Think about the last case you handled for your largest client. What would happen if that information was breached or hacked? It is an alarming possibility and one that should rightfully occupy your thoughts.
These days, it is difficult to turn on the TV or go online without seeing the latest article about a government agency or corporation that has been hacked. Now that same threat is of foremost concern for law firms. As evidenced by the rash of presentations featuring security experts from the FBI and beyond at legal technology events, hackers, either foreign or domestic, are often discovering that it is easier to virtually break into a law firm than into its corporate client.
Data transfers are often the overlooked security hole for law firms. Attorneys and legal professionals handle, and exchange, highly sensitive client work product on a daily basis. Although lawyers normally default to tools such as e-mail, FTP, or courier deliveries, these methods do not necessarily deter breaches or offer the level of security mandated by government regulations such as HIPAA (Health Insurance Portability and Accountability Act).
Of equal importance is the growing trend of bring-your-own-device (BYOD) and the implications related to unsecured file transfers from personal devices such as smartphones or tablets. If a personal device used for access to firm data is not adequately secured, it can create yet another vulnerability that can be exploited by skilled individuals with malicious intent.
File Transfer
Exchanging documents with clients and outside counsel used to be a fairly mundane endeavor. Attach the documents to an e-mail and send it off. If you needed to deliver a large volume of documents or documents of a very large size, you could burn a CD or thumb drive and send it out via a delivery service.
However, what used to be a very simple process is now fraught with complexity and serious consequences to your firm. Data privacy regulations with severe penalties for the breach of confidential client information have upped the ante for attorneys. And if your practice requires access to protected health care information, the new HIPAA Omnibus regulations impose the same level of compliance and enforcement on you as on the health care providers you represent. As an attorney who is responsible to your clients to protect the confidentiality of their personal information, the following best practices can help you tighten the security of your document exchange practices.
Protect Your e-Mail Transmissions
Sending client/matter documents by regular e-mail is an open invitation for a data breach. Foreign hackers recently penetrated several law firms' network firewalls and accessed confidential e-mails from attorneys involved in trade litigation. Of equal risk is the potential for the unauthorized interception of e-mails as they traverse the Internet to their final destination.
To greatly diminish the risk of data breaches, law firms are deploying several technologies to secure e-mail transmission and storage. Many secure file transfer (SFT) systems include Outlook add-ins that enable the sending attorney to redirect the e-mail and attachments as an encrypted, limited-access delivery. The e-mail contents are uploaded and stored on an on-premises server. Recipients receive an e-mail notification with a link to securely download the e-mail contents after successfully passing through authentication. Along with enabling secure replies to the file exchange, a sound solution also provides automated tracking of all delivery activities for non-repudiation of receipt.
Beware of Hosted File Sharing Services
Attorneys, having to deal with increasingly large client files, are turning to a variety of online sites that allow them to upload files and share them with other parties. These sites are easy to use and can get the job done. But the big risk here is the level of security imposed at the service provider's data centers. Uploads and downloads may not be encrypted. Data may not be encrypted on the provider's servers, and the services' employees may have access to the data. Most important, the provider may not have adequate user authentication measures to protect against access by unauthorized recipients.
State bar associations, recognizing the risk of the growing use of file-sharing services, have issued guidelines regarding the usage of services of this type. These guidelines include requiring an attorney to exercise due diligence to ensure that the service is deploying sufficient security controls and gaining client permission to use such services. The bottom line is that you should only utilize file-sharing services that have been thoroughly vetted and sanctioned by IT leadership.
Guard Your Fax Deliveries
Fax technology is still a very popular method of communication between law firms and their clients. The traditional method of sending faxes to a recipient's machine has obvious security implications. If the faxes you send are not immediately retrieved from the fax machine, the risk of an unintended recipient picking them up increases. Today, most faxes are sent electronically. Traditional faxes are converted to an electronic format that can be accessed via a computer through a Web client or received as an e-mail attachment. Most law firms use a hosted service for electronic faxing, meaning they pay a third-party service provider to convert faxes to files. Many of these services deliver the fax unencrypted over unsecured networks, raising the same security concerns as delivering documents via unsecured e-mail. If you are considering a hosted fax service, check that the service encrypts transfers. To further reduce the risk of data breach, some fax service providers are delivering the fax as a secured delivery rather than an unsecured e-mail.
Document Exchange on the Go: The New Frontier of Security Vulnerability
By now most everyone in the legal IT community is familiar with the BYOD trend: the proliferation of attorney- and staff-owned personal mobile devices used for firm business.
In many ways BYOD is a net positive for legal professionals, allowing faster responses to client demands for document review and exchange, remote accessibility and greater flexibility. However, these productivity benefits challenge IT to support a wide range of personal mobile devices with competing operating and security environments. This increases the risk of breaches of confidential client data. One of the biggest challenges facing legal IT is access of firm data by personal applications, such as Dropbox-style applications used by legal professionals to synchronize client data on their mobile devices. Legal IT must provision these mobile devices with technology that will allow the encrypted and secure download and storage of client data accessed on mobile devices via e-mail, legal applications or document repositories. The legal and financial consequences of data breaches can be profound.
Many of the same security issues that apply to data exchange from desktops or laptops also apply to mobile device document exchange. Do the mobile applications that send or exchange documents on a phone or tablet encrypt the transfer of data? Do they restrict access to only authorized individuals? Do they track all data transfers, provide proof of delivery and allow for the ability to easily revoke a delivery if it is misaddressed?
How to Defeat Mobile Security Weaknesses
Most data breaches are caused by human error and employee negligence. The most sophisticated security technology will be less than effective without the full knowledge and support of legal professionals, including a formal education program covering mobile device best practices and firm usage policies. User education should include:
A solid BYOD usage policy as well as comprehensive training should provide unambiguous guidance and meet present security requirements, but as we have seen over the past decades, we can be sure that the technology and how devices are used will continue to change.
While law firm IT can make sophisticated security systems available, it is ultimately attorneys who are responsible for protecting their clients' data and documents. By being aware of the potential risks every time you exchange sensitive data, whether physical or electronic, you will significantly minimize the chances of data breaches.
Charles Magliato, Legal Program Director for Biscom, has more than 30 years of information technology industry experience, including application development, project management, business development, product marketing and channel and direct sales. He can be contacted at [email protected].