Email Security Tips for Lawyers

Lawyers may receive sensitive documents from clients quite often, depending on their specialization. Whether you’re a real estate lawyer receiving mortgage documents, or a criminal lawyer looking at death certificates and other important legal documents, you likely deal with sensitive information on a regular basis—information that might be useful for hackers and fraudsters in some way. The importance of keeping a client’s information secure isn’t lost on most professionals, but many may not know how to make this happen in practice. The world of cyber security changes pretty quickly, and unscrupulous individuals are always looking for new angles to gain access to information. While certain criminals may use complex tools to force their way into computer systems, some of these methods may be more “low tech” than you might expect.

Short of adding dedicated cyber security staff to your team, the following habits and actions can make email communications much more secure.

Password Security

Passwords prevent unauthorized use of email accounts and other online accounts. Easy-to-guess passwords leave lawyers (and the clients they’re communicating with) vulnerable to discovery by cyber criminals. If an account is ever compromised, the password needs to be changed.

Two-factor authentication can be a great failsafe for any password that is cracked, as it adds another level of security to an account. However, it is important to understand that this is not a cure-all solution. If a criminal is able to take control of your phone or the account for your cell phone plan, they may be able to bypass this security measure.

Avoid writing passwords down, and never record your password openly on your phone. All other security measures are pointless if someone can walk by your desk and learn your password.

Regularly changing passwords, while a good practice in an ideal setting, can present security risks if these passwords are not remembered. Lawyers having a hard time remembering their password should use a reputable encrypted password manager. This secure software generates, retrieves and tracks passwords for users.

Lawyers who choose not to use a password manager and who instead generate their own passwords should make those passwords very challenging yet memorable. This means using passwords that have a variety of uppercase and lowercase letters, special characters, and numbers. It is typically suggested to not use words found in the dictionary, but that doesn’t mean memorable variations cannot be utilized. A password like “Numb3r_1_L4wy3r!” might be a bit funny-looking, but it is quite strong as a password while being relatively easy to memorize.

According to a Verizon Data Breach Investigations Report, over 70% of employees re-use passwords and 81% of breaches were due to “stolen and/or weak passwords”. Re-using the same passwords across multiple applications or platforms just gives hackers the ability to access sensitive data in multiple locations. Lawyers must take care to ensure that their email password is unique.

Education and Avoiding Social Engineering

Even if a lawyer is doing their part to make their email secure, their efforts could be for nothing if they aren’t educating people who work in their office. It’s also vitally important to educate clients about email best practices. No matter what security measures are in place, email is not a completely secure medium. Lawyers can protect their clients by avoiding use of email for sensitive information.

This requires the client to never send anything over email that contains a social security number, bank account number, credit card number or another piece of sensitive identifying information. These instructions should be given to clients on their first communication with the lawyer, and repeatedly thereafter. They can be told what requests they might expect or not expect to receive from your email.

One popular way that sensitive information is obtained is frighteningly simple—the criminal simply asks for it. Fraud often occurs when clients receive an email from a similar address to your own that asks for sensitive information. Firms and clients may be targeted by fraudsters posing as legitimate businesses with emails requesting payments for services or simply a log-in verification using similar tactics. If a vendor’s email is, someone looking to pull off this scheme may use an address like in an attempt to trick the reader.
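
As an added illustration (not part of the original article), the Python example below shows how a firm's mail filter or help desk could flag a sender whose domain merely resembles one the firm already corresponds with. The allowlist, the sample addresses and the distance threshold are constructed assumptions.

```python
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed allowlist: domains the firm really corresponds with (assumption).
KNOWN_DOMAINS = {"example-title.com", "examplebank.com"}
# Digit-for-letter swaps often used to make one domain resemble another.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so visually similar domains compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ("known" | "lookalike" | "unknown", matched known domain or None)."""
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return ("unknown", None)
    if domain in KNOWN_DOMAINS:
        return ("known", domain)
    for known in sorted(KNOWN_DOMAINS):
        # Same skeleton, or only a couple of keystrokes away: treat as an imitation.
        if skeleton(domain) == skeleton(known) or edit_distance(domain, known) <= max_distance:
            return ("lookalike", known)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample From headers, not taken from the article.
    for header in ["Billing <billing@examplebank.com>",
                   "Billing <billing@examp1ebank.com>",
                   "Billing <billing@exarnplebank.com>",
                   "Newsletter <news@unrelated.org>"]:
        print(classify_sender(header), header)
```

A "lookalike" result is a reason to confirm the request by phone before acting on it. The check looks only at the address in the From header, not the display name, and short domains may need a smaller threshold to avoid false matches.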

Lawyers can teach the people who work in their office, from the receptionist to the other lawyers, to have a critical eye when emails like this come through. Sending reminder emails periodically, and training all new employees about the best practices for protecting client information, can help prevent a breach.

Your clients must know their information is safe with your office. By training your employees, educating clients, and taking proper measures to protect client information, you can help stop cyber criminals from accessing your firm’s data.
