Skip to Content
  • Home
  • About the Bar
  • Mission
  • Forms
  • Sitemap
    • Member Directory
      Last Name:
      First Name:
      Bar Number:
      City:


    • Login
OSB Logo

Oregon State Bar Bulletin — OCTOBER 2012







Related Sidebar Articles

E-Security Pros Offer 15 Tips to Help Law
Firms Better Protect Sensitive Data


Two years ago, Ryan Schlunz was managing information technology for a large East Coast law firm with offices in New York and abroad. He saw firsthand just how tenuous a law firm’s electronic security can be as news of breaches at high-profile firms made national headlines.

Law firm electronic security, or “e-security,” has taken center stage nationally and is a frequent topic of practice management seminars and publications. The American Bar Association and its practice management journals continually advise members how to improve their e-security, as do other national legal publications, blogs and social media sites. Horror stories about large U.S. law firms being hacked — in several cases by Chinese and other foreign entities seeking to derail corporate transactions — and confidential information being stolen or lost have fueled the national discussion.

Many of Oregon’s larger firms have taken notice and either hired a chief information officer or similar internal IT manager or contracted with consultants to make sure they are adequately protected. Stoel Rives hired Schlunz as its chief information officer about 18 months ago as part of its strategy to consolidate its information management and technology systems and conduct several system overhauls designed to better serve — and protect — its clients. One of the growing cadre of IT professionals charged with enhancing law firms’ e-security, Schlunz points out that it’s simply a new way of conducting an old practice.

“Security has been at the forefront for law firms for hundreds of years. We’ve always needed to protect our clients’ information and confidentiality,” he says. “What has changed in the last decade is the availability of that information. And if law firms haven’t already started looking at this by now, they are way behind the trend.”

A New Perspective on Protecting Assets
Stoel Rives reorganized its IT department in the summer of 2011 to focus on engineering reliable and secure technology that helps the firm better support its clients anytime and anywhere they need its legal services. Through the reorganization, the firm added three senior management positions to help develop its technology strategy: a network operations and security manager, an enterprise applications manager, and a desktop and remote access engineering manager.

In addition, the firm recently hired a new training manager and is reorganizing its training on how employees should use technology to better serve their clients. “This will also help us raise awareness about security and how to minimize any efficiency issues that may arise as a result of a newly implemented security policy or procedure,” Schlunz says.

Aaron Starr manages information technology for Gevurtz Menashe Larson & Howe and provides consulting services for Barran Liebman. He says he has seen a sea change in attitudes about e-security since he began working with law firms in 1999 as a database administrator.

“IT managers are now being taken a lot more seriously when it comes to these kinds of threats, and law firms have really started to realize that their electronic assets are almost more important than their paper assets,” he says. “Much like paper assets that you would put under lock and key, you need to do the same with your electronic data.”

Andy Kitchen, firm administrator for Bullard Law, says the first question firms need to consider when bolstering their e-security is where they are going to store sensitive information, such as on their own servers or in the cloud. Then they must determine what kind of encryption system they will use to protect that storage.

“We store our information on our own servers and it’s a closed loop, so the biggest point of access is email because it’s being sent out to other places,” he says, noting Bullard’s security measures include programs that scan all email to remove metadata before messages go out and block malware, viruses and other damaging elements as messages come in.

“Encrypted email is another trend and our firm is discussing whether it’s worth it. It’s an additional layer of security, but it’s not exactly convenient for the clients,” Kitchen says.

Michael Shufeldt, director of information technology for Cosgrave Vergeer Kester, says his firm’s e-security measures include multiple layers of security internally and an additional cloud-based layer for email scanning. And Jordan Ramis conducts auditing and logging of events and information associated with Internet communications.

Full disclosure is another key piece of e-security, from information to clients about protections that are in place to reporting security breaches when they happen. Eugene firms like the Corson & Johnson Law Firm and sole practitioner Daniel Gordon provide detailed explanations of their client privacy and information protection policies on their websites, and how client information provided through email and electronic contact forms may and may not be used. Others, like Bend lawyer Warren West and Anderson Law, which has offices in Bend, McMinnville and Portland, caution potential clients that confidential and time-sensitive information should not be submitted electronically because of potential security issues online.

Salem firm Sherman Sherman Johnnie & Hoyt advises its clients to consider “cyber insurance” because most general liability insurance policies do not cover the loss of electronic data. E-security experts suggest law firms follow suit and purchase insurance that specifically protects against such losses.

A Eugene firm that asked to remain anonymous says its biggest e-security challenge is keeping up with new issues and requirements as technology evolves and new threats are discovered.

“This requires special vigilance. Technology changes quickly and security needs to follow,” says the firm’s IT manager. “We devote significant resources to be up to date. Most recently we have updated our written procedures for securing portable data on thumb drives, smart phones and tablets.”

As the range of e-security considerations and protection measures evolve, so do the Oregon State Bar’s ethics guidelines on how to protect client information. Recent ethics opinions include how to handle the disclosure of metadata, what to do about misdirected attorney-client email, and how to ensure the safe, third-party electronic storage of client information, among other issues.

Mobile Devices Generate Growing Problem
Even with so many measures in place, however, data leakage is still the biggest concern for most law firms. Starr says leakage can occur through intentional methods such as a virus or malware or theft when an employee burns information onto a disk or flash drive and steals it. It can also happen accidentally if an employee inadvertently uploads information to a social media site.

“Gone are the days when you could just throw things on a server or a computer at work and know that that data will sit there forever or that it will never go outside the four walls of your firm. That just doesn’t exist anymore,” he says. “The biggest factor in controlling data leakage is knowing where all of your firm data is at all times.”

Starr says that includes secure offsite backup storage, transported in a secure method, and using industry-standard methods of securely destroying data on decommissioned equipment — from traditional workstations to mobile devices, external storage, server storage and flash memory. Law firms also should have strict policies on accessing firm data remotely, he says.

The biggest potential e-security threat, most IT professionals agree, is posed by mobile devices. Starr, Schlunz and Kitchen all say laptops, smart phones, tablets and other similar devices can be a ticking time bomb if an employee uploads client information onto them.

“That is a definite concern and we have specific protocols that I’m sure other firms have in place as well,” Kitchen says. “What we’ve done … is make it so that all of our notebooks now access our servers. Nothing goes on the hard drive, and we made that switch about a year ago.”

National e-security experts Sharon Nelson and John Simek point out that most smart phones write some amount of data to the phone, and opening a client document may write it to the smart phone whether or not it gets saved.

“The iPhone is particularly data rich. Make sure you have a PIN for your phone. This is a fundamental protection,” they advise. “Don’t use ‘swiping’ to protect your phone, as thieves can discern the swipe the vast majority of the time due to the oils from your fingers. Also, make sure that you can wipe the data remotely if you lose your phone.” (See sidebar for more e-security tips.)

Traci Ray, director of marketing, client services and events for Barran Liebman, says the firm is determined to prevent data leakage at every level, and specifically through mobile and tablet devices. Barran Liebman enforces strong pass code policies on all of its mobile devices, coupled with a centralized tool to control and remotely wipe devices.

Teri Miller, marketing director at Jordan Ramis, notes that the increased use of the iPad as a business tool has made keeping sensitive information inside the corporate network even more challenging.

“If you are typing notes from a business meeting on your iPad, those notes are being backed up on the iCloud — essentially, someone else’s server. The data is no longer on your corporate network, and you are no longer solely in custody of it,” she says.

Miller says other e-security challenges include evaluating new technology before it is implemented, particularly in light of where and how sensitive data is stored, and keeping abreast of new attack methods used on the Internet. Another ongoing concern is the need to back up critical information to allow for fast recovery in case of data loss

Solo and Small Firms Face Unique Difficulties
E-security can be particularly troublesome for solo and small law firms, many of which cannot afford IT staff. Lorena Reynolds, partner at the Reynolds Law Firm in Corvallis, says her 13-employee firm does not include a chief information officer. However, the firm does contract with an IT consultant whose services include attempting to hack into her e-security system to ensure its integrity.

In addition, only the firm’s three attorneys can access information from a small group of designated remote locations. No client information may be downloaded onto laptops or flash drives. And all data is password protected and stored on a secure server, Reynolds says.

“I think if I were trying to manage all these details I would be completely overwhelmed,” she notes. “But I have someone I trust who has worked with other businesses that have these same concerns, so I feel very comfortable with him.”

Myah Osher, a solo attorney and chair of the bar’s Solo and Small Firm section, says she reads up as much as she can about e-security issues and her husband’s work for a small software company helps educate her as well. Still, managing her firm’s information technology is yet another demanding — and often frustrating — element of running a practice.

“Security is a huge matter of stress for small firms and solos, whether they know a lot about it or have a lack thereof,” Osher says. “Those who know more about it tend to be lackadaisical because they assume it will always be a problem. And others are stressed because they don’t know enough about it. I think most people fall into the category of being nervous about it because we are lawyers and not technology people.”

For her part, Osher now converts all of her documents into PDFs that cannot be altered and also to prevent access to metadata. She avoids using Google for email because of the company’s electronic storage policy, and she hesitates to use Dropbox because she’s unsure of where that data is stored.

“For functionality, it’s really a constant struggle. It’s so much easier to upload things to Dropbox or other formats where you have access to it anywhere, but you don’t want it to be available for just anyone to see,” Osher says. “For a solo or small firm, efficiency is the key to not being stressed, and it’s really frustrating to not be able to just upload things.”

As an additional precaution, Osher backs up her information on her own server and uses a computer that isn’t linked elsewhere.

“It’s a double-edged sword because, on one hand, I’m worried about losing data and, on the other hand, I’m worried about client confidentiality,” she says.

While Osher acknowledges that it would be helpful to hire an IT person, other priorities come first. “Honestly, before I hire IT staff I’m going to need to hire a paralegal or other administrative support staff,” she says.

Schlunz empathizes with small firms and solo lawyers who cannot afford IT staff, but encourages them to partner with a good information technology consultant. He advises small firm owners and solo attorneys to work with the International Legal Technology Association ( www.iltanet.org ) to find a qualified, trustworthy IT consultant.

 

ABOUT THE AUTHOR
Melody Finnemore is a Portland-area freelance writer and a frequent contributor to the Bulletin.

© 2012 Melody Finnemore


— return to top
— return to Table of Contents



  • For The Public

      Public Legal Information

    • Public Information Home
    • Legal Information Topics
    • Oregon Juror Guide
    • Submit Ethics Complaint

    • Getting Legal Help

    • Finding The Right Lawyer
    • Hiring A Lawyer
    • Lawyers Fees

    • Client Services

    • Client Assistance Office
    • Client Security Fund
    • Fee Dispute Resolution
    • Public Records Request
    • Locating Attorney Files

    • Unlawful Practice of Law

    • UPL Information
    • UPL FAQ

    • Volunteer Opportunities

    • Public Member Application
  • For Members

    OSB Login

    • Log In To OSB Site
    • Member Account Setup
    • Non-Member Account Setup
    • Reset Password

    OSB Resources

    • Attorney's Marketplace
    • Career Center
    • Events
    • Forms Library
    • Online Resources
    • OSB Group Listings
    • Performance Standards
    • Rules Regulations and Policies
    • Surveys and Research Reports
    • Unclaimed Client Funds
    • Voting Regions and By-City
      County Information

    Fastcase™

    • Log in to Fastcase
    • Overview
    • Scheduled Webinars
    • Inactive Member Subscriptions

    Legal Ethics

    • Legal Ethics Home
    • Find an Ethics Opinion
    • Bulletin Bar Counsel Archive

    Company Administrator

    • Company Administrator Home
    • Company Administrator FAQ
    • Authorization Form

    State Lawyers
    Assistance Committee

    • SLAC Info

    Volunteering

    • Volunteer Opportunities

    Court Information

    • Judicial Vacancies
    • Court Info | Calendars | Jury Info
    • Oregon Attorneys
      in Federal Court
    • Tribal Courts of Oregon

    OSB Publications

    • Bar Bulletin Magazine
    • – Bulletin Archive
    • – Legal Writer Archive
    • Capitol Insider
    • Disciplinary Board Reporter

    PLF Programs

    • (OAAP) Oregon Attorney
      Assistance Program
    • Practice Management Attorneys
    • Malpractice Coverage
  • CLE/Legal Publications

    CLE Seminars

    • CLE Seminars Home
    • Online Seminar Registration
    • General Info/FAQ

    My Account

    • My Content
    • My Events
    • Order History

    Legal Publications

    • Legal Publications Home
    • Log in to BarBooks®
    • BarBooks® FAQ
    • Online Bookstore
    • Legal Pubs Blog
  • Bar Programs

    Diversity & Inclusion

    • Diversity & Inclusion Home
    • Diversity Story Wall
    • D&I Programs
    • ACDI Roster
    • D&I Staff Contacts
    • D&I Links

    Legislative/Public Affairs

    • Legislative Home
    • Committee Contacts
    • Legislative Sessions
    • Staff Contacts
    • Useful Links

    Legal Services Program

    • LSP Home

    Oregon Law Foundation

    • OLF Home
    • Partners in Justice

    Fee Dispute Resolution

    • Fee Dispute Resolution Home

    Pro Bono

    • Pro Bono Home
    • Pro Bono Reporting
    • Volunteer Opportunities

    Lawyer Referral and Information Services

    • RIS Login
    • Summary of Referral and Information Services Programs
    • Lawyer Referral Service Info and Registration Forms
    • Modest Means Program Registration Forms
    • Military Assistance Panel Training Info and Registration Form
    • Problem Solvers Registration Form
    • Lawyer To Lawyer Registration Form

    (LRAP) Loan Repayment Assistance Program

    • LRAP Home
    • LRAP FAQ
    • LRAP Policies
  • Member Groups

    Sections

    • Section Info/Websites
    • Joining Sections
    • CLE Registration Services
    • Standard Section Bylaws (PDF)
    • Leadership Resources
    • Treasurers Tools

    Committees

    • Home
    • Leadership Resources
    • Professionalism Commission
    • Volunteer Opportunities

    House of Delegates

    • HOD Home
    • HOD Resources
    • Meetings
    • Rules (PDF)
    • Roster (PDF)
    • Staff Contacts

    Board of Governors

    • BOG Home
    • Meetings & Agendas
    • Members
    • Liaisons
    • Committees
    • Resources
    • Task Forces

    Oregon New Lawyers Division

    • ONLD Home
    • Law Students
    • Student Loan Repayment
    • Committees
    • Upcoming Events

    Task Forces and Special Committees

    • Task Forces Home

    Volunteer Bars

    • List/Contacts
    • Leadership Resources

    Volunteering

    • Volunteer Opportunities
  • Licensing/Compliance

    Admissions

    • Admissions Home
    • Alternative Admittance
    • Applicants for Admission
    • Admissions Forms
    • Past Bar Exam Results

    Supervised Practice Portfolio Examination

    • SPPE Home

    Licensed Paralegal Program

    • LP Home

    Lawyer Discipline

    • Discipline Home
    • Disciplinary Board Reporter
    • Disciplinary Boards
    • Client Assistance Office
    • (SPRB) State Professional Responsibility Board

    Membership Records

    • Address Changes
    • Good Standing Certificate
    • Request Discipline File Review

    MCLE

    • MCLE Home
    • Program Database
    • Forms
    • Rules (PDF)

    IOLTA Reporting

    • IOLTA Home
    • IOLTA FAQ

    Licensing Fees

    • Licensing Fee FAQ
    • Licensing Fee Payment

    Status Changes

    • Status Changes FAQ
    • Inactive Status Form
    • Retired Status Form
    • Active Pro Bono Status Form
    • Reinstatement Forms
    • Resignation Form A
    • Pending Reinstatements

    Unlawful Practice of Law

    • UPL Information
    • UPL FAQ

    Pro Hac Vice/Arbitration

    • Pro Hac Vice
    • Arbitration

    New Lawyer Mentoring Program

    • New Lawyer Mentoring Program Home

    Professional Liability Fund

    • Professional Liability
      Fund Website
For The Public

Public Information Home
Legal Information Topics
Oregon Juror Guide
Finding The Right Lawyer
Hiring A Lawyer
Lawyers Fees
Client Assistance Office
Public Records Request
Unlawful Practice of Law
Fee Dispute Resolution
Client Security Fund
Volunteer Opportunities
for the Public

For Members

BarBooks®
Bulletin Archive
Career Center
Fastcase™
Judicial Vacancies
Legal Ethics Opinions
OSB Group Listings
OSB Login
OSB Rules & Regs
SLAC Info
Surveys and Reports
Volunteer Opportunities

CLE/Legal Pubs

CLE Seminars Home
Legal Publications Home

Bar Programs

Diversity & Inclusion
Fee Arbitration/Mediation
Legal Services Program
Legislative/Public Affairs
Loan Repayment
Assistance Program

Oregon Law Foundation
Pro Bono

Member Groups

Board of Governors
Committees
House of Delegates
Volunteer Bars
Oregon New
Lawyers Division

OSB Sections
Professionalism
Commission

Volunteer Opportunities

About The Bar

About the Bar
ADA Notice
Contact Info
Copyright Notice
Directions to the Bar
Meeting Room Rentals
Mission Statement
OSB Job Opportunities
Privacy Policy
Staff Directory
Terms of Use

Licensing/Compliance

Admissions
Client Assistance Office
Client Security Fund
IOLTA Reporting
Lawyer Discipline
MCLE
Member Fee FAQ
New Lawyer
Mentoring Program

Professional Liability Fund
Status Changes

Oregon State Bar Center

Phone: (503) 620-0222
Toll-free in Oregon: (800) 452-8260
Facsimile: (503) 684-1366

Building Location:
16037 SW Upper Boones Ferry Road
Tigard, OR 97224

Mailing Address:
PO Box 231935
Tigard, OR 97281

Oregon State Bar location Map

Copyright ©1997 Oregon State Bar  ®All rights reserved | ADA Notice | Mission Statement | Privacy Policy | Terms of Use