Attorneys and law firms are targets for cyber-attack. We collect large volumes of valuable personal information, and many of us have devoted insufficient time and resources to the security of that information. The purpose of this recurring column in the Bar News is to inform attorneys and firms about the safeguards we should implement to protect information, as well as the threats we face from cyber-attack/crime and the measures we should take to mitigate those threats. Thus, we start with a key concept of information security – encryption.
If sensitive information is transported or transmitted electronically, it must be protected properly. This is not optional. It is a tenet of information security law, as well as an ethical obligation we have as attorneys to deploy appropriate safeguards to protect our clients’ information.
Common examples of electronic transportation of information are on computers, mobile devices (like cell phones, tablets, and watches), and external drives that connect through a universal serial bus (USB) or micro-USB port. The most common examples of electronic transmission are sending via email, uploading or inputting information on a website, using a file transfer protocol (FTP) site, transferring information via a cloud storage service (like Dropbox), linking using record management applications that integrate with email (like Microsoft SharePoint, Google Drive, and iManage), and transacting information on a portal controlled by the sender or receiver (like court e-filing systems and online systems deployed by many hospitals and banks).
Encryption is the standard for protecting electronically transported or transmitted information, and it is universally available for doing so. For example, computers either have encryption technology integrated into their operating systems that must be activated (like BitLocker for the Microsoft Windows 10 and newer operating systems, and FileVault for the Apple operating system), or encryption applications can be purchased and installed on them. Apple and Android mobile devices with updated operating systems are encrypted as long as users employ a passcode or biometrics to access them. Attorneys and law firms should configure their email systems to technologically require a passcode or biometric lock on every device that connects to those systems. Encrypted external drives are readily available, and applications can be deployed that either reject certain external drives inserted into computers or encrypt drives that are not already encrypted.
Similarly, all email systems either have encryption technology already integrated into them that must be activated, or encryption “plug-in” applications can be implemented. Users must be trained about how to use email encryption and what email to encrypt, and applications can be deployed to monitor email sent unencrypted that may contain certain personal information. Because accessing encrypted email can be challenging for some technologically unsophisticated recipients, attorneys and law firms should look to transition to readily available record management applications that integrate into their email systems. Such applications offer a wide range of security and usability features, including encrypted transmission of information bi-directionally using links, collaboration with clients and other third parties within records, and maintaining information inside the attorneys’ and law firms’ information systems (instead of clients’ systems) either on premises or in the cloud.
Cyber-security is daunting for attorneys and law firms because it is so new to most of us. But it does not have to be complex, difficult, or even necessarily costly, particularly if you seek guidance from an experienced information security lawyer or other professional. What is most important is that we all begin to improve the information security of ourselves and our firms – and encryption is a great place to start.