specifically designed for lawyers and law firms.

Watch It Now: Data Security for the Modern Law Firm
https://redcavelegal.com/2019/02/07/data-security-law-firms/
Thu, 07 Feb 2019 11:54:51 +0000

Remember when George Jetson was tooling around in his mini-spacecraft with his boy Elroy?  That seemed pretty sweet, right?  Well, 21st century lawyers don’t have it nearly so easy.  It turns out that progress rides along with information security concerns.  Not only that, but regulators (federal, state, courts and ethics authorities) are catching up to the fact that lawyers, like any other small business owners, should effectively vet software providers for reasonable security applications, and also share responsibility in maintaining their law firm data (really, their clients’ data) in a reasonably secure manner.

Why, then, was ‘The Jetsons’ all one big lie?  Why has your childhood been destroyed?  And, what can you do about it?

I suppose that curling up into the fetal position and crying uncontrollably for several days is one option.  Another is to embrace your data security responsibilities, and determine to kick ass at managing your clients’ data better than your rival law firms, and to use that as a competitive advantage.  That latter choice seems like the better opportunity to me.

Let’s then discuss the practical responsibilities you should be crushing, so you can present yourself as a modern and secure law firm, in order to slake the thirst of a consumer public hungry for lawyers that understand and apply data security tactics.

Putting Software Providers to the Test

Some states, like my home commonwealth of Massachusetts, require small business owners, including law firms, to vet software providers for effectiveness of data security.  But, even if you’re not required to do so by state or federal law, you may be required to do so by your local ethics rules or ethics opinions related to the use of cloud-based software — or, at least, the implication that you must do so will arise.  And, even if it’s not a requirement, it’s still probably a good idea.  Choose the wrong software vendor, don’t do enough to secure your data, and your professional reputation is at stake.  And, the maintenance of your professional reputation is likely even more important than any short-term fines or penalties you may have to pay for a data breach, since that black mark on your effectiveness as a business owner is likely to last forever.

So, the necessary first step, before you look to additional measures for securing your data, is to find a software provider that already provides a highly secure environment for your law firm information.  To that end, here is a list of questions you should ask of your potential software vendors:

(1) Does the provider offer two-factor authentication for login?

(2) Does the provider restrict IP addresses?

(3) Does the provider include features related to the setting of user roles and permissions within the software?

(4) Does the provider ‘lock’ the login process after multiple failed attempts?

(5) Does the provider utilize 256-bit SSL encryption?

(6) Does the provider encrypt data both when it is in transit and when it is at rest?

(7) Is the software HIPAA-compliant?

(8) Does the provider utilize a geo-redundant server architecture with real-time data backup?

(9) Does the provider maintain ‘five 9s’ uptime?

Asking these questions of any potential vendor, and getting a ‘yes’ for all of them, is a beautiful start to your new life as a data security-aware lawyer.

Protecting Yourself . . . um, from Yourself 

Of course, that’s only a start because, even if your chosen software vendor provides you with all the tools possible to run a secure and stable law firm, user error is the most common entry point for a data breach.  Consider that, even if your software vendor is able to answer all of the above questions in the affirmative, your secretary who chooses ‘password123’ for her password remains a security breach waiting to happen.  So, effectively securing your law firm data is not just about relying on your software partners; it’s also about training your staff, and maintaining security rules within your law office.

To that end, here are some tips for better securing your law office data, and preventing user error, also known as boneheadedness:

(1) Make sure you have a password for your computers that is complex, and preferably that requires capitalization, numbers and/or special characters.

(2) Make sure your password hint is not an obvious giveaway for your actual password.

(3) Make sure that your computer is set to ‘auto-lock’ after two minutes of inactivity.

(4) Make sure to manually lock your computer every time you leave your desk.  (For Windows machines, press the Windows button + L simultaneously.  And, for Macs, use Control + Shift + Power simultaneously.)

(5) Make sure you encrypt your hard drive.  (Here’s how to do it on Windows; and, here’s how to do it on a Mac.)

(6) Make sure to have two-factor authentication actually enabled on all software, including your law practice management software, productivity software, accounting software and CRM.

(7) Do not use the same password for every login.  (If your passwords are becoming overburdensome, consider a password management tool.)

(8) Beware of ‘phishing’ emails that ask you to download a file — even when those emails appear to come from clients or colleagues you have worked with before.  (Remember that email addresses can be masked.)

(9) Moreover, never download a file that comes from a questionable source. 

(10) Make sure to regularly run your system updates on all of your computers.

(11) Use reputable antivirus and anti-malware software, with up-to-date virus definitions.

. . .

If you’re looking for a technology partner who’s as concerned about law firm data security as you are, consider Practice Panther for law practice management.  If you want to find out what they’re all about, schedule a product demo via this link.

Defense Against the Dark Arts: Security in the Cloud
https://redcavelegal.com/2017/01/23/cloud-data-security/
Mon, 23 Jan 2017 05:00:13 +0000

When lawyers object to cloud technology, the argument is usually grounded in data security.  The claim is that, surely, a cloud-based program is not as secure as alternatives.  But, what lawyers often fail to consider is what those specific alternatives might be.

If you’ve watched Amazon’s excellent ‘The Man in the High Castle’ (or read the book it’s based on), you’ll know that an examination of alternatives will not always yield a palatable option.  The fact is, cloud security is relative.  Take the time to analyze it against the operations of a traditional law office, and accessing a remote server suddenly seems a whole heck of a lot safer.

Think about some of the obvious ways that law firms compromise their own data security.  Files are left out on desks.  Staff and clients and others walk around, with scant monitoring, while sensitive data is visible, and susceptible to theft.  There is no formal tracking system for files.  Strings of passwords are written on sticky notes, in plain view.  Devices with sensitive information saved to them can be lost, or stolen.  Dozens of emails are sent, across multitudes of servers to various parties, in order to capture revisions to one document.  Devices and drives are unencrypted.  I could go on; but, I tire of this game.

The truth of the matter is that a traditional law office operating in the modern world is far more prone to data breach than a virtual law practice, or something close to it.  An effective cloud array eliminates paper, can reduce your passwords to a memorable few, removes software and files from the devices you use, promotes collaborative document management and offers feasible encryption options.

At this point, just about every one of the United States has on its books a data protection law.  The way those laws are written, the use of cloud-based technology that features encryption and security updates will pass muster, assuming a documented vetting process has taken place.  Managing a system, or systems, in the cloud is a far more practical way to secure data than attempting to close various, gaping loopholes present in traditional paper-based or hybrid paper file/electronic file office settings.

So, as it turns out, managing a cloud-based technology platform makes law firms more efficient and more secure.

Who knew?  (Well, I did; but, that’s beside the point.)

. . .

Liner Notes

I usually try to throw down some back catalogue gems here; but, I have to say, there is much love in the Red Cave for a mainstream jam every now and then.

‘Kind and Generous’ by Natalie Merchant

I’ve been listening to a lot of Natalie Merchant lately.  So, sue me.

10,000 Maniacs had a lot of hits you remember, okay.

You Got Served: What Do You Do When Your Server Crashes?
https://redcavelegal.com/2016/10/28/what-do-you-do-when-your-server-crashes/
Fri, 28 Oct 2016 18:59:41 +0000

That is, after you panic, and flee your office in terror.

When you return, to the smoking carcass of the device you had relied upon for so very long, it’s easy to feel like all is lost.  But, it isn’t — as long as you’ve backed up your data.

Many law firms still run on traditional, physical servers, housed in-firm.  When those devices break down, those firms are left with a basic decision to make: Get another one, or find another option.  When those firm managers begin to explore the costs of replacing a server, it is then that they start thinking about cloud-based options.  Replacing a server is expensive; and, in addition to acquiring the hardware itself, there are related costs in play: like allocation of storage space and fans using electricity to make sure the whole operation is cool.  In both the short- and long-term, it is more cost-effective to rent space on a server that someone else maintains — and, that’s really all that the cloud is: a server rental.

When lawyers start talking about replacing servers, that’s when they start getting serious about the cloud.  Of course, the relationship status between most lawyers and the cloud is: ‘It’s complicated’.  The initial excitement related to the additional mobility and flexibility that cloud services offer can wilt in the face of lawyerly questions, like: ‘Is it ethical?’  ‘Is it safe?’

At this point, more than half of American jurisdictions have passed judgment on the ethics question, and all have come to the same conclusion: Reasonable use of cloud services is permissible.  And, really, what else could they have said?  Attorneys are going to use it anyway; and, the application of a general reasonableness standard seems like a fair approach.  As to the related question of security, consider, first, the traditional law office: files left out, passwords written on post-it notes, shared log-ins for local applications.  Paperless law firms operating in the cloud are inherently more secure than their paper-based, server-based counterparts.  The remaining security questions relate to a combination of vendor features and user hacks.  Most reputable vendors will feature high-level encryption, as well as access controls — including for log-in (e.g., dual-factor authentication) and for screening users (conflicted attorneys, non-participating attorneys and staff) from particular matters.  There are also methods individual users can apply to increase the security of law firm data stored in the cloud, including the selection of strong passwords and the use of pre-encryption techniques.  Reaching a reasonably secure use of cloud products, then, is a matter of thoroughly vetting potential providers and effecting additional, personal security measures, as appropriate.

Good, I’m glad we cleared that up.

Once a law firm has appropriately mourned its deceased server, and after said law firm begins to feel comfortable about making the jump to the cloud, the real fun begins.  Now, a decision must be made about which products to buy.  Most law firms (rightly, I think) will start (and end) with a cloud-based case management program, which could serve as a holistic solution for the running of the majority of law firm tasks and as a retention center for all law firm data.  A productivity software would sync with a case management system, across a number of functions.  Some case management products feature document automation and management tools; but, law firms could opt to utilize standalone programs in each regard.  As I recently wrote about at Attorney at Work, there are a lot of choices for building out a law firm technology platform — and, law firms can choose to try to utilize a complete system, or select a collection of constituent parts that will play well together.  No matter what array the law firm ultimately chooses, there is a cloud-based product, or products, that will suit the need.

See, now that wasn’t so bad, was it?

Your server dying was not an end, but a beginning.

(Of course, if your law firm does retain a server, you don’t have to wait for it to die, before you make the switch to the cloud.  Just sayin’.)

Liner Notes

‘The End’ by The Beatles

But, not really.
