7 Cyber Security Practices Lawyers Must Teach Their Clients

In this industry-specific blog post, we take a closer look at what it takes to secure law firms. Personally, I love lawyers...literally. Most of my family are attorneys and my best friends practice the law. Although numerous sites and blogs describe the reasons law firms should take action to secure their internal operations, there is no information on how to secure one of the most important elements … the attorney’s client. The attorney/client digital information interchange is one of the points most vulnerable to data loss. For example, the client will send sensitive documents such as financial spreadsheets and even term sheets, unencrypted, using a public email service.

Why law firms need security (Recap and Reference) 

Attorneys are bound by ethical guidelines set forth by the American Bar Association that dictate they must do all they can to protect their client’s data. The two ABA rules below state this clearly: 

The ABA Rule 1.6 Confidentiality Of Information: (a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b). 

The ABA Model Rule 1.1 – Competence : To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. 

In addition to professional requirements encouraging best cyber security practice, law firms are having to fortify their security infrastructures as they are becoming the de facto target for hackers due to the lucrative nature of the information attorneys possess. For example, a hacker can gather information relating to mergers and acquisitions, intellectual property filings and even criminal proceedings in a manner that allows the hacker to benefit financially. The Teach Privacy initiative has also published a list of why law firms are perfect for hacking here.

But what about the client?

With the unique threats facing law firms, combined with ethical requirements regarding confidentiality, many law firms have already taken steps to fortify their internal operations or have even outsourced security operations to companies specializing in law firm cyber security such as CyberSquire. However, although the law firm’s inward-facing security operations are strong, an often overlooked aspect is the security outside the law firm’s boundaries: the cyber security practices of the clientele the law firm is working with. For example, the law firm could have the most secure document management system complete with the highest level of encryption, but the law firm is forced to send documents unencrypted, where they can be easily hacked using a number of simple techniques, because the client uses an insecure, free public email service.

Thankfully, there are simple, low-cost (many free) ways that attorneys can teach their clients to implement strong cyber security practices to protect the information no matter where it is transmitted and stored.

7 Cyber Security Practices To Help Clients Protect Data

Provide Education

The most important element in a strong cyber security program is awareness and knowledge. Many times, clients are simply not aware that they may need to take steps to protect their data. Therefore, the attorney should clearly describe to them that they need to take extreme caution when transmitting data. This education process could occur by giving the client a brochure, listing the security requirements in their engagement letter or even holding a formal training class. If the law firm does not have a security policy in place, the websites below provide step-by-step guidance and other free resources to set up an effective cyber security program for clients.

FCC Cyber Security For Small Business

US Chamber of Commerce Security Essentials

Stop - Think - Connect Initiative

Encrypt all information

We all have heard it by now...encrypt your data! However, this topic can be complicated and may not be well understood by all clientele. The good thing is that most popular software allows the user to encrypt data without too much effort. Let’s explore the most common (and easiest) ways clients can encrypt their data.

Encrypting office files: The Microsoft Office suite already has built-in encryption for Excel, Word and PowerPoint. This means that clients can encrypt their data with just a few button clicks. The web site below provides step-by-step instructions: See here for steps on encrypting Word, Excel and PowerPoint files.
Encrypting files: If the client needs to encrypt files that do not have a built-in encryption capability, they can use a free utility known as 7-Zip. This utility supports the strongest encryption protocols and provides a simple-to-use interface that allows the client to encrypt any kind of file and even entire folders. There is a great tutorial by Northeastern University here.
Encrypting email: This is one of the most effective ways of protecting sensitive messages because it allows the client and attorney to set up their messaging systems to automatically encrypt both messages and content when sending email. Unlike the previous encryption methods described, this approach uses public key infrastructure (PKI) technology to allow the attorney and client to encrypt messages without the need to share a password. To encrypt messages, a digital certificate is needed by both parties. After acquiring the digital certificate, the attorney and client configure their messaging systems to automatically encrypt messages to one another. This great YouTube video provides step-by-step detail.
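
A firm can also check on receipt whether a client actually applied the file encryption described above. The sketch below is an added example, not part of the original post: `classify_attachment` and `sample_zip` are hypothetical names, the sample files are constructed in memory, and the check is a container-format heuristic (password-protected Office files are wrapped in an OLE container holding an `EncryptedPackage` stream, and password-protected ZIP entries set bit 0 of their flag field).

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file container
SEVENZ_MAGIC = bytes.fromhex("377ABCAF271C")   # 7-Zip archive signature
ZIP_MAGIC = b"PK\x03\x04"
# Password-protected .docx/.xlsx/.pptx contain a stream with this UTF-16LE name.
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")


def classify_attachment(data: bytes) -> str:
    """Return 'encrypted', 'unencrypted' or 'unknown' for a received file."""
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls files are also OLE, so the magic alone proves nothing.
        return "encrypted" if ENC_STREAM in data else "unknown"
    if data.startswith(SEVENZ_MAGIC):
        return "unknown"  # deciding this needs a 7z header parser (not included)
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                files = [i for i in zf.infolist() if not i.is_dir()]
        except zipfile.BadZipFile:
            return "unknown"
        # Bit 0 of the general-purpose flag marks a password-protected entry.
        # A plain .docx/.xlsx/.pptx is a ZIP whose entries never set it.
        if files and all(i.flag_bits & 0x1 for i in files):
            return "encrypted"
        return "unencrypted"
    return "unknown"


def sample_zip(name: str, flagged: bool = False) -> bytes:
    """Constructed sample: a one-entry ZIP; 'flagged' sets the encryption bit
    by hand to mimic a password-protected entry (content stays plaintext)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"constructed sample content")
    raw = bytearray(buf.getvalue())
    if flagged:
        raw[6] |= 0x01                            # local file header flag
        raw[raw.find(b"PK\x01\x02") + 8] |= 0x01  # central directory flag
    return bytes(raw)


if __name__ == "__main__":
    samples = {
        "plain .docx": sample_zip("word/document.xml"),
        "protected zip": sample_zip("terms.pdf", flagged=True),
        "protected .xlsx": OLE_MAGIC + bytes(504) + ENC_STREAM,
    }
    for label, blob in samples.items():
        print(f"{label}: {classify_attachment(blob)}")
```

An "unencrypted" result is the signal to ask the client to resend the document protected; "unknown" means the format needs a closer look.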

Secure Their Mobile Workspace

When a client uses their built-in email client to retrieve messages that contain downloads, the information will be stored in an unprotected space. Therefore, if the device is ever compromised or stolen, the data could be viewed. Thus, if the law firm is sharing sensitive information that could have a large financial impact on the client, the law firm should consider having the client install secure software on their mobile device that creates a secure, encrypted zone that cannot be read by third parties. When this approach is used, the sensitive files cannot be viewed even if the device is lost or compromised.

Use instant messaging that disappears

The built-in mobile texting platforms can allow the client and attorney to communicate extremely fast. Unfortunately, it is well known that these messaging applications are susceptible to being read by third parties. As a countermeasure, there are new messaging technologies, known as ephemeral messaging platforms, that both encrypt the message content and make messages disappear after a short amount of time. Two market leaders in this technology are Vaporstream and Confide. If communication through a text channel must occur, the attorney should consider using one of these platforms to ensure any information sent is secure and is not readable by an unauthorized 3rd party.

Share files securely

Public data storage is extremely low cost these days. For example, there are major providers that allow customers to store multiple gigabytes of data for free. The problem is that there are numerous vulnerabilities that put the stored data at risk of unauthorized access or alteration. Additionally, once the data is uploaded to the cloud, it can never be fully deleted. Therefore, we recommend that, in addition to encryption, the law firm require the client to use a secure file storage platform to share data. If the information is highly sensitive, the firm can even employ platforms specifically designed for encryption and information leakage countermeasures, such as Stash. These platforms encrypt the data as well as implement stronger authentication protocols to ensure only authorized personnel can access the data.

Use multi-factor authentication

If the attorney provides a website or secure file sharing platform for their clients to exchange information, enforce multi-factor authentication to ensure the client uses more than just a password to access the information. Many well known platforms offer this security feature for free. Google provides an easy to understand tutorial here.

Digitally sign documents

Another technique that is not only good cyber security practice, but also streamlines operational efficiency, is the ability to digitally sign documents. This approach allows the client to sign a document using a digital certificate instead of a physical handwritten signature. This can save numerous manual steps while also allowing both parties to instantly determine if the document has been changed in any way after the digital signature has been applied. Digital signing is a feature in the free version of Adobe PDF reader, so it can be used by any client.


These practices are instrumental in helping clientele do their part in securing confidential data to help protect trade secrets as well as ensure the legal process is not manipulated by an unauthorized 3rd party. To get started today, subscribe to our blog and receive a free digital certificate (limited to the first 100 subscribers.)
