With an unprecedented ransomware attack hitting hospitals, universities, businesses and other organizations across large swaths of Europe and Asia, there could hardly be a better time to think about security.
Yet, although generally aware of the need for precautions, many computer users know relatively little about what specific steps they should be taking to protect data and other digital assets from hackers. One place to start, various experts say, is an ISP, an information security policy meant to set up barriers around personally identifiable information.
- Know who has access to personal information.
  - From contracted support staff to in-office employees, keep track of who can access databases, passwords and clients’ personally identifiable information.
  - Conduct background checks on employees who have access to this information (sometimes acts of theft occur within a company or law firm).
  - Train employees on privacy risks and provide awareness training.
- Implement a security plan.
  - Outline security controls and business practices for handling personal information.
  - Conduct an audit of your computers, printers, scanners, copiers, wireless devices and any other electronic devices that can store personal or sensitive information, to learn whether personal information is unnecessarily stored in an unintended place.
  - Encrypt electronic data.
- Manage your files.
  - Dispose of unnecessary or outdated personal information.
  - Shred paper files.
  - Delete electronic files, and wipe or destroy hard drives that hold personally identifiable information.

Source: Wisconsin Lawyers Mutual Insurance Co.
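The audit step above (find personal information that is stored where it should not be) is the one item in the checklist that a small firm can partly automate. The script below is an added example, not from the insurer's checklist or the article: it walks a directory tree, looks for US Social Security numbers in plain-text files, discards candidates that violate the Social Security Administration's structural rules (area 000, 666 or 900-999; group 00; serial 0000), and reports a masked per-file count so the report itself does not become another copy of the data. The file extensions, the size cap and the sample files built in `demo()` are assumptions chosen for illustration; a real audit would add the document formats the firm actually uses.

```python
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Hypothetical PII-discovery audit (added example, not the article's code).
# Matches the dashed SSN form; the groups let us apply issuance rules below.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Assumed set of text-like extensions to scan; binaries are skipped.
TEXT_EXTS = (".txt", ".csv", ".log", ".md", ".eml")


def is_plausible_ssn(candidate: str) -> bool:
    """Structural check only (SSA issuance rules); it is not a lookup."""
    m = SSN_RE.fullmatch(candidate)
    if not m:
        return False
    area, group, serial = m.groups()
    if area == "000" or area == "666" or area.startswith("9"):
        return False  # never-issued area numbers
    if group == "00" or serial == "0000":
        return False  # never-issued group / serial
    return True


def find_ssns(text: str) -> list[str]:
    """Return every plausible SSN found in a block of text, in order."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(m.group(0))]


def mask(ssn: str) -> str:
    """Keep only the last four digits so audit output is not itself PII."""
    return "***-**-" + ssn[-4:]


def scan_tree(root: str | os.PathLike, max_bytes: int = 5_000_000) -> dict[str, int]:
    """Map each text file under root that contains plausible SSNs to its hit count."""
    hits: dict[str, int] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXTS:
            continue
        if path.stat().st_size > max_bytes:
            continue  # skip huge files; extend with streaming if needed
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: leave for a manual check
        found = find_ssns(text)
        if found:
            hits[str(path)] = len(found)
    return hits


def demo() -> dict[str, int]:
    """Build a constructed sample tree in a temp directory, scan it, and
    return hit counts keyed by path relative to the tree root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "intake").mkdir()
        (root / "intake" / "client_notes.txt").write_text(
            "Client SSN 123-45-6789, phone 555-1234\nSpouse 234-56-7890\n"
        )
        (root / "scans").mkdir()
        (root / "scans" / "old_fax.txt").write_text(
            "Not issuable: 666-12-3456, 123-00-4567, 987-65-4321\n"
        )
        (root / "notes.md").write_text("No identifiers here.\n")
        (root / "photo.jpg").write_bytes(b"\xff\xd8 123-45-6789")  # binary, skipped
        hits = scan_tree(root)
        return {
            str(Path(p).relative_to(root)).replace(os.sep, "/"): n
            for p, n in hits.items()
        }


if __name__ == "__main__":
    for rel, n in sorted(demo().items()):
        print(f"{rel}: {n} plausible SSN(s)")
    print("example masking:", mask("123-45-6789"))
```

Run it as-is to see the constructed demo; point `scan_tree()` at a real share to audit it. A hit is a lead for a human to review, not proof of a violation, and a clean run proves little about formats the script does not open (PDF, Office documents, scanned images), which is why the checklist's audit still has to include the printers, scanners and copiers.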
But when it comes to drafting one of those policies, what’s the best first step? And what do you include?
“Here’s how I would start,” said Terry Dunst, an attorney with Bakke Norman in Menomonie and New Richmond. “I would make a list of everything you’re doing now. Just put it down on paper. You do an analysis of what steps you’ve already taken to protect your online and your physical files, your papers.”
This can include everything from virus protection software to passwords.
“Every computer should have a password to access it,” Dunst said. “If you have a phone or an iPad that you use in your office with any client information at all, is it security locked? Does it have an access code? That’s mandatory.”
Then, ask who can get at those files and devices.
“Does the cleaning company have access?” Dunst said. “Do you do your own IT work or does a third party have access? Are they trustworthy? Would they sign a confidentiality agreement?”
Third-party contractors can be vetted online, using resources like Google and the Better Business Bureau. The State Bar of Wisconsin also has checklists.
Also, look at what happens to files when they’re no longer needed.
“Are you shredding documents instead of throwing them away?” Dunst asked.
Then, start thinking about what your firm might be missing.
“What more could I do? What’s reasonable?” Dunst asked. “And there’s always a cost-benefit analysis. You could make your data so secure that it’s unusable; that’s going too far, but it would totally protect it. But somewhere between that and not doing anything at all, you can find some balance.”
Dunst understands that many attorneys don’t have the time or inclination to become technology experts. It’s not exactly at the top of their to-do lists. But it’s an area of expertise he’s cultivated since getting into the law in 2006, after working in Rockwell Automation’s software division.
These days, in addition to his municipal law practice, he uses his experience and knowledge to provide insights into technological changes to other lawyers.
It’s an arguably essential public service, since attorneys are now collecting unprecedented amounts of personally identifiable information — and they might not always know how to protect it.
- Maintain firewalls on any computer device connected to the Internet.
- Use anti-virus software and update it no less frequently than every 30 days.
- Adopt and carry out a written information-security plan.
- Use strong passwords.
- Store client data records in a locked file cabinet or room.
- When recycling or disposing of documents, shred or destroy any papers containing personal information.
- Encrypt your law firm’s computer network and mobile devices in a way that makes personal information accessible only to authorized users.

Source: Wisconsin Lawyers Mutual Insurance Co.
“Attorneys gather large quantities of sensitive information on clients and employees,” said Tom Watson, senior vice president of Wisconsin Lawyers Mutual Insurance Co., which offers cyber-security insurance policies.
“Attorneys sometimes process credit cards or transmit bank information,” Watson said. “… This confidential, sensitive information can be lost by something as simple as leaving a laptop or cellphone in an airplane or coffee shop, or by something as complex as a hacker attack or Botnet on a law firm’s information system. We have seen these types of hacks occur all over the country.”
Even email and network systems are vulnerable.
And, if they’re infiltrated, clients and colleagues are exposed to potential identity theft.
Insurance can be a stopgap, especially if confidential information is stolen, Watson said.
“Wisconsin, along with 48 other states, has a law requiring (personal information) to be protected and notification to affected persons if security has been breached.”
For Dunst, weighing whether attorneys need cyber security insurance is much like asking: What extent of online-security precautions do they want to take on?
“It’s a risk-benefit analysis. What’s your risk versus what’s the benefit?” Dunst said. “If you’re just a solo with a laptop, you can implement a software firewall. If you have any kind of infrastructure at all, you should have a hardware firewall. If you have employees, you should train those employees on some of the tricks people are using these days — the phishing emails that can look very, very legitimate. The bad guys can even hijack someone’s email account; if they hack into someone’s email and you happen to be in their contacts, all of a sudden you can get an email from your best friend or a legitimate business. Just look that email over.”
Another part of the cost-benefit analysis: Is it worthwhile to have an ISP at all?
“There’s a risk of putting a plan in place,” Dunst said. “If you put a plan in place and you don’t follow it, then, if you get hacked and you lose data, that can go against you. So you’re better off not having any plan, if you’re not going to follow it.”
For most people, an information security policy will be worth it, and maintaining it usually means a review every six months or so. But, Dunst said, “the need drives that more than, say, a schedule.”
If you do adopt an ISP, make sure there’s a plan for when things go wrong.
“What’s our response? A security plan should have a response plan in it as well,” Dunst said.
If attorneys do nothing else, Dunst advocated for at least some software protection.
“You should implement a firewall.”
After that, it’s a matter of risk tolerance.
“If you’re a solo and you have a laptop and that’s it, you don’t have any employees, you don’t have to worry about employee training,” Dunst said.
And that security consultant who will cost you $10,000 a month? You probably don’t need him either.
“If you’re a solo and all you ever do is estate planning for individuals, maybe your risk is smaller than if you’re in litigation all the time,” Dunst said.
“On the other hand, if you’re a 30-lawyer law firm, you probably do need to take some of those steps. A lot of law firms have their own IT departments,” Dunst said. “You have to analyze it based on how important is that data you’re holding and how likely is it that someone is going to want to steal it.”
Bottom line, according to Dunst: Security should be something always in lawyers’ minds, even if adopting an ISP isn’t in a particular firm’s immediate future.
“Everybody who uses a computer should develop a security attitude,” he said. “It should always be in the back of your mind that it’s up to you, the human being, to protect yourself. You can put every hardware and software protection in place, but all they have to do is trick you and all that other stuff doesn’t help.
“I hate to say everybody should be cynical. But if someone asks you to click on a link, I think you need to be skeptical. Don’t open an attachment unless you know who it came from and what it might be. All you have to have is Social Security numbers, and you’re a target.”