Lawyers have an ethical obligation to understand risks
The phone rings.
On the line is the Federal Bureau of Investigation, calling to let a lawyer know that the entire contents of the firm’s server were found in a foreign country, where the data has been sitting for the past eight months.
Because of the information law firms have about their clients, they are ideal targets, said Claudia Rast, a Michigan lawyer whose practice focuses on data security and information technology.
Family law attorneys have detailed information about clients’ assets while personal injury attorneys might have treasure troves of data, including Social Security numbers and credit card information. And law firms representing corporations might be an easier target than the company itself for data-seeking hackers, particularly if the firm lists its clients on the website.
“For a lot of people, a breach is a question of when, not if,” warned Norbert Kugele, a partner at Warner, Norcross & Judd LLP in Grand Rapids, Mich.
He advised lawyers to immediately take action when they learn of a breach.
Start an investigation, he said, to understand the scope of the incident: how many people were affected, how the data was accessed and how long it went on. He also suggested getting help from a forensic expert or others with technical expertise.
From there, try to fix the problem, said Michael Khoury of Southfield, Mich.-based Jaffe Raitt Heuer & Weiss PC. Identify the weakness in the system and perform the necessary remediation.
Then be prepared to face the additional challenges of providing the appropriate notice to clients and trying to reduce the risk of it happening again.
“Conduct a post-mortem review of policies and procedures,” Khoury suggested, “and ask, ‘Is there something we could have done better? What else do we need to do?’”
The law and ethical obligations
State laws vary, but lawyers should determine whether out-of-state residents were affected by the breach. Forty-six states have data breach notification laws in place, said Rast, a member of the American Bar Association’s Presidential Cybersecurity Legal Task Force.
5 tips for better data security
Imagine getting up in front of your peers to make a presentation. The next thing you know, pornography pops up on the screen.
Sound impossible? John Simek, vice-president of Sensei Enterprises, a digital forensics and information security company in Fairfax, Va., said it happened to a colleague.
An investigation revealed that a member of the cleaning crew had been using office computers to surf adult websites. He was able to do so because computers that were left on did not require a password for access, nor did they time out after a period of inactivity.
“This is an egregious example,” Simek acknowledged. “But it can happen if your system is not secure.”
And the embarrassing twist to the presentation easily could have been prevented with the addition of an inactivity timer requiring a password to log back onto the system. Simek recommends setting the timers between five and 10 minutes.
Here are five other quick and inexpensive security tips he offered:
“I should not be able to walk down the hall at a law firm and open doors to reveal servers or routers,” Simek said. Put a lock on doors and cabinets that contain important technology and limit access to just a few employees.
Secure the network
Offering free Wi-Fi in the office might seem like a client-friendly move, but it only heightens the security risks and invites unwanted guests onto the system. Add a password, Simek said, and change it frequently.
Law firms should require system users to change their passwords on a 30- to 45-day cycle, Simek recommended. “It’s a simple thing to do and yes, it’s a pain, but that little thing is going to go a long way towards improving security.”
Change the defaults
Never use the defaults provided with software or hardware. Whether default user ID or password, change it immediately. The defaults are well known, Simek explained, and a Google search can reveal what the defaults are for a given product. — making access for a hacker that much easier.
Patch and stay current
Staying on top of security patches and updates may get pushed to the bottom of the priority list but being out-of-date can also be a security risk. “There is a reason why they release this stuff,” Simek noted. Remember to remain current not just with systems like Windows but also for any apps, he added.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.