American Bar Association

Law Practice Today

  Best of TECHSHOW

Securing Your Clients' Data While On the Road

October 2008

This "Best of ABA TECHSHOW" article was originally presented at ABA TECHSHOW 2008, the World's Premier Legal Technology Conference. It's just one example of the terrific content offered at TECHSHOW by more than 50 legal technology experts. ABA TECHSHOW 2009 will be held April 2-4, 2009 at the Hilton Chicago.

To learn more about ABA TECHSHOW and register for the 2009 conference, just click the banner below.

ABA TECHSHOW 2009

Whether you are traveling across the country or globally, securing client data is a critical task. These recommendations offer best practices on ways to keep client communication safe, no matter where you are going or how you are storing information.

Mobile technology is a necessity for most attorneys today, including technologies such as laptops, mobile devices (PDAs, smart phones, etc.), portable storage (external hard drives, USB drives, DVDs and CDs, etc.), and remote access. It is easier today than ever before for attorneys to take their offices on the road – to clients’ locations, courtrooms, hotel rooms, and attorneys’ homes. This technology provides great benefits for attorneys, but it also presents great risk. Laptops, mobile devices and portable media can be easily lost, stolen or compromised. This can result in breaches of confidentiality or loss of data.

It has been reported that as many as 10% of laptops used by American businesses are stolen during their useful lives and 97% of them are never recovered. An August 2007 survey reports that 70% of data breaches result from the loss or theft of off-network equipment. The most common devices involved are laptops and PDAs, followed closely by USB drives.

Mobile technology also faces the same threats as other components of information systems, including insiders, hackers, software vulnerabilities, viruses and worms, Trojan horses, spyware, rootkits, and more. Many of them can compromise confidential information or lead to loss of important information.

The Computer Security Resource Center of the National Institute of Standards and Technology lists the following as the major security issues with mobile devices:

  • Because of their small size, handheld devices may be misplaced, left unattended, or stolen.
  • User authentication may be disabled, a common default mode, divulging the contents of the device to anyone who possesses it.
  • Even if user authentication is enabled, the authentication mechanism may be weak or easily circumvented.
  • Wireless transmissions may be intercepted and, if unencrypted or encrypted under a flawed protocol, their contents made known.
  • The ease with which handheld devices can be interconnected wirelessly, combined with weak or no authentication of the parties involved, provides new avenues for the introduction of viruses or other types of malicious code, and also other forms of attack such as a man-in-the-middle attack.

The duty of confidentiality is arguably one of an attorney’s most important ethical responsibilities. This duty extends to confidential data in information systems, computers, and networks, including mobile technology. Attorneys have an ethical obligation to act competently and reasonably to safeguard client information and confidences, including electronic data. The challenge for attorneys, in practice, is determining what information security measures are reasonable and necessary to comply with these general requirements. Beyond these ethical obligations, appropriate information security is an essential part of sound business and professional practice.

 

1. INFORMATION SECURITY BASICS

As a starting point, there is no such thing as absolute or perfect information security. The challenge is to provide a reasonable level of security to protect against anticipated threats.

Information security is a process which includes people, procedures and technology. It is sometimes viewed too narrowly as only a technology issue. The goal of information security is to protect information systems, including the systems and the data in them, in order to ensure availability, integrity and confidentiality.

Information security should be implemented through an information security program which includes a written policy. The program and policy should expressly cover laptops, mobile devices and portable media. An information security program should be part of an enterprise security program which addresses a broader range of issues, including physical security. If physical security for information systems is not addressed in another program, it should be addressed as a key part of an information security program.

An information security program should start with a risk assessment, followed by design and implementation of a program to address identified risks.

A risk assessment is a necessary first step in implementing an information security program. First, it is necessary to conduct an inventory of information assets which need to be protected, including mobile technology. The data should be classified to determine appropriate levels of protection for different kinds of information. Reasonably anticipated threats must be identified and measures must be designed and implemented to guard against them. It is important to view information security as an ongoing process which is only as strong as its weakest link.

A critical part of implementation of an information security program is initial training, followed by training on an ongoing basis. An effective program also requires monitoring, auditing and updating.

 

2. LAPTOP SECURITY

A particular area of current concern is security of laptops. There have been a number of recent high profile incidents in which confidential data has been compromised by theft or loss of laptops from businesses, accounting firms, nonprofits, and government agencies. As noted above, the August 2007 survey reports that 70% of data breaches are from loss or theft of laptops and other mobile devices and media.

As a starting point, laptops should be protected by the basic security measures which apply to all computers. These basic steps for securing personal computers, whether at home, in a law office, or on the road, are:

 

  • Install and Use Security Software, Including Anti-Virus Programs, a Firewall and Spyware Protection – Keep them Current with Updates.
  • Keep Your System Patched.
  • Use Care With E-mail Attachments and Embedded Links.
  • Make Backups of Important Files and Folders.
  • Use Strong Passwords, Passphrases, or Other Authentication.
  • Use Care When Downloading and Installing Programs.
  • Install and Use a Hardware Firewall.
  • Install and Use a File Encryption Program.
  • Configure the Operating System, Internet Browser, and Other Software in a Secure Manner.
  • Operate in a User Account Without Administrator Access for Routine Use.

Adapted from (a) Home Computer Security, available at http://www.cert.org/ by clicking on “publications and security documents,” (b) Internet Security Alliance, Common Sense Guide for Home and Individual Users (2003), and (c) Internet Security Alliance, Common Sense Guide for Small Businesses (2004), both available at www.isalliance.org, by clicking on “Cyber-Security Guides.” Details of these steps are covered in these publications and are not repeated here.

For the last several years, the major security software vendors have started to offer security suites which include several integrated products, like antivirus, software firewalls, spyware protection, and spam filters. Some of them include advanced features like rootkit protection and basic intrusion protection systems. They offer the advantage of having a single integrated product which is easier to install, configure, and keep up to date.

The major security software providers now offer products to protect mobile devices. Some examples include McAfee Mobile Security, Symantec Mobile Security, F-Secure Mobile Security, Kaspersky Anti-Virus Mobile, and Trend Micro Mobile Security.

These basic security measures should be a minimum for law firm computers – both desktop and laptops.

Some additional recommendations for protecting laptops include:

  • Don’t store unnecessary confidential information on a laptop.
  • Use strong authentication – preferably two-factor.
  • Encrypt your data.
  • Never leave access numbers, passwords, or security devices in your carrying case.
  • Back up important data.
  • Consider using a laptop tracking and wiping program.
  • Provide for physical security of the laptop, including:
      • Carry your laptop with you.
      • Keep your eye on your laptop.
      • Avoid setting your laptop on the floor.
      • Use a laptop security device.
      • Use engraving or an asset tag to identify the owner.
      • Use a screen guard.
      • Avoid using computer bags.
      • Watch your laptop when going through airport security.
      • Avoid leaving a laptop in view in a parked car.
      • Try not to leave your laptop in your hotel room or with the front desk.

Similar security measures should be employed for mobile devices, like PDAs and cell phones, and for portable media, like USB drives, external hard drives, CDs and DVDs.

For additional information, see Microsoft, “9 Ways to Increase the Security of Your Laptop While on the Road,” available at www.microsoft.com/atwork/stayconnected/laptopsecurity.mspx; Microsoft’s 5 Minute Security Advisor – The Road Warrior’s Guide to Laptop Security, available at http://tinyurl.com/kdo9l; Microsoft’s How to Protect Your Laptop from Thieves, at http://tinyurl.com/jqgy3; LabMice.net, “Laptop Security Guidelines” (last updated December 2003), available at http://labmice.techtarget.com/articles/laptopsecurity.htm; T. Mighell, “A Road Warriors Guide to Mobile Security,” Law Practice Magazine (July/August 2006); and E. Freedman, R. Trautz, and J. Calloway, “A Lawyer’s Guide to Mobile Computer Security,” Immigration Law Today (January/February 2007).

After the high profile theft of a Department of Veterans Affairs laptop containing personal information on over 28 million veterans in 2006, the Office of Management and Budget issued security guidelines for federal agencies, including the requirement of encryption of all data on laptops and handhelds, unless it is classified as “non-sensitive,” and two-factor authentication (like a password and a physical device) and automatic timed logoff for remote access to databases. OMB Memorandum dated June 23, 2006, available at www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf. These are now becoming standard information security measures.

Laptop tracking programs are available to report the location of lost or stolen laptops to security centers when the laptops are connected to the Internet. Some examples include Computrace (consumer and small business version LoJack for Laptops), CyberAngel and zTrace. Some of these programs include remote wiping of the data on a laptop if it is reported as lost or stolen. Iron Mountain offers a PC Data Protection Suite, which includes threat detection and monitoring, backup, encryption, and data destruction (which can be triggered by multiple entries of an incorrect password or failure to contact the network for a prescribed period of time). Orbicule has a product for Macs which repeatedly transmits network information, screenshots, and photos from the laptop’s built-in camera, after a laptop is stolen. It then makes the laptop malfunction and displays a message that it has been stolen when it is connected to a different network.

Laptop tracking software led to the arrest of a thief who allegedly engaged in a multistate campaign of stealing and selling laptops over a 5-year period. Two of his victims were law firms.

 

3. ENCRYPTION

While encryption is not yet universally used, it is becoming a standard security measure to protect data on laptops and portable media against unauthorized access. Encryption is a process which translates electronic data into a form that cannot be read without a decryption key. Anyone trying to read or view the data must use the decryption key to make it readable. A lost or stolen laptop, USB drive, or backup tape which is encrypted is protected unless the decryption key has also been compromised. There are two basic approaches to encrypting data on hard drives – full disk encryption and limited encryption. As its name suggests, full disk encryption protects the entire hard drive. It automatically encrypts everything and provides decrypted access when an authorized user properly logs in. Limited encryption protects only specified files or folders or a part of the drive. With limited encryption, the user has to elect to encrypt the specific data.

Some commonly-used third party encryption software products for hard drives include those offered by PGP Corporation, SafeBoot (now owned by McAfee), Pointsec (now owned by Check Point), Guardian Edge, and Utimaco. Some of them also offer encryption for portable devices and drives. Individual USB drives with encryption capability are also available, like the KanguruMicro and the SanDisk Cruzer Professional and Cruzer Enterprise. Seagate is now offering hard drives which have full disk encryption built in. Intel is expected to have chip-based hardware encryption available in the second half of 2008. Some observers believe that hardware-based encryption, either disk-based or chip-based, will ultimately replace software encryption products.

Since most encryption programs are tied to a user’s password, secure passwords or passphrases are critical and a forgotten password can lead to lost data. Automatic logoff, after a specified time, is critical so that unencrypted data will not be exposed if a user goes away from a computer or forgets to turn it off. In an enterprise environment, like a law firm, administrator access, ability to reset passwords, and key recovery are essential. Installing encryption and administering it, particularly in a large enterprise, can be a challenge.

Windows XP Professional and some earlier versions of Windows include an encryption function called Encrypting File System (EFS). It allows encryption of files and folders. An authorized user who is logged on has access to decrypted data. It is encrypted and unreadable to anyone else (unless they can defeat the log-on process). EFS in Windows XP is reportedly susceptible to certain kinds of attacks.

Windows Vista Enterprise and Ultimate include an enhanced EFS. They also include a new encryption feature called BitLocker. BitLocker works below the operating system and encrypts an entire volume on the hard drive. BitLocker requires either a computer which is equipped with a Trusted Platform Module (TPM) chip on the motherboard or use of an external USB drive to hold the decryption key. If an intruder gets access to a USB key, the encryption can be defeated. Because BitLocker is new, current online references should be reviewed before deciding to use it. In addition, setup of both EFS and BitLocker is a fairly technical process. For most attorneys, it will be necessary to obtain technical assistance to implement them.

For more information on EFS and BitLocker, see, TechRepublic, “Prevent Data Theft With Windows Vista’s Encrypted File System (EFS) and BitLocker” (February 2007), available at http://tinyurl.com/3a2wyj; Microsoft, “Encrypt Your Data With Windows XP Professional” (December 2005), available at http://tinyurl.com/8gzo6; Microsoft, “How To Encrypt a File in Windows XP” (July 2004), available at http://support.microsoft.com/kb/307877; and Microsoft, “Windows BitLocker Drive Encryption Step-by-Step Guide” (April 2007), available at http://tinyurl.com/y2m9ld.

As noted above, after the theft of a Department of Veterans Affairs laptop containing personal information on over 28 million veterans, the Office of Management and Budget, in June 2006, issued security guidelines for federal agencies, including a requirement for encryption of all sensitive data on laptops and handhelds.

In January of 2007, 18 laptops were stolen from the offices of a law firm in Orlando. The laptops were reportedly protected by encryption and the incident received very little publicity. In discussing this incident, a publication of the SANS Institute, a leading information security organization, noted “[l]aptop thefts aren't going away, but by this time in 2008 this type of item (laptop stolen, but the data was protected) shouldn't even be newsworthy.”

Encryption is not a total mobile security solution. There is no “silver bullet” for information security. Encryption is an important element of securing laptops and mobile devices.

Encryption can also be used to protect electronic communications like e-mail. Public key encryption is frequently used for this purpose. It requires the use of a pair of cryptographic keys – a public key and a private key. The sender obtains the recipient’s public key and uses it to encrypt the e-mail. It is then in cipher text and cannot be read by anyone who intercepts it. It can be decrypted and made readable only with the recipient’s private key. As long as the recipient protects his or her private key, the confidentiality of the message is protected.
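The exchange just described, carried through in working code as an added example for this page (it is not code from the article or from any product the article names): the recipient generates a key pair, the sender encrypts using only the public key, and only the matching private key can decrypt. Real e-mail encryption products (PGP, S/MIME) use this same hybrid pattern, in which a random per-message key protects the message body and the recipient’s public key protects only that small key, so the example does the same. The key size, the sample message and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the "cipher text" that travels in the e-mail: the per-message
// session key wrapped with the recipient's public key, the GCM nonce, and the
// encrypted body. Nothing in it is secret without the recipient's private key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(recipient public key, sessionKey)
	Nonce      []byte // 12-byte AES-GCM nonce, fresh for every message
	Ciphertext []byte // AES-256-GCM(sessionKey, nonce, plaintext) plus auth tag
}

// GenerateKeyPair creates the recipient's key pair (2048 bits assumed below).
// The public half is handed to senders; the private half never leaves the recipient.
func GenerateKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// Encrypt is the sender's step: it needs only the recipient's public key.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	// 1. A random 256-bit session key used for this one message only.
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	// 2. Encrypt the body with AES-256-GCM (confidentiality plus integrity).
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// 3. Wrap the session key so only the holder of the private key can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt is the recipient's step: it needs the private key. A wrong key or a
// message altered in transit is rejected rather than yielding garbage.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: wrong private key or corrupted envelope")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("message failed authentication: altered in transit")
	}
	return plaintext, nil
}

func main() {
	recipient, _ := GenerateKeyPair(2048)
	// Constructed sample message.
	env, _ := Encrypt(&recipient.PublicKey, []byte("Privileged and confidential: draft settlement terms."))
	fmt.Printf("wrapped key %d bytes, body %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	msg, err := Decrypt(recipient, env)
	fmt.Println("recipient reads:", string(msg), err)
	stranger, _ := GenerateKeyPair(2048)
	_, err = Decrypt(stranger, env)
	fmt.Println("someone else's private key:", err)
}
```

The design point for a practitioner is the last sentence of the paragraph above: the wrapped session key and the body can be copied by anyone along the path, and confidentiality rests entirely on the private key staying private. The authenticated mode (GCM) also means a message altered in transit is rejected rather than decrypted to garbage.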

While attorneys have generally avoided the use of encryption, is confidential client information deserving of less protection than data about individuals on federal computers? Encryption of sensitive data on laptops, mobile devices, and portable media is becoming a standard security practice and should be used by attorneys.

While a weaker security measure than encryption, password protection of files and electronic documents provides a basic level of security. For example, Microsoft Office and Adobe Acrobat provide the ability to password protect documents. This is, however, a limited level of security.

 

4. REMOTE ACCESS

Remote access is the ability to connect over the Internet to work on your primary office computer or law firm network. Working remotely can make attorneys more content and productive, but such freedom comes with additional risks. Remote access – allowing users to work from home or the road – can still have security issues, especially when using shared family computers. There are two basic questions when considering remote access: How will the employee remotely connect to the law firm network, and what computer will they be using?

Remote accessibility comes in several flavors:

 

Web-Based Services

Accessing your computer from any remote location is easy with web-based services such as www.GoToMyPC.com and www.LogMeIn.com. It’s as simple as downloading the software and creating an account. The software creates a secure “tunnel” between the office computer and the remote access company (for example, GoToMyPC) using Secure Sockets Layer (SSL) Virtual Private Network (VPN) technology. (An SSL VPN is a browser-based VPN allowing for end-to-end encryption of data from computer to computer, provided that the data goes through the web-based VPN hosting company.) When you need to access your office computer, you just use a web browser from any Internet-enabled computer to connect to the service, which then connects into your computer.

Remember, to access your office computer, it has to be left running to be accessible. Connection to the web-based service (such as GoToMyPC) should have a robust authentication process, requiring at least 2 layers of strong password protection and user identification. While many believe these remote access services to be secure, there are numerous IT professionals who believe the contrary, but most of their concern comes not from the services, but the security of the computer the employee uses to remotely access the firm computer—a topic covered below. Because the office computer must be left on, physical security of the office computer is essential.

 

Software Applications

Another solution to remote connectivity is a software product you install on the host and remote computers. The product must be on both computers to work. These products include MS Remote Desktop preinstalled in Windows XP Pro, and Symantec’s PCAnywhere or Netopia’s Timbuktu Pro, a $150 one-time purchase. Once installed, you access either computer through your Internet service provider. This software solution limits the computers that can remotely access your firm computers, because users have to log in from those machines, and can’t log in from any Internet-connected computer in the world, as they can with web-based remote access services.

 

Terminal Servers

Another secure option gaining popularity for larger enterprises is to have remote access users connect to a terminal server, like Citrix or Microsoft Terminal Server. In this method, the employee does the work on the server; the user’s computer only provides the interface. Windows Terminal Services allows you control over each user’s sessions, and you can set profiles and security restrictions on users’ terminal accounts. Connections of remote desktop clients may be vulnerable to “man in the middle” attacks where an intruder connects between the remote desktop and the terminal server.

 

Virtual Private Networks (VPNs)

VPNs provide secure remote access to your office computer network through private connections via the Internet. VPNs are useful to connect several offices together, and to allow remote access to a firm’s local area network (LAN). Until recently, this was not a do-it-yourself project, but that is changing. Several companies, such as PublicVPN.com, are offering VPN solutions that do not require an investment in additional hardware to create a more secure remote computing environment. This can be especially valuable for smaller firms without an IT staff.

Although the security of the remote access technology is robust and improving constantly, the biggest risk remains the computer the employee is using, often a computer in their home shared with other family members, whose computer use may compromise your network. Let’s talk about those risks.

 

Public Computers

Accessing your office computer from a public computer, such as at a public library or an Internet café in the US or abroad, is inexpensive and convenient, but can be fraught with risk. Keyloggers, prying eyes, and even failure to log off properly occur all too frequently. Therefore, we do not recommend using such computers to access your office information, as the risks of confidentiality breaches and other maladies are too great.

 

Home-Based Computers

Many employees who are allowed to work from home often work from a computer used by other family members or residents in the house. Security problems include corrupting files, snooping, or introducing viruses and malware that work their way into your computer network. To avoid these issues, several approaches are possible:

  • Require telecommuters to use a computer dedicated to office use, or provide a computer to these employees.
  • Require minimum security compliance, including up-to-date patches, anti-virus subscriptions, firewall software, and frequent security scanning. Some higher-end security systems will scan the remote computer for current patches and up-to-date security software before they will permit a connection.
  • Hold employees accountable for such matters, including a signed telecommuting agreement outlining the security requirements for continued telecommuting privileges.

A number of security professionals have expressed the view that it is not safe to allow remote connection to a network from home computers because security features like current security software and patches for all software cannot be controlled. In addition, home computers can be compromised by downloading malware or visiting malicious or compromised websites.

 

5. WIRELESS

Wireless networks present special concerns because of their security risks. These risks include unauthorized access to the wireless network, interception of wireless traffic, and unauthorized wireless access to individual computers. Public wireless networks in hotels, airports, and coffee shops are a significant security risk. Hackers sometimes set up “evil twin” networks which they control to lure users to log on, believing that they are using a legitimate public network.

Wireless networks should have strong security, including (1) strong passwords or passphrases for the wireless access point, (2) turning off remote access to the access point, (3) keeping the access point patched and up to date, (4) turning off Service Set Identifier (SSID) broadcasting, (5) changing the default SSID and use of an SSID that does not identify the network to outsiders, (6) using a hardware firewall in the access point, (7) use of strong wireless encryption (WPA or WPA2 – not WEP), and (8) use of Media Access Control (MAC) filtering.

The SSID is the name of the wireless network. When broadcasting is on, the name is broadcast to laptops and mobile devices with wireless capability. When it is off, the network is hidden because its name is not broadcast. A MAC address is a unique identifying number for every network device. MAC filtering limits wireless access to specific devices, like specific laptops.
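To make recommendations (1), (4), (5), (7) and (8) concrete, here is an added example written for this page (not from the article or from any vendor it names) that audits an access point configuration in the key=value format used by hostapd, an open-source access point daemon. The option names are hostapd’s own; the two sample configurations, the list of factory SSIDs and the 16-character passphrase threshold are constructed assumptions for the example. Items (2), (3) and (6) concern the access point’s management interface, firmware and built-in firewall and are not visible in such a file, so the checker does not claim to cover them.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// weakConfig is a constructed example of a badly configured access point in
// hostapd's key=value format: factory SSID, SSID broadcast on, WEP, no MAC list.
const weakConfig = `
interface=wlan0
ssid=linksys
ignore_broadcast_ssid=0
wep_default_key=0
wep_key0=ABCDE
macaddr_acl=0
`

// hardenedConfig is a constructed example that follows recommendations
// (1), (4), (5), (7) and (8) from the text.
const hardenedConfig = `
interface=wlan0
ssid=west-wing-8f2a
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2008
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
`

// defaultSSIDs is an illustrative list of factory network names (assumption);
// extend it with the defaults of the hardware your firm actually deploys.
var defaultSSIDs = map[string]bool{
	"default": true, "linksys": true, "netgear": true, "dlink": true, "wireless": true,
}

// minPassphraseLen is this checker's own threshold; WPA itself only requires 8.
const minPassphraseLen = 16

// ParseConfig reads key=value lines, skipping blank lines and # comments.
func ParseConfig(text string) map[string]string {
	cfg := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, value, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		cfg[strings.TrimSpace(key)] = strings.TrimSpace(value)
	}
	return cfg
}

// Audit returns one finding for each recommendation the configuration violates.
func Audit(cfg map[string]string) []string {
	var findings []string

	// (7) Strong wireless encryption: a WEP key, or no WPA at all, fails this.
	wpa, _ := strconv.Atoi(cfg["wpa"]) // missing or malformed counts as 0
	if _, hasWEP := cfg["wep_key0"]; hasWEP {
		findings = append(findings, "WEP key configured: use WPA2 (wpa=2, wpa_pairwise=CCMP) instead")
	} else if wpa == 0 {
		findings = append(findings, "no WPA/WPA2 configured: the network is open")
	} else if len(cfg["wpa_passphrase"]) < minPassphraseLen {
		// (1) Strong passphrase for the access point.
		findings = append(findings, fmt.Sprintf("wpa_passphrase shorter than %d characters", minPassphraseLen))
	}

	// (4) Turn off SSID broadcasting.
	if cfg["ignore_broadcast_ssid"] != "1" {
		findings = append(findings, "SSID is broadcast: set ignore_broadcast_ssid=1")
	}

	// (5) Change the default SSID.
	if defaultSSIDs[strings.ToLower(cfg["ssid"])] {
		findings = append(findings, "SSID is a factory default: "+cfg["ssid"])
	}

	// (8) MAC filtering: only devices on the accept list may associate.
	if cfg["macaddr_acl"] != "1" || cfg["accept_mac_file"] == "" {
		findings = append(findings, "no MAC allow-list: set macaddr_acl=1 and accept_mac_file")
	}
	return findings
}

func main() {
	for name, text := range map[string]string{"weak": weakConfig, "hardened": hardenedConfig} {
		findings := Audit(ParseConfig(text))
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run against the two constructed files, the weak configuration produces four findings and the hardened one none; a checker like this belongs in the periodic audit that the information security program in section 1 calls for, so that a reset-to-factory access point is noticed before it exposes client traffic.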

For more information, see Sharon D. Nelson and John W. Simek, “Wireless Security for Law Firms,” available at www.senseient.com; Dan Pinnington, “Directions for Enabling Security Features on Wireless Access Points,” (practicePRO January 2005), available at http://www.tinyurl.com/nfx43; and US-CERT, Using Wireless Technology Securely (2006), available at http://tinyurl.com/29rhvd.

Some vendors like Cisco Systems, Juniper Networks, and Air Defense provide high end security products for wireless networks.

Attorneys who use wireless networks which could compromise confidential client information, and attorneys considering their use, should, at minimum, make sure (1) that they use current technology, including security features, (2) that the wireless network is securely configured, and (3) that they have in place appropriate security policies and practices for the wireless network. In addition, they should consult with information security professionals about security risks and make a professional judgment that the use of wireless technology under the circumstances is reasonable. Some observers have expressed the view that wireless technology presents too great a risk for attorneys to use for confidential client information, particularly with the older WEP encryption.

 

6. SECURE DISPOSAL

An important concern for mobile computing is secure disposal of computers and storage media. Confidential information, including law firm records, has been found on hard drives at used computer stores and even on eBay. Confidential information must be properly removed from computers and drives before they are discarded, traded in or given away. Deleting or reformatting is not adequate. The accepted methods for secure sanitization of hard drives are overwriting, degaussing (a magnetic process), and physical destruction of the drive. Special software is available to securely remove data by overwriting it. Portable media, like disks, CDs and DVDs, must generally be physically destroyed. The National Institute of Standards and Technology (NIST) has recently published NIST Special Publication 800-88, Guidelines for Media Disposal (September 2006), which provides a thorough treatment of this subject.

 

7. CONCLUSION

While using today’s mobile technology, it is critical for attorneys to appreciate and address the security risks. The greatest risk is loss or theft, with the potential for compromise or loss of data. Awareness of the risks and employment of reasonable security measures to address them are the first steps. It is then necessary to devote constant attention and vigilance to security.

 


ADDITIONAL INFORMATION SOURCES

Websites

American Bar Association website - www.abanet.org

CERT Coordination Center, Carnegie Mellon University, www.cert.org (provides current alerts and numerous guides and publications, ranging from basic to highly technical).

Internet Security Alliance, www.isalliance.org.

Microsoft Security Homepage, www.microsoft/security.

National Institute of Standards and Technology (NIST), Computer Security Resource Center, http://csrc.nist.gov, develops information security standards for government agencies, publishes outreach materials for businesses.

SANS Institute, www.sans.org (a cooperative research and education organization in information security; operates the Internet Storm Center).

Security Focus, www.securityfocus.com, a website operated by Symantec, a security software and product provider.

U.S. Computer Emergency Readiness Team, US-CERT, a partnership between the U.S. Department of Homeland Security and the public and private sectors, www.uscert.gov.

 

Articles

Jim Calloway, “Computer Viruses to Spyware: Things You Don’t Want to Pick up Online,” Law Practice Today, October 2003, available at www.abanet.org/lpm/lpt/home.shtml.

Computerworld Executive Briefings, The Untethered Worker (2004).

Jeffrey M. Flax, “The Seduction of Wireless Networking: Resist the Temptation,” Law Practice Today, November 2003, available at www.abanet.org/lpm/lpt/home.shtml.

Ellen Freedman, Reid Trautz, and Jim Calloway, “A Lawyer’s Guide to Mobile Computer Security,” Immigration Law Today (January/February 2007).

Dain Gary, “Safeguarding Your System: A Security Checklist,” Law Technology News, January 2003.

Galen Gruman, “ABC: An Introduction to Mobile Security,” CIO (March 8, 2007), available at www.cio.com/article/print/40360.

Joseph Kashi, “Wireless Insecurity,” Law Practice Today, May 2004, available at www.abanet.org/lpm/lpt/home.shtml.

Jason Krause, “Guarding the Cyberfort,” ABA Journal, July 2003.

LabMice.net, “Laptop Security Guidelines” (last updated December, 2003), available at http://labmice.techtarget.com/articles/laptopsecurity.htm.

T. Mighell, “A Road Warriors Guide to Mobile Security,” Law Practice, July/August 2006.

Sharon D. Nelson and John W. Simek, “Building Better Fences: Security for Small and Mid-Sized Law Firms,” (Sensei Enterprises, 2004), available at www.senseient.com.

Sharon D. Nelson and John W. Simek, “Wireless Security for Law Firms,” available at www.senseient.com.

Dan Pinnington, “Directions for Enabling Security Features on Wireless Access Points,” (practicePRO January 2005), available at http://www.tinyurl.com/nfx43.

Daniel Pinnington, “Managing the Security and Privacy of Electronic Data in a Law Office Today,” Law Practice Today, January 2005 (Part I), February 2005 (Part II), March 2005 (Part III), available at www.abanet.org/lpm/lpt/home.shtml.

Josh Ryder, “Laptop Security, Part One: Preventing Laptop Theft,” and “Laptop Security, Part Two: Protecting Information on a Stolen Laptop,” Security Focus (July and August 2001), available at www.securityfocus.com.

David Storm, “10 Tips to Secure Your Laptop,” Information Week (November 24, 2007).

 

Books and Pamphlets

Selim Aissi, Nora Dabbous and Anand R. Prasad, Security for Mobile Networks and Platforms (Artech House 2007) (a technical publication).

Julia H. Allen, CERT Guide to System and Network Security Practices (Addison Wesley 2001) (a technical publication; modules available online at www.cert.org).

Blackberry, The CIO’s Guide to Mobile Security (2006).

Mark Egan, The Executive Guide to Information Security (Addison Wesley 2005).

Daniel V. Hoffman, Blackjacking: Security Threats to Blackberry Devices, PDAs, and Cell Phones in the Enterprise (Wiley 2007).

Internet Security Alliance, Common Sense Guide to Cyber Security for Small Businesses (2004), available at www.isalliance.org.

Internet Security Alliance, Common Sense Guide for Senior Managers (2004), available at www.isalliance.org.

S. Kami Makki, et al., Eds., Mobile and Wireless Network Security and Privacy (Springer 2007).

Microsoft, Security Guide for Small Business (2005), available at http://tinyurl.com/dnrw8.

Motorola, Mobile Device Security (2007).

Andrew Conry-Murray and Vincent Weafer, The Symantec Guide to Home Network Security (Addison Wesley 2006).

Sharon D. Nelson, David K. Isom and John W. Simek, Eds., Information Security for Lawyers and Law Firms (American Bar Association 2006).

Karen Scarfone and Murugiah Souppaya, User’s Guide to Securing External Devices for Telework and Remote Access (Draft) (Nat’l Institute of Standards and Technology, Special Publication 800-46, May 2007).

Karen Scarfone and Derrick Dicoi, Wireless Network Security for IEEE 802.11 a/b/g and Bluetooth (Draft) (Nat’l Institute of Standards and Technology, Special Publication 800-48, August 2007).

Jody R. Westby, ed., Roadmap to an Enterprise Security Program (American Bar Association 2005).


1 Ponemon Institute, LLC, “National Survey: The Insecurity of Off-Network Security” (August 2007).

MT2 Securing Client Data on the Road March 13 – 15, 2008

Available at http://csrc.nist.gov/groups/SNS/mobile_security or http://tinyurl.com/22xyeg.

ABA Model Rules of Professional Conduct 1.1 and 1.6 and Comments 15 and 16 to Rule 1.6. For a well-reasoned ethics opinion which applies these duties to electronic data and information systems, see, State Bar of Arizona, Opinion No. 05-04 (July 2005) (Formal Opinion of the Committee on the Rules of Professional Conduct, “advisory in nature”).

St. Petersburg Times, October 28, 2007, available at http://tinyurl.com/yuymuk

SANS NewsBites, January 26, 2007, available at http://tinyurl.com/2ckvp3

For a technical reference on wireless security, see Karen Scarfone and Derrick Dicoi, Wireless Network Security for IEEE 802.11 a/b/g and Bluetooth (Draft) (Nat’l Institute of Standards and Technology, Special Publication 800-48, August 2007).

E.g., Jeffrey M. Flax, “The Seduction of Wireless Networking: Resist the Temptation,” Law Practice Today, November 2003; Joseph Kashi, “Wireless Insecurity,” Law Practice Today, May 2004.


About the Authors

Reid F. Trautz  is director of the American Immigration Lawyers Association Practice & Professionalism Center, and is a nationally-known author and presenter on management issues of importance to solo and small firm lawyers.

David G. Ries is a partner in the Pittsburgh office of Thorp Reed & Armstrong, LLP, where he practices in the areas of environmental, commercial and technology litigation. Dave has frequently spoken and written on technology law issues for legal, academic and professional groups, including the American Bar Association, the Association of Corporate Counsel, the Information Systems Security Association, Carnegie Mellon University and the Pennsylvania Bar Institute.
