The Lawyer’s Guide to Mobile Computer Security
by Ellen Freedman, Ellen Calloway, Reid Trautz
Reprinted with permission from the Pennsylvania Bar Association.
By all accounts, a personal computer is lost or stolen every 12 seconds. Most contain confidential or sensitive information.
An article in the Sept. 22, 2006, online issue of Enterprise Security Today detailed how the Census Bureau had lost or had stolen 217 laptops, 46 portable data storage devices and 15 handheld devices since 2003. All held confidential information. In fact, the Commerce Department performed a review and found that since 2001, the department’s 15 operating units had lost an astounding 1,137 laptop computers, all containing confidential information.
The newsletter Privacy Journal reported 24 significant instances of Social Security numbers and other sensitive data being placed at risk through stolen or lost laptops in 2006.
Of course, just one missing laptop can expose a great deal of information. Most will recall the media firestorm when a laptop containing personally identifiable information of 26.5 million veterans and family members was stolen from the home of a Veterans Administration employee.
Having to explain to a client or disciplinary authority about lost or exposed client data on a missing laptop would be unpleasant and difficult. How could anyone seriously maintain he or she had no idea that a laptop with confidential information could be lost or stolen?
But laptops aren’t the only mobile devices that can contain confidential information. Virtually all mobile devices and removable media can potentially expose a law firm to embarrassment and even ethical breaches if they fall into the wrong hands. Law firms need to start devoting more attention to protection of information on USB devices like thumb drives and iPods or other MP3 players; on removable media such as CDs, DVDs, floppy disks and external hard drives; on seemingly innocuous devices such as dictation recorders; and on wireless devices such as cell phones, smart phones and personal digital assistants (PDAs).
We should also be aware that information can be stolen from a computer without the alarm created by vanishing hardware. Software is readily available on the Internet for efficiently purloining data.
For example, third-party packet capture driver applications enable nefarious use of USB thumb drives. It prepares the device to enable both data and large applications to be copied onto the removable media within seconds. A hacker no longer needs to have a laptop available to compromise a network. A USB flash drive can be plugged in and used to steal large quantities of information rapidly. Similar software for MP3 players is now available.
It would be easy for a short-sighted law firm manager or IT director to decree that no client information can ever be taken out of the office on a mobile device. But the demands of today’s workplace make laptop computers, PDAs, flash drives and other devices almost a requirement for many. It would be inconceivable to travel to visit with a client in another state without taking a laptop packed with information about the client’s files. Remote access to the office network over the Internet is an important productivity component for lawyers who are working from home or traveling. Of course, e-mail attachments leave the office regularly.
It follows, then, that when we talk about mobile security, we are talking about training staff and lawyers to be aware of the risks and adopting policies to secure confidential information. Every firm needs to implement a computer-use policy that carefully balances the need for security and the need of users to accomplish tasks without undue administrative burden.
By now, most lawyers should be aware that electronic documents contain hidden information called metadata. There have been embarrassing moments for individuals who were unaware that the documents they e-mailed contained potentially embarrassing hidden information. Some of the most problematic items of metadata are deleted comments or document revision history. Tools that expose metadata and instructions on how to look for it are readily available on the Internet. Sending a document to opposing counsel that potentially exposes the client’s comments made while reviewing the document could constitute a major ethical breach.
One way to create a document that is virtually metadata free is to create a new "clean" document just before e-mailing it. First, open a blank document. Then, select the text in the original document, copy it to the clipboard and paste it into the new blank document to create a new document with no troublesome metadata.
WordPerfect users might consider upgrading to version X3, which has a "save without metadata" feature. There are various commercial products available for viewing and deleting metadata from a document, such as the Metadata Assistant from PayneConsulting.com. Another option: Always print a document to PDF before allowing it to leave the office. While PDF documents created in this manner retain some metadata, it is limited and not of the type likely to expose client confidences or to prove embarrassing.
While the issue of metadata is getting all the attention these days, don’t overlook the office processes for protecting access to sensitive documents. There are two methods: authentication and encryption.
Documents are the lifeblood of attorneys. Attorneys have a duty to preserve and protect the confidentiality of information. That task is made more difficult when documents are accessible across a firm network or shared electronically. Assuring confidentiality is more difficult than just locking a file cabinet or a desk drawer.
Authentication is the common term for proactively limiting access to electronically created documents. We can easily install authentication requirements on a computer to view a document, folder or the entire computer. Biometric authentication — fingerprint and iris scans for example — is an emerging method, but passwords are by far the most common form. All computers should require at least one password to logon. Individual documents containing sensitive information that are shared electronically should be individually password-protected.
A strong password contains at least nine characters and both letters and numbers or typographic symbols. Even a relatively insecure or "soft" password may have benefits. A firm can adopt a universal password for all documents to be taken outside of the firm, including by e-mail attachment. The password is communicated to clients, co-counsel and opposing counsel by phone. While the widespread knowledge of the password limits its effectiveness, it goes a long way toward protecting any documents that get mis-delivered or lost.
Locking Down PDF Files
Another way to protect documents from unwanted changes or exposure is saving them to Portable Document Format (PDF). Law firm users can "lock down" documents — disallowing printing, copying, editing, commenting or even opening the document. One can encrypt the file or use secure digital signatures and other authentication protocols. Attorneys can make sure the document is not exposed to alteration or copying. It is a more secure way to send documents to clients and opposing counsel, knowing that they cannot be altered or that alterations can easily be seen.
Password-protecting a document reminds one that locking your doors will keep out honest people but only slow down a professional thief. For critically important information, document encryption rather than password-protection is the solution. A marital dissolution settlement proposal might be effectively protected by a password. Information about a proposed multimillion-dollar merger or the defense of a criminal matter making national headlines might need to be encrypted.
Encryption is the process of obscuring data or information to make it unreadable without special software or knowledge. Governments and the military have long used encryption to protect sensitive communications. Commercial encryption products have emerged to protect software, Internet communications, mobile data, cell phones and other sensitive information.
To encrypt digital information, the document, folder or data file is run through a software application to obscure the information. There are various levels; the higher the "bits," the greater the protection. Currently 256-bit encryption is a common standard. Super-sensitive documents will have higher levels. The way to de-encrypt the information is with a "key." The key is often a pass code or another software program tied to the original encryption software. An obvious danger: The loss of the key effectively "loses" the document.
CD-ROMs, DVDs and Floppy Disk Drives
Although one can encrypt or password-protect CD-ROMs, DVDs and floppy drives, it generally makes more sense for the user to encrypt or password-protect the documents individually.
USB Flash Drives
The use of USB flash drives is increasingly widespread. A USB flash drive is a small removable data storage device that plugs into almost any computer built in the past five years or so and is commonly used to transport and share documents. These devices are as small as a matchbook or ink pen but can hold thousands of documents, hundreds of photos, songs or slide presentations. It is plugged into the USB port on any other computer for access to any documents and other files previously transferred to the device.
USB flash drives have largely replaced floppy disks for transporting documents. For example, if a lawyer needs to redraft an agreement or finish drafting an article over the weekend, it can be copied to a USB flash drive when leaving the office. Then one can plug it into another computer and work on the document. When finished, one should save it only on the flash drive, not the other computer’s hard drive.
Although these devices are very convenient, they are easily misplaced, and they can leave confidential data on the temporary host computer.
To avoid losing the flash drive, attach it to your office or car keys with a small but secure chain. Treat it like a million dollar nugget of gold; you always know where it is at all times. Why? Because that may be the cost to settle a malpractice claim if confidential information is lost or stolen.
Protecting Data on Your Flash Drive
The two most common methods to protect flash drive data are authentication and encryption. Some lawyers take the precaution of using a password to access the flash drive contents and a second password for each file or folder on the flash drive. Encryption is viewed as an inconvenience, but it is much more secure than just a password.
Flash drive manufacturers continue to meet the security demands of consumers and now add authentication and/or encryption software to some flash drive models.
Portable Hard Drives
Portable hard drives are external storage devices that can be easily transported in a briefcase, purse or pocket. These devices make it easy to carry home your data back-up. They can hold more information than a flash drive, often as much or more than any computer in your office. They connect to any computer through a cable, usually a USB or FireWire cable.
The portable hard drive has leaped in popularity as the physical size of the devices has dropped, as the storage capability has skyrocketed and as the prices have continued to fall.
Many smaller firms are buying two of these devices to use for their data backup protocol instead of using a magnetic tape drive. Coupled with reliable back-up software (included with some portable hard drives), the firms swap the two hard drives on a daily or weekly basis, keeping the alternate in a secure off-site location.
As with any other information-laden storage device that leaves your office, it must be secured against the possibility of theft or being lost. Again, authentication and encryption are the best methods to protect data confidentiality.
From a security standpoint, these drives have the same attendant risks and protection schemes as USB flash drives. They are slightly more inherently secure when used as back-ups, because the back-up software will compress the data, often in a proprietary format. In addition, they sometimes work through proprietary installed software systems rather than the "plug-and-play" model of the USB flash drives. The finder of the lost USB flash drive merely needs to stick it into a computer’s USB port to look at the contents. Spying on compressed data in a found back-up portable hard drive would present a greater challenge to the average user.
Mobile Phones and PDAs
The current generation of high-end mobile phones incorporates many of the information-carrying characteristics of computers. Smart phones now incorporate all of the functionality of PDAs.
Unfortunately, password-protecting a mobile phone tends to reduce a great deal of its functionality and convenience. One should still consider whether documents placed on a mobile phone should be password-protected. Probably the most practical advice is to consider whether sensitive documents should be placed on a mobile phone at all.
Some PDAs and mobile phones now provide for remote purging of the information when they are lost. One law firm that unsuccessfully tried to use this feature on a phone learned that it would not work in the shielded lower floors of a parking garage, where it was lost.
The number of lawyers who have laptop computers is significant and steadily growing. It is a great convenience to have much of your client information, your forms and other digital data with you when traveling or even going home at night. However, the loss or theft of a laptop is not as rare as one might think, as noted previously.
The minimum standard for laptop protection is password-protection. For laptops that are typically attached to a network, this is already done by the network login password.
Readers will begin to notice some familiar themes. Sensitive documents on a laptop can be either password-protected or encrypted. Sometimes it may make sense to encrypt entire folders for keeping important documents safe.
Laptops left unattended in a hotel room can be secured by chain lock devices similar to those used to protect a bicycle. Screen protectors can be used to block prying eyes when working in public or on an airplane.
There are software packages that allow a stolen computer to "phone home" when connected to the Internet. There are also packages for remotely deleting sensitive information when the laptop is connected to the Internet. While these concepts are new, one anticipates they will become the minimum security standard within a few years. Likewise, it is no longer the stuff of science fiction to consider a laptop with fingerprint or iris scanning authentication.
One of the most interesting methods of laptop remote access security uses a key fob that displays a series of numbers. The displayed numbers change every few minutes and are synchronized with the office computer network. Logging on to the network requires entry of the current set of numbers followed by a several digit number that the lawyer has memorized. The theory is that even if the purpose of the key fob is known and it has been lost or stolen along with the laptop, one would still be unable to crack the network without the memorized set of numbers.
The most important thing about mobile security is to consider everything in advance and implement a well thought-out policy. Then, training and education are key. Like any other business, a law firm has to stay competitive and take advantage of advances in technology. That means taking advantage of the benefits of mobile technology. Spending time drafting a written plan for mobile computing security is important for both the law firm and the clients.
Ellen Freedman, a certified legal manager, is the Pennsylvania Bar Association’s law practice management coordinator and president of Freedman Consulting Inc.
Reid F. Trautz heads the American Immigration Lawyers Association’s Practice and Professionalism Center and is a nationally recognized author and presenter on law firm management.
Jim Calloway is the director of the Oklahoma Bar Association Management Assistance Program and manager of the OBA Solo and Small Firm Conference.