Law firms are coming under increasing scrutiny for potentially lax security measures. Here are five easy-to-check security items, some physical, some electronic. These types of concerns will grow as the Internet of Things (IoT) grows.
- VoIP Network Connections. Polycom, Cisco and other VoIP (Voice over Internet Protocol) phones connect to the computer network through Ethernet jacks. Unless VoIP devices sit on a separate Ethernet switch and IP network (for example 10.x.x.x for phones vs. 192.168.x.x for computers), a visitor left alone in a conference room or work room with a VoIP phone can unplug the phone, plug in a laptop and be inside the firm’s firewall. The firm’s DHCP server hands the visitor a valid IP address, and the laptop is free to browse the network or run applications.
- Leaking Images of Copied, Faxed or Printed Paper. Modern multifunction devices (MFDs), the combined fax/printer/copier units, let device administrators send a digital copy of whatever is faxed, printed or copied to email addresses or storage locations defined in the device settings. The point is that lawyers cannot avoid electronic privacy concerns by dealing only with paper documents if digital devices are used to copy them. Check those configured destinations and monitor the device to identify sensitive images being sent to or through your MFDs.
- Keypad-Controlled Door Access. Law firms sometimes control physical access to individual conference rooms or litigation war rooms with keypad locks, where anyone seeking entry must enter a set numeric sequence. Whoever installs the lock must also change the factory default code. If you have the lock pictured below, try this: press 2 and 4 at the same time, release, and then press 3. Did it open?
- WiFi Password. Handing out strong passwords for visitors to use on the firm’s wifi network can be seen as a nuisance, so firms may instead use a string of characters that already appears on most of the firm’s business cards, e.g., the fax number. This is a basic security violation. What’s the password for your firm’s wifi? If it’s your firm’s fax number, change it today!
- Microphones Used by Deposition Witnesses. Court reporters often use wireless microphones that broadcast the witness’s testimony. This lets the reporter record the testimony, but it can also let others eavesdrop on what can be extremely sensitive information. Lawyers should make sure that the microphones’ broadcasts are encrypted, that they broadcast on private (not public) frequency ranges, and that the reporter does not use the default usernames and passwords on the equipment used for the testimony. For less than $1,000 in easily obtainable gear, someone can sit in your parking lot and record your depositions.
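A simple check for the first item, added here as an example rather than code from the original post: it reads a DHCP lease list and flags any non-phone device holding an address on the voice network, and any phone holding an address on the data network (which means voice and data are not separated). The subnets, the phone MAC prefixes and the lease lines are constructed for the example; a real audit would load the firm’s own phone inventory and lease file.

```python
import ipaddress
import re

# Assumed layout for this example: phones on 10.10.0.0/16, computers on 192.168.1.0/24.
VOICE_SUBNET = ipaddress.ip_network("10.10.0.0/16")
DATA_SUBNET = ipaddress.ip_network("192.168.1.0/24")

# Hypothetical MAC prefixes (OUIs) of the firm's phone models; a real audit would
# load the firm's phone inventory instead of hard-coding prefixes.
PHONE_OUIS = {"00:04:f2", "00:1a:2b"}

# Constructed DHCP lease dump in a simple "ip mac hostname" format.
SAMPLE_LEASES = """\
10.10.3.21    00:04:f2:aa:bb:01  conf-room-a-phone
10.10.3.22    00:04:f2:aa:bb:02  warroom-phone
10.10.3.57    3c:22:fb:12:34:56  visitor-laptop
192.168.1.40  00:1a:2b:cc:dd:03  reception-phone
192.168.1.41  b8:27:eb:00:11:22  workstation-07
"""

LEASE_RE = re.compile(r"^(?P<ip>[\d.]+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<host>\S+)", re.I)


def parse_leases(text):
    """Return (ip, mac, hostname) tuples, skipping lines that do not look like leases."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            leases.append((ipaddress.ip_address(m["ip"]), m["mac"].lower(), m["host"]))
    return leases


def audit_leases(leases):
    """Flag leases that break the 'phones on their own network' rule."""
    findings = []
    for ip, mac, host in leases:
        is_phone = mac[:8] in PHONE_OUIS  # first three octets identify the vendor
        if ip in VOICE_SUBNET and not is_phone:
            # Something other than a phone got a voice-network address,
            # e.g. a laptop plugged into a conference-room phone jack.
            findings.append(("non-phone-on-voice-network", str(ip), mac, host))
        elif ip in DATA_SUBNET and is_phone:
            # A phone on the data network means voice and data are not separated.
            findings.append(("phone-on-data-network", str(ip), mac, host))
    return findings


if __name__ == "__main__":
    for kind, ip, mac, host in audit_leases(parse_leases(SAMPLE_LEASES)):
        print(f"{kind}: {host} ({mac}) at {ip}")
```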
The above items are just samples of the types of issues that law firms should be examining. Considering the many potential downsides to data breaches (e.g., reputational injury, malpractice claims, and, depending on the breach, statutory or contractual liability for unauthorized access to credit or health information), law firms should take two steps immediately:
- Obtain data breach insurance. Damages for data breach can be staggering and coverage under existing insurance policies may be nonexistent or wholly inadequate. Consult your insurance agency or your local bar association.
- Hire an expert to perform penetration testing of your firm. Most law firms don’t have the expertise to perform rigorous testing of their physical and electronic security measures. It makes sense to periodically retain an expert to probe the firm’s security measures. These good-faith efforts to secure clients’ confidential data may not only lower the probability of being hacked but also lower the cost of insurance and help deal with disciplinary or ethics violations in the event confidential data is leaked or lost. Sharon Nelson of Sensei Enterprises has a great blog and a podcast dealing with many of these issues.
Another action that firms using Windows can take to start down the road to cybersecurity is to download and run Microsoft’s free Safety Scanner (https://www.microsoft.com/security/scanner/en-au/default.aspx). After it runs, it provides a report on any viruses or spyware found and the adequacy of passwords used. Firms could also consider using CCleaner (or an equivalent application) to check for viruses and malware/spyware and to help optimize computer performance (https://www.piriform.com/business).
For your free personal copy of my book, Guide to Managing Unstructured Content, go to http://beyondrecognition.net/download-john-martins-guide-to-managing-unstructured-content/