In my first post of this series on securing your data, I addressed the Massachusetts Data Privacy Laws, which provide standards for businesses that keep certain types of personal information. Part of the my discussion followed the insights of a panel of experts at a data security program held at the Social Law Library in May 2014. One panelist noted that solo and small firms tend to be easy targets for hackers because they typically don’t have proper security safeguards in place.
While hackers certainly pose a security risk to your practice, so do lost mobile devices, emails mistakenly sent to the wrong party, unrecoverable data due to faulty or non-existent backups, and use of free wifi at your local Starbucks. In this post, I’ve given you my top security tips so that you can start to implement better security safeguards in your practice today. Drum roll . . .
#1 Strong Passwords. A strong password can drastically reduce the risk of unauthorized access to your firm’s data. It’s probably the single most important step you can take now to protect your data (ok, finish reading this post first). And, if you need any convincing, try out a few of your current passwords on this site: https://howsecureismypassword.net.
What are the essential elements of a strong password?
- It is unique; used for one service only .
- It is long and uses multiple characters.
- It is not a common word or phrase (i.e. “password” or “monkey”); or, one of the passwords on this list of common passwords.
The best password is one that is randomly generated. A password manager can generate random passwords, as well as store and organize all your passwords, requiring only one master password to access your safe. Thus, you need not remember all your passwords nor do you need to keep them on sticky notes next to your computer (not exactly the safest option). Some of the top password manager programs include 1Password, LastPass, KeePass, and Dashlane. If it helps, I’ve forced every member of my immediate (and some extended) family onto one of these programs. That’s how much I value these services.
Read more about Strong Passwords here.
#2 Two-Factor Authentication. When you store data in the cloud, you lose some control over that data. Thus, you want to take extra steps to protect that data. Using two-factor authentication provides that extra protection. A basic example of two-factor authentication is the use of your ATM card to retrieve money from an ATM – first, you must swipe your card, then you must enter your PIN number. Two-factor authentication access requires something you know (i.e. PIN or password), in addition to something you have in your physical possession (i.e. your ATM card or cell phone), thus creating a stronger security barrier. Popular cloud-services, such as Google, Dropbox, and Evernote, all provide two-factor authentication for users.
#3 Backups. A scenario more likely to hit your law office than a breach is the loss of data due to some disaster or computer failure. You should have a redundant backup system as a failsafe. Ideally, electronic data should be backed up regularly through a combination of physical hard drives and cloud providers. Seagate, Western Digital, and Drobo are some of the top external hard drive brands. A few cloud back-up providers include Mozy, Carbonite, Crashplan, and Backblaze . Further, there are services that offer combo packages for physical plus cloud components, such as SpaceMonkey. Don’t confuse cloud storage services like Dropbox and Google Drive with a dedicated backup cloud service. Using a cloud storage service as your backup is akin to having a real estate attorney draft a special needs trust. The purpose of Dropbox and Google Drive services is to sync files across systems, not to act as a backup system. If you delete a file on one device, it will be deleted on all other devices (including in the cloud). And, you shouldn’t count on it remaining in your trash folder (ex. Dropbox permanently deletes files in the trash after 30 days). Once you’ve secured your backups, remember that they won’t do you any good unless you test them by conducting periodic restores of non-essential data. In the event of an unexpected data loss, you should know precisely how to access and restore your data in just a few simple steps .
#4 Computer Updates. Your computer and mobile devices should be running the most up-to-date systems, software, and anti-virus programs. Developers constantly update software to both increase performance and to enhance security. Set your computer to automatically check for system and software updates, and then install those updates when prompted. This applies to your mobile devices as well. Pay attention to notifications on your device and install updates when they become available.
#5 Secured Networks. Ensure that your wireless network is set up securely. Change your router’s default password and enable WPA or WPA2 encryption. Confirm that your router is running the most up-to-date firmware. For extra protection, configure your router to whitelist all your office computers and devices (using their MAC address – Media Access Control Address) so that even if a hacker was within range of your network it would need to break the encryption in addition to have the MAC address of one of your devices listed. When you are out of your office, don’t use unsecure networks (read: free wifi). If you must, at the very least set up your computer’s firewall protection (see this article for Mac and this one for PC). Alternatives to using free wifi include setting up your own private VPN connection with a service such as Cloak, using a portable router to establish a private connection, such as with the D-Link DIR-510L, buying a MiFi device from a mobile carrier, or activating your mobile phone’s tethering plan.
#6 Encryption. Encryption is one of the best methods of protecting your electronic data. It takes the contents of a document and scrambles it such that it is rendered unreadable. What can and should be encrypted? According to the Massachusetts Data Privacy Laws (see M.G.L. c.93H and 93I, and implementing regulations, 201 CMR 17.00), certain personal information that travels wirelessly must be encrypted. That might include transmission of emails and documents, documents stored in the cloud, laptop hard drives, and USB storage devices. The simplest way to send encrypted data over email is to encrypt and attach a document to an email. Fortunately, it is not difficult to encrypt electronic information. You can encrypt documents with tools native to a Mac computer and with programs such as Adobe Acrobat for a PC. Both Mac and PC computers also have tools (FileVault and BitLocker, respectively) to enable full-disk encryption, that is, encryption of your entire hard drive and attached external drives such as a USB device or external backup drive. You can look forward to more on encryption later in this series.
Read more about Encryption here.
#7 Vetting Providers. Due diligence is warranted before using a third-party service that may have access to confidential client information. This applies to both physical and electronic data, but my focus here is solely on electronic data, particularly that which is stored in the cloud. The Massachusetts Data Privacy Laws require that a business maintaining the statutorily protected personal information contract with third parties to provide assurances that their service complies with the statute. But, as we’ve written about previously, here and here, it may be difficult to do so, and thus in those situations the most practical course of action (albeit not strictly compliant with the statute) is to vet the provider and then document the steps you’ve taken. Furthermore, you have ethical obligations to protect your client’s electronic information. Based on guidance by the Massachusetts Bar Association Ethic’s Committee, see Opinion 12:03, storing confidential client data in the cloud does not violate the rules as long as the attorney “undertakes reasonable efforts to ensure that the provider’s data privacy policies, practices and procedures are compatible with the Lawyer’s professional obligations” (i.e. the vetting process). Here is what the Committee indicates are “reasonable efforts” (along with my own explanatory comments):
- “prohibit unauthorized access to data” and allow access by the provider only to “convey or display the data to authorized users;” [You don’t want the vendor’s employees or other third parties snooping through your data, nor do you want the company to quickly (without notice to you) hand over your data if served with a subpoena.]
- provide sufficient access to the attorney user in the event of a service disruption [You own your data, and the vendor’s policies should confirm that. If the vendor goes out of business or you terminate the service, you should be able to get your data out.]
- examination of the provider’s reputation and history, including encryption, password protection, backups, and history of breaches; and [Rather than starting from scratch, find a service that other attorneys and/or practice advisors recommend. Then engage in your own due diligence.]
- conducting a periodic review of the provider’s policies to ensure continued compliance. [Most vendors draft their policies with a provision subjecting it to infinite change. Review your provider’s policies at least on an annual basis and whenever you are notified by your provider that their policies have changed.]
#8 Policy and Training. Your firm should have a policy that sets out how your it safeguards confidential information, which might include necessary training for staff on how to manage firm-wide network security as well as training for individual staff computer use (i.e. passwords, computer updates, logoff requirements), encryption procedures, protocols for protecting mobile devices that access firm information, handling of third-party access to data (i.e. cloud storage providers), and remediation procedures in the event of a data breach. Moreover, this type of policy (a “Written Information Security Program”) is indeed required by the Massachusetts Data Privacy Laws for businesses that keep certain personal information as implicated by the statute.
While it is impossible to ensure that your data (whether physical or electronic) is 100% safe, taking the foregoing steps to protect your digital data will help you significantly mitigate security risks. Later in this series, I will expand upon some of these topics as well as discuss specific protections for a variety of computer systems and devices. I know that you will be eagerly awaiting . . .
TextExpander Touch: Create custom shortcuts for frequently used words and phrases. Makes drafting on a small device much more efficient.
Songza: A Pandora replica, but with less advertisements. Curating playlists based on mood, activity, and day/time.
Drafts: An integrated note-taking app. Draft a note and export to a variety of services or create your own custom actions.