Protecting your law firm from data breach

General

What’s the worst that can happen?  I used that title for an article on disaster planning I wrote a few years ago.  I just reviewed it and the advice is still sound.  However, someone who receives this e-newsletter to referring attorneys just informed me that he had a data breach at his office.  I decided to re-visit the topic, with an emphasis on protecting your law firm from data breach. 

Law firms deal with sensitive and personal information.  In fact, the entire concept of attorney client privilege is based on secrecy.  Law firms are repositories of Personal Identifiable Information, (PII) which includes names, addresses, dates of birth, and social security numbers.  Because we have clients’ PII, law firms are targets for data thieves.  A recent ABA study found that nearly 1 in 4 firms have been the victim of some sort of data breach, whether from a hacker, lost laptop or web site attack.  What follows are a few things you can do to protect your firm and clients from a data breach. 

Password Management 
I cannot stress strongly enough to create strong passwords for any system or web site which contains PII.  Here are a few things important tips when it comes to passwords:   

  • Do not leave passwords on Post-It notes
  • Do not leave passwords on a piece of paper under a keyboard
  • Do not use the same password for everything
  • Create passwords at least 8 characters long and use numbers, letters and symbols
  • Use random passwords, not something easy for you to remember.

You should also use log in security for your computer.  This way, someone cannot gain access to your computer and files, including your e-mail.  Best practices also suggests changing your password at least every 90 days.  Yes, passwords are a pain, but they are important.  I use a free service called LastPass which allows me to save every password for every site.  With one click, it logs me into the site.  Of course, there is a password to log into LastPass, but all I need to remember is one password.   

Updates 
It is very important to update all of your software.  As soon as a new version of software is released, hackers are trying to find vulnerabilities.  Windows is the most important software to keep up to date.  Most computers automatically update Windows.  To be sure your settings are correct, follow these simple instructions: 

  • Open Control Panel
  • Type Windows Updates in the search bar
  • Click on “Check for Updates”.
  • To check the settings, click on “Change settings”, while in Windows Update 


It’s that easy.  Other programs to update for security vulnerabilities include Microsoft Office, Adobe and Quickbooks.  Updates can be annoying, but be sure to do it automatically, or at least frequently, to avoid being vulnerable to a data breach. 

AntiVirus and Phishing Scams 
We all get e-mails which are obviously scams.  I have previously written about how even lawyers fall for some of them.  But, they all have in common that you, the user, have to do something to make them effective.  AntiVirus software will catch many and being careful in opening or clicking anything in an e-mail will stop others.  But, these thieves only need to trick one person out of the millions of e-mails or viruses they send out to do their damage.  Don’t let it be you. 

WiFi 
For anyone who uses a mobile device, be it laptop, tablet or smart phone, which utilizes WiFi, you must be careful.  WiFi systems alert you that it is a public system and not secure.  Your device warns you it is a public system.  Do not ignore these warnings.  It is very easy for someone to intercept your data between your device and the wireless router as it flows through the air on WiFi.  One of the most notorious attacks of a WiFi system is called a Man in the Middle Attack (MITM Attack).  In simple terms, data from your device gets re-directed to another device before being sent on to the WiFi router.  All of this happens without your knowledge.  As your data passes through the MITM’s computer, your passwords, account numbers, and yes, PII of clients are stolen.  Your browsing experience is not impacted and you are not even aware that your data has been stolen.  Be very careful on unsecure public WiFi. 

Data breach at your firm is not a matter of if, but a matter of when.  Do not think it can’t happen to you.  As my colleague on this e-newsletter demonstrates, it can happen to anyone.  In closing, here’s a great article from the ABA Section on Solo and General Practice for a more in depth look at this topic..