Securing Your Digital Self
When you’re looking for a law practice to take your case, you may not think about that practice’s information security policies, or whether that practice even has them.
According to the ABA’s 2018 TECHREPORT on cybersecurity, the complexity of law firms’ information security measures tends to increase as the size of the law firm increases, but so does the likelihood that the law firm will be targeted. Strength invites challenge, so to speak.
These findings by the ABA are troubling in a larger context:
- Solo and small law practices comprise the largest demographic of lawyers in the United States.
- 53% of law practices say they have information retention policies.
- And 40% say they have disaster recovery plans for their practices.
When you’re looking for a law practice, then, you have to be mindful of how that practice secures your information, or what we’re calling your Digital Self. You’re going to be divulging a lot of it to them for your case, and each firm varies in what it offers security-wise.
In this blog post, we’ll walk you through how you can vet law practices to know how they’ll take care of your Digital Self.
Their Security History
When you want to know how a law practice will protect your information, it is best to begin with the question that is at the root of the whole inquiry: Has this practice ever experienced an information breach?
If the answer is “Yes,” you’ll want to ask the follow-ups: How extensive was it? How has it affected current and former clients since it happened? What is the likelihood of this happening again?
If the answer is “No,” and hopefully it is, you shouldn’t just kick your feet up, retire your other questions, and say “Let’s get to work on my case.” An answer of “No” does not equal “It will never happen.” You’ll want to know more.
This brings us to what you should next consider as you vet a potential attorney or law practice.
Policies and Procedures, Recovery and Security
Surprisingly, not as many law practices have procedures in place to manage and recover your information as you might think. And, in our experience, a lawyer may not think to bring up information about his or her practice’s information management policies at all, even if the practice has them. The legal industry is still behind the curve when it comes to thinking about technology.
So you’ll specifically want to ask about how a law practice stores its files, whether through traditional methods, an external hard drive, or cloud-based storage. Additionally, you’ll want to ask about redundancies: In the case of disaster, is there a redundant server where information has been duplicated and saved?
As for security, you’ll want to ask about the measures that have been taken to defend your information. Ask about endpoint security agents, internal intrusion detectors, and firewalls. You may even want to ask about security within emails: whether the law practice filters out more than spam, and even whether they scan incoming attachments for potential malware.
There’s a lot that goes into information recovery and security. The specifics we have provided in this section address its overarching fundamentals. But now we want to transition to more specific aspects of information security.
Where’s the WiFi Coming From?
You’ll want to know how the law firm gets its WiFi because so much of the work that your law firm may do requires WiFi. Pray they do not use an unsecured network.
The ABA 2018 TECHREPORT article on cybersecurity reported that 38% of respondents use a virtual private network (VPN), which is often used to connect offices in various locations to the same network, and 20% reported using remote access software, which allows attorneys to access the office network while they are away from the office.
These are probably the most secure options used by law firms. Asking about these methods is a good place to begin when you want to know how law practices are leveraging WiFi connectivity to secure your information. You’ll also get a sense of the scale of the law practice and the way that work is done at it. Use of remote access, for example, may indicate that working remotely is a part of the practice’s culture.
Encryption
Encryption is, perhaps, the most important measure a law practice can take to protect your personal information. That’s because encryption is such a versatile protective measure.
Many iPhones offer encryption when a PIN or passcode is utilized. This is helpful for attorneys who may work remotely during parts of the week. Additionally, emails and documents can be encrypted, and so can whole files and entire drives.
We encourage you to ask a deeper, more essential question about a law practice’s use of encryption: Which type of encryption?
Since 2001, the U.S. federal government has set out the Advanced Encryption Standard (AES), which specifies which type of encryption organizations should use to protect information. Because longer keys are harder to break, 192-bit and 256-bit AES are the most preferred options. Knowing which type of encryption a law practice uses will be a good indicator of its larger information security structure.
If They Use Legal Tech …
If you are vetting a law practice that uses legal technology (in its many forms and combinations), most of your questions will be redirected to the legal technology provider. In that case, you should conduct some cursory research on that legal technology provider.
To streamline the process, go directly to that legal technology provider’s website and look for their security information there. If you still have questions, call the company. It’s worth the few minutes it will take.
Further Reading
This blog post has thrown a lot of information at you.
But if you are interested in learning more about information security and the legal industry, we recommend these resources:
First: The American Bar Association’s (ABA) 2018 TECHREPORT, and particularly its “2018 Solo & Small Firm” and “Cybersecurity” articles. Whether you’re already a SimpleLaw user or not, have hired a lawyer or not, these articles contextualize technology literacy and cybersecurity in the legal industry. We’ve referenced this report quite often on this blog, so you know it’s informative.
Second: The Pew Research Center’s 2016 Digital Readiness Gaps, a report on how accustomed people are to using technology and recognizing data security risks. This is especially useful if you aren't quite up on the latest in data security. Ironically, you’ll close your gaps by reading about those gaps.
And if you have any burning questions about data security and your Digital Self, we’d love to answer them! Contact us anytime at hello@simplelaw.com. We say it often because it’s true: it’s about people first, then using legal tech as a tool.