Ideas and suggestions are always welcome. Please let us know how we can improve your newsletter! We welcome your feedback.
LexisNexis® for Corporate Counsel
LexisNexis® Webinar Center
LexisNexis® Legal Newsroom
Live CLE Webinars | OnDemand Webinars
By Kristin Casler, featuring Jennifer Ellis of Lowenthal & Abrams PC and Mitchell Matorin of Matorin Law Office LLC.
You’re required by Rules of Professional Conduct to keep abreast of technological changes and their impact on your duties and your practice. Do you know where the greatest pitfalls lie? You need to take specific steps to minimize the risks associated with WiFi, email, cloud computing and more. No matter what type of device you are on or whether you are working at the office, at home or on the road, security and client confidentiality must forever be on your action list.
When the American Bar Association Commission on Ethics 20/20 issued a new comment to Rule 1.1, requiring lawyers to keep abreast of the benefits and risks of technology they use in their practice, many were alarmed, said Jennifer Ellis of Lowenthal & Abrams. Did attorneys now need to become coders or IT specialists? No, but the requirement is significant, Ellis said. “You and everyone who works for you must know how to use the technology properly,” Ellis said. “The buck stops with you.”
“Why do you take these security measures?” asked Mitchell Matorin of Matorin Law Office LLC. “To protect your own private information and your client information. It’s not just a professional responsibility issue, it’s a personal security issue.” He said hackers not only mine data, they can place information on your system and cause a legal problem for you.
This means having the proper tools and securing client data, Ellis said. Of course, the first item you need is a computer. Don’t laugh — Ellis said some attorneys still refuse to use them. Others only use computers in a limited way. If you know someone like that, be sure to get them a copy of this article.
“I don’t see how you can possibly conduct research with anything but an electronic resource,” Ellis said. “For nitty-gritty research and up-to-the-minute case law, there is no substitute.”
For attorneys who already are connected, you need to ensure you are operating securely. Security is not a once-and-done action. Hackers are constantly inventing new ways to break in, so you need to regularly do a security checkup. Ethics rules require you to take reasonable steps to protect client data and information. To not properly secure your WiFi is a violation of ethics rules.
Your system is only as secure as the weakest link, Ellis said. So be sure to cover all points of access. If you have staff connecting to your system from home or from coffee shops, you have to make sure they are using a secure connection. It’s not a bad idea to pay a security expert to visit your employees’ home offices to verify compliance, Ellis said. You should have a written computer use and security policy, she said.
Your router must be set for encryption. New routers do this automatically and probably use the most secure setting, WPA2. If you have an older computer or router, you may be using the easily hackable WPA security, or, heaven forbid, WEP. It’s probably time to upgrade if you don’t have top-of-the-line security in your router. And don’t forget, if you use a repeater, you need to make sure it is using the best protocol, too.
Your Service Set Identifier (SSID)—the name assigned to your wireless network—should be a complex combination of upper and lowercase letters and numbers, Ellis said. Your password or key, which should be changed often, should be equally complex. Typically, a new router uses “admin” and “password” as temporary logins. If someone has your IP address, they’ll be able to change your router. To change them, log into your router using its IP address, which is usually on the device, and look under wireless settings. Additionally, Ellis said your SSID should not tell everyone what brand of router it is.
Matorin advised not using your law firm name as the SSID. You really want it inaccessible to outsiders, so don’t use children’s or pets’ names as passwords. If your computers automatically connect to the router, best practice is to tell your router not to broadcast your SSID. That way, no one else will know the WiFi is there, he said. If you must broadcast, locate your router so that the signal doesn’t travel far outside of your home or office. When you travel, turn your router off.
On the computer itself, you’ll need to ensure your firewall is turned on, Ellis said.
When you are working on free WiFi at coffee shops, airports, in-flight, or anywhere, it’s quite easy for someone sitting next to you to pick up the personal and client data and the passwords you are transmitting, Matorin said. It’s OK to use public WiFi, just never log into your bank account or do anything that requires confidentiality. Avoid having your device automatically log into websites with your password. If you use public WiFi, be sure your device has good malware protection with software or an app.
Beware of honeypots. These websites are set up to look like other sites, but with a slightly different URL address. When you try to log into your account, you inadvertently give your password to the illegal site operators, Matorin said. Similarly, Ellis warned about so-called “pineapples” — inexpensive tools that fool users because they are often set to look like a hotel or other businesses’ WiFi. Everything you do when you connect is tracked by people who want to steal your data. “Suddenly, they’ve got your passwords and your client data, and you’ve got an ethical problem,” she said.
Alternatively, you could get a Virtual Private Network. A VPN encrypts your data. So, if you are using public WiFi, you are better protected, Ellis said. Matorin said he uses a desktop at work and then uses a VPN on his laptop to connect to client data on his desktop. This way, he is not carrying client data on his device.
You could also purchase a WiFi hot spot plan on your cell phone. This function is built in to most phones now, Matorin said, and allows you to create your own password-protected access to the Internet without the need for public WiFi.
Email, Ellis said, is not a secure form of communication. And some providers are considerably worse than others. Google and Yahoo, for instance, scan your emails.
“I’m always stunned when I meet a new lawyer and he hands me a card and it has a Gmail or other free email,” Matorin said. “It tells people you’re not taking your security seriously. You can get your own domain for very little money. Anything that you’re using because it’s free is not the best for your security.”
You also need to make it clear in writing to your clients that email is vulnerable. Plus, clients might share email accounts with spouses, leave themselves logged in or write on employers’ email, and the employer has a right to see everything. For sharing documents, you could send a password-protected .PDF, and then call the client with the password. If it’s that important, Ellis said, fax or hand-deliver it. “It sounds funny for me to say it, but technology is not always the answer,” Ellis laughed.
Matorin noted that from a litigation perspective, there are attorney-client privilege issues. You need to do your best to be sure the client keeps a private email account. For sending documents, Matorin said he uses ShareFile from Adobe, which allows secure transfer of files to and from clients or between attorneys. Both he and Ellis pointed out that sharing services like Dropbox and Google Drive are not secure because they don’t encrypt documents when they are transmitted.
Both experts touted Microsoft’s new online Office 365 suite. It provides cost-effective access to email and files and is great for synching email, calendar and contacts.
Speaking of the cloud, it’s a great place to store all of your client data, and with client-specific portals you can share documents with them. You just have to be careful what provider you choose. Matorin advised going with a known name. New providers may be cheaper, but also less reliable and may not be here in a year. And you MUST read the terms and conditions and privacy policy. Who owns the data? Can you move it easily? Can you delete it from the server permanently? Is it encrypted? Where is it being stored? Normal protections that apply here don’t always apply overseas, he said.
Whether you use the cloud or a PC, backing up your data is key. Matorin suggested using at least two methods. He uses three. And make sure it is automated and backing up all of the folders you need, so you don’t have to think about doing it. Both Matorin and Ellis recommend using a combination of at least one local backup and a cloud backup service such as Carbonite.
You also can create a mirror of your hard drive, Ellis said. It copies all of your software and how it is set up. A mirror makes it easier to move it to a new computer if your hard drive crashes. Matorin also recommends making at least a baseline mirror image of your hard drive, with all of your programs and existing client files, and periodically making a new mirror image. If your hard drive fails suddenly (and it’s just a matter of time until it does), having a relatively recent mirror image can greatly simplify the process of getting back up and running, and means that only later files need to be restored from the local or cloud backup.
With all the talk of computer security, it’s easy to forget about your phone. Use good passcodes on your phones. Don’t allow texts to pop up on your lock screen, but do put your name and another phone number on that screen in case a kind person finds your phone. Be sure you have a “find my phone” app that allows you to wipe the data or lock it if it goes missing, Matorin said. Don’t let your staff jailbreak, or unlock, their phones so that they can load damaging apps or malware that the manufacturer’s original settings would not have allowed. And all employees should be looking at what the apps say they are accessing. It’s too easy to just click “Accept.”
This article is based on a complimentary LexisNexis webinar.