While the use of technology has changed the practice of law in many positive ways, it can also expose client data to risks posed by increasingly sophisticated cybercriminals with increasingly sophisticated software, scams, and strategies. Lawyers make appealing targets because they store well-organized, valuable data like intellectual property; trade secrets; sensitive personal, health, and financial information; and inside knowledge of litigation strategy and big-money transactions. A lawyer’s responsibility to safeguard client data implicates the ethical duties of competence and confidentiality (see Formal Opinion No. 2011-188) and may implicate certain provisions of the Oregon Consumer Identity Theft Protection Act. Fortunately, with a number of free or cost-effective techniques, you can increase data security. Here are just a few.
Encrypt your devices.
If someone steals a device like your computer, phone, or flash drive, encryption can render its data unreadable to anyone who doesn’t hold your encryption key (e.g., your password). The downside to encrypting your device is that you lose your data if you lose your encryption key. So choose your encryption key wisely. For example, use a long, complicated password that’s easy for you to remember. Write it down and store it under lock and key somewhere other than the location of your encrypted device. To encrypt the hard drive of a PC running certain versions of Windows, BitLocker is already installed but may need to be turned on. To encrypt the hard drive of a Mac, FileVault is already installed but may need to be turned on. For iOS devices like iPhones and iPads, encryption is enabled by default and tied to the passcode that was set when the device was purchased (which you can adjust under Settings). CipherShed, DiskCryptor, and VeraCrypt are free programs that can encrypt your hard drive as well as devices like flash drives and external hard drives.
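As an added example (not part of the original article), the PowerShell below checks whether the Windows system drive is already protected by BitLocker and, if it is not, turns BitLocker on with a TPM protector plus a numerical recovery password that you can print and lock away as the article advises. It assumes a Windows edition that ships BitLocker, a TPM, an operating-system volume of C:, and an elevated (administrator) shell.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Assumptions: BitLocker-capable
# Windows edition, a TPM, the OS volume is C:, and the shell is elevated.

$MountPoint = "C:"

# Refuse to proceed without a ready TPM; otherwise the recovery password would
# be the only protector and you would be typing it at every boot.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM found; prepare the TPM (Initialize-Tpm) before enabling BitLocker."
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint

if ($vol.VolumeStatus -eq "FullyDecrypted") {
    # 1. Add the numerical recovery password first. This is the key you write
    #    down and store away from the laptop; without it (or the TPM) the data
    #    on a lost or broken device cannot be recovered.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # 2. Bind the volume to the TPM and start encrypting the whole disk.
    #    -UsedSpaceOnly is deliberately omitted: on a drive that already held
    #    client files, free space may still contain deleted data.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest | Out-Null
}

# Report status and the recovery password. Print this to paper, not to a file
# stored on the same machine.
$vol      = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"

[pscustomobject]@{
    Volume               = $vol.MountPoint
    VolumeStatus         = $vol.VolumeStatus        # EncryptionInProgress, FullyEncrypted, ...
    ProtectionStatus     = $vol.ProtectionStatus    # On once encryption has finished
    EncryptionPercentage = $vol.EncryptionPercentage
    Protectors           = ($vol.KeyProtector.KeyProtectorType -join ", ")
    RecoveryPasswordId   = $recovery.KeyProtectorId
    RecoveryPassword     = $recovery.RecoveryPassword
} | Format-List
```

The Mac equivalent is `fdesetup status` to check FileVault and `sudo fdesetup enable`, which likewise prints a recovery key that should be stored away from the machine.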
Consider a password manager.
Using the same password for multiple websites and services can be as dangerous as using a common password that’s easy for hackers to guess. Say you use the same password for iTunes, eBay, and Dropbox when eBay suffers a data breach: your password could be sold on the Dark Web, and your client data in Dropbox could be jeopardized. A password manager can store a unique, complex password for each site you log in to. Many password managers are secured behind two-factor authentication so that you need a master password and something unique (like your fingerprint) for access (see Safeguard Data with Two-Factor Authentication). LastPass, Keeper, and True Key offer free password managers with two-factor authentication on multiple platforms. To see if your email address has been the subject of a known data breach that may have compromised your password, visit haveibeenpwned.com and enter your email address in the search bar.
Use malware protection software.
“Malware” (short for malicious software) refers generally to any program designed to access your computer system and cause harm. Malware includes the familiar computer virus, “spyware” that can gather client data without your knowledge, and “ransomware” that can hold client data hostage until you pay a ransom. Some operating systems have built-in security features to combat malware (e.g., Microsoft’s Windows Defender, Apple’s Gatekeeper), but there are also a number of free or affordable malware protection programs on the market. Avast, Avira, and Bitdefender offer malware protection in free and paid versions across multiple platforms.
Choose cloud storage providers carefully.
Cloud storage can be a wonderful convenience, but not all cloud storage is equal in terms of data security. Investigate cloud storage providers to determine whether their service satisfies your data security obligations. Read the terms of service, as many free storage services authorize the provider or third parties to access and analyze your data. Look into the provider’s track record, because some have a history of data breaches while others do not. Research the provider’s security practices: certain services (SpiderOak, Sync, and Tresorit come to mind) apply “zero-knowledge” encryption so that your files are unreadable to everyone but you, including the provider and any governmental authority that seeks to obtain the provider’s data by warrant or subpoena. Find out whether the provider offers a HIPAA-compliant version of its service (and note that this will typically be a paid version). See if the provider offers two-factor authentication as an added security measure. Consider how long the provider has been in business and whether there’s a risk that the company will fold without a plan for your data. To learn more about encryption in the context of cloud storage, see Understanding Security When Using Cloud Storage.
For an in-depth discussion of factors to weigh when selecting software, see Avoid Feeling Trapped: Factors to Consider Before Committing to Software.
For additional questions to ask when vetting cloud storage providers, view our Online Data Storage Providers practice aid at https://www.osbplf.org/ > Practice Management > Forms > View Forms by Category: Paperless Office and Cloud Computing > Search.