Managing the Security and Privacy of Electronic Data in a Law Office - Part 1
by Dan Pinnington
January 2005

This resource was created as part of the practicePRO risk management initiative (www.practicepro.ca) by the Lawyers' Professional Indemnity Company. The full booklet is available at www.practicepro.ca/securitybooklet


Introduction

Computers and the Internet have transformed the practice of law, and how lawyers handle confidential client information. Where once paper documents were the norm, today clients, lawyers, and law office staff routinely work with electronic documents and data. Protecting the security and confidentiality of that information, however, is as important today as ever: Both the Rules of Professional Conduct and the Personal Information Protection and Electronic Documents Act (PIPEDA) apply equally to paper-based files and to electronic documents, such as computer files or e-mail messages.

A failure to take appropriate steps to protect the electronic data in your office could have disastrous consequences. This could include an embarrassing release of sensitive information, a malpractice claim, a complaint to the Law Society, or the theft of your personal identity. At the very least, the theft, loss, or destruction of client or practice-related data will be disruptive to you and your practice. In the extreme case, it could cause your practice to fail.

To minimize the risk of any disclosure or loss of confidential client or practice data, you should understand where the risks are, and implement office management practices and appropriate technology to ensure all of your data remains confidential and secure.

This booklet provides a comprehensive review of various steps you should take to ensure that the electronic information in your office remains confidential and secure. Although some of the suggested steps may not be relevant to every lawyer, all practitioners will find helpful information in this booklet. Even if you do not have the expertise to implement the suggested measures yourself, you’ll be in a better position to direct the work that technology consultants or others must do for you.

If you do nothing else – the lucky 13 things you must do

An unprotected computer can be infected or hacked within seconds of connecting to the Internet, so protecting your electronic data is a must. The question is: How much time, effort and money are you willing to invest in that task? Ultimately, you need to find a balance between the allowable risk and an acceptable cost and effort. From a best practices point of view, there are 13 steps that you should systematically take to protect the electronic data in your firm against the most common threats. Most can be completed quickly, and at little or no cost. More detail on the first four steps is provided in the remainder of this booklet.

Step #1 Install latest updates to eliminate security vulnerabilities: The networking functionality built into software that allows the Internet to operate can create security vulnerabilities that in turn can allow computers to be compromised by hackers. Microsoft products are particularly vulnerable. You must protect yourself by installing the latest security patches and updates.

Step #2 Make full and proper use of passwords: We all have more passwords than we can remember, and as a result, we get lazy and use obvious ones, or we don’t use them at all. You must use passwords, and use them properly to keep your data safe.

Step #3 Antivirus software is essential: Computer viruses are a fact of life. Every computer in every law office should have antivirus software on it, and this software needs to be frequently updated, at least weekly. Make sure you understand how to properly use and configure your antivirus software.

Step #4 Avoid spyware and adware: Viruses used to be the only threat that you had to worry about. Now you need to be aware of several other malicious software threats, including some that will spy on you. Odds are they are already on your computer. You need to take steps to make sure no one is watching your surfing habits, or collecting personal or client information from your computer.


Step #1: Install latest updates to eliminate security vulnerabilities

Computer software programs sold today are incredibly complex. Microsoft Windows XP, for example, has more than forty million lines of code written by thousands of programmers. Not surprisingly, programs often contain coding errors that were not detected prior to their release, and that can create problems, ranging from non-functioning features or functions to program lockups or crashes that result in data loss or file corruption.

These same coding errors can also cause security vulnerabilities that a hacker can exploit to access or destroy data, or run programs on a vulnerable computer, without the computer owner’s knowledge. Once hackers become aware of a security vulnerability, they use tools to search the Web for computers that are open to attack.

To address these issues, software vendors make available updates or patches – usually as free downloads on the software vendor’s Web site. They are also sometimes called service packs. You should regularly check that you have all the latest updates for all the programs on your computer.

Microsoft product users beware

Because Microsoft products are particularly prone to security vulnerabilities, you should update all Microsoft software regularly. This applies if you are using any version of the Microsoft Windows operating system (Windows 98, Windows Me, Windows NT, Windows 2000 or Windows XP), or Word, Excel, PowerPoint, Internet Explorer, Exchange Server, Outlook or Outlook Express.

Updates to Microsoft Windows: Go to www.windowsupdate.com and follow the instructions. The tools on this Web page will review the Windows software on your computer (without sending information to Microsoft), and tell you what updates are available. Those that address security vulnerabilities are identified as critical updates. Other Windows and driver updates will also be listed. You don’t have to install all available updates, but you should work through and install all security-related updates. Some security updates must be installed individually, and most require that you restart your computer after they have been installed.

Updates for Microsoft Office applications such as Word: Go to http://office.microsoft.com/ and follow the instructions.

Windows Automatic Update

Windows Automatic Update (formerly called Critical Update Notification) streamlines the updating process by notifying you when critical updates are available for your computer. Once activated, Automatic Update periodically checks with the Microsoft Web site for any critical updates for your system. It automatically downloads updates and notifies you when they need to be installed. All you do is wait for the installation prompt to appear and follow the on-screen instructions to complete the installation.

For greater control and automation, there are other products for managing the installation of updates from a central location.

Be careful with Windows XP Service Pack 2

Although Microsoft’s Service Pack 2 update (SP2) for Windows XP contains some important security updates, users have reported problems with various programs and hardware operating properly afterwards. Before you install SP2, do some research to ensure it will not cause problems with the programs and hardware on your computer. For more information see www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx.

Update all your software

If you are using non-Microsoft PC software, check for updates on the product’s Web site. Sometimes direct links to an updates Web page can be found on the Help menu. Click on Help, then look for a link to a Web updates page. Otherwise, you should be able to find the product’s site with a search on Google. You are not immune to vulnerabilities if you use Linux or a Mac; these also need to be updated.

Backup before you install updates

Installing updates can interfere with the way a program works, or with the operation of the computer itself. Back up data on your computer before you install patches or updates. See page 45 for more information on backups.


Step #2: Make full and proper use of passwords

We all have more passwords than we can easily remember, and as a result, we get lazy and use obvious passwords, or we don’t use them at all. However, like the keys that open your front door or start your car, computer passwords “unlock” your computer. They are essential for properly securing and accessing electronic data so you need to be conscientious about how you set them up and use them.

How to properly use passwords

The following are steps you can take to use passwords more effectively:

  • Never write down your password, especially on your monitor. Take a walk around your office and see how many passwords you can find on monitors.
  • If you absolutely have to write down some of your passwords to remember them, don’t write them out exactly. Write them out so they have to be translated in some way. For example, add or delete a character, transpose letters, or vary them in some other consistent way that only you can figure out.
  • Don’t tell anyone your passwords, ever. You are the only one who needs to know your passwords. Once someone else knows your password, you lose control over who can access your computer.
  • Change any compromised password immediately. To be completely safe, you should change your passwords even if you only suspect they have been compromised.
  • Don’t use the same password for everything, as this gives someone full and easy access to your entire system if they know that password. Try to use different passwords for different programs, especially for important or sensitive applications such as network logon or bank accounts.
  • On Windows 2000 and XP computers, don’t have identical passwords for your network logon and administrator account passwords.
  • Change your network and other important passwords every 60 to 90 days. This will frustrate people who have your password without your knowledge.
  • Be careful about where you save passwords on your computer. Too often users have a Word or WordPerfect file with all their passwords in it. This file can be located in seconds, especially if it is called password.doc, or if it contains the word “password.” Consider getting a tool such as Password Manager XP (www.cp-lab.com) which will store your passwords on your computer in an encrypted and password-protected database.
  • Be wary of dialog boxes, such as those for remote access and other telephone connections that let you save or remember your password. Do not select this option as it makes your password available to anyone who accesses your computer. Similarly, don’t let your browser remember your Web site passwords.

Creating “strong” passwords

Create passwords that are harder to guess or figure out. These are called strong passwords and they are more difficult for password-cracking tools to determine. Password-cracking software uses one of three approaches: intelligent guessing, dictionary attacks, and automation. Automation is sometimes called brute force as it simply tries every possible combination of characters. Given enough time, the automated method can crack any password. However, it still can take months to crack a strong password.

For a password to be “strong”, it should:

  • Be at least eight characters long;
  • Contain at least one character from each of the following four groups:
    • Uppercase letters A, B, C, ...;
    • Lowercase letters a, b, c, ...;
    • Numerals 0, 1, 2, 3, 4, 5, 6, 7, 8, 9; and
    • Symbols (all characters not defined as letters or numerals, including: ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /);
  • Have at least one symbol character in the second through sixth positions;
  • Be significantly different from any passwords you have used previously;
  • Not contain your name or your computer user name; and
  • Not be a common word or name.

Treating passwords as confidential keys to your computer helps properly secure your firm and client data.
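
As an added example (not part of the booklet), the following Python checks a candidate password against exactly the rules listed above. The common-word list, the comparison against previous passwords and the edit-distance threshold used to decide "significantly different" are assumptions made for this example.

```python
"""Checker for the booklet's "strong password" rules (added example).

Rules, as the booklet lists them:
  1. at least eight characters;
  2. at least one uppercase letter, one lowercase letter, one numeral and
     one symbol (any character that is not a letter or numeral);
  3. at least one symbol in the second through sixth positions;
  4. significantly different from previously used passwords;
  5. does not contain your name or computer user name;
  6. is not a common word or name.
The common-word list and previous passwords are supplied by the caller, and
"significantly different" is taken here to mean an edit distance of at least
MIN_DISTANCE; both are assumptions made for this example.
"""

MIN_DISTANCE = 4  # assumed threshold for rule 4


def levenshtein(a: str, b: str) -> int:
    """Number of single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_symbol(c: str) -> bool:
    """The booklet's definition: anything that is not a letter or numeral."""
    return not c.isalnum()


def password_problems(pw, name="", username="", previous=(), common_words=()):
    """Return the booklet rules the password fails; an empty list means strong."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than eight characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeral")
    if not any(is_symbol(c) for c in pw):
        problems.append("no symbol")
    if not any(is_symbol(c) for c in pw[1:6]):  # positions 2-6 are indexes 1-5
        problems.append("no symbol in positions two through six")
    low = pw.lower()
    if any(levenshtein(low, old.lower()) < MIN_DISTANCE for old in previous):
        problems.append("too similar to a previous password")
    for label, value in (("name", name), ("user name", username)):
        if value and value.lower() in low:
            problems.append(f"contains your {label}")
    letters_only = "".join(c for c in low if c.isalpha())
    words = {w.lower() for w in common_words}
    if low in words or letters_only in words:
        problems.append("is a common word or name")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the common-word list is illustrative only.
    common = ["password", "toronto", "lawyer"]
    for candidate in ("Secret1", "To!ronto1", "Tr!umph42"):
        print(candidate, "->", password_problems(candidate, name="Dan", common_words=common) or "strong")
```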

Step #3: Antivirus software is essential

Antivirus software is essential to protect your computer and data from malware – the generic name for computer programs such as worms and viruses that are designed, as the name suggests, solely for malicious purposes.

Viruses

Like their biological namesakes, viruses are small programs that infect other programs on other computers, and in the process replicate and spread themselves further. Most viruses distribute themselves by e-mail, but they can also be spread by diskettes, and in many types of computer files, including Microsoft Word documents. Viruses bury themselves deep within the executable code of the programs they infect, making their presence difficult, if not impossible, to detect, often until after damage or data loss has occurred. There are tens of thousands of known viruses.

Worms

Worms are an even bigger threat because they replicate more easily than viruses. They embed themselves in e-mail messages or Web pages, lying dormant until the computer user opens an infected e-mail or accesses an infected Web page, at which time they will spread rapidly. Two of the more recent major worm incidents saw millions of computers across every continent infected in less than ten minutes.

Trojan Horses

Inspired by ancient Greek mythology, Trojan horse programs sneak malicious code onto your computer by hiding themselves within safe-looking programs, such as screen savers, games, titillating images, and other free downloads. Like other malware, Trojan horses can destroy your computer data or capture and share confidential information. See page 16 for more information on adware and spyware.

Antivirus software

Antivirus software effectively prevents virus and worm infections, although it may slow your computer down a bit. Once installed, the software continuously monitors other programs running on your computer. It will attempt to stop any virus activity it detects, hopefully in time to prevent further infections and data loss or damage.

The type of antivirus software you select depends on your computer. For computers that are not networked or are on a peer-to-peer network, use “personal” versions. Some corporate versions operate from a central server, others protect an e-mail server. No matter which type you select, antivirus software should be installed on all computers in your office — even those not connected to the Internet.

The two most widely used antivirus programs are Norton Antivirus (www.symantec.com) and VirusScan (www.mcafee.com). Expect to pay $40-$60 per computer to buy the software, plus an additional annual fee for virus signature file updates (see below). Buying antivirus software that is bundled with other products, such as firewall and anti-spam software, will save you money.

A free program that is a good option for a home computer is the AVG antivirus program from Grisoft (www.grisoft.com).

To scan a computer that doesn’t have antivirus software on it, consider Housecall (www.trendmicro.com) and ActiveScan (www.pandasoftware.com/activescan).

Installing antivirus software, however, is only the start: You also need to regularly update your virus definition or signature files. Antivirus programs use the information in these files to recognize virus infections when they are occurring. As there are new viruses being created every day, you need to have the most recently released virus signature file to be protected against all possible infections. The updates to these files are available on your antivirus software’s Web site. Expect to pay about $30-$40 per year for these updates, starting on the first anniversary of your installation.

Most antivirus software programs can be configured to download these updates automatically, without user intervention. Make sure the automatic update feature is enabled in your antivirus software as this ensures that your protection is always up-to-date.


Lastly, and most importantly, run your antivirus software to scan your entire hard disk(s) at least weekly, either manually or automatically.

Step #4: Avoid spyware and adware

Of far greater practical threat than any worms or viruses are adware and spyware – two new types of malware that likely have already infected your computers, unless you have taken specific steps to protect yourself and clean them from your systems.

Adware

Adware is software that tracks your surfing habits, and displays targeted pop-up advertisements on your computer based on Web sites visited or search terms used. Pop-ups are the advertisements that appear in separate browser windows while you are surfing the Web. In some cases, adware can also modify the settings on your computer. To protect yourself, you need to disable some types of JavaScript and ActiveX controls in your browser. See page 37 for directions on how to do this.

Not all adware is illegal: The licensing agreements of some software programs allow the program to function as adware. Carefully read the licensing agreements of any program that you install on your computer, especially free screensavers and demo games.

Spyware

Spyware is software that surreptitiously installs itself on your computer, usually through dishonest means such as a Trojan horse or an unsolicited file download through your Web browser. Its function is to monitor and log system activity. Some spyware programs record every key a user types, then store that information on the hard drive of a computer. The spyware creator can then access and scan that information for passwords, bank account numbers, SIN numbers and other confidential information or client data. In other words, spyware makes your computer vulnerable to hacking, fraud and identity theft.

Recognizing and avoiding spyware and adware

Is your computer acting strangely? Is it running very slowly? Is there unexplained hard drive activity or Web traffic when you are not actively using it? Was your browser home page changed? If so, you may have a virus, spyware or other sort of malware on your computer. Adware and spyware can be extremely difficult to remove from a computer.

Because current antivirus software has only basic functionality to protect you from adware and spyware, you should use products specifically designed for this purpose. Two good products to consider are Ad-Aware (www.lavasoftusa.com) and Spybot S&D (http://security.kolla.de). They are easy to download and install, and should be used together as they will each catch things the other will miss.

The free personal version of Ad-Aware may not be used on business computers. For maximum protection, run Ad-Aware and Spybot every week or two, and update them regularly. Unfortunately, you’ll have to check the products’ Web sites regularly for updates, as they don’t include an automatic update feature.

In next month's article we will cover four further steps that you must take to protect the security and privacy of your data, including:

Step #5 Install a firewall on your Internet connection
Step #6 Be aware of and avoid the dangers of e-mail
Step #7 Beware the dangers of metadata
Step #8 Lockdown and protect your data, wherever it is

Appendix 1

Other resources

Web sites

PC Magazine Security Watch page
www.pcmag.com/security
Various articles on security issues, and reviews of security-related technology products.

Urban Legends Site Computer page
www.snopes.com/computer
An easy-to-use listing of current virus threats and hoaxes.

Symantec Home Page
www.symantec.com
Current information on the latest threats, a list of known viruses, and information on how to repair and clean infected computers.

Consumer Web Watch
www.consumerwebwatch.org
A good page from the Consumer Reports people for current news and information about Web-related security issues.

eBay Security and Resolution Centre
http://pages.ebay.ca/securitycentre/
Helpful information on avoiding online auction fraud and identity theft.

Senseient Publications Page
www.senseient.com
See the Publications Page for detailed articles on a variety of law firm related security and forensics issues.

Test your password strength
www.securitystats.com/tools/password.php
Test the strength of your passwords, and get suggestions on how to make them stronger.

Tips For Troubleshooting Computer Problems
www.lawpro.ca/lawpro/Computer_troubleshooting.pdf
practicePRO article on steps to take to troubleshoot computer problems.

LSUC Practice Management Guidelines
www.lsuc.on.ca/services/pmg_tech.jsp
Guidelines to assist lawyers in conducting various aspects of legal work, including management of files and client information.

ABA’s Law Practice Management Webzine
www.lawpracticetoday.org
General articles on legal technology and other LPM issues.

Office of the Privacy Commissioner of Canada
www.privcom.gc.ca
Information on complying with PIPEDA.

Magazines

Smart Computing Magazine
www.smartcomputing.com
Great magazine for basic information on all types of technology.

Law Office Computing Magazine
www.lawofficecomputing.com
Great magazine for legal technology articles and product reviews.

Books

Computer Security for the Home and Small Office by Thomas C. Greene.
Covers many of the topics covered in this booklet in more detail. 405 p. Apress, 2004.

Information Security: A Legal, Business, and Technical Handbook by Kimberly Kiefer, Stephen Wu, Ben Wilson and Randy Sabett. 82 p. American Bar Association, 2003; www.ababooks.org. This book reviews security threats, and includes information on security best practices and how to respond to security incidents. It also includes standards, guidelines and best-practice precedents.


This booklet was prepared for the Lawyers’ Professional Indemnity Company (LAWPRO®) by Daniel E. Pinnington, Director, practicePRO, LAWPRO (dan.pinnington@lawpro.ca).