Rapid and dramatic changes in technology are continuing to challenge businesses of all kinds, including those of attorneys and other professionals. According to the article “The New Normal: The Challenges Facing the Legal Profession,” the second greatest challenge facing the legal industry is the growth of technology in the legal field. “These advances increase the pace of practice and client expectations, forcing lawyers to adapt or face extinction. Understanding and implementing new technologies are difficult and time-consuming for lawyers. Clients are often ahead of lawyers in implementing new technologies; they have increased access to legal information, much of it readily available on the Internet.”
“Time is money,” according to an old adage, and most lawyers spend their time and money on technology as it pertains to choosing billing software vs. time management software, avoiding irregularities when using social media, and trying to navigate new legal advertising paradigms. However, the security and safety of a practice’s own data, as well as the maintenance of clients’ personal and confidential information, is often last on the list of priorities when it should be first.
Client confidentiality, attorney liability, and technology security need to be paramount when considering which programs and technology services you use and how you utilize technology for your practice. Beyond questioning whether your internal software and/or cloud-based programs for client records, billing, and receipts correctly capture and deliver client information, you need to constantly ask yourself the following questions:
- Is client information secure, and how secure is it?
- Is internal as well as external information, including data and other communiqués, protected?
- Is personal information such as names, addresses, phone numbers, social security numbers, email addresses and credit card billing information secure? Who has access to it, and how do you protect against unauthorized and unwanted access and correct it if it occurs?
I asked Jim Devon from Eagle Network Solutions of NH & ME what his clients should be asking about their IT security and was both surprised and shocked by some of his responses: surprised to know what we and our clients have been doing right, but shocked to learn what we need to fix and how much our clients’ IT companies aren’t telling them. Here’s what Jim advised that businesses should ask themselves:
- Jim begins the conversation with his clients by asking them first and foremost if they know where their data is. According to him, “Many people don’t, and it could be in many places it shouldn’t be, mainly on cloud-based programs such as Dropbox, Gmail, mobile devices, etc. which you may not be tracking. Who is seeing your data is equally important, e.g. does your assistant or other staff have your emails on their smartphone? Do other partners who may not have secure devices have access to it? Where the data is, who has access to it, and getting control are all equally important. Nine out of 10 times it isn’t just on servers, and you need to be in constant control of it. If not, it can be easily hacked.”
Jim also asks, “Is your data backed up and, if so, where is it being stored? Where are the tapes – at Iron Mountain or at your home in the hall closet? Whether it’s stored on-site or off-site, security matters greatly. How is it being transported? Thrown on the front seat of your minivan with the soccer team in tow, or in a secure box? Once it gets to your home, are you keeping it in a fire-safe box so that if it is stolen, or in a natural disaster such as a flood, hurricane or fire, it’s less likely to be destroyed or accessed? We recommend to our clients that when possible they back up data to a remote, secure location for several reasons:
- Tape doesn’t last long – 3 to 4 years at most. Some law firms have tapes that are 12 years old that really belong in the trash.
- The cloud is usually far away from your office, making it geographically diverse and usually accessible at multiple locations. So you could lose data at one center, but it’s been replicated somewhere else in the country.
- You need to be aware of what happens when you access confidential information on various devices. On your personal computer, email archive folders, also known as PSTs, are often stored on local C drives. This may be done automatically without you ever realizing it, resulting in your client email being taken off the server and put onto the local C drive of whatever device you are using. Thus it might be on the computer in your study on which you’ve placed the password on a sticky note. How safe is that?”
Lastly, Jim reminds clients to ask themselves, “Are you including mobile devices in your thinking? One of our clients pulled out his Blackberry to show another client an email containing their confidential information. The client’s response was, ‘Seriously, did you just do that without putting in a passcode?’ From that day on the client and his entire firm were required to use password-protected mobile devices. So my point is that if you are using any mobile device, phone or laptop, you need to make sure that they too are secure. To anyone who thinks their information is totally secure, I’d like to ask them if their kids or spouse have the passwords to their phones or laptops. If so, then how secure is it really?”
- Ask yourself how secure your clients’ information is. You need to find out whether your confidential information is on a permissions-controlled server where different departments don’t have access, or whether everything is available to everyone. Is it on a personal device (mobile, home PC, thumb drive)? Can it be accidentally emailed? Jim instructed me that, “Data Loss Prevention (DLP) systems can review emails to see if the information contained within them matches certain criteria (tax ID numbers, credit card numbers, birthdates, etc.) and will then prevent the emails from going out. This is one of the most important tools you can have and will allow you to tell your clients that you will never accidentally mail out their bank account numbers because your system doesn’t allow it to happen. Case study: an older attorney stored confidential client information such as social security numbers and bank account information in the contact field of his billing program. Thus when he sent the contact field information to someone else, he also provided all of that secure information. Ensure that your information is encrypted on laptops and mobile devices. iPhones are by default, Androids are not – you may even have to buy additional software.”
- Do you know how soon you could be back up and running after a disaster? Having a Disaster Recovery (DR) plan should be non-negotiable. Jim advises clients to store the plan in a three-ring binder in multiple administrators’ homes – templates can be found on the web. It should include contact information for everyone in the firm, including security, IT and back-up service providers, as well as the location of all backup tapes, and should indicate who is responsible for replacing the server if need be, and more.
You need to know how available your backups are (physical as well as cloud-based): where they are, how far away, and how to secure tapes in transit. A DR plan can be a driving force to move to the cloud so that you have immediate access in case of emergency.
Has the backup data been tested? Jim advises that a “mock DR” should be done once a year, if not quarterly, where you actually turn everything off and see how quickly you can restore from the backup. You need to go through this once to find the holes in your plan before you face an actual disaster.
How current are your backups? You need to ask yourself, “What’s your grasp of how it’s being done and how often?” Is it only backed up overnight, or hourly? If you get an email and accidentally delete it on the same day, can you get it back easily, or do you have to use the Recoverable Items folder (a.k.a. the Exchange Dumpster)? Find out the default for your backups and how accessible recovered information is, remembering that if it’s done hourly you may decrease your security exposure.
Jim also suggests that you “Question how far back into the past you can recover something, remembering the pros and cons of short-term versus long-term storage of information (you may want to set a limit and destroy data after that). Some firms want to keep everything forever, but if you wanted something to be undiscoverable, then you’d better make sure you don’t have it stored in a backup. Courts say if you don’t have it, you don’t have it, and it can’t be litigated. Many firms are saying they don’t want limitless exposure and thus are saving information for only 7 years or less. One of our clients is actually saving backup information for only 30 days.”
- If a device (laptop or mobile) is lost, what do you do? Mobile devices can be remotely wiped, but not all of them – iPhones and Windows mobile phones have this capability by default, but not necessarily Androids – you may need to install MDM (mobile device management) software to monitor, encrypt, and wipe information, among other things. This can be valuable if you have a lot of mobile devices in your environment.
Eagle Network Solutions insightfully asks their clients, “How would you answer the question as to whether or not you need to disclose lost devices to a client? Your firm needs to decide how you will deal with the occasion when a laptop or cell phone is left in a cab, and that’s where encryption comes into play. Many courts say you don’t have to disclose the lost item if it’s encrypted because only a master hacker could gain access. But if it’s not encrypted, you will have to tell all your clients that you don’t know where your data is.”
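A minimal version of the outbound-mail check Jim describes under Data Loss Prevention, added here as an illustration (not Eagle Network Solutions’ product or any real DLP engine): format-aware patterns for social security numbers and labelled dates of birth, a Luhn checksum for card numbers, and a gateway decision that blocks the message when anything matches. The sample messages, including the contact-record export modelled on the case study, are constructed, and the findings are redacted to the last four digits so the DLP log does not itself leak the data.

```python
import re

# Format checks only: an SSN cannot have area 000/666/9xx, group 00 or serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or hyphens; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Only flag a date when it is labelled as a date of birth, to limit false positives.
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*:?\s*(\d{1,2}/\d{1,2}/\d{4})\b", re.I)

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact(value):
    """Keep only the last four digits so the DLP log itself does not leak the data."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def find_sensitive(text):
    """Return (kind, redacted_value) for every SSN, card number or DOB found in text."""
    hits = [("ssn", redact(m.group())) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", redact(m.group())))
    hits += [("dob", "**/**/" + m.group(1)[-4:]) for m in DOB_RE.finditer(text)]
    return hits

def outbound_decision(subject, body):
    """Gateway rule: block the message if any pattern matches, otherwise allow it."""
    hits = find_sensitive(subject + "\n" + body)
    return ("BLOCK" if hits else "ALLOW"), hits

# Constructed samples (not real records): a contact-field export like the case study,
# and a benign note whose phone and invoice numbers must not trigger the rule.
CONTACT_EXPORT = ("Name: Jane Roe\nPhone: 603-555-0123\n"
                  "Notes: SSN 219-09-9999, card 4111 1111 1111 1111, DOB: 04/12/1975\n")
BENIGN_NOTE = "Hi Jane, invoice 2019-0042 is attached. Call 603-555-0123 with questions."

if __name__ == "__main__":
    for subj, body in (("Contact export", CONTACT_EXPORT), ("Invoice", BENIGN_NOTE)):
        print(subj, outbound_decision(subj, body))
```

A production gateway would add the firm’s own criteria (bank account formats, client matter numbers) and route blocked messages to a reviewer rather than silently dropping them.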
Which brings me back to the question: where is your data? If Jim’s advice and questions didn’t scare you, hopefully it’s because you’ve got all the bases covered. If you couldn’t answer all of these questions, you need to find out where the information is, who can see it, how secure it is, and how it can be safely stored, retrieved and accessed. Not being fully informed and proactive on all these issues could seriously jeopardize the value, longevity and trustworthiness of any firm.