Law Technology Today From the ABA Legal Technology Resource Center
Our Panelists:
Natalie Kelly (NK), Steve Embry (SE), Aaron Street (AS), Peter Roberts (PR) and Josh Poje (JP).
What are some of your favorite tools for protecting sensitive data?
NK: I like encryption products like Virtru, Absio, Viivo and Citrix ShareFile for ensuring the security of sensitive data. These products have been streamlined to get over the clumsy and cumbersome nature of past encryption products. Their ability to integrate security where users have their data just makes sense. So whether data is kept in online storage accounts, is being sent in an email, or is stored on local machines or even mobile devices, these products can keep them secure.
SE: I use encryption for most everything. I also use a vpn. When it’s not available, I make sure to use https protocols if there is anything sensitive or at least avoid open wifi networks when in public places.
AS: I encrypt all of my hard drives, use a password manager (Dashlane) for all of my online accounts, use two-factor authentication for my most important accounts, and use a VPN (Cloak) when connecting my phone and computer to the internet.
PR: I use total disk encryption with OS X FileVault. Windows 10 uses BitLocker. When emailing a document, I use a password to open the attachment. This is possible with both PDFs and Word files. Consider segregating your network from the Internet. This means having a separate workstation for the Internet but not connected to your internal network. Your smartphone can be used for email with proper precautions.
JP: For me, protecting sensitive data starts with a good password manager. LastPass, KeePass, 1Password—they’re all fine depending on how you like to work. They make it easier to have distinct passwords for each service/site, and they include tools like a password audit to ensure you’re using strong passwords.
In terms of behavior, what’s the best tip you can give to help a lawyer prevent a data security breach?
NK: Be vigilant in your security process. Be consistent in running daily backups, weekly updates, and monthly restore routines. Simple plans to make sure everything is backed up, accessible, and secure is now necessary, and with automated scheduling and consistent checking by users, the process need not be as difficult as it had been in the past.
SE: Encrypt as much as you can. Use strong passwords. Don’t use the same password for multiple programs and apps. Routinely download security patches. 2 factor authentication. And perhaps more pedestrian but no less important, protect your devices some theft: a laptop is lost or stolen every 53 seconds. (I know, that’s more than one!)
AS: Follow the four simple steps I use (encryption, password manager, two-factor authentication, and VPN).
PR: Be sure to use an online data backup service and be very alert to emails from anyone asking you to click on a link. Delete all such messages. Discuss this with all employees. And make a point of viewing the YouTube videos at Sensei Enterprises, Inc. as well as the resources of ABA’s Legal Technology Resource Center.
JP: Think seriously about what data you carry around. If you routinely throw sensitive files onto a thumb drive to move them between home and work, it’s a matter of time until that thumb drive slips out of your pocket or you accidentally leave it plugged in somewhere you shouldn’t. Storing sensitive data in a secure cloud service, preferably with two factor authentication, means that the physical devices you carry around become much less of a security risk and your data becomes accessible wherever you need it. It’s a win-win.
Are there any strategies to avoid when trying to protect sensitive data?
NK: Avoid taking short cuts because this can end up with bad results, like leaked information or worse – having information be held for ransom – and this could all happen even before you decide about how you will tell any affected parties. Take detailed and calculated steps when working with security tools and procedures you have set up for your office. Don’t cut corners and stay on top of any security tasks you have set for the firm.
SE: All of the above. But really, some common sense steps will go a long way. We are rapidly moving toward a world where inadvertence or failing to take simple precautionary steps can lead to realy problems. The guy who pocket dials and doesn’t take steps to prevent that loses any right to claim confidentially of intercepted communications (see Bertha and James Huff v. Carol Spaw, (http://www.ca6.uscourts.gov/opinions.pdf/15a0157p-06.pdf). One other strategy we don’t ussly think of in in this context is backing up data so that if there is a breach and/ or ransomware is demanded steps you have some means of retrieving what you have if your devices need to be wiped.
AS: Unless you have extremely sensitive data (which you must determine on your own), it’s best not to overcomplicate your data security processes, which would make it more likely you won’t use it them the time. Follow a few smart and simple steps and you can eliminate the vast majority of data security risk without too much time or expense.
PR: Avoid not logging out each day.
JP: Never make assumptions about how your data is being secured. We have a tendency to assume someone else is taking care of it—an assistant, paralegal, someone in IT, a vendor, etc. Always do the research and ask the questions yourself so you can feel confident that your data is safe.
Have you ever been victim of a data breach or hack? If so, how’d it happen to you?
NK: Yes, a few years ago one of my personal bank accounts was hacked and only through personal monitoring – it was an account we utilized little – and working with the bank’s Anti-Theft and Fraud units was I able to get to the bottom of the hack. Luckily this did not lead to any stolen identity issues, but it was frustrating and made me realize that even through my own vigilant efforts and the mounds of security banks have in place, it could happen. My lesson was and one for others is you have to be prepared to make bouncing back from a hack easier for yourself, because through no fault of your own they can happen – even when fighting hard to guard against them.
SE: I have only in minor ways through credit card thefts and the like. We have pretty good protection with my firm and I use primarily Apple devices otherwise.
AS: We all have, whether we know it or not. At least some of your credit card numbers and passwords are currently for sale by hackers right now.
PR: Fortunately, I have not been a victim—that I know of, and that is the really scary part today.
JP: Thankfully no! But I’ve had close friends compromised at varying levels of severity. The failure points in most cases were bad passwords or bad security questions that allowed someone to easily reset a password.
