Follow these steps to avoid data breaches in your law practice that would make you WannaCry.
WannaCry. WannaCry. WannaCry. Yes, that’s how many lawyers feel when they think about digital data security, especially the folks over at DLA Piper who were recently hit with a type of ransomware similar to WannaCry, known as Petrwrap/Petya.
Let’s face it, we must start with this premise. Your data (regardless of where you store it – electronic or physical) is never 100% safe. This is a concept that lawyers should easily comprehend. Do you ever guarantee a win or even a specific result for your client? No, of course you don’t. Instead, you weigh the options and come up with a strategy that will be most likely to lead to the result the client desires.
The same is true when protecting sensitive law firm data. Pursuant to your ethical duties, you must take “reasonable efforts” to prevent unauthorized access or disclosure of client data. See Rule 1.6(c), Mass Bar Ethics Opinion 12-03. However, there is no clearly defined list of measures that comprise reasonable efforts, and indeed the comments to the rule take into account a variety of factors that include the cost and hardship of implementing safeguards in your practice.
While every firm needs to undergo its own security and risk analysis, you can start with the five basic steps below to help minimize your risk of a breach, thus minimizing risk of a violation of ethical duties and a multitude of other problems unrelated to your professional obligations.
Step One: Get proper training. Create and follow policies and procedures.
There are many different ways in which your data might be breached, but the simplest is through human error. Take, for example, ransomware, a popular type of malware that locks up users’ files until a ransom is paid. Ransomware runs because a user allows it to: you must take some action, for example clicking on a suspicious link in an e-mail, which then allows the software to execute. With proper training, you can prevent this. While more comprehensive and regular training is advisable, here are a few tips: 1) be thoughtful before you click on any link in an e-mail, particularly if you do not recognize the sender and/or the request is urgent, if you haven’t requested this information, or if it is not an e-mail you would expect to receive, 2) hover over the e-mail address and any links to ensure that the link address matches the address or name of the file, 3) be wary of links ending in .zip or .exe.
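For firms whose IT support wants to automate tips 2 and 3, the following is an added example (not part of the original article) that scans an HTML message body and flags links whose visible text shows one address while the link goes to another, and links ending in .zip or .exe. The names `LinkCollector` and `review_links` and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".zip", ".exe")  # the two endings named in tip 3
# A host-like string in the visible link text, e.g. "www.example.com"
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def review_links(html_body):
    """Return (href, reason) warnings for one message body."""
    parser = LinkCollector()
    parser.feed(html_body)
    warnings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        shown = DOMAIN_RE.search(text)
        # Tip 2: the address shown must match where the link really goes.
        if shown and shown.group(1).lower() != host:
            warnings.append((href, f"shows {shown.group(1)}, goes to {host}"))
        if parsed.path.lower().endswith(RISKY_EXTENSIONS):
            warnings.append((href, "ends in .zip or .exe"))
    return warnings

# Constructed sample body for illustration; not a real e-mail.
SAMPLE = """
<p><a href="http://files.example.net/invoice.zip">www.example-bank.com/invoice</a></p>
<p><a href="https://www.example.org/help">www.example.org/help</a></p>
<p><a href="https://portal.example.com/viewer.EXE">Download viewer</a></p>
"""
```

Calling `review_links(SAMPLE)` returns three warnings: the first link is flagged twice (mismatched address and a .zip ending) and the third once; the second link passes both checks.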
Take responsibility for your actions and those of your employees. Have policies and procedures (to get started, take a look at these sample templates), including a Written Information Security Program (WISP) which addresses risks, training, safeguards, and response. Then, follow those policies and procedures and review them regularly with your staff. Keep updated on the most current trends and variations in scams and malicious attacks. If you don’t have time (and why would you?), pay someone (such as an IT professional) to keep you up-to-date.
Step Two: Passwords, Passwords, Passwords.
Passwords can make all the difference. Strong passwords can prevent unauthorized access and prevent hackers from impersonating you to gain access to others. You must have unique passwords. No one password should be used for more than one account. To keep track of all your passwords, don’t keep them on a sticky note next to your computer. Instead, use a password manager, which is an electronic program that saves all your passwords in an encrypted vault and requires only one master password to gain access. Password managers can also generate random long multi-character passwords, which are the strongest types of password.
Also, use two-factor authentication if and when possible. For services like Dropbox and Google, this is an absolute must and it’s not difficult to set up. It requires both a password and a physical device to receive a code. If you do online banking, you should be using two-factor authentication.
Step Three: Back up your data, in at least one place!
A backup will save you in the event of a hard drive failure, stolen or lost laptop (which, by the way, is one of the most frequent causes of a data breach claim), accidental overwrite of data, or a malicious attack. Indeed, it is the best way to handle ransomware. Rather than paying the ransom, which can be extremely time consuming (not to mention costly) and stressful, restore your data from a backup.
Having redundant backups and testing your backups are key elements to a strong backup system. If something goes wrong and you need your backup, you’ll be kicking yourself if that backup is corrupt. Moreover, ensure that at least one of your backups is offsite. Using a cloud backup service is one option. Consider also what you are backing up. Are you only backing up files (i.e. file backup)? Or, are you backing up your entire file system (i.e. disk image)? The latter will allow you to restore everything just the way you left it.
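One way to test a backup, shown as an added example that is not part of the original article: restore it to a scratch folder and compare every file's SHA-256 digest against the live copy. The function names and the sample folder contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(source_dir, restored_dir):
    """Compare a test restore against the files it is supposed to contain."""
    src, dst = manifest(source_dir), manifest(restored_dir)
    return {
        "missing": sorted(set(src) - set(dst)),
        "corrupt": sorted(n for n in src.keys() & dst.keys() if src[n] != dst[n]),
        "extra": sorted(set(dst) - set(src)),
    }

def demo():
    """Build a constructed live tree and a damaged restore, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "live"), Path(tmp, "restored")
        (src / "clients").mkdir(parents=True)
        (dst / "clients").mkdir(parents=True)
        (src / "clients/engagement.txt").write_text("engagement letter v2")
        (src / "clients/ledger.csv").write_text("date,amount\n2017-06-01,100\n")
        (src / "calendar.ics").write_text("BEGIN:VCALENDAR")
        # The restore has one intact file, one truncated file, one missing.
        (dst / "clients/engagement.txt").write_text("engagement letter v2")
        (dst / "clients/ledger.csv").write_text("date,amount\n2017-06-01,1")
        return verify_restore(src, dst)

if __name__ == "__main__":
    print(demo())
```

A file edited after the backup ran will also appear under "corrupt", so run the comparison right after the backup completes or against a manifest saved at backup time.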
Step Four: Encrypt Sensitive Data.
Encryption is becoming more and more mainstream. Your doctor uses it when you sign into their secure client portal to access your records. Your CPA uses it to transfer tax returns via e-mail. You should be using it as well. There are products for every size of firm. Indeed, if you use Microsoft Office or own a Mac, you already have the capability to encrypt files. Both the PC and Mac also offer tools to encrypt your hard drive, a must for anyone carrying around a laptop with sensitive information. Mobile devices should also be encrypted; fortunately, all iPhones and more recent Android models are encrypted by default, as long as you turn on the passcode lock (and make sure the passcode is multi-character, or at least longer than four digits).
Consider replacing e-mail with an encrypted client portal to communicate and share documents with clients and colleagues. While legal-specific software typically provides better safeguards, even Dropbox (which is an encrypted portal) is better than nothing (assuming you are using strong passwords and using two-factor authentication).
Step Five: Keep Your Software Updated.
When your computer, tablet, or mobile device signals you that a software update or security patch is available, just do it! These updates and patches are for the purpose of protecting your technology and data. Further, when your software stops being supported by the developer and no more upgrades are available, then it’s time to move to other software or systems. Indeed, this article goes so far as to say that lawyers still using Windows XP don’t meet their duty of competency under new Rule 1.1, Comment 8.
This article was originally published as “Minimize Your Risk of a Data Breach with These Five Steps” in the Massachusetts Lawyers Journal.