Managing the Security and Privacy of Electronic Data in a Law Office - Part II
by Dan Pinnington
February 2005

This resource was created as part of the practicePRO risk management initiative (www.practicepro.ca) by the Lawyers' Professional Indemnity Company (www.LAWPRO.ca). The full booklet is available at www.practicepro.ca/securitybooklet


Introduction

Computers and the Internet have transformed the practice of law, and how lawyers handle confidential client information. Where once paper documents were the norm, today clients, lawyers, and law office staff routinely work with electronic documents and data. Protecting the security and confidentiality of that information, however, is as important today as ever: Both the Rules of Professional Conduct and the Personal Information Protection and Electronic Documents Act (PIPEDA) apply equally to paper-based files and to electronic documents, such as computer files or e-mail messages.

A failure to take appropriate steps to protect the electronic data in your office could have disastrous consequences. This could include an embarrassing release of sensitive information, a malpractice claim, a complaint to the Law Society, or the theft of your personal identity. At the very least, the theft, loss, or destruction of client or practice-related data will be disruptive to you and your practice. In the extreme case, it could cause your practice to fail.

To minimize the risk of any disclosure or loss of confidential client or practice data, you should understand where the risks are, and implement office management practices and appropriate technology to ensure all of your data remains confidential and secure.

This booklet provides a comprehensive review of various steps you should take to ensure that the electronic information in your office remains confidential and secure. Although some of the suggested steps may not be relevant to every lawyer, all practitioners will find helpful information in this booklet. Even if you do not have the expertise to implement the suggested measures yourself, you’ll be in a better position to direct the work that technology consultants or others must do for you.

If you do nothing else – the lucky 13 things you must do

An unprotected computer can be infected or hacked within seconds of connecting to the Internet, so protecting your electronic data is a must. The question is: How much time, effort and money are you willing to invest in that task? Ultimately, you need to find a balance between the allowable risk and an acceptable cost and effort. From a best practices point of view, there are 13 steps that you should systematically take to protect the electronic data in your firm against the most common threats. Most can be completed quickly, and at little or no cost. More detail on each of these steps is provided in the remainder of this booklet. In part two of this series, we’ve listed steps 5 through 8.

Steps #1- #4 appeared in the previous issue of LPT.

Step #5 Install a firewall on your Internet connection: When you are connected to the Internet, the Internet is connected to you. Information can flow freely both ways across your Internet connection. You need a firewall to act as a gatekeeper to prevent unauthorized access to your computers and network.

Step #6 Be aware of and avoid the dangers of e-mail: E-mail is an essential communications tool in most law offices, but it is also one of the most dangerous tools. E-mail is one of the most common ways that viruses will enter your office, causing breaches of confidentiality and other serious problems. You and your staff must appreciate the dangers of e-mail, and know how to use it safely.

Step #7 Beware the dangers of metadata: Are you unwittingly sending confidential information to clients or opposing counsel? If you have e-mailed a Microsoft Word or Corel WordPerfect document to either, the answer to this question is likely yes, and you need to learn more about metadata.

Step #8 Lock down and protect your data, wherever it is: Electronic client data is everywhere, both inside your office (on servers and desktop computers), and outside your office (in e-mails, on laptops, cell phones, and PDAs). People can access data across networks and even across the Internet. You need to understand who has access to your data, and how to limit or prevent access to it.

Don’t be tempted to skip or skimp on one or more of the suggested steps. Remember, your data is only as safe as the weakest link in your security plan. When you leave on vacation, you lock every door and window in your house. Leaving just one door or window open gives a thief easy and instant access. To make sure the security and privacy of your electronic information is properly protected, it is critical that you fully and properly implement all of the above steps. Working your way through this booklet will help you complete all the work necessary to protect the security and privacy of your data.

Lastly, look inside your firm for potentially the most dangerous people, your own employees, and be especially careful of departing employees.

Step #5 - Install a firewall on your Internet connection

Regardless of whether you use a high-speed Internet connection, or dial-up modem, your systems must be protected by a firewall – a type of gatekeeper that ensures all incoming and outgoing communications are legitimate.

For computers to transmit data back and forth over the Internet, lines of communication must be established. These work through ports which are opened on each computer. The problem is that all the computers on the Internet can see one another, and these open ports can allow unauthorized people to access a computer. A firewall watches these ports and will warn you about or prevent unauthorized communications.

Firewalls come in two varieties: software and hardware. Software firewalls are easier to set up, usually protect a single computer, and are adequate for personal use. ZoneAlarm Pro (www.zonealarm.com) is a highly rated software firewall that is easy to install and use, and costs $70 per year. The more basic ZoneAlarm is free for personal use, and suitable for a home computer.

Hardware firewalls are usually used to protect an entire network of computers. D-Link, Linksys, Netgear and others make relatively inexpensive hardware firewalls that are suitable for a small office network; Cisco and others make firewalls for larger networks.

Windows XP’s built-in firewall called the Internet Connection Firewall protects you only from incoming threats; it does not monitor or stop outgoing communications. XP users should consider a more robust hardware or software firewall. Note, you should disable the XP firewall if you use another firewall.

Probe your ports to test security vulnerabilities

ShieldsUP! (www.grc.com) is a free online program that scans your computer and its Internet connection looking for disclosure of personal information, open ports and other vulnerabilities. Within minutes, you’ll know if your Internet connection has any security vulnerabilities.


Step #6 - Be aware of and avoid the dangers of e-mail

E-mail has become a vital tool in every law practice. Yet its widespread use exposes your firm to significant risks, including embarrassment, Law Society complaints, or malpractice claims due to the unintentional disclosure of confidential information, as well as data loss or destruction due to viruses or the downloading of other malware programs.

Firms should educate their staff on the dangers of e-mail, and have a clear, written policy on the proper use of e-mail.

Password protected access

All e-mail programs can be configured to require a password at login. To prevent people from reading other peoples’ e-mail, or from sending a message in someone else’s name, make sure all e-mail account logins require a password.

Take care before hitting send

It’s easy to inadvertently send an e-mail to the wrong person, potentially disclosing confidential or privileged information. The following steps can help you avoid making this mistake:

  • Make sure each client’s e-mail address book listing includes the client’s full name. Using generic addresses such as Fred007@aol.com alone can create confusion.
  • Make it an office policy to double-check that e-mail is addressed to the correct individual before it is sent.
  • Educate your staff about the necessity of protecting confidential information, so they can recognize circumstances where information should be protected and not disclosed.

Privacy statements

Many firms include a privacy statement in their e-mail messages, often in the signature text at the end of a message. From a practical point of view, anyone who mistakenly gets the message will have read it before they read the privacy statement. For this reason, some question their real value, but most feel that having such statements is worthwhile. There is also some suggestion that you should only put privacy statements on messages that contain sensitive information, as putting them on every message could lessen their credibility.

E-mail encryption

Theoretically, e-mails are easy to intercept, and as they are usually sent in an unencrypted format, they could be read by anyone who intercepts them. Practically speaking, intercepting an e-mail message is very difficult in most circumstances. The use of encryption software is not mandatory for all e-mail communications. However, the risk of interceptions and the options to encrypt messages should be discussed with any client you intend to e-mail. When information is extraordinarily sensitive, a lawyer should use, and advise the client to use, encryption software to help maintain confidentiality.

Unfortunately there are no universal standards for encryption of e-mail messages. Some e-mail programs can encrypt messages; as well, there are many different third party e-mail encryption programs. Verisign (www.verisign.com) and PGP Personal 8.0 (www.pgp.com) are among the more widely used. Others include FileAssurity (www.articsoft.com), SecExMail Personal (www.bytefusion.com), and CenturionMail 2.0 which integrates with Outlook (www.centurionsoft.com).

Web-based ZipLip (www.ziplip.com) and Hushmail (www.hushmail.com) offer on-the-fly message and file encryption. Both allow replies to be encrypted.

Don’t be fooled by phishing

Did you know that e-mails appearing to come from companies you trust might actually be from criminals trying to steal your money or identity? So-called ‘phishing’ e-mails have quickly become one of the most devastating scams on the Internet.

Phishing scams use spoofed (faked or hoax) e-mails and Web sites to trick you into providing your personal and financial information. By using the trusted brands and logos of online retailers, banks, or credit card companies, phishing scammers trick surprising numbers of people. The phishing e-mail directs users to visit a Web site where they are asked to update personal information, such as passwords, and credit card, social insurance and bank account numbers.

Legitimate companies will not ask you to update your personal information via an e-mail message. Don’t get tricked by phishing scams.

Spam filters

On a daily basis you undoubtedly receive unsolicited commercial e-mail, commonly known as spam. To combat spam, many firms use spam filters, which detect unsolicited and unwanted e-mail, and prevent those messages from getting into a user’s inbox. Like other types of filtering programs, spam filters use various criteria to identify spam messages. Simple filters will watch for particular words in the subject line or sender’s name, while more sophisticated filters attempt to identify spam through suspicious word patterns or word frequency. Anti-spam products also use blacklists, which intercept messages from recognized spammers; and whitelists, which let through messages only if they come from your personal list of recognized e-mail addresses.

Given that a significant proportion of spam messages also contain viruses or other malware, spam filters can also help protect your systems, and may prevent phishing scams from getting through.

While spam filters can significantly reduce the amount of spam you receive, they are not perfect. They will sometimes let spam through, and will sometimes block legitimate messages (these are called false positives). If you are using anti-spam software, you should scan blocked messages to ensure an important message wasn’t missed. You also need to consider whether messages you send to others were intercepted by anti-spam software.

Anti-spam software can be installed on e-mail servers and/or on desktop computers. Some e-mail programs include anti-spam features. Popular third-party anti-spam products include Norton’s antivirus software which includes anti-spam functionality (www.norton.com), SpamNet from Cloudmark (www.cloudmark.com), and Postini (www.postini.com).
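To make the filtering mechanisms described above concrete, here is an added Python example (not from the booklet or any product it names) that applies each of them in turn, a whitelist, a domain blacklist, subject-line keywords, suspicious phrases and a word-frequency check, to a handful of constructed messages. The last message, a legitimate notice about a free legal clinic, ends up quarantined: that is the false positive the text tells you to look for when reviewing blocked messages.

```python
"""Toy spam filter using the mechanisms described above: whitelist, blacklist,
subject-line keywords, suspicious phrases and word-frequency scoring."""
import re
from collections import Counter

# Constructed sample messages (not real mail). Fred007@aol.com is the generic
# client address mentioned earlier in the text; every other address is made up.
MESSAGES = [
    {"from": "Fred007@aol.com", "subject": "Re: closing documents",
     "body": "Dan, please see the attached draft of the agreement of purchase and sale."},
    {"from": "deals@cheap-pills.example", "subject": "FREE FREE FREE discount pills",
     "body": "buy now buy now buy now cheap pills free shipping"},
    {"from": "news@bulkmail.example", "subject": "Weekly specials",
     "body": "Great offers inside."},
    {"from": "partner@trustedfirm.example", "subject": "FREE seminar on estate planning",
     "body": "We are offering a free CLE seminar next month, please join us."},
    {"from": "alerts@accounts-verify.example", "subject": "Verify your account",
     "body": "Click here to update your password and account number now"},
    {"from": "clinic@community-legal.example", "subject": "FREE legal clinic at discount rates",
     "body": "We are hosting a free clinic on Saturday for tenants; please forward to interested clients."},
]

WHITELIST = {"fred007@aol.com", "partner@trustedfirm.example"}  # your recognized correspondents
BLACKLIST_DOMAINS = {"bulkmail.example"}                         # recognized spammers
SUBJECT_WORDS = {"free", "discount", "winner", "pills"}           # simple subject-line filter
SUSPICIOUS_PHRASES = ["buy now", "click here", "update your password", "account number"]
SPAM_THRESHOLD = 3                                               # score at or above this is quarantined

def words(text):
    return re.findall(r"[a-z]+", text.lower())

def repetition_ratio(text):
    """Share of the body taken by its single most frequent word (a word-frequency heuristic)."""
    ws = words(text)
    if len(ws) < 4:
        return 0.0
    return Counter(ws).most_common(1)[0][1] / len(ws)

def classify(msg):
    """Return (verdict, score, reasons) for one message; verdict is 'spam' or 'ham'."""
    sender = msg["from"].lower()
    domain = sender.rsplit("@", 1)[-1]
    if sender in WHITELIST:                 # whitelist wins: known correspondents always get through
        return "ham", 0, ["sender on whitelist"]
    if domain in BLACKLIST_DOMAINS:         # blacklist: known spam sources are dropped outright
        return "spam", SPAM_THRESHOLD, ["domain %s on blacklist" % domain]
    score, reasons = 0, []
    hits = SUBJECT_WORDS & set(words(msg["subject"]))
    if hits:                                # particular words in the subject line
        score += 2 * len(hits)
        reasons.append("subject words %s" % sorted(hits))
    body = msg["body"].lower()
    for phrase in SUSPICIOUS_PHRASES:       # suspicious word patterns in the body
        if phrase in body:
            score += 2
            reasons.append("phrase '%s'" % phrase)
    ratio = repetition_ratio(msg["body"])   # word frequency: one word dominating the body
    if ratio > 0.25:
        score += 3
        reasons.append("repetition ratio %.2f" % ratio)
    return ("spam" if score >= SPAM_THRESHOLD else "ham"), score, reasons

def triage(messages):
    """Split messages into an inbox and a quarantine that a person should review."""
    inbox, quarantine = [], []
    for msg in messages:
        verdict, score, reasons = classify(msg)
        (quarantine if verdict == "spam" else inbox).append((msg["from"], score, reasons))
    return inbox, quarantine

if __name__ == "__main__":
    inbox, quarantine = triage(MESSAGES)
    for label, items in (("INBOX", inbox), ("QUARANTINE (review for false positives)", quarantine)):
        print(label)
        for sender, score, reasons in items:
            print("  %-35s score=%-2d %s" % (sender, score, "; ".join(reasons)))
```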

E-mail savvy staff can help stop infections

Teaching your staff to avoid dangerous activities can also help reduce your exposure to potential infections. Employees should be taught to take great care in opening e-mail attachments, and not to open attachments that they are not expecting. Even if the message appears to be from someone they know, they should not open an unexpected attachment, because it is easy to fake or spoof the sender’s name. They should also be taught to take extreme care in downloading and running programs on their computers. Implementing a “no downloads rule” is the best protection.

Step #7 - Beware the dangers of metadata

Are you unwittingly sending confidential information to clients or opposing counsel? If you have e-mailed a Microsoft Word or Corel WordPerfect document to either, the answer to this question is likely yes. When you create and edit your Word or WordPerfect documents, information about you and the edits you make is automatically created and hidden within the document file. This information is called metadata. Metadata can be simply described as “data about data.” Think of it as a hidden level of extra information that is automatically created and embedded in a computer file.

On its Web site, Microsoft indicates that the following metadata may be stored in documents created in all versions of Word, Excel and PowerPoint:

  • your name and initials (or those of the person who created the file);
  • your firm or organization name;
  • the name of your computer;
  • the name of the local hard drive or network server where you saved the document
  • the name and type of the printer you printed the document on;
  • other file properties and summary information (see below);
  • non-visible portions of embedded OLE objects;
  • the names of previous document authors;
  • document revisions, including deleted text that is no longer visible on the screen;
  • document versions;
  • information about any template used to create the file;
  • hidden text, and
  • comments.

Similar (although less) metadata exists within WordPerfect files, and metadata security issues affect the documents created in most other software programs.

While some metadata can easily be viewed within the program that has created a file, in most circumstances hidden metadata can only be seen with special software. However, hidden metadata can become visible accidentally – for example, when WordPerfect opens and improperly converts a Word file, or when a corrupted file is opened. In these instances, both of which are quite possible in a law office, the normally visible text and hidden metadata can appear on a computer screen.

The problem with metadata, especially for lawyers, arises when people electronically share files as an attachment via e-mail, on a floppy disk or CD-ROM, over a network, or through an extranet. Electronic document files include both the information you see on the screen, and all the metadata you don’t see. This metadata can often be sensitive or confidential information, and can be potentially damaging or embarrassing if seen by the wrong eyes.

Metadata in Word

How can you view metadata in one of your Word documents? (WordPerfect users should jump ahead to “Metadata in WordPerfect,” on page 25.) Find and open a letter or agreement that you recently e-mailed to a client or opposing counsel. Click on File, then Properties. This opens the Properties dialog box, which contains a variety of summary type information about the file.

On the General tab you can see on which hard drive the document was stored, and the time and date it was created, last modified and viewed. On the Summary tab you can see the name of the author, your firm name, as well as the name of the template that was used to create the document.

The Statistics tab contains information about the size and structure of the document, including the Total editing time in minutes. This statistic is really the total amount of time the file was open on a computer, regardless of whether someone was editing it or not. What if a client saw this information, and the time indicated was significantly less than the amount of time you docketed for working on this document? This discrepancy could be completely justifiable, but you could find yourself explaining it to an upset client.

In WordPerfect you can see the basic file summary type of metadata you see in Microsoft Office documents by selecting File, then Properties.

WordPerfect also has a feature called Undo/Redo History. It can allow you to view hundreds of past changes in terms of what text was cut, copied and even deleted from the document. Open a WordPerfect document. Click on Edit, then Undo/Redo. This opens the Undo/Redo History dialog box which lists past changes to that document, assuming Undo/Redo is turned on. Click on the Options button, and then uncheck Save Undo/Redo items with document to turn it off. Look at some of your WordPerfect files to see if you can view summary metadata or the Undo/Redo History.

The danger of using existing documents as precedents

In many instances lawyers will adapt a document they created for a previous client. This makes perfect sense from an efficiency point of view. However, the text deleted from the original document can remain within the revised document. What would happen if your client sees confidential information about the client for whom the document was originally created, or if opposing counsel saw changes that were made in an agreement at the drafting or client review stage?

How do you remove metadata?

Being aware of metadata is just the start. You should also reduce or eliminate the metadata in your documents. Sending a fax or paper copy by regular mail would solve the problem, but will likely not be an option in many circumstances. If you want your client to review and edit a document, sending it electronically is the only practical option. In many cases, clients, opposing counsel and even the courts expect to receive documents electronically. There are a number of options to reduce or eliminate metadata from your documents.

Word, PowerPoint and Excel users should turn off the Fast Saves feature. To do this click on Tools, then Options, then the Save tab, and uncheck Allow fast saves. In older versions of Microsoft Office products it will be turned on by default. This feature lets a computer more quickly save a file by not removing deleted text.

If you use features such as tracked changes, document versions or comments, make sure you delete the information that is being kept within the document with these features.

Office XP includes some new features to help reduce the accidental disclosure of metadata. Even more features are included in Word 2003 and the other Office 2003 applications. They now include a Security tab in the Options dialog box (select Tools, then Options to view this tab). You can specify that some metadata not be saved in a document in this dialog box. The Information Rights Management feature in Office 2003 can also be used to reduce paper trail types of metadata being stored within documents.

Converting files to PDF format with Adobe Acrobat or other PDF creators will usually strip out most metadata. For this reason, many firms have adopted a practice of sending only locked PDF documents to clients or opposing counsel, especially if the recipient doesn’t need to edit the document.

While converting a file to PDF format will help strip out metadata from the original document, remember that PDF files can also contain their own metadata. Select File, then Document Properties to view the summary metadata information within a PDF file. In this same dialog box you can add further restrictions on how the document can be accessed, used, copied and printed in the Security Options settings.

If you want the recipient to edit the document, send it in its native format, but without metadata. Several programs can help identify and clean metadata from your documents. Microsoft’s Remove Hidden Data Add-In permanently removes hidden and collaboration data, such as change tracking and comments, from Word, Excel, and PowerPoint files in Office XP and Office 2003 only.

For Word, Excel and PowerPoint documents, one of the most widely used metadata scrubbers is the Metadata Assistant, sold by Payne Consulting Group (www.payneconsulting.com) for US$79. Other metadata removal programs for the Microsoft suite of products include: Out-of-Sight (www.softwise.net); ezClean (www.kkl.com); Workshare Protect (www.workshare.net); and iScrub (www.esqinc.com), which integrates with Microsoft Outlook and will prompt a user to clean an outgoing attachment.

Unfortunately there is no software program that easily and automatically removes metadata from WordPerfect documents.
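The tools listed above handle the binary Word format of the day. As an added example that is not from the booklet, and that goes beyond it to the XML-in-a-zip .docx format Word has used since 2007, the Python script below builds a constructed sample document containing the kinds of metadata listed earlier (author, last editor, firm name, template, total editing time, deleted tracked-change text, hidden text and a comment), reports what a recipient could dig out of it, and writes a scrubbed copy that keeps only the on-screen text. All firm, people, client and template names in the sample are hypothetical.

```python
"""Audit and scrub .docx metadata: author, firm, template, editing time, deleted and hidden text, comments."""
import io, zipfile
import xml.etree.ElementTree as ET

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
      "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main"}
for _p in ("cp", "dc", "w"):
    ET.register_namespace(_p, NS[_p])      # keep the usual prefixes when re-serializing

def q(prefix, tag):
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (NS[prefix], tag)

# Constructed document parts; firm, people, client and template names are hypothetical.
CORE_XML = ('<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}"><dc:creator>A. Lawyer</dc:creator>'
            '<cp:lastModifiedBy>J. Clerk</cp:lastModifiedBy><cp:revision>14</cp:revision>'
            '</cp:coreProperties>').format(**NS)
APP_XML = ('<Properties xmlns="{ep}"><Company>Example Law LLP</Company>'
           '<Template>retainer.dotx</Template><TotalTime>37</TotalTime></Properties>').format(**NS)
DOC_XML = ('<w:document xmlns:w="{w}"><w:body><w:p>'
           '<w:r><w:t>This agreement is made between Example Law LLP and </w:t></w:r>'
           '<w:del w:author="A. Lawyer"><w:r><w:delText>Previous Client Inc.</w:delText></w:r></w:del>'
           '<w:ins w:author="J. Clerk"><w:r><w:t>New Client Ltd.</w:t></w:r></w:ins>'
           '<w:r><w:rPr><w:vanish/></w:rPr><w:t>note to self: fee is negotiable</w:t></w:r>'
           '<w:commentRangeStart w:id="0"/><w:r><w:t>.</w:t></w:r><w:commentRangeEnd w:id="0"/>'
           '</w:p></w:body></w:document>').format(**NS)
COMMENTS_XML = ('<w:comments xmlns:w="{w}"><w:comment w:id="0" w:author="A. Lawyer"><w:p><w:r>'
                '<w:t>Check for a conflict with Previous Client Inc.</w:t></w:r></w:p></w:comment>'
                '</w:comments>').format(**NS)
PARTS = (("docProps/core.xml", CORE_XML), ("docProps/app.xml", APP_XML),
         ("word/document.xml", DOC_XML), ("word/comments.xml", COMMENTS_XML))

def build_sample():
    """Pack the constructed parts into an in-memory .docx (a zip of XML parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in PARTS:
            z.writestr(name, xml)
    return buf.getvalue()

def text_of(el):
    return "".join(t.text or "" for t in el.iter(q("w", "t")))   # concatenated w:t text

def is_hidden(el):
    """True for a w:r run formatted as hidden text (w:vanish)."""
    return el.tag == q("w", "r") and el.find("./%s/%s" % (q("w", "rPr"), q("w", "vanish"))) is not None

def visible_text(docx_bytes):
    """w:t text of the main part; after scrub(), this is exactly what shows on screen."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return text_of(ET.fromstring(z.read("word/document.xml")))

def audit(docx_bytes):
    """Return the metadata a recipient could dig out of the file."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core, app, doc = (ET.fromstring(z.read(n)) for n, _ in PARTS[:3])
        has_comments = "word/comments.xml" in z.namelist()
        comments = list(ET.fromstring(z.read("word/comments.xml")).iter(q("w", "comment"))) if has_comments else []
    return {"creator": core.findtext(q("dc", "creator")),
            "last_modified_by": core.findtext(q("cp", "lastModifiedBy")),
            "company": app.findtext(q("ep", "Company")),
            "template": app.findtext(q("ep", "Template")),
            "total_editing_minutes": app.findtext(q("ep", "TotalTime")),
            "deleted_text": [d.text for d in doc.iter(q("w", "delText"))],
            "hidden_text": [text_of(r) for r in doc.iter(q("w", "r")) if is_hidden(r)],
            "comments": [text_of(c) for c in comments],
            "authors": {el.get(q("w", "author")) for el in list(doc.iter()) + comments
                        if el.get(q("w", "author"))}}

def strip_document(root):
    """Keep on-screen text; drop deletions, tracked-change wrappers, hidden runs and comment anchors."""
    parents = {c: p for p in root.iter() for c in p}
    for ins in list(root.iter(q("w", "ins"))):        # keep inserted runs, lose the wrapper
        p, idx = parents[ins], list(parents[ins]).index(ins)
        p.remove(ins)
        for i, child in enumerate(list(ins)):
            p.insert(idx + i, child)
    parents = {c: p for p in root.iter() for c in p}  # rebuild after reparenting
    drop = {q("w", t) for t in ("del", "commentRangeStart", "commentRangeEnd", "commentReference")}
    for el in list(root.iter()):
        if el.tag in drop or is_hidden(el):
            parents[el].remove(el)

def scrub(docx_bytes):
    """Return a copy of the .docx with identifying properties and hidden content removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if name == "word/comments.xml":           # drop the comments part entirely
                continue
            data = src.read(name)
            if name in ("docProps/core.xml", "docProps/app.xml", "word/document.xml"):
                root, default = ET.fromstring(data), None
                if name == "docProps/core.xml":       # blank out author and last editor
                    for el in root.findall(q("dc", "creator")) + root.findall(q("cp", "lastModifiedBy")):
                        el.text = ""
                elif name == "docProps/app.xml":      # remove firm, template and editing time
                    for tag in ("Company", "Template", "TotalTime"):
                        for el in root.findall(q("ep", tag)):
                            root.remove(el)
                    default = NS["ep"]
                else:
                    strip_document(root)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True, default_namespace=default)
            dst.writestr(name, data)
    return out.getvalue()
```

A real .docx also references word/comments.xml from word/_rels/document.xml.rels and [Content_Types].xml, so a scrubber for real files must remove those entries as well; the sample here has only the four parts shown.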

For more information on metadata, see the following resources:

  • Word, Excel and PowerPoint users should visit the Microsoft support page at http://support.microsoft.com/. For more detailed information on removing metadata from Word 97, 2000 or 2002, see respectively, Knowledge Base articles 223790, 237361 or 290945.
  • WordPerfect users should visit the Corel knowledge base at http://support.corel.com/ and search for “minimizing metadata.”


Step #8 - Lock down and protect your data, wherever it is

Gone are the days when you had to worry about only one copy of each document, which you could easily secure by keeping it locked up in a file cabinet. Today, client data exists in electronic form in many different places inside and outside your office. You need to know where that data exists, who can access it, and what steps should be taken to secure and protect it.

Access to servers, routers and phone switches

Protecting your server and other key telecommunications equipment such as routers and phone switches starts with physical security. Intruders who have physical access to a server can get direct access to files and data on the server’s hard drives, enabling them to extract usernames and passwords of every user on the system, destroy data, or give themselves a backdoor for accessing the server remotely. Even curious employees who want to change settings can unintentionally cause serious problems. Lock up your servers and other key telecommunications equipment to protect them from unauthorized access.

Access to individual computers

To protect information on them and on the network, every computer in a law office should be configured to require a password at startup. Without this password, it is more difficult to access the data on the hard drive. Although all versions of Windows accommodate this requirement, Windows 98 users should note that a login password will not protect data on a computer, as simply pressing the Esc key will bypass the login and give you full access to the hard drive.

Put a password on your screensaver

Activating a password-protected screensaver is a simple and very effective way to prevent an unauthorized user from rifling through the files of a computer that has been inadvertently left logged on. All versions of Windows include password-protected screensavers.

To activate this feature, click on Start and select Settings to open the Control Panel. Click on the Display icon, and select the Screensaver tab. Check the Password protected checkbox, enter a password, and set a Wait time that is appropriate for you. This is the amount of time the computer will wait after keyboard activity ceases before starting the screensaver. Once started, you require the password to exit the screensaver.

Access across a network

Anyone who has worked on a computer network will recognize that they have the ability to access computer files on another computer in the office, usually a central server. How does this work? The hard drive on a server contains various computer files and folders. To be seen and accessed across a network, folders and files on the server must be configured to be shared. To control access to files or folders (and all the files in them), the level of sharing and access can be limited, by either individual users or groups of users. Files and folders that are not shared can’t be seen or accessed across a network. For example, you might give litigation staff read-only access to the folder with firm precedents so they can access them, but can’t change them. You might limit access to folders with payroll information to your bookkeeper and managing partner. Client work product would go in a folder to which all staff had access.

The configuration of servers and networks will vary from office to office. Take time to understand what information is stored on your servers, and who has access to that information. Configure your network shares and access rights so that access to sensitive information is limited or prevented. Remember that privacy legislation requires that you limit access to some types of personal information on a need-to-know basis.

Your desktop or laptop computer can act like a server in some cases, and content on your hard drive could be accessed by someone across a network, or from the Internet. To prevent this from happening you need to make sure that File and Printer Sharing is turned off on your computer.

Encryption of sensitive files

Many software products, including Word and WordPerfect, contain a feature that will let you password protect documents. Although this feature may prevent casual users from accessing password-protected documents, this type of password protection is easily circumvented. For files that contain extremely sensitive information, you may consider encryption. Encryption tools act as ciphers, converting information into secret code that can only be accessed with a password.

Windows 2000, NT, and XP have built-in functionality for encrypting files, but only on NTFS formatted hard drives. This offers some protection, although some software tools can decode NTFS-encrypted hard drives. Other file encryption products that are more effective than NTFS are listed in the next section.

Data on laptops and other portable devices

Laptops and personal data assistants (PDAs) contain large amounts of confidential client and personal information: They are also easily lost or stolen. As a first line of defense you can enable the built-in password protection on these devices. Although this should protect the data on them from the average thief, someone with specialized knowledge can bypass these built-in password-protection features.

For an extra level of security for laptops, consider using: PGP Personal 8.0 (www.pgp.com), PointSec for PC (www.pointsec.com); SafeGuard Easy (www.safeguardeasy.com); or SecureDoc (www.winmagic.com).

To encrypt the data on PDAs, the most widely used products include: PDADefense (www.pdadefense.com); PDASecure (www.trustdigital.com); PointSec for Palm (www.pointsec.com); SafeGuard PDA (www.safeguardeasy.com); or TealLock Corporate (www.tealpoint.com).

Never leave your laptop unattended in a public place. To be less of a target for theft, use a briefcase or bag that does not look like a standard laptop bag. Inexpensive cable locks from Targus (www.targus.com) and others may deter the casual thief, but are no obstacle for a determined thief with cable cutters.

E-mail encryption

E-mail messages carry confidential information outside your office and can, at least in theory, be intercepted. Encryption can prevent intercepted e-mail messages from being read, and is reviewed in more detail on page 20.

Deleted doesn’t mean deleted

It’s a misconception that deleted files are gone for good. In fact, deleted files are easy to recover using widely available forensic recovery tools. Even reformatting or repartitioning a hard drive will not completely destroy all the data on it.

This is an issue if you are sending your computer equipment outside the office for repair, or donating your computers to charity or a local school where a classroom of technology savvy students will be itching to recover your data.

To address this issue, you can use specialized software that will “scrub” all data from a hard drive so that it is not recoverable. WipeDrive (www.accessdata.com) is a widely used scrubber. Eraser 5.7 (www.heidi.ie), is a free download and is also a good scrubber. Physically destroying a hard drive with a hammer is the free and low-tech option.

Because the same forensic technology can also restore deleted files on floppy disks, you should always use new floppies when sending data outside your firm.

Remote access

Although a bonus for lawyers who want to work and access data when not in the office, remote access creates opportunities for breaches of confidentiality.

Virtual private networks or VPNs can make remote access more secure. A VPN is a network connection constructed by connecting computers together over the Internet and encrypting their communications so that intercepted data is incomprehensible. VPNs are secure and fast, but are expensive and hard to configure. Windows Terminal Server, which is free with Windows, will allow remote connections and is easy to set up, but is slower and less secure than a VPN.

Accessing your e-mail or network from a public computer

If you rely on Internet cafés, library terminals, or other public computers, be aware that you are likely leaving behind passwords, your surfing history, data in temporary files, cookies and other personal information at each machine you use. Products such as P.I. Protector Mobility Suite 2.0 (www.imaginelan.com) protect against this. The program, which you install on a USB flashdrive or other portable device, creates a portable identity on that device, including your e-mail data. The Protector program then accesses the Internet through the flashdrive or other device, and stores all sensitive information on it. As a result, you can use public computers without leaving a trace.

Be aware of data theft with thumbdrives

Tiny, high-capacity USB drives or thumbdrives have become the new floppies. A combination of three things makes them a security concern: (1) they are very easy to use, (2) they are compact, lightweight and ultra-portable, and (3) they can store huge amounts of information. They are, in other words, the perfect tool for a disgruntled or soon-to-be ex-employee who plans to easily and quickly steal firm data.

How do you protect yourself? Make sure you have appropriate security and access rights to the confidential client and firm information on your firm’s computers and servers. Auditing file access may help you spot someone who is accessing information they should not. Consider disabling USB ports on all firm computers. Lastly, take extra care with employees who may be leaving the firm. (See page 48)

Off site storage

Storing electronic data with a third party raises a number of obligations to safeguard client property and confidentiality. These concerns also apply to data that is being backed up over the Web, or to matter documents that are being stored on a Web site for collaboration purposes.

Contracts with any third party who holds confidential client information should address the relevant security issues, including specific provisions requiring that all information be properly stored and secured against inappropriate access. This can and should include password-controlled access and encryption of the information. Where possible, encrypt the data yourself before it leaves your office, with a key that only the firm holds; the vendor then stores material it cannot read, and a breach at the vendor or a curious vendor employee cannot expose client information. Antivirus software should be in use at the vendor as well. The third party should also indicate how its facility is prepared for a disaster, that adequate backup systems are in place, and what its contingency plans are if an emergency or disaster makes its primary facility unavailable. Test a restore from the vendor periodically: a backup you have never restored is an assumption, not a safeguard. These measures help ensure that your clients' information is protected, and that you will have access to it when needed.
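The following is an added example, not part of the original booklet, of encrypting a file under the firm's own passphrase before it is sent to an off-site storage or backup vendor, and of checking on restore that the file has not been altered while out of your hands. It uses the cryptography built into Windows (AES-256 with a key derived from the passphrase by PBKDF2-SHA256, and an HMAC-SHA256 integrity tag over the salt, IV and ciphertext). It needs Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7. The file names in the usage lines are assumptions.

```powershell
# Added example: encrypt-before-upload so the vendor only ever holds ciphertext,
# and verify integrity before decrypting what comes back.
# Format of the protected file: 16-byte salt | 16-byte IV | ciphertext | 32-byte HMAC

function Get-OffsiteKeys {
    param([securestring]$Passphrase, [byte[]]$Salt)
    $pw  = [System.Net.NetworkCredential]::new('', $Passphrase).Password
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
               $pw, $Salt, 600000, [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    # First 32 derived bytes encrypt, the next 32 authenticate: one key is never used for both.
    @{ Enc = $kdf.GetBytes(32); Mac = $kdf.GetBytes(32) }
}

function Get-Slice([byte[]]$Bytes, [int]$Offset, [int]$Count) {
    $out = [byte[]]::new($Count)
    [System.Array]::Copy($Bytes, $Offset, $out, 0, $Count)
    $out
}

function Protect-OffsiteFile {
    param([string]$Path, [string]$OutPath, [securestring]$Passphrase)
    $salt = [byte[]]::new(16)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $keys = Get-OffsiteKeys $Passphrase $salt

    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC mode, PKCS7 padding by default
    $aes.Key = $keys.Enc
    $aes.GenerateIV()                                     # fresh random IV for every file
    $plain  = [System.IO.File]::ReadAllBytes($Path)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    # The tag covers salt, IV and ciphertext, so any change made in storage is detected.
    $body = [byte[]]($salt + $aes.IV + $cipher)
    $tag  = [System.Security.Cryptography.HMACSHA256]::new($keys.Mac).ComputeHash($body)
    [System.IO.File]::WriteAllBytes($OutPath, [byte[]]($body + $tag))
}

function Unprotect-OffsiteFile {
    param([string]$Path, [string]$OutPath, [securestring]$Passphrase)
    $blob = [System.IO.File]::ReadAllBytes($Path)
    $n    = $blob.Length
    if ($n -lt 80) { throw "File too short to be a protected file." }
    $salt   = Get-Slice $blob 0 16
    $iv     = Get-Slice $blob 16 16
    $body   = Get-Slice $blob 0 ($n - 32)        # salt + IV + ciphertext
    $cipher = Get-Slice $blob 32 ($n - 64)
    $tag    = Get-Slice $blob ($n - 32) 32
    $keys   = Get-OffsiteKeys $Passphrase $salt

    # Verify before decrypting. All 32 bytes are compared whatever the result,
    # so the comparison time does not reveal where a forged tag first differs.
    $expected = [System.Security.Cryptography.HMACSHA256]::new($keys.Mac).ComputeHash($body)
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw "Integrity check failed: wrong passphrase or file altered in storage." }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $keys.Enc
    $aes.IV  = $iv
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.IO.File]::WriteAllBytes($OutPath, $plain)
}

# Usage (paths are assumptions). Only the .enc file is sent to the vendor.
$pass = Read-Host -AsSecureString 'Passphrase for off-site copy'
Protect-OffsiteFile   -Path 'C:\Matters\Smith\retainer.docx' -OutPath 'C:\Offsite\retainer.docx.enc' -Passphrase $pass
Unprotect-OffsiteFile -Path 'C:\Offsite\retainer.docx.enc'   -OutPath 'C:\Restore\retainer.docx'     -Passphrase $pass
```

The passphrase, not the vendor, is now the thing that protects the data: if it is lost the files are unrecoverable, so record it in the firm's password manager or another place that survives the loss of the office itself. The passphrase is briefly held as a plain string while keys are derived, which is unavoidable with this API; the script never writes it to disk.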

List serves and chat rooms

Through list serves, chat rooms and other virtual electronic communities, the Internet has created new ways to meet and mingle with others, including potential clients.

List serves, sometimes called e-mail lists, let you interact with dozens, hundreds or even thousands of other people. A list serve is really nothing more than a group of people who share one e-mail address. You reach everyone on the list by sending an e-mail message to that address; the list serve software receives the message and automatically forwards it to every subscriber. Replies are usually sent to the entire list as well, so a "reply" you intended for one person may go to thousands. In effect, this allows a large group conversation via e-mail.

Chat rooms are sometimes also called "online forums," although a forum is usually a slower-paced message board whose posts remain visible long afterwards. A chat room is simply a page on a Web site or online service where people "chat" with each other by typing messages on their computers. The messages are displayed almost instantly on the screens of everyone in the same "chat room," and you can see all of the conversations taking place at once on your screen.

Saying something in a message posted to a list serve or in a chat room conversation is the same as blurting it out in an elevator or at a meeting, with one difference: many list serves and forums keep public, searchable archives, so the remark can be found by anyone, including an opposing party, years later. All obligations of confidentiality still apply. Be aware of this and do not disclose confidential information, or details that would let a reader identify a client, on a list serve or in a chat room.

Summary

LAWPRO encourages you to proactively protect the security and privacy of the electronic information in your offices – not only to comply with the Rules of Professional Conduct and privacy legislation, but also to safeguard the viability and integrity of your practice.

A failure to protect the electronic data in your office could have disastrous consequences. This could include an embarrassing release of sensitive information, a malpractice claim, a complaint to the Law Society, or the theft of your personal or firm identity. At the very least, the theft, loss, or destruction of client- or practice-related data will be disruptive to both you and your practice. In the extreme case, it could cause your practice to fail.

Take time to understand where the risks are. Implement office management practices and appropriate technology to ensure all your data remains confidential and secure.

Carefully review and implement the suggestions and steps outlined in this booklet. Seek outside, knowledgeable help if necessary. It is relatively easy and inexpensive to protect yourself from the common threats. Acting now to protect yourself from the most common threats could help you avoid having to spend time and money dealing with security compromises.

In next month's article we will cover the final five steps that you must take to protect the security and privacy of your data, including:

Step #9 Harden your wireless connections
Step #10 Learn how to safely surf the Web
Step #11 Change key default settings
Step #12 Implement a technology use policy
Step #13 A backup can save your practice

Appendix 1 lists other resources that can help you secure the electronic data in your office.

Appendix 1

Other resources

Web sites

PC Magazine Security Watch page – www.pcmag.com/security
Various articles on security issues, and reviews of security related technology products.

Urban Legends Site Computer page – www.snopes.com/computer
An easy to use listing of current virus threats and hoaxes.

Symantec Home Page – www.symantec.com
Current information on the latest threats, list of known viruses, and information on how to repair and clean infected computers.

Consumer Web Watch – www.consumerwebwatch.org
A good page from Consumer Reports people for current news and information about Web-related security issues.

eBay Security and Resolution Centre – http://pages.ebay.ca/securitycentre/
Helpful information on avoiding online auction fraud and identity theft.

Senseient Publications Page – www.senseient.com
See the Publications Page for detailed articles on a variety of law firm related security and forensics issues.

Test your password strength – www.securitystats.com/tools/password.php
Test the strength of your passwords, and get suggestions on how to make them stronger. Never type a password you actually use into any Web site other than the one it belongs to; test a password of the same style and length instead.

Tips For Troubleshooting Computer Problems
www.lawpro.ca/lawpro/Computer_troubleshooting.pdf
practicePRO article on steps to take to troubleshoot computer problems.

LSUC Practice Management Guidelines – www.lsuc.on.ca/services/pmg_tech.jsp
Guidelines to assist lawyers in conducting various aspects of legal work, including management of files and client information.

ABA’s Law Practice Management Webzine – www.lawpracticetoday.org
General articles on legal technology and other LPM issues.

Office of Privacy Commissioner of Canada – www.privcom.gc.ca
Information on complying with PIPEDA.

Magazines

Smart Computing Magazine – www.smartcomputing.com
Great magazine for basic information on all types of technology.

Law Office Computing Magazine – www.lawofficecomputing.com
Great magazine for legal technology articles and product reviews.

Books

Computer Security for the Home and Small Office by Thomas C. Greene.
Covers many of the topics covered in this booklet in more detail. 405 p. Apress, 2004.

Information Security: A Legal, Business, and Technical Handbook by Kimberly Kiefer, Stephen Wu, Ben Wilson and Randy Sabett. 82 p. American Bar Association, 2003; www.ababooks.org. This book reviews security threats, includes information on security best practices and how to respond to security incidents, and provides standards, guidelines and best-practice precedents.

This booklet was prepared for the Lawyers’ Professional Indemnity Company (LAWPRO®) by Daniel E. Pinnington, Director, practicePRO, LAWPRO (dan.pinnington@lawpro.ca).