Cybersecurity: Is Client Data Safe?
Written by Jim Worthington on October 14, 2018
October is National Cybersecurity Awareness Month and lawyers should be paying attention to the need to protect their clients’ data. In fact, the Kentucky Bar Association released Ethics Op. E-446 on July 20, 2018, affirming the lawyer’s ethical duty to do so. This opinion follows American Bar Association Formal Opinion 477R, which was released in its revised form on May 22, 2017.
Lawyers needing to protect client information is nothing new. Clearing your desk before someone comes into your office, or only letting clients into selected areas of the firm’s offices, are both time-honored ways to maintain privacy. Moreover, the files for especially sensitive cases can be kept behind locked doors with limited access. Cybersecurity updates these traditional solutions with 21st century technology.
The problem with cybersecurity is the same as with traditional client security. One hundred percent safety is impossible to achieve. Indeed, many cybersecurity experts—and some state bar ethics opinions—address data breaches in terms of when, not if, one will happen. We must, however, be vigilant and try to avoid them. Some tools for doing so follow:
- Own your data and know your cloud vendor. The law firm staff should be the only ones to have access to the data; the vendor doesn’t need to see it. The vendor should have policies about what happens to the data if the contract is terminated. The vendor should publish its security standards and backup protocols.
- Encrypt your data both at rest and in transit. Both Windows (BitLocker) and Mac (FileVault) operating systems make it relatively easy to encrypt the hard drive, so a lost or stolen laptop does not become a lost client file. Most cloud providers encrypt data on their servers. Data should also be encrypted while it is being sent to and from a remote server. Unsecured public Wi-Fi networks in hotels, airports, and coffee shops are a particular risk: the wireless link itself carries no encryption, so anything that is not already protected by the application (an HTTPS connection or a VPN) can be read by anyone else on that network.
- Use strong passwords and keep them secret. Strong passwords can’t be found in the dictionary, and they are not reused across accounts, since a breach at one site is otherwise a breach at all of them. Really strong passwords are long and mix upper and lower case letters, numbers, and symbols; length counts for more than the sprinkling of symbols. A password manager allows use of those really strong passwords without having to memorize something that looks like “3A)76wy-B*8sK” for each of your accounts.
- Consider multi-factor authentication. Multi-factor authentication means that after your password is accepted, the system requires a second proof of identity: typically a short numeric code that is sent to, or generated on, a second device such as your cell phone. This code must be entered to access the system, and it is good for only a few minutes and a single use. It would therefore not be enough for someone to guess or learn your password; he or she would also have to get hold of that second device.
At Worthington Law Firm, Box and OneDrive for Business are used for cloud data storage because of their proven security. Encrypt.me is automatically turned on anytime a public Wi-Fi network is used. Devices that leave the office do not contain the actual file but just link to cloud storage. The transmission of that data is encrypted. All devices can be remotely wiped of data and locked. 1Password allows for the use of robust passwords. Multi-factor authentication is used for any particularly sensitive data. These product mentions aren’t endorsements but simply provide transparency about the security measures at Worthington Law Firm.