around the bar
February 9, 2013

Pleading Ignorance is Not Protection Against Client Data Loss, Say ABA Panelists

According to John Simek, vice president of Sensei Enterprises, “we’re addicted to our phones.” He cited a statistic that 58 percent of smartphone users can’t go one hour without checking their phones.

Simek and David Ries of Thorp Reed & Armstrong LLP teamed up on Friday to present the ABA Midyear Meeting program “Locked Down: Security in Using Cloud Services and Mobile Devices.” The two emphasized the importance of protecting client data, whether using cloud computing services or a smartphone.

There are no ethical violations if reasonable efforts are made to protect data, Ries said.

Clients may require special security measures, or they may give informed consent to forgo security measures, Ries said.

“Pleading ignorance won’t work,” Simek said. “Competence requires understanding the benefits and risks associated with the relevant technology. You must get a baseline knowledge or get help.”

Law firms are targets for hacking attacks, Ries said. “It doesn’t matter if you’re large or small,” Simek added.

The consequences of being hacked include having to report to your insurer and give notice to clients, which is a “PR nightmare,” according to Simek.

Simek says to avoid “hot spots,” or areas offering free Wi-Fi, such as airports, coffee shops and hotels. “There is absolutely no security,” he said.

Simek and Ries also covered mobile threats. They said the biggest threat to mobile devices is their being lost or stolen: 30 percent to 70 percent of data breaches are from lost or stolen devices.

The way to avoid stolen data is to encrypt it, the two recommended. Encryption takes plaintext and turns it into ciphertext, which is unreadable without the key. “It’s getting easier and easier [to do],” Ries said.

For example, enabling a passcode encrypts the data on iPads and recent iPhones, Ries said. Microsoft Office and Adobe Acrobat can encrypt text within the software itself. Other options are encryption software such as PGP, TrueCrypt, Windows BitLocker and Mac FileVault.

Encrypted portable media is also available, such as the “IronKey,” which is a USB drive with strong encryption ability, Ries said.

Other protections include making sure software is up to date and sending personal data only to an encrypted site (one that starts with https and has a lock symbol), Ries said.

If you must use public Wi-Fi, only use it with a VPN, which encrypts data, Simek said.

Finally, make sure you have strong passwords. Aim for 12 characters with a combination of upper and lowercase letters, punctuation marks and symbols. Do not use the same PIN in multiple places, Ries said.

This panel was sponsored by the ABA’s Government & Public Sector Lawyers Division and co-sponsored by the Law Practice Management Section.