Oregon State Bar Bulletin OCTOBER 2012
E-Security Pros Offer 15 Tips to Help Law
Firms Better Protect Sensitive Data
Two years ago, Ryan Schlunz was managing information technology for a large East Coast law firm with offices in New York and abroad. He saw firsthand just how tenuous a law firm’s electronic security can be as news of breaches at high-profile firms made national headlines.
Law firm electronic security, or “e-security,” has taken center stage nationally and is a frequent topic of practice management seminars and publications. The American Bar Association and its practice management journals continually advise members how to improve their e-security, as do other national legal publications, blogs and social media sites. Horror stories about large U.S. law firms being hacked — in several cases by Chinese and other foreign entities seeking to derail corporate transactions — and confidential information being stolen or lost have fueled the national discussion.
Many of Oregon’s larger firms have taken notice and either hired a chief information officer or similar internal IT manager or contracted with consultants to make sure they are adequately protected. Stoel Rives hired Schlunz as its chief information officer about 18 months ago as part of its strategy to consolidate its information management and technology systems and conduct several system overhauls designed to better serve — and protect — its clients. One of the growing cadre of IT professionals charged with enhancing law firms’ e-security, Schlunz points out that it’s simply a new way of conducting an old practice.
“Security has been at the forefront for law firms for hundreds of years. We’ve always needed to protect our clients’ information and confidentiality,” he says. “What has changed in the last decade is the availability of that information. And if law firms haven’t already started looking at this by now, they are way behind the trend.”
A New Perspective on Protecting Assets
Stoel Rives reorganized its IT department in the summer of 2011 to focus on engineering reliable and secure technology that helps the firm better support its clients anytime and anywhere they need its legal services. Through the reorganization, the firm added three senior management positions to help develop its technology strategy: a network operations and security manager, an enterprise applications manager, and a desktop and remote access engineering manager.
In addition, the firm recently hired a new training manager and is reorganizing its training on how employees should use technology to better serve their clients. “This will also help us raise awareness about security and how to minimize any efficiency issues that may arise as a result of a newly implemented security policy or procedure,” Schlunz says.
Aaron Starr manages information technology for Gevurtz Menashe Larson & Howe and provides consulting services for Barran Liebman. He says he has seen a sea change in attitudes about e-security since he began working with law firms in 1999 as a database administrator.
“IT managers are now being taken a lot more seriously when it comes to these kinds of threats, and law firms have really started to realize that their electronic assets are almost more important than their paper assets,” he says. “Much like paper assets that you would put under lock and key, you need to do the same with your electronic data.”
Andy Kitchen, firm administrator for Bullard Law, says the first question firms need to consider when bolstering their e-security is where they are going to store sensitive information, such as on their own servers or in the cloud. Then they must determine what kind of encryption system they will use to protect that storage.
“We store our information on our own servers and it’s a closed loop, so the biggest point of access is email because it’s being sent out to other places,” he says, noting Bullard’s security measures include programs that scan all email to remove metadata before messages go out and block malware, viruses and other damaging elements as messages come in.
“Encrypted email is another trend and our firm is discussing whether it’s worth it. It’s an additional layer of security, but it’s not exactly convenient for the clients,” Kitchen says.
Michael Shufeldt, director of information technology for Cosgrave Vergeer Kester, says his firm’s e-security measures include multiple layers of security internally and an additional cloud-based layer for email scanning. And Jordan Ramis conducts auditing and logging of events and information associated with Internet communications.
Full disclosure is another key piece of e-security, from information to clients about protections that are in place to reporting security breaches when they happen. Eugene firms like the Corson & Johnson Law Firm and sole practitioner Daniel Gordon provide detailed explanations of their client privacy and information protection policies on their websites, and how client information provided through email and electronic contact forms may and may not be used. Others, like Bend lawyer Warren West and Anderson Law, which has offices in Bend, McMinnville and Portland, caution potential clients that confidential and time-sensitive information should not be submitted electronically because of potential security issues online.
Salem firm Sherman Sherman Johnnie & Hoyt advises its clients to consider “cyber insurance” because most general liability insurance policies do not cover the loss of electronic data. E-security experts suggest law firms follow suit and purchase insurance that specifically protects against such losses.
A Eugene firm that asked to remain anonymous says its biggest e-security challenge is keeping up with new issues and requirements as technology evolves and new threats are discovered.
“This requires special vigilance. Technology changes quickly and security needs to follow,” says the firm’s IT manager. “We devote significant resources to be up to date. Most recently we have updated our written procedures for securing portable data on thumb drives, smart phones and tablets.”
As the range of e-security considerations and protection measures evolve, so do the Oregon State Bar’s ethics guidelines on how to protect client information. Recent ethics opinions include how to handle the disclosure of metadata, what to do about misdirected attorney-client email, and how to ensure the safe, third-party electronic storage of client information, among other issues.
Mobile Devices Generate Growing Problem
Even with so many measures in place, however, data leakage is still the biggest concern for most law firms. Starr says leakage can occur through intentional methods such as a virus or malware or theft when an employee burns information onto a disk or flash drive and steals it. It can also happen accidentally if an employee inadvertently uploads information to a social media site.
“Gone are the days when you could just throw things on a server or a computer at work and know that that data will sit there forever or that it will never go outside the four walls of your firm. That just doesn’t exist anymore,” he says. “The biggest factor in controlling data leakage is knowing where all of your firm data is at all times.”
Starr says that includes secure offsite backup storage, transported in a secure method, and using industry-standard methods of securely destroying data on decommissioned equipment — from traditional workstations to mobile devices, external storage, server storage and flash memory. Law firms also should have strict policies on accessing firm data remotely, he says.
The biggest potential e-security threat, most IT professionals agree, is posed by mobile devices. Starr, Schlunz and Kitchen all say laptops, smart phones, tablets and other similar devices can be a ticking time bomb if an employee uploads client information onto them.
“That is a definite concern and we have specific protocols that I’m sure other firms have in place as well,” Kitchen says. “What we’ve done … is make it so that all of our notebooks now access our servers. Nothing goes on the hard drive, and we made that switch about a year ago.”
National e-security experts Sharon Nelson and John Simek point out that most smart phones write some amount of data to the phone, and opening a client document may write it to the smart phone whether or not it gets saved.
“The iPhone is particularly data rich. Make sure you have a PIN for your phone. This is a fundamental protection,” they advise. “Don’t use ‘swiping’ to protect your phone, as thieves can discern the swipe the vast majority of the time due to the oils from your fingers. Also, make sure that you can wipe the data remotely if you lose your phone.” (See sidebar for more e-security tips.)
Traci Ray, director of marketing, client services and events for Barran Liebman, says the firm is determined to prevent data leakage at every level, and specifically through mobile and tablet devices. Barran Liebman enforces strong pass code policies on all of its mobile devices, coupled with a centralized tool to control and remotely wipe devices.
Teri Miller, marketing director at Jordan Ramis, notes that the increased use of the iPad as a business tool has made keeping sensitive information inside the corporate network even more challenging.
“If you are typing notes from a business meeting on your iPad, those notes are being backed up on the iCloud — essentially, someone else’s server. The data is no longer on your corporate network, and you are no longer solely in custody of it,” she says.
Miller says other e-security challenges include evaluating new technology before it is implemented, particularly in light of where and how sensitive data is stored, and keeping abreast of new attack methods used on the Internet. Another ongoing concern is the need to back up critical information to allow for fast recovery in case of data loss
Solo and Small Firms Face Unique Difficulties
E-security can be particularly troublesome for solo and small law firms, many of which cannot afford IT staff. Lorena Reynolds, partner at the Reynolds Law Firm in Corvallis, says her 13-employee firm does not include a chief information officer. However, the firm does contract with an IT consultant whose services include attempting to hack into her e-security system to ensure its integrity.
In addition, only the firm’s three attorneys can access information from a small group of designated remote locations. No client information may be downloaded onto laptops or flash drives. And all data is password protected and stored on a secure server, Reynolds says.
“I think if I were trying to manage all these details I would be completely overwhelmed,” she notes. “But I have someone I trust who has worked with other businesses that have these same concerns, so I feel very comfortable with him.”
Myah Osher, a solo attorney and chair of the bar’s Solo and Small Firm section, says she reads up as much as she can about e-security issues and her husband’s work for a small software company helps educate her as well. Still, managing her firm’s information technology is yet another demanding — and often frustrating — element of running a practice.
“Security is a huge matter of stress for small firms and solos, whether they know a lot about it or have a lack thereof,” Osher says. “Those who know more about it tend to be lackadaisical because they assume it will always be a problem. And others are stressed because they don’t know enough about it. I think most people fall into the category of being nervous about it because we are lawyers and not technology people.”
For her part, Osher now converts all of her documents into PDFs that cannot be altered and also to prevent access to metadata. She avoids using Google for email because of the company’s electronic storage policy, and she hesitates to use Dropbox because she’s unsure of where that data is stored.
“For functionality, it’s really a constant struggle. It’s so much easier to upload things to Dropbox or other formats where you have access to it anywhere, but you don’t want it to be available for just anyone to see,” Osher says. “For a solo or small firm, efficiency is the key to not being stressed, and it’s really frustrating to not be able to just upload things.”
As an additional precaution, Osher backs up her information on her own server and uses a computer that isn’t linked elsewhere.
“It’s a double-edged sword because, on one hand, I’m worried about losing data and, on the other hand, I’m worried about client confidentiality,” she says.
While Osher acknowledges that it would be helpful to hire an IT person, other priorities come first. “Honestly, before I hire IT staff I’m going to need to hire a paralegal or other administrative support staff,” she says.
Schlunz empathizes with small firms and solo lawyers who cannot afford IT staff, but encourages them to partner with a good information technology consultant. He advises small firm owners and solo attorneys to work with the International Legal Technology Association ( www.iltanet.org ) to find a qualified, trustworthy IT consultant.
ABOUT THE AUTHOR
Melody Finnemore is a Portland-area freelance writer and a frequent contributor to the Bulletin.
© 2012 Melody Finnemore