Consumer Devices, e-Discovery and Security

By Gavin W. Manes and Tom O'Connor
May 29, 2012

Many consumer devices, such as iPads and smartphones, are being used by corporations or law firms, which may significantly compromise the security of any information transmitted to or from these devices.

Smartphones, tablets and other portable electronics have swept the nation in the past few years and are now being integrated into people's personal and business lives on a scale heretofore unseen. However, most of these devices were created for the consumer market and not necessarily for business applications. Therefore, confidential, sensitive and proprietary data must be protected both on the device itself and on the corporate network where the data resides.

The Problem

Telecommuting, ever-more-portable digital devices and easy Internet access have blurred the lines between business and personal lives, and many people use the same iPhone or tablet to access both types of information. But that device may have the same privacy, security and Internet settings for both, when in fact the corporate or legal data may require far more discretion than a Facebook status update.

There is a substantial tradeoff of convenience and security in wireless networks; they have made accessing the Internet easier than ever but are notorious for their insecurity. There are a number of ways to make such networks more secure, such as passwords and firewalls, but each of these steps results in a loss of convenience as well. Achieving the right balance between these two sides of the spectrum is critical, but that balance may be different for personal and business Internet use.

Extra Precautions for Attorneys

Attorneys have another set of considerations beyond typical corporate privacy concerns, since they have a statutory obligation to protect client information. Coupled with a historical wariness of technology in general, law firms may be opening themselves to a significant risk by allowing the unrestricted use of consumer devices on their networks. This is a problem that requires consultation and very clear communication with IT professionals, which is not always easy for lawyers.

The Consequences

A fundamental concept of preserving the attorney-client privilege is that communications must be kept confidential. It is generally accepted that attorneys and clients have a reasonable expectation of privacy and confidentiality in their communications through unsecured or unencrypted e-mail on their own systems.

California and New York have specific laws that protect e-mail communications with wording to the effect that no such communications “shall lose [their] privileged character for the sole reason that it is communicated by electronic means or because persons necessary for the delivery or facilitation of such electronic communication may have access to the content of the communication.” The Federal Electronic Communications Privacy Act, 18 U.S.C. § 2510 et seq., http://1.usa.gov/JdAkFs, criminalizes the interception of e-mail transmissions, a fact which would seem to mitigate the risk of loss of privilege by deliberate interception.

However, the issue of unintentional waiver (accidental loss of privilege) arises when discussing consumer devices on unsecured networks. An attorney cannot hold a conversation with a client in a coffee shop without risking a claim of waiver. So what if that same attorney uses a public wireless network in a coffee shop to carry on an e-mail conversation with a client? ABA Formal Opinion 11-459 states that third parties may have access to confidential e-mails if they were sent from a public or shared account or computer, such as a computer located in a library, a hotel or the home. In that case, the ABA asserts that attorneys have an obligation to warn clients about the risks inherent in such communications. See, Formal Opinion 11-459 at http://bit.ly/JdBdOs.

In addition, Web services such as Google and Dropbox are under increased scrutiny for how they handle data. Terms of Service that allow for the disclosure of data, even when it is encrypted, are causing concern, as are assertions by providers that they need access to all data for a variety of reasons beyond the traditional compulsion by legal process (including, for example, to protect their “property rights”). In fact, Dropbox disclaims all responsibility for maintaining the confidentiality of user data and urges those concerned about security to separately encrypt any data uploaded.

The Solutions

There are two principal security concerns for mobile devices: 1) access to the device itself; and 2) access to the information within the device. Addressing these two security concerns requires good passwords and encryption, respectively.

Password protection for mobile devices is a critical first line of defense. Most Apple products allow the user to set a four-digit numerical password, and Android devices allow you to choose between a text, numerical or graphical passcode. Although these are all good beginnings for security, a simple four-digit code is not enough to protect privileged information. Indeed, it is fairly easy to circumvent that code for a typical Apple device. Access can also be gained by “jailbreaking” the device, a process where the operating system limitations are removed (note that this voids the warranty).

No matter the device, short passwords can be easily cracked; a strong password must contain at least eight digits and must be a combination of numbers, special characters and letters. Graphical passwords are not much more secure; fingerprint patterns can sometimes be detected on the surface of a phone or device by simply examining the screen from the side. Fortunately, there are add-on programs available in the mobile market that allow a user to set a complex password. This is the best barrier against someone gaining access to a lost or misplaced device, which is an all-too-frequent occurrence.

Even if someone did gain access to a mobile device, encryption can be used to prevent access to the information stored within. Since iPads and iPhones do not have encryption settings available on their operating systems beyond the initial password to access the device, it takes some extra work to apply encryption. However, there is a solution: add-on software encryption programs available on all the major mobile markets. There are a large number of these programs available with a variety of features that can be beneficial to attorneys. Fortunately, securing “data at rest” is a process that only needs to happen once, during the initial software setup, and then be updated occasionally.

Android devices do not have default security settings turned on, but users have an option to enable those features. Standalone programs are also available for Android devices. The new Windows tablets actually allow for full hard drive encryption in a feature already built in.

Conclusion

Security concerns for mobile devices have a different set of priorities than stationary desktop computers: the most common threat is losing a tablet or cell phone. Therefore, blocking initial access to the device itself is paramount to protecting privileged information. Since the likelihood of losing a mobile device is much higher than a typical desktop computer, an extra layer of protection for the information itself, in the form of encryption, is also warranted.

For each of these solutions, there will be a loss of convenience. For attorneys, that client information is important enough to protect. Inputting a long password every time you unlock your iPad is a hassle, but imagine how much better you would feel about the security of your client's information if you accidentally left it on the airplane. And how much better to know that, even if someone were motivated to crack that password, the most important files had a further level of encryption?

Although there is no silver bullet to secure consumer devices, a combination of passwords, encryption, and awareness can help attorneys safeguard their client information.


Gavin W. Manes, Ph.D., is president and CEO of Avansic, a Tulsa, OK-based company that provides ESI processing, e-discovery and digital forensics services to law firms and companies. A nationally recognized expert in e-discovery and digital forensics, Manes has briefed the White House, Department of the Interior, the National Security Council and the Pentagon on computer security and forensics issues. Tom O'Connor is director of professional services at Avansic. Based in New Orleans, O'Connor is best known for his work in e-discovery, which includes assisting firms and corporate counsel in matters of retention policies, litigation holds, and document exchange protocols.
