Bar News - October 3, 2003
Information Security for Lawyers Part 2: Evolving Threats
By: Toby Brown
Editor's note: The following is part two of a two-part article on computer security and how to ensure that your law office technology is protected. Part one appeared in the Sept. 19, 2003 issue of Bar News, which can be found in the Publications/Archives section of this site.
Lawyers need to protect client data. Since security threats are constantly evolving, so should your approach.
One possible approach is to use your engagement letter as a means of communicating your information security policies. Let your clients know you take special care of their electronic data. Show them how you use technology and how you adapt to changing security threats. The standard of care for protecting client information will continue to evolve. As you change with it, keep your clients informed of your active role in protecting their data.
Emerging Threats
To highlight the evolution of threats to information security, let's look at some of the newer hazards.
Perhaps the most significant emerging threat has to do with wireless technology. For about $100, you can easily add a wireless access point to your network. Wireless access is very useful, since you can reach the network and the Internet with wireless-enabled laptops throughout your office. The problem is that many access points ship with default settings that provide no (or little) security: no encryption, and an administrator password that is printed in the manual and known to everyone. This means that anyone passing by with a wireless device can connect to your network, and because radio does not stop at your walls, "passing by" includes the parking lot and the building next door. In larger metropolitan areas, enthusiasts enjoy a sport called "war driving," in which they drive around looking for open wireless access points. Once on a network, they might just "borrow" some bandwidth, or they may do something far worse, such as reading the files on your shared drives. Good policy is to treat every access point as an open door until it is configured: change the default administrator password, turn on the strongest encryption and authentication the device supports, and check periodically that no one has plugged in an access point you do not know about.
Another emerging problem has to do with PDAs, cell phones and other mobile devices. Lawyers who use these tools effectively end up carrying a lot of client information on them. If a device is not password-protected, losing it (or having it stolen) exposes whatever client data it holds. Make sure all mobile devices are password-protected.
The last emerging issue, identity assurance and protection, is still embryonic. It is possible to "spoof" another's identity online: the sender's address on an e-mail, for example, can be set to anything, so a message that appears to come from your client may not have. How do you know that the last e-mail you sent went to your client and not to someone else, or that the reply really came from the client? This issue will grow in importance as transactions move online.
A final security issue, which has been around for a while but is just hitting the radar screens, has to do with discarded hardware. This past year, a number of MIT graduate students purchased used hard drives over the Internet as a class project. They were researching what kind of data might exist on discarded hard drives. Approximately 80 percent of the drives had retrievable data, and a portion of the data they found contained personally identifiable information (e.g., bank account numbers, Social Security numbers, etc.). Oops! I'll let you guess the type of policy you should have for dealing with computers that are retired from your network. One hint: deleting files, or even reformatting the drive, does not remove the data. A drive that leaves your control should be completely overwritten or physically destroyed first.
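To make the discarded-drive point concrete, here is an added example (not from the article, and not the MIT students' code) that simulates a tiny disk image. The file names, the toy directory layout and the sample client data are all constructed for the demonstration. "Deleting" a file clears only its directory entry, as most file systems do, so a raw scan of the bytes still finds the Social Security and account numbers; only overwriting the whole disk removes them.

```python
"""Why 'deleted' data on a retired drive is still recoverable (constructed demo).

The disk is a bytearray: sector 0 holds a crude directory of 16-byte entries,
sectors 1.. hold file contents. Nothing here is a real file system; the layout
is an assumption made for illustration.
"""
import re

SECTOR = 64
N_SECTORS = 16
DIR_ENTRY = 16
MAX_FILES = SECTOR // DIR_ENTRY  # four directory entries fit in sector 0

# Patterns a researcher might carve out of a raw image (constructed for the demo).
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
ACCT_RE = re.compile(rb"\bACCT[- ]?\d{8,12}\b")


def new_disk():
    """An empty disk image: every byte zero."""
    return bytearray(SECTOR * N_SECTORS)


def write_file(disk, index, name, data):
    """Store `data` in data sector index+1 and record it in directory slot `index`."""
    if not 0 <= index < MAX_FILES or len(data) > SECTOR:
        raise ValueError("file does not fit")
    sector = index + 1
    # entry = 15 bytes of name (NUL padded) + 1 byte sector number
    entry = name.encode()[: DIR_ENTRY - 1].ljust(DIR_ENTRY - 1, b"\0") + bytes([sector])
    disk[index * DIR_ENTRY:(index + 1) * DIR_ENTRY] = entry
    disk[sector * SECTOR: sector * SECTOR + len(data)] = data


def list_files(disk):
    """What the operating system shows the user: only files with a directory entry."""
    names = []
    for i in range(MAX_FILES):
        entry = disk[i * DIR_ENTRY:(i + 1) * DIR_ENTRY]
        name = bytes(entry[:-1]).rstrip(b"\0")
        if name:
            names.append(name.decode())
    return names


def delete_file(disk, index):
    """'Delete' the way a typical file system does: clear only the directory entry.

    The file's bytes in its data sector are untouched until something overwrites them.
    """
    disk[index * DIR_ENTRY:(index + 1) * DIR_ENTRY] = bytes(DIR_ENTRY)


def carve_pii(disk):
    """Ignore the directory entirely and scan the raw bytes, as a buyer of a used drive could."""
    raw = bytes(disk)
    found = [m.group().decode() for m in SSN_RE.finditer(raw)]
    found += [m.group().decode() for m in ACCT_RE.finditer(raw)]
    return sorted(found)


def sanitize(disk):
    """Overwrite every sector, directory included, with a pattern and then zeros.

    On a real drive this is the job of a disk-wiping tool run against the whole
    device, not a file-by-file delete.
    """
    disk[:] = b"\xff" * len(disk)
    disk[:] = bytes(len(disk))


def demo():
    """Return (files before delete, (files, carved PII) after delete, (files, carved PII) after wipe)."""
    disk = new_disk()
    write_file(disk, 0, "client_a.txt", b"Jane Doe SSN 123-45-6789 retainer paid")
    write_file(disk, 1, "bank.txt", b"Trust account ACCT 0012345678 wire")
    before = list_files(disk)
    delete_file(disk, 0)
    delete_file(disk, 1)
    after_delete = (list_files(disk), carve_pii(disk))
    sanitize(disk)
    after_wipe = (list_files(disk), carve_pii(disk))
    return before, after_delete, after_wipe


if __name__ == "__main__":
    for label, result in zip(("before", "after delete", "after wipe"), demo()):
        print(label, result)
```

After the deletes the directory is empty, so the operating system would report an empty disk, yet the raw scan still returns both numbers. After `sanitize` both the listing and the scan are empty. The same distinction applies to a real drive: a retirement policy has to specify a whole-device overwrite or physical destruction, not "delete the client folders."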
Where to Start?
The first step in dealing with your computer security will be figuring out where you currently stand. There are two possible approaches: hire someone, or try it yourself. For Windows networks, Microsoft offers a free downloadable program called the Microsoft Baseline Security Analyzer (MBSA). Running MBSA against a computer produces a list of security problems, such as missing security updates and risky default settings, along with options for curing them. If you have adequate IT staffing, you may want to take this path. However, consider that you are a law firm (or department) and your expertise is in practicing law. You may be much better off hiring an outside security firm to perform this analysis.
Once you know your security status and have plugged the holes, you should turn to vigilance: new vulnerabilities are announced constantly, and a system that was secure last month may not be this month. Again you can work on this yourself or hire it out. There are services and database products for monitoring evolving security threats and updating your systems to address them.1
The Policy Wrap-Up
Think about all of the policies you have, or should have, for managing information. How is your technology managed? When is information archived and/or destroyed? How is staff managed? What are they allowed to access on the network? These questions and more should be asked and answered to ensure the ongoing security of your and your clients' information.
Conclusions
Where does all this security information leave you, as a lawyer? First, there is most definitely cause for concern. With computer security threats so pervasive and dynamic, lawyers need to take an active role in ensuring the security of their computers. These efforts will come in the form of solid policies that drive effective security practices. Such an approach will go a long way towards protecting the integrity of client information.
1. See Citadel's Hercules product - www.citadel.com.
Toby Brown wears a variety of technology and legal management hats. He is the president of Roberts Brown LLC, a legal technology consulting firm. In this role he provides advice and consulting on emerging technologies for bar associations and lawyers, including a consortium of state bar associations in New England.