Sharon D. Nelson can describe data security at many law firms in one word: terrible. And that's when she's being kind about it.
"Many law firms still have this head-in-the-sand mentality about information security," says Nelson, an attorney and president of Sensei Enterprises, a legal technology, security, and computer forensics firm based in Fairfax, Virginia. "Firms don't want to spend any money on it. Sometimes, attorneys are too busy making a living to worry about security. Or they're arrogant; they think that 'it can't happen here.' And when it does, they're absolutely panicked."
Nelson literally wrote the book on computer security for the legal trade, coauthoring Locked Down: Information Security for Lawyers, which was recently published by the American Bar Association. She says that the presence of critical client data, coupled with lax security practices, makes law firms an attractive target for thieves. And in fact, as far back as 2009 the FBI began issuing warnings that hackers in the United States and abroad were zeroing in on law firms to steal sensitive client information. Some of that hacking is believed to be sponsored by the Chinese government. Other breaches are pulled off by shadowy groups of cyber-criminals who sell the purloined data to the highest bidder.
And lately so-called hacktivists - politically motivated hackers - have set their sights on law firms. In February, the Anonymous group infiltrated the computer network of Virginia-based law firm Puckett and Faraj, stole sensitive client information, and posted it on the Internet. Anonymous members were angry at the firm because it had defended a Marine sergeant accused of killing two dozen Iraqi civilians. The security breach shook clients' confidence, and the firm has ceased operations.
The computer networks of government agencies and corporations can be tough for hackers to crack, but the information they're after can often be gathered much more easily from the lawyers who represent them. And what juicy stuff it can be! Law firm networks hold everything from the details of a proposed business deal or the inside scoop on a patent to personal financial data.
And it's not just big firms that are being attacked these days. Nelson says she's seen quite a few small practices victimized - and for them the results can be particularly devastating. Once the breach is detected, a security expert must be called in to investigate. Then the hack has to be reported, since 46 states (including California) - along with the District of Columbia, Puerto Rico, and the Virgin Islands - have laws that require people to be notified of security breaches that involve their personal information. (California's notification requirements are covered in Cal. Civ. Code §§ 1798.29 and 1798.82.) By the time Nelson's outfit is called in to investigate, the law firm's network has typically been breached for eight months, on average, without anyone noticing.
Scared yet? Well, a little fear can go a long way toward combating complacency about data security. Fortunately, there are some basic measures that, if consistently applied, will help attorneys protect themselves against a damaging or embarrassing data breach.
Establish a Solid First Line of Defense.
Most large law firms already have security software built into their networks, but solo attorneys and smaller firms that don't should invest in a software package as a first line of defense. It used to be that you had to purchase several different pieces of software to secure your computer against spam, viruses, spyware, and malware. But now, you can buy a single integrated security product that will ward off a broad range of attacks. Several vendors offer packages that are well worth their relatively modest cost: Kaspersky Internet Security 2012 (about $22 online), Trend Micro Titanium Internet Security 2012 (about $13 online), McAfee Internet Security 2012 (about $19 online), and Norton Internet Security (about $50 online). Many of these security packages can be shared by up to three users, making them well suited for a solo or small practice.
Keep Security Software Up-to-Date.
If you installed security software on your PC or network a few years ago, consider buying a new version to protect against the latest viruses and malware. Many of the data breaches at law firms involve known code vulnerabilities that could have been patched had the software been current and still supported with updates.
Conduct an Annual Security Assessment.
Security experts say law firms of all sizes should have an annual security assessment performed by a competent independent company. Don't assume you can leave this assessment to your current IT provider: It may already have overlooked problems and could have a vested interest in declaring your network trouble-free. It's also a good idea to periodically review your in-house security policies, such as who has access to which computers, which websites are off-limits, and how much social networking is permitted on office devices.
Be Password Smart.
If all it takes to get into your firm's computers is an eight-letter password, they're not really protected. These days, an eight-character pass code can be cracked by hackers in less than two hours. And if your password is "password", you've got one of the most common and easiest-to-guess passwords on the planet. It's far safer to have a twelve-character alphanumeric password, which should take more than 17,000 years to crack. A good way to create a twelve-character password you'll remember is to start with a sentence - say, "Safeguarding client data is my fiduciary duty" - and use the first letter (or first two letters) of each word.
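The passphrase method above, worked through as an added example (not code from the article): it builds the password from the first one or two letters of each word, then estimates how long an exhaustive search would take. The guess rate is an assumption chosen for illustration; the article gives none, so the years reported here will not match its figures.

```python
import string

# Assumed offline guess rate (guesses per second) for the estimate below.
# Illustrative figure chosen for this example; the article gives no rate.
GUESS_RATE = 30_000_000

SECONDS_PER_YEAR = 365 * 24 * 3600


def passphrase_to_password(phrase: str, letters_per_word: int = 1) -> str:
    """Take the first N letters of each word, as the article's method suggests."""
    return "".join(word[:letters_per_word] for word in phrase.split())


def alphabet_size(password: str) -> int:
    """Size of the character classes an attacker must cover to hit this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates an exhaustive search must try in the worst case."""
    return alphabet ** length


def worst_case_years(password: str, rate: int = GUESS_RATE) -> float:
    """Time to exhaust the password's keyspace at the assumed guess rate."""
    total = keyspace(len(password), alphabet_size(password))
    return total / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    phrase = "Safeguarding client data is my fiduciary duty"
    for n in (1, 2):
        pw = passphrase_to_password(phrase, n)
        print(f"{n} letter(s) per word -> {pw!r} ({len(pw)} chars), "
              f"~{worst_case_years(pw):.3g} years to exhaust")
```

Running it shows why the article offers the two-letter variant: one letter per word from this sentence yields only seven characters, while two letters per word clears the twelve-character bar comfortably.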
Lock Down Laptops.
Lost or stolen laptops can be an especially serious problem for law firms, because they can give hackers a detailed blueprint for infiltrating the firm's entire network. Many newer laptops ship from the factory with what's known as whole-disk encryption, the prevailing security standard. If you have an older machine, you can get its whole disk encrypted by installing software such as the free TrueCrypt.
Don't Neglect Physical Security.
Even the best electronic safeguards can be undone by careless security on a law firm's premises. Leaving computers up and running on desks where anyone can access them is an invitation to intrusion. Small and solo practices should be especially vigilant about keeping unauthorized folks from getting near the office computers.
In other words, don't put your head in the sand.