Lawyers Journal

You might want to pay attention (a.k.a. securing client information)

A hot topic these days is how lawyers should be securing the electronic versions of their clients' information. Given the ethical duties and malpractice concerns this issue presents, this topic deserves the attention it is getting.

The topic of security gives rise to a number of questions, especially applied to the legal environment. In order to explore this topic, we will follow through a typical line of questioning. As we move through these questions, you can compare the descriptions to your own situation. Hopefully this will help you in evaluating your current security and give you ideas for how you might improve it.

Can someone breach your computer(s)? The answer is yes. Just like the "best lock can be picked" or "better safes lead to better burglars," more sophisticated firewalls lead to more sophisticated hacking tools and techniques. You will never have a 100 percent security solution. The real question will be: do you know what your security risks are (have you quantified them)?

What is the likelihood someone will attempt to get in? This follows from the "quantified risk" note above. I want to break this question into two parts.

First: What is the likelihood someone is going to single you out for an attack? This is hard to measure, and may well be low. But you never know when someone might find you or your firm an interesting target.

Second: What is the likelihood of a random attack? The answer to this is: High. Most hacking attempts come from "Script Kiddies." These less sophisticated hackers borrow hacking "scripts" (small programs) from more experienced hackers. They then run these automated attacks against random Internet addresses. Since Internet addresses are essentially sequential numbers, the attackers pick a number and work up from there.

When the automated attack gets to your address, it runs a series of known attempts to get into your system. If any of these are successful, an alert is sent to the hacker that a security hole has been found. Now the hacker will pay specific attention to your network and start playing around with your system.

To give you an idea of how many of these attacks occur, I point to my Internet Service Provider (ISP). This ISP has a program that creates a log and reports on the number and types of attacks that occur. Last Friday when I asked, they had had 22,000 attempted hacks that day.

What will the hacker do once he's in? So the Script Kiddie made it in. Now what's he going to do? The usual answer: that depends. It depends a lot on his interests. A number of hackers will use your network for trading music or movie files. They may park a bunch of files on your system and then let everyone know they can go there for free downloads. This could put a tremendous load on your storage, servers and bandwidth. This relatively innocuous use of your computers may slow them down or ultimately crash them from too many requests.

Moving up the intent scale, the hacker may load some malicious files or delete a few important system files, again leading to a crash.

One interesting hacker approach is to drop in files that are used to run attacks on someone else's system. This is called a distributed denial of service attack (or DDoS). The hacker will place scripts on a number of different systems and set them to go off at the same time. Now your computer is being used to flood a third-party system with irrelevant requests.

[As I write this column, this type of attack happened to RIAA on July 31, 2002. RIAA is upsetting many Internet junkies with its aggressive approach to protecting music copyrights. The attack brought down its web site.]

In addition to causing harm, hackers may be into theft. Stealing electronic information is simple, since nothing actually goes missing. What a hacker would do with this information is anyone's guess. Suffice it to say, if it appears anywhere, your clients won't be happy.

What are the possible consequences from being hacked? Of course having your system crash is a possible consequence and not a very good one. But I thought I would add in an extra layer of concern here. If your computers are used in an attack, you might have even bigger problems. At one layer, you may be held liable for damages to the third party if you had not taken reasonable precautions to protect your system from such use. At the "worst case" layer, the authorities might seize your computers and all back-up copies.

Recently, federal agents seized some computers from Arizona State University. Someone had loaded malicious software on these computers and that individual had terrorist connections. In this case, ASU cooperated in the seizure. But imagine having the police drive off with all of your computers and your clients' confidential information. Not a pretty picture.

What can and/or should you do about it? This question brings us back to the title of this article. You need to pay attention to security. As a lawyer, you probably do not need to know all of the specific aspects of security. But you had better make sure your computer people do. From this leadership position you probably want certain policies and procedures in place to ensure adequate security. If you are not aware of the quantified security risks of your system, you should take steps to find out.

Questions for you to ask

To help you better understand the security environment variables, here is a short description of the three main categories of security.

Technology — This is the most obvious one. Your network needs adequate firewalls, with someone monitoring attacks on them. You need up-to-date virus detection software. You need up-to-date operating systems and applications (out-of-date ones can create security holes). You need good back-up systems, and these should be tested regularly. And finally, you should have one or two people responsible for keeping this all in shape as well as some documentation on the set-up.
Physical — You can have great technology security, but then have your server physically open to access and not be any better off. Critical computers and communication systems (phones) should be in locked rooms, with proper environmental controls. These also should be password protected and on appropriate power supplies.
Human — Often overlooked, this is usually where security breaks down. Employees with access to critical, confidential information should be screened at some level. This may even include a police background check. "The easiest way to break in is to bribe the guard." So make sure you have some trust in your guards. You also will want HR policies to manage your staff. They should change passwords regularly. And when the time comes for them to leave the firm, their computer access should be terminated at the proper time.

Paying attention

Hopefully this article has given you plenty of reasons to pay attention to computer security as well as some knowledge about good ways to do just that. Security has a number of issues surrounding it, but comes down to a relatively simple concept: you need to pay attention. As the boss of the IT people, who should be doing the hands-on work, you should pay attention and know what they are doing for security and that it is getting done. With your duties to protect client information, this seems a very reasonable course of action.

A final side note

This article has focused mainly on securing the information you have residing on your computer or network. The same level of attention should be given to information that is transmitted across the Internet. You have probably seen the "fax" disclaimer language on e-mails or may use it yourself. This is probably a good practice, but you should look into taking more steps to protect your communications from falling into the wrong hands in the first place. But that's a topic for another day.

Resources

ABA Standing Committee on Technology and Information Systems: http://www.abanet.org/scotis/home.html
ABA Legal Technology Resource Center: http://www.lawtechnology.org/publications/ltn_security200204.html
Internet Engineering Task Force - The Site Policy Handbook Section 2-POLICIES (RFC 2196): http://www.ietf.org/rfc/rfc2196.txt?number=2196

Editor's note: Lincoln Mead, IT director for the Utah State Bar, gave invaluable input for this article.

©2014 Massachusetts Bar Association