Another day, another [insert one] cyber attack, vulnerability, hack, malware, data breach, network insecurity, or other potential compromise to one’s online safety. It’s a war zone out there, and we are the innocent bystanders. Time for the innocent bystanders to form a neighborhood watch.
All kidding aside, when you venture online, you risk exposing yourself and your data to compromise. Your own personal data is one thing. Personal data over which you may have a heightened obligation to protect is another entity entirely. In the comments to Rule 1.6 of the ABA Model Rules, it is noted that:
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Last month, the crisis du jour went by the name of Heartbleed: an ominous-sounding name for an ominous bug in a security protocol known as OpenSSL. You may know what SSL means – Secure Sockets Layer – a means of encrypting data as it passes from your local device to an online destination, ostensibly protecting it from inadvertent disclosure or third-party snooping or hacking. Well, sort of. In the case of OpenSSL, an open source protocol benefiting from the universe of online developers who volunteer to advance its cause, one of the “advancements” resulted in a bug that permits data to leak during transmission. The vulnerable data is information held in temporary memory on your device, such as passwords and browsing history. So, as you can imagine, if you have been using a site over the past two years (the time frame during which the bug has been active) that employed OpenSSL, theoretically someone exploiting the bug could have viewed your passwords and browsing history. The NSA has been doing so; why not teenage hackers from around the globe? As of May 2, 2014, 0.8% of the 200,000 most popular TLS-enabled websites were still vulnerable to Heartbleed. Even more surprising: almost half of the individuals affected have not yet changed their passwords on affected sites, according to a Pew Research Center report.
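The defect behind Heartbleed was in the TLS "heartbeat" feature: a program received a small keep-alive message carrying a claimed payload length, and answered by copying back that many bytes without checking that the message actually contained that many. Whatever happened to sit next to the message in memory came back with the reply. The following is an added illustration written for this post, not OpenSSL's code; the "memory" layout and the secret neighbouring data are constructed, and the fixed handler shows the shape of the check the patch added.

```python
"""Toy model of the Heartbleed defect: the answering side trusts the length
claimed inside a heartbeat request and copies that many bytes back, even when
the request's real payload is far shorter. Constructed example, not OpenSSL."""
import struct
from typing import Optional

# Constructed stand-in for unrelated data the same process happens to hold
# right after the request in memory. Not a real credential.
SECRET_NEIGHBOUR = b"session_cookie=abc123; password=hunter2"


def build_request(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat request: 2-byte big-endian claimed length, then the payload.
    Nothing stops a sender from claiming a length larger than the payload."""
    return struct.pack(">H", claimed_len) + payload


def make_memory(request: bytes) -> bytes:
    """Lay the request out directly in front of the neighbouring secret data,
    as a process's heap might. Simulates memory; no real over-read occurs."""
    return request + SECRET_NEIGHBOUR


def vulnerable_reply(memory: bytes) -> bytes:
    """Pre-patch behaviour: echo `claimed_len` bytes starting at the payload,
    never checking how many bytes actually arrived. Reads past the request."""
    (claimed_len,) = struct.unpack(">H", memory[:2])
    return memory[2:2 + claimed_len]


def fixed_reply(memory: bytes, request_len: int) -> Optional[bytes]:
    """Patched behaviour: the claimed length must fit inside the bytes that
    actually arrived in this request (`request_len`); otherwise discard it."""
    (claimed_len,) = struct.unpack(">H", memory[:2])
    if 2 + claimed_len > request_len:
        return None          # malformed: claimed more than was sent
    return memory[2:2 + claimed_len]


if __name__ == "__main__":
    req = build_request(b"hi", claimed_len=40)   # 2 real bytes, 40 claimed
    mem = make_memory(req)
    print("vulnerable:", vulnerable_reply(mem))   # leaks the neighbour
    print("fixed     :", fixed_reply(mem, len(req)))  # None
```

The two-byte payload with a claimed length of 40 is enough to pull the neighbouring "password" out of the simulated memory in the unpatched handler, while the patched handler refuses the same message because 42 bytes were claimed and only 4 were received.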
Once word got out in a big way last month, affected sites scrambled to patch the bug. Once patched, your password should be changed on those sites. Check out this list here and this tool here for determining affected sites. Taking these steps (as well as all other means possible to protect your accounts such as two-factor authentication) doesn’t mean that someone hasn’t already attempted to log into your profile or account on these sites already. It just means you can stop that unauthorized access going forward.
So, what is a lawyer to do, especially since we are now desirable targets?
“Hackers are now targeting small law firms because of the wealth of info in client files that can be used for identity theft – in family law, estate planning, real estate, elder law and other matters. And Mass. law requires you to notify clients of a data breach – do you really want to have to do that?”
I myself have become pretty well reliant on the Internet for managing my life and data, personal and work related. My company has too. You would have to be a pretty unique sort of legal dinosaur not to be using some form of online tool to manage some aspect of your practice. You might even be storing all of your client data in the cloud. Are you safe? Well, in a sense, you are never fully protected against data destruction whether your store your data online or in a cardboard box in your basement. The risks simply differ. And, while there are certainly new challenges to online security popping up every day, you would be putting yourself at an extreme disadvantage if you eschewed all available tech tools to manage your practice, particularly if you are a solo or small firm practitioner.
The security issues surrounding Heartbleed and similar bugs or vulnerabilities all boil down to one important practice: effective password management. Larger enterprises can roll out system-wide password management that requires their employees to use strong passwords and make frequent password changes, and can even institute temporary codes and multi-step verification. If you are a solo or small firm, you may have to get a bit more creative. You can enable multi-factor authentication on any site that offers it: Google, Twitter, Facebook, to name a few. These security protocols require you to enter your password and then a code which is sent to your mobile device in order to access your account on the site.
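The "code on your mobile device" is usually a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226): the site and your authenticator app share a secret, and each derives a six-digit code from that secret and the current 30-second window, so the code proves possession of the device on top of the password. The block below is an added example, not code from any of the sites named above; it uses only the Python standard library, and the secret is the RFC's published test key (which is why its codes are known), not a real credential.

```python
"""One-time codes as authenticator apps generate them (RFC 4226 HOTP and
RFC 6238 TOTP), plus the server-side check. Added example; the secret is the
RFC test-vector key, not a real credential."""
import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"   # RFC 4226 / 6238 test key (public)
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """TOTP: HOTP with the counter = number of `step`-second windows elapsed."""
    return hotp(secret, int(now // step))


def verify_totp(secret: bytes, submitted: str, now: float, window: int = 1) -> bool:
    """Site-side check: accept the code for the current window or `window`
    steps either side (phone clock skew). Constant-time compare so a wrong
    code takes the same time as a right one."""
    counter = int(now // STEP_SECONDS)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False


def two_step_login(password_ok: bool, secret: bytes, code: str, now: float) -> bool:
    """Both factors must pass: the password check done elsewhere, then the code.
    A leaked password alone is not enough without the device's current code."""
    return password_ok and verify_totp(secret, code, now)


if __name__ == "__main__":
    current = totp(TEST_SECRET, time.time())
    print("current code:", current)
    print("login:", two_step_login(True, TEST_SECRET, current, time.time()))
```

Note that the code is only as secret as the shared key: the site stores that key, which is one reason a site breach can also require re-enrolling your authenticator, not just changing the password.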
You also should consider using a third-party password management app such as 1Password or Dashlane for all of your online logins. These apps use high-level security protocols (although some, like LastPass, were using OpenSSL), employ password generators that create very strong, difficult-to-crack passwords, and provide an in-app secure browser for accessing and logging into the service from your computer or mobile device in a protected environment.
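What makes a generated password "difficult to crack" is that every character is drawn uniformly at random from a large alphabet by a cryptographic random source, so the only attack is to try every possibility. The block below is an added example of that idea, not code from 1Password, Dashlane or LastPass; the guess rate of ten billion per second is an assumed figure used only to show how quickly an eight-character password falls compared with a twenty-character one.

```python
"""Random password generation and a strength estimate of the kind a password
manager performs. Added example; not any product's own code."""
import math
import secrets
import string

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character from the OS cryptographic RNG (`secrets`), never
    from `random`, whose output is predictable."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not repeat symbols (biases the draw)")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years for an attacker at the given (assumed) offline guess rate to try
    every possibility; on average they succeed in half that."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


def report(length: int, alphabet: str = ALPHABET) -> dict:
    """Summarise a password of `length` drawn from `alphabet`."""
    bits = entropy_bits(length, len(alphabet))
    return {
        "length": length,
        "entropy_bits": round(bits, 1),
        "years_to_exhaust": years_to_exhaust(bits),
    }


if __name__ == "__main__":
    for n in (8, 12, 20):
        print(report(n))
    print("example:", generate_password(20))
```

At the assumed rate, the eight-character case is exhausted in well under a year, while the twenty-character case runs to many billions of years; the generator costs nothing extra to use at the longer length, which is the point of letting the manager create and remember the password for you.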
But here is the real kicker: your data may actually be safer stored in the cloud than on your local server, where you can inadvertently download viruses and other malware that could open up your information to outsiders. Cloud services tend to employ stronger, more effective controls on their servers than you could deploy on your own local intranet. But, to really benefit from that higher level protection, you need to go with services that are designed around security, encryption and data protection. Dropbox alone won’t do. You need a higher level of security, like that found in services like cloudsafe, designed for protecting sensitive data. Check out this very comprehensive list of questions to ask of a potential cloud provider when assessing whether it is a good option for your confidential client information. Or, you could leverage a service like Viivo which places an encrypted file in your Dropbox, Box or OneDrive online folder.
In short, my recommendation is not to avoid the cloud in order to avoid the risk. You are at risk with any storage solution and avoiding the cloud’s risks means you will also lose its many benefits. That said, you need to be proactive in dealing with risks such as those posed by bugs like Heartbleed. Keep yourself well informed of emerging risks and employ recommended fixes and precautions in a timely fashion. Use hard to crack passwords and password managers to maintain a secure browsing environment. Use two-factor or multi-factor authentication on any site that offers it. And, while it may seem a major pain, consider changing your passwords at regular intervals. If you use best practices in dealing with the risks, you can reap all the benefits, minimize exposure, and meet ethical obligations to leverage technology for your client’s benefit and mutual protection of interests.
All opinions, advice, and experiences of guest bloggers/columnists are those of the author and do not necessarily reflect the opinions, practices or experiences of Solo Practice University®.
Interesting epilogue to the Heartbleed story – several million dollars are being allocated to perform a full security audit of OpenSSL and to hire two full-time developers. It’s that serious.
http://goo.gl/FojRtf