Management Assistance Program on www.OKbar.org

OBA-MAP

Client Confidentiality, Personal Privacy and Digital Security

By Jim Calloway

We have just emerged from a presidential election that led to more members of the general public becoming aware that email accounts can be hacked and the disclosure of stolen emails can be embarrassing and has profound consequences. Technology professionals and those who follow tech news have been aware of these facts for some time.

In November 2014 hackers announced their successful intrusion into Sony Pictures and released personal information about its employees and their families, emails between employees, information about executive salaries and copies of then-unreleased Sony films. Since the hackers demanded Sony pull the release of its film The Interview, which was about North Korean leader Kim Jong-un, North Korea was blamed. Some Sony employees sued because their social security number and medical information were released. The Sony co-chairwoman stepped down.
 
In March 2016 it was revealed that nearly 50 large law firms, including some of the nation’s most prestigious, were the targets of hackers, although there is some dispute about how successful the hackers were in obtaining client information. (Update: After this column was published three men who allegedly made millions from hacking were charged with crimes.)
 
No lawyer or law firm wants to be hacked, whether the target is confidential client information or the lawyer’s credit card numbers and other financial information. As we approach a new year, let’s all resolve to take some affirmative action to improve our personal and professional digital security.

THE BASICS: A PASSWORD MANAGER AND TWO-FACTOR AUTHENTICATION 

Almost all lawyers are aware they need to use these tools, but many still resist due to the time it takes to set up these tools and the perceived inconvenience of using them.

Using the same password for all password-protected services you use means that when someone obtains your password for one of these sites, they will have access to all of them. Using words from the dictionary for a password means a brute force dictionary attack by hackers will crack your password. Using long strings of letters and symbols and numbers means that passwords will be difficult to remember. Many sites now require the use of numbers and characters in passwords.

It is time to start using a password manager.

Password managers are extremely affordable and allow you to generate long passwords of 20 to 30 characters without resorting to words found in the dictionary. A password that is short and simple enough for you to remember is too short and simple to be secure. In the endnotes (and on www.okbar.org when this article is published there) you will find links to reviews of some popular password managers. The basic version of LastPass is now free; however, I suggest you pay the $12 per year for the premium edition. Other popular password managers include 1Password, KeePass and Dashlane. Large firms may want enterprise solutions.

Using two-factor authentication for accounts you consider important is a great way to protect against hackers. There is no doubt the two-factor authentication is a bit of an inconvenience, but you should always use it with your financial accounts and any services where you have a credit card number on file. Also, if it would be devastating to lose all of the photos that you have stored online, you might consider using it for your photo storage account as well.
 
At the basic level using two-factor authentication means that when you log into to a website, a code number will be sent via text to your mobile device. You must enter that code to continue. If some hacker manages to steal your password by whatever method, they still cannot log into to access your information without also having access to your mobile phone. Note that when you set up this process individually on each website, it is very important to understand and preserve information about what to do if you lose your mobile phone.

PRACTICE SAFE COMPUTING WHEN OUT OF THE OFFICE

Unprotected public Wi-Fi hotspots are by definition not secure. You should only use Wi-Fi services that require a password or other authentication. If you plan on logging into your office from a remote location, it is best to set up a virtual private network (VPN) for you to login securely. Mac users can use Cloak. It is priced at $2.99 per month for the mini plan, $9.99 per month or $99.99 per year for the unlimited plan. This service was highly recommended by several speakers at ABA TECHSHOW 2016. PC Magazine recently posted a feature “The Best VPN Services of 2016.”

Invest in a sufficient data plan for your phone or other mobile device through your carrier so that you are not tempted to login to Wi-Fi hotspots.

FREE GMAIL WAS GREAT IN ITS TIME BUT…

Perhaps free Gmail is not the best plan for client email. After all, when Wikileaks passed along hacked emails from Clinton campaign chair John Podesta, many tech savvy people thought, “You were using a (presumably) free Gmail account to run a presidential campaign?”

Luckily there is a relatively painless quick fix to this issue. GSuite (formerly Google Apps for Business) provides many business enhancements for Gmail, Docs, Drive and Calendar for as little as $5 per user per month. If you have a law firm website, you can use that domain for your emails instead of Gmail.com with this service and your subscription payment provides you with many security and privacy features.
 
Now to be fair, almost everyone I know has a free Gmail account for personal matters or for providing when an email address is required that will result in you receiving email marketing messages. Having the business class security is a great plan for professional use and the administrative controls can be handy for a small firm lawyer who needs to easily cut off a recently-terminated employee’s access to firm email or calendar.

Another feature that sounded great about free web-based email services was that you received so much free storage space you didn’t have to worry about inbox management. It is easy to accumulate years of stored emails, but perhaps many years of searchable emails is not a great plan. You may never be the subject of a hacker dumping all of your saved emails into the public domain, but you might have an assistant using your email account and searching to find something or your heirs might have access to the account at some point. Maybe you don’t have terrible secrets hidden in your inbox, but maybe you had a less-than-charitable view of another lawyer or judge or your spouse was venting to you about someone who is now married to your child. Take a leap and delete everything in your inbox and sent folder that is more than a year or two old. If it is an important business or personal record, it should not be “filed” in your inbox anyway.

PHYSICAL DIGITAL SECURITY

That label may sound like an oxymoron, but there are several simple steps you should turn into habits to protect your computer and other data storage devices.

Never leave a laptop computer in the passenger compartment of your automobile. Always lock it in the trunk. If your computer bag has wheels, make sure the wheels point up and not down in the trunk in case you have to make an abrupt stop. Always turn off your computer when you leave work at the end of the day unless you intend to leave it on for remote access purposes. Make sure every workstation and mobile device is secured by a password or passcode.

PREPARE FOR TROUBLE

Backup any data you are not willing to lose. Have a disaster response plan printed out on paper so if your network or computer has a major problem or an intrusion you know who to call for help and what steps to take.

STAFF TRAINING
 
It is important to understand, most digital intrusions occur via email. Constant training and communication of emerging threats is now important for any office that must have use of its computer systems.
 
Just prior to Thanksgiving many Oklahoma bar members received an email with the subject line “Oklahoma Bar Association Complaint.” Of course it was a fake. Our general counsel’s office does not send these types of official notices by email. Cyber criminals hope the surprise and horror of reading a complaint has been filed will override judgment and generate a quick click on a link or attachment. If you receive an unexpected email that makes you want to instantly click on something, always pause and think.

Every year I place several phone calls or send emails (not replies) to lawyers asking, “Did you really just send me that email?” I’m known as a technology expert and I am not embarrassed to make outreaches, so you shouldn’t be either. I have been receiving a number of emails with Zip file attachments relating to online shopping orders I haven’t placed. The Zip file attachment is a warning all by itself, and if you hover over a suspicious link in an email you will often be able to see a preview that the link is actually to a suspicious location.

For more information see my blog post “The Holidays Bring More Email Threats.”
  
CEO FRAUD 

You were out of the office doing a series of depositions and had informed everyone in advance that interruptions could not happen during those two days. When you return, your assistant rushes up to you with a big smile and says, “Don’t worry, I got those funds wired for that settlement before the deadline.” You are puzzled and ask, “What funds?” Your day rapidly goes downhill from there.

The short version of how this works is that criminals reserve a domain name that looks very similar to the victim’s domain name. If their target used Smithlaw.com they might reserve Smiithlaw.com and few would notice the extra “i” in the emails they receive. It works even better if they have previously convinced the target to respond to an email so they can include the target’s actual signature block in their scam email.

The bottom line is wiring money is often an irreversible action and you should have very clear procedures with checks and balances before a wire transfer is made.

ENCRYPTION IS YOUR FRIEND

Encryption is not a four letter word and anyone concerned about confidentiality and privacy should understand how it works. Lawyers should know how to encrypt data on an “as needed” basis. I have previously noted the OBA member benefit Citrix ShareFile for email encryption and online file storage in my September 2016 Law Practice Tips column “Email Attachments vs. Client Portals.” This is a very important topic so if you missed it the first time, now is a good time to read it. Spoiler alert: Secure client portals are a much better way to share confidential information with your clients than unsecured, unencrypted email attachments.
 
If you have a laptop computer you should seriously consider encrypting the hard drive.

For reference I suggest reading “Encryption Made Easier: The Basics of Keeping Your Data Secure” by Sharon D. Nelson and John W. Simek along with another post that has been circulating online recently “How to Encrypt Your Entire Life in Less Than an Hour” by Quincy Larson of FreeCodeCamp. One note about some content in the Larson article is that the Tor browser is really for expert users. It can also be used as a gateway to those parts of the  internet you may have heard of but don’t want to visit. Duane Croft wrote about the Tor browser for the Oklahoma Bar Journal in 2013.
  
CONCLUSION

An old saying was that locks on doors were only to keep the honest people out. Perfect digital data security may not be possible, but by taking some of the steps above you can provide safeguards so you, your law firm and your client data are less appealing targets and perhaps the bad guys on the  internet will move on to those who have not taken these steps.

Mr. Calloway is OBA Management Assistance Program Director.  Need a quick answer to a tech problem or help solving a management dilemma?  Contact him at 405-416-7008, 1-800-522-8065 or jimc@okbar.org.  It's a free member benefit!

Originally published in the Oklahoma Bar Journal -- December 17, 2016 -- Vol. 87, No. 33