See also: Law Office Management Committee Standard #4 – Maintenance and backup of electronic data
The theft, loss, or destruction of practice-related data is disruptive, stressful, and financially draining to you. If that data belongs to, or impacts your client, this breach of confidentiality might result in a negligence claim against you, an investigation and fine under PIPEDA (Personal Information Protection and Electronic Documents Act), and/or a legal ethics and professional responsibility complaint.
Therefore, it is important that you take steps to safeguard your own and your client’s information. Implement a security policy for your office that covers your electronic data as well as your paper files.
There are many issues to consider when developing your policy, including the use of wireless connectivity without first ensuring that all possible security features are in place. Without these features in place, serious problems can result. This was seen in Edmonton recently, when an unprotected computer server in a downtown law firm allowed an employee in a neighbouring building to access hundreds of client files that included personal information. The lawyer had set up a wireless system himself and thought it was secured by encrypted password. It was not. Alberta’s Privacy Commissioner ordered an investigation into this security breach.
Electronic data protection
Many of us have a healthy skepticism about flying in “the Cloud”. We worry about our client information being compromised and tend to keep our data stored a little closer to home. So imagine arriving to work one day, turning on your computer and instead of accessing your client files, a digital ransom note appears: “If you pay our ransom demands, we will restore access to your computer.”
This scenario may sound far-fetched but it’s what a law firm in Alberta recently encountered. Its lawyers were the victims of a “ransomware” attack in which hackers burrowed deeply into their computer network, infiltrating and encrypting their electronic records. No cloud required.
This kind of attack on your system can be mitigated by ensuring your system has up-to-date antivirus software and anti-spyware software. Ensure that you install the updates and patches released by the software manufacturer. Back up your data regularly and store that backup off-site to minimize the harm of blocked access. Get a good firewall in place or use a network security gateway. If you don’t know how to do all of this yourself, talk to a computer professional about these and other recommendations for your system.
LIANS has reported at various times about email users (Yahoo! Mail and others) having their accounts compromised after a hacker retrieved passwords from the cookies stored in computer browsers. Hackers use this access to forward an email containing a malicious link to the yahoo account’s address book contacts.
This kind of attack can be avoided by using a strong password and changing your password on a regular basis. A “strong” password is 12 to 15 characters in length and contains a number, a special character and a capital letter. You might try using a song phrase or motto. According to Splashdata, the most vulnerable (weakest) passwords are: password, 123456; 12345678; abc123; qwerty; monkey; letmein; dragon; 11111; and baseball.
Online hackers have also threatened lawyers’ bank accounts. You should ensure that your trust account is “read only” internet access. Regular monitoring of your accounts will alert you to suspicious transactions. In Manitoba, a hacker gained access to a law firm’s general account, set up an automatic transfer of $5,000 to another bank and then transferred money to a prepaid credit card. They did the same thing the following day. Because the accounts were monitored regularly, the firm’s bookkeeper caught the transactions on the second day. The firm then froze the online access, changed its password and reported the incident to the bank and the RCMP.
As these examples demonstrate, data protection – whether it is your firm’s data or your clients’ – is becoming a much higher priority for lawyers and law firms. Data loss can be as simple as losing a document that took you hours to create, or as catastrophic as losing all data due to a virus or a server crash. A hacker can not only cause you to lose data, but can damage your reputation as well.
Here are the top 10 ways you can protect your data and prevent this from happening to you:
- Maintain physical security: lock your office door, file room and your server doors when you leave at night, or lock away sensitive information if you have afterhours cleaning staff. If you have a laptop, either bring it with you at the end of day or lock it away. Avoid putting printers and fax machines in high-traffic areas – consider putting them in your file room or another room with a locked door.
- Maintain virtual security: password protect your laptop and smartphone. This way if you leave your device behind in a washroom or taxi, you won’t have the added worry of someone accessing your private information. To password protect your laptop: to go the start menu > control panel > User Accounts > create password. On your smartphone, go to settings or options > security > Screen lock (exact words may vary).
- Protect your computer by using an operating system that requires users to be “authenticated”. This can restrict what individual users can see and do on the computer.
- Use strong passwords and change them regularly.
- Back it up: back up your data, and test your backups regularly. Make sure to back up your email as well.
- Keep a copy of your data offsite: if you’re not ready to store information in the Cloud, you can use an external hard drive for data backup. They are portable, inexpensive, and can store a large volume of data. In fact, buy two.
- Update! Make sure you have the latest updates for your software, including virus and malware protection software and, if the feature is available, have it set up for automatic software updates. Some malware poses as virus scanning software – know the name of your software and if another program is asking to scan your computer for viruses – just say no.
- Don’t blindly trust your email: heed the LIANS warnings and don’t click on any suspicious links, even if the email appears to have been sent to you buy a friend. If your email reader is set up to automatically open attachments, you should disable it and always run attachments through your virus scanner first.
- Perform regular maintenance: familiarize yourself with a disk-scanning program, how to defragment your hard drive, or whatever maintenance your system may need. These will keep your system running smoothly and prevent little problems from turning into big ones.
- Google yourself regularly: You never know when someone might be using your picture or personal information on a website.
Additional Tips
- Don’t open an email if you have any reservations about its source or content
- Do not leave laptop unattended; do not check it as luggage; watch it carefully as it is passed through any x-ray devices
- Do not leave laptop or other devices in your car if at all possible; if you must leave it in the car place in the trunk before you arrive at your destination; keep your car locked at all times
- Physically secure laptops with a lock and store in a locked file room or cabinet
- Discuss with your staff and client the risks of communicating via email, cell phone and cordless phone. Get your clients written instructions on these methods of communication and comply with them
- Do not share passwords
- Use strong passwords
- Change passwords at least every three to four months
- Update antivirus software regularly
- Use spam filters
- Do not open phishing emails. These types of emails often look like they are coming from reputable financial institutions.
- Require dual authentication from non-secure remote location
- Implement an Internet use policy that limits employee use of the internet
- Limit employees access to data
- Monitor dissatisfied employees closely – always take care with current and departing employees
- Eliminate metadata from documents before transmitting
- Have someone perform a security audit on all systems including phone and voicemail systems
- Add a confidentiality statement to the signature line of your emails
- Where possible use a landline for confidential telephone communications
- Do not fill in the name of your email recipient until you have read email in its entirety for grammar content and spelling. Check the named recipient before hitting the send button
- Do not use wireless without enabling all the security features
- Scrub computers before disposing them
- Treat electronic files with the care you would show to paper ones
- Do not tape passwords to monitors or inside desk drawer
Email: Compromised or spoofed?
Lately there seems to be an increase in what the IT industry calls “spoofing”. Spoofing occurs when a spammer uses your email address in the email header to make it appear as though the email originated from your account. This may result in a deluge of bounced email alerts going to your inbox and you become aware that your email address is being used to circulate spam. Spammers spoof email addresses to fool spam filters into letting the message through; the recipient is also more likely to open an email message from someone they recognize.
If this has happened to you, your first step is to ensure your email account or computer has not been infected or compromised in some way by malware or a phishing attack. Next, change your password to ensure your account is still protected. Unfortunately there is not much you can do once your email address is being spoofed; however, there are ways to protect your account:
- Use your primary email account to communicate with people you know and trust;
- Do not share your work email account when accessing a website or for posting information in a public forum. Instead use a personal account, like Hotmail or Gmail.
- Lastly, if you become aware that your email address is being spoofed, notify the recipients as soon as possible so they know that the email messages did not originate from your account.