This resource was created as part of the practicePRO
risk management initiative (www.practicepro.ca)
by the Lawyers' Professional Indemnity Company (www.LAWPRO.ca).
The full booklet is available at www.practicepro.ca/securitybooklet.
Introduction
Computers and the Internet have transformed the practice
of law, and how lawyers handle confidential client information.
Where once paper documents were the norm, today clients,
lawyers, and law office staff routinely work with electronic
documents and data. Protecting the security and confidentiality
of that information, however, is as important today
as ever: Both the Rules of Professional Conduct and
the Personal Information Protection and Electronic Documents
Act (PIPEDA) apply equally to paper-based files and
to electronic documents, such as computer files or
e-mail messages.
A failure to take appropriate steps to protect the
electronic data in your office could have disastrous
consequences. This could include an embarrassing release
of sensitive information, a malpractice claim, a complaint
to the Law Society, or the theft of your personal identity.
At the very least, the theft, loss, or destruction of
client or practice-related data will be disruptive to
you and your practice. In the extreme case, it could
cause your practice to fail.
To minimize the risk of any disclosure or loss of confidential
client or practice data, you should understand where
the risks are, and implement office management practices
and appropriate technology to ensure all of your data
remains confidential and secure.
This booklet provides a comprehensive review of various
steps you should take to ensure that the electronic
information in your office remains confidential and
secure. Although some of the suggested steps may not
be relevant to every lawyer, all practitioners will
find helpful information in this booklet. Even if you
do not have the expertise to implement the suggested
measures yourself, you’ll be in a better position
to direct the work that technology consultants or others
must do for you.
If you do nothing else – the lucky 13 things you must do
An unprotected computer can be infected or hacked within
seconds of connecting to the Internet, so protecting
your electronic data is a must. The question is: How
much time, effort and money are you willing to invest
in that task? Ultimately, you need to find a balance
between the allowable risk and an acceptable cost and
effort. From a best practices point of view, there are
13 steps that you should systematically take to protect
the electronic data in your firm against the most common
threats. Most can be completed quickly, and at little
or no cost. More detail on each of these steps is provided
in the remainder of this booklet. Below are steps 9
through 13. Previously published in LPT: Steps #1-#4 and
Steps #5-#8.
Step #9 Harden your wireless connections: Connecting
to the Internet with wireless technology is so easy
and seductive. However, if not configured properly,
wireless can give hackers easy and unimpeded access
to the data on your computer and network. Wireless users
beware!
Step #10 Learn how to safely surf the Web:
The Internet browser is another one of the more dangerous
tools in your office. Even casual surfing on the Web
can expose you to viruses and worms, and divulge personal
data. You and your staff need to know how to safely
surf the Web.
Step #11 Change key default settings: Every
computer program and every piece of hardware has certain
preset or default settings. These are necessary to make
them operate out of the box. However, default settings
are common knowledge, and hackers can use them to compromise
a computer or network. You can make your systems much
safer by changing some key default settings.
Step #12 Implement a technology use policy:
Everyone using law office technology must understand
basic do’s and don’ts, and where the dangers
are. Every law office should have a basic technology-use
policy that clearly informs all staff of what they can
and can’t do while using e-mail, surfing the Web,
and using other law office systems.
Step #13 A backup can save your practice:
You hope and pray it never happens to you, and you will
take all of the above steps to reduce the likelihood
of a malware infection or hacker attack, but if your
system is ever compromised, nothing will be more valuable
to you and your practice than a full backup of your
critical practice and client data.
Don’t be tempted to skip or skimp on one or more
of the suggested steps. Remember, your data is only
as safe as the weakest link in your security plan. When
you leave on vacation, you lock every door and window
in your house. Leaving just one door or window open
gives a thief easy and instant access. To make sure
the security and privacy of your electronic information
is properly protected, it is critical that you fully
and properly implement all of the above steps. Working
your way through this booklet will help you complete
all the work necessary to protect the security and privacy
of your data.
Lastly, look inside your firm for potentially the most
dangerous people, your own employees, and be especially
careful of departing employees.
Step #9 - Harden your wireless connections
Wireless connectivity is seductive, cool and offers
endless exciting possibilities. You’re no longer
tied to your desk. You can take your laptop to a meeting
down the hall and access local servers and the Web.
At home or the office, you can easily connect multiple
computers and printers, without running cables through
walls and ceilings. You can stay connected in many public
places, including coffee shops, restaurants, hotels,
conference centers, and airport terminals. This is all
possible because cheap, easy-to-use wireless technology
has hit the mainstream.
Before you jump on the wireless bandwagon (and even
if you already are a wireless user), you need to know
that wireless is fraught with serious security issues.
Installing a wireless device is like leaving the front
door of your home or office open and unlocked. Anyone
who can pick up your wireless signal could potentially
access your Internet connection or data. Use wireless
with caution, and only after you enable all possible
security features on your wireless devices.
Why is wireless a security nightmare?
On the hardware side, wireless networking starts at
a wireless access point or AP. The AP plugs
into your wired network and has an antenna which broadcasts
data via radio waves. These radio waves are transmitted
to a receiver in a wireless network interface card
(NIC) in your laptop or desktop computer, which in turn
lets your computer communicate with the network without
physically being plugged into it.
To make wireless products easy to use, they are generally
shipped with all security features turned off. Although
this makes installation a dream, it creates a security
nightmare because it potentially allows anyone to connect
to your network. So that they are easy to locate and connect
to, APs broadcast a service set identifier or SSID.
This SSID is the name of your wireless network. The
radio signal from your AP will radiate in a sphere 20
to 35 metres or more in diameter. Wireless-enabled laptops
can scan their surroundings for SSIDs. Someone sitting
in a car across from your home or office could easily
find and connect to your network. Hackers known as “wardrivers”
actually cruise around looking for networks they can
hack into.
Under older standards (802.11a, 802.11b and 802.11g),
wireless device communications are not very secure.
They allow easy interception of passwords and other
information. A new standard, 802.11i, offers much stronger
security, and devices compatible with it are now available.
For security reasons, many law firms will not install
an AP on their networks. Firms that are installing wireless
networks are using products such as the Aironet Series
from CISCO. Although these products have more security
features than the widely available consumer brand wireless
products, they are much more expensive.
Wireless technologies will become even more common.
If you are going to install a wireless network, make
sure you get the newest wireless technology and enable
all possible security features. Some generic directions
for enabling security features on APs are available
on our Web site at: www.practicepro.ca/securitybooklet.
Step #10 - Learn how to safely surf the Web
Your Internet browser is one of the more dangerous
tools in your office. Even casual surfing on the Web
can expose you to viruses and worms, and divulge personal
data. You and your staff need to know how to safely
surf the Web, and how to configure your browser so that
surfing is less dangerous. This involves disabling some
browser features, controlling which cookies can be stored
on your computer, and preventing pop-ups.
Locking down Internet Explorer
Malware programs can automatically install themselves
while you are browsing or surfing on the Internet. These
are called drive-by downloads. This can occur
when Web sites run scripts (small bodies of code designed
to perform a specific action) or ActiveX Controls
(a module of code that adds extended functionality to
the browser). You need to configure your browser so
that it will warn you when this is happening, and stop
it from happening, if necessary.
To do this for Internet Explorer versions 5.0 and later,
click on Tools, then select Internet Options. Next,
select the Security tab. Click on the Internet icon
(the globe), and then click on the Default Level button
to remove any custom settings.
Next, click the Custom Level button. This will open
the Security Settings dialog box. In the ActiveX Controls
And Plug-Ins section of that box (at the top), configure
the following settings as noted:
- Download Signed ActiveX Controls: Prompt
- Download Unsigned ActiveX Controls: Disable
- Initialize and Script ActiveX Controls Not Marked
as Safe: Disable
- Run ActiveX Controls and Plug-Ins: Prompt
- Run ActiveX Controls Marked Safe for Scripting:
Prompt
To save your changes, click OK, answer Yes to the “Are
you sure you want to change the settings for this zone?”
question, then click Apply, and OK.
After making these changes, whenever a Web site attempts
to run a script or ActiveX Control, you will receive
a prompt asking whether you want to allow that script
or control to run. Click Yes if the message appears
while you are visiting a reputable site. Click No if
it appears when you are visiting an unfamiliar site.
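The five settings above are stored per user in the Windows registry, so they can be checked on several office machines without opening each dialog. The Python below is an added example, not part of the original booklet: it parses the text printed by reg query for the Internet zone key and reports every setting that differs from the list above. The sample output in it is constructed; the value names (1001, 1004, 1200, 1201, 1405) and data codes (0 = Enable, 1 = Prompt, 3 = Disable) are Microsoft's documented Internet Explorer zone settings, not something the booklet states.

```python
import re

# Value names under
#   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
# (zone 3 is the Internet zone), paired with the setting the booklet recommends.
RECOMMENDED = {
    "1001": ("Download Signed ActiveX Controls", "Prompt"),
    "1004": ("Download Unsigned ActiveX Controls", "Disable"),
    "1201": ("Initialize and Script ActiveX Controls Not Marked as Safe", "Disable"),
    "1200": ("Run ActiveX Controls and Plug-Ins", "Prompt"),
    # The booklet's fifth item; Internet Explorer labels it
    # "Script ActiveX controls marked safe for scripting".
    "1405": ("Run ActiveX Controls Marked Safe for Scripting", "Prompt"),
}

# How Internet Explorer encodes the choice made in the dialog.
POLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}

# A data line of `reg query` output: four-hex-digit name, type, hex data.
LINE = re.compile(r"^\s*([0-9A-Fa-f]{4})\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$")


def parse_reg_query(text):
    """Return {value name: integer data} for the zone settings in the output."""
    values = {}
    for line in text.splitlines():
        match = LINE.match(line)
        if match:
            values[match.group(1).upper()] = int(match.group(2), 16)
    return values


def audit(text):
    """Return (setting, current, recommended) for each setting that deviates."""
    actual = parse_reg_query(text)
    findings = []
    for name, (label, wanted) in RECOMMENDED.items():
        if name not in actual:
            findings.append((label, "not set", wanted))
            continue
        current = POLICY.get(actual[name], "unknown (0x%x)" % actual[name])
        if current != wanted:
            findings.append((label, current, wanted))
    return findings


# Constructed sample: output of
#   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
# on a machine where three of the five settings were left too permissive.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    CurrentLevel    REG_DWORD    0x11000
    1001    REG_DWORD    0x1
    1004    REG_DWORD    0x0
    1200    REG_DWORD    0x0
    1201    REG_DWORD    0x3
    1405    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for label, current, wanted in audit(SAMPLE_REG_QUERY):
        print("%s: is %s, should be %s" % (label, current, wanted))
```

An empty result means all five settings match the list; settings imposed by a group policy are stored elsewhere and are not covered by this check.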
Don’t get eaten by the cookie monster
Spyware often works with the assistance of a cookie.
Cookies are small files that provide a Web browser with
information about a user such as identity information
or preferences for visits to a particular site. One
example would be your language preferences.
To protect yourself, you want to limit the types of
cookies that can be stored on your computer. To do this,
click on Tools, select Internet Options, and click the
Privacy tab. By dragging the slider up or down, you
can choose from six different levels of security, ranging
from accepting all cookies, to total blockage of cookies,
or various levels in between. To be safe, your setting
should be at least Medium. This will protect you from
third party cookies, which are the malicious type. Medium
High or High settings provide greater protection, but
may prevent some Web sites from running properly. To
save your changes, click Apply, and then OK.
Preventing pop-ups
Pop-ups are the annoying windows that appear in separate
browser windows while you are surfing the Web. Not only
are they annoying, but they can also expose you to various
types of malware. There are several software products
that will intercept them and prevent them from loading.
Pop-up Stopper (www.panicware.com)
is very popular. Also widely used are the Google Toolbar
(http://toolbar.google.com)
and ZoneAlarm (www.zonealarm.com),
which both include functionality for preventing pop-ups.
Instant Messaging can be insidious
At home and work, especially among younger people,
instant messaging (IM) has become a popular
form of online communication. IM is faster than e-mail
and lets you communicate across the Internet with many
people in real time. Although the features vary, at
the core, most IM software products have two boxes for
text in their main window. One box shows a running list
of all comments from all participants in the conversation,
the other box allows you to type your message. On pressing
Enter, your message immediately jumps into the other
box and goes out over the Web. IM products have little
or no encryption or security, so IM statements are public
and can expose your office to embarrassment. As well,
IM makes it very easy to download or share files across
the Web, and thus opens the doors for viruses, worms
and other malicious code.
Many IM services are available for free on the Internet,
including AOL Instant Messenger (AIM) (www.aim.com),
ICQ (www.icq.com),
and MSN Messenger (http://messenger.msn.ca).
They are easily downloaded and installed, and they may
already be running on your system.
IM can have a useful business purpose, but at present,
it is usually used for personal conversations by office
staff, often without permission. When using IM, it actually
looks like staff are working hard on their computers.
Most law offices will want to prohibit the use of IM
in their technology use policy. (See page 43)
If IM is used in your office, be aware of it, and use
antivirus, anti-spyware or firewalls to protect yourself
from IM-related dangers. For further protection you
should configure IM to hide personal information, turn
off file sharing and receiving, and prevent downloads.
Disable messenger service
You can block pop-up spam messages in Windows NT, 2000,
or XP by disabling the Windows Messenger service (this
is unrelated to the MSN Messenger instant messaging
program). Open the Control Panel, then click on Administrative
Tools, and select Services. One of the running services
will be Messenger. Right-click on it and select Properties.
Set Start-up Type to Disabled, and press the Stop button.
Step #11 - Change key default settings [1]
Changing the default values for hardware and software
on your systems is another critical step in safeguarding
the security of your data. This is the most technical
of the thirteen steps outlined in this booklet.
Every computer program and every piece of hardware
has certain preset or default settings. These
are necessary to make them operate out of the box. However,
default settings are common knowledge, and hackers can
use them to compromise a computer or network. You can
make your systems much safer by changing the following
key default settings:
- Administrator account name
- Domain name
- Workgroup name
- Outlook Web Access port
In the Windows world, the default administrator ID
is administrator. Change the default name to
something others won’t know. Fortunately with
the advent of Windows 2000 Server, there is no longer
a default domain name. In Windows NT 4 Server, the default
domain name is domain.
However, Microsoft has still held on to defining default
workgroup names. The default workgroup name can be WORKGROUP
or you may see MSHOME as the default. Workgroups
are used to connect computers in a peer-to-peer environment.
Change the default workgroup name to something less
well-known, especially if you are in a shared office
location and connected to other computers. All computers
must have the same workgroup name to see each other
and share files or resources.
To change or specify the workgroup for Windows XP,
go to Control Panel and click on System. If you don’t
see System, then select Performance and Maintenance
and then select System. Click on the Computer Name tab,
and then click Change. Enter the desired workgroup name.
Remember that this has to be done on all computers in
your peer-to-peer network.
To change the workgroup in Windows 2000, go to Control
Panel, and click on System. Click the Network Identification
tab, and then select Properties. Enter the desired workgroup
name in the workgroup box.
For Windows ME or 98, go to the Control Panel and then
select the Network icon. Click on the Identification
tab, and enter the desired name in the workgroup box.
[1] Adapted, with permission, from
Security for Small and Mid-size Law Firms by Sharon
D. Nelson, Esq. and John W. Simek, an article posted
on the Sensei Enterprises, Inc. Web site (www.senseient.com).
If you are running an Exchange server or have installed
Microsoft’s Small Business Server, a few default
values should be changed. Exchange allows remote access
to a user’s mailbox via a Web browser. Outlook
Web Access (OWA) uses the default port 80, like
most Web sites. This means that you have to allow port
80 to pass through your firewall to access your e-mail
on the Exchange server. Unfortunately, port 80 is one
of the most exploited ports by viruses and worms.
The default port for OWA is the same as the default
Web site on your Windows server. From the server, go
to the Administrator Tools, and select the Internet
Services Manager. Right click on the Default Web site,
and select Properties. Change the TCP Port value to
a value other than 80, and one that’s easy for
your employees to remember. The last four digits of
a phone number is a good choice. Your firewall will
have to be changed to allow the port that you configured
for OWA. Assuming that you changed the port number to
9902, you access your e-mail by entering a URL in your
browser that would be something like: http://mail.yourdomain.com:9902/exchange.
Step #12 - Implement a technology use policy
E-mail and the Internet have helped increase productivity
in many law firms. But, as outlined in this booklet,
they also expose a firm to significant risks. To address
these risks, firms should: educate all lawyers and staff;
and create a written policy that clearly establishes
guidelines and minimum requirements governing the acceptable
use of all firm technology resources.
A technology use policy should use simple and non-technical
language that all employees can understand. It should
be reviewed with new employees, and strictly enforced.
Every technology use policy should cover some basics.
It should clearly state that technology resources provided
by the firm, including Internet and e-mail access, are
to be used for legitimate firm activities. Staff should
understand that they have an obligation to use their
resources properly and appropriately.
Technology use policies should also direct firm staff
to ensure that confidentiality of firm and client information
is protected at all times, that there is compliance
with network system security mechanisms, and that resources
are not used in a manner that would negatively affect
others on the system.
Firms deal with personal use in different ways. Some
firms allow occasional, reasonable use of Internet and
e-mail resources, either on personal time, or even on
company time. Other firms do not allow any personal
use of these online resources.
Technology use policies should also indicate that the
firm retains the right to monitor any and all electronic
communications and use of the Internet to ensure the
integrity of the firm’s systems and compliance
with the firm’s technology use policy. As well,
the policy should indicate that there may be sanctions
for failure to comply.
The Law Society of British Columbia has a sample Internet
and e-mail use policy for law firms on its Web site
at www.lawsociety.bc.ca/services/Practice/body_practice_policy-internet.html.
Family computers are dangerous
Teenagers are more likely to engage in all the most
dangerous activities, including using IM, downloading
programs, and file sharing. If you use a compromised
computer to log into your office, you can bypass the
firewall and other security mechanisms and cause a security
breach. Take the steps outlined in this booklet to protect
your home computer. To be absolutely safe, avoid using
a home computer for work purposes if it is used by others.
Another alternative is to have two partitions on your
home computer. This essentially means there are two
complete sets of software on the computer, one which
only you would use, and one which others in the house
would use.
Step #13 - A backup can save your practice
Computers and other legal technologies have become
critical to practicing law. Every law firm has huge
amounts of irreplaceable data on server and/or desktop
hard drives. The most critical part of any disaster
recovery plan is backing up the data on your firm’s
computers. A backup will allow you to recover when hard
drives are infected by malware, if they are lost or
damaged (due to theft or fire), or when they fail. Computer
hard drives are complex pieces of electronic hardware
that are subject to failure, and most ultimately will
fail if they are used long enough.
To ensure you have a complete and reliable backup,
follow these steps:
- Do a full backup: Full backups are better than
partial backups. Having everything that was on your
hard drive is better than finding out you need a critical
file that wasn’t backed up.
- Do backups daily: Modern backup hardware is able
to do complete backups of large hard drives within
hours. Backups can be set to run automatically, usually
in the middle of the night. Doing a daily backup ensures
you are as up-to-date as possible. It will have all
of your work and data up until the end of the previous
day.
- Identify responsible person(s) and alternatives:
Doing the backup should be a mandatory responsibility
that is assigned to a specific individual, and an
alternate individual. You want to ensure that a backup
is done every day, without fail.
- Review the backup log: Most backup software programs
create a log report when a backup is completed. This
report details what was backed up, and if there were
any problems.
- Do regular test restores: Periodically, the backup
log will report a successful backup when some or all
of the data to be backed up was missed. The only way
to truly test your backup is to regularly do a test
restore of selected files and folders.
- Identify an offsite storage location: Tapes left
on top of your server in your office could be destroyed
or taken along with your server if there is a fire
or theft. Don’t keep all your eggs in one basket.
You should store at least some of your backup tapes
in one or more safe off-site locations.
- Rotate and keep generations of tapes: Don’t
use the same tape over and over; rotate your backup
tapes. For example, use a series of five tapes, one
for each night of the week. This can be helpful when
database corruption is detected after it occurred.
Having an older backup will allow you to reach back
to an earlier date. Some firms keep end of week, end
of month or end of year backups.
- Replace tapes regularly: Backup tapes degrade over
time and with use. Replace them every six months.
When tapes get to the end of their life, rotate them
out as end-of-month tapes, etc.
- Don’t forget data on other devices: Server
backups usually are configured to only back up data
on servers. Make sure that data on desktop computers,
laptops and PDAs (Personal Digital Assistants) get
backed up as well. Also, have staff back up the phone
numbers stored in their cell phones.
- Make sure open files are being backed up: Some
backup software will not back up files that are in
use or “open” by other programs. Central
accounting systems, e-mail and other database files
often remain open 24 hours a day. Make sure that
your backup is getting all open files.
- Create written instructions for restoring:
Many offices have one or two people who know how to
do a backup, but none who know how to restore backed
up data. Create written instructions and train several
people to do this task.
- Find a hardware backup buddy: If your backup server
and tape unit are destroyed or stolen, you could find
yourself with a good backup tape and no compatible
tape unit to do a restore. Ideally find someone who
has a server and tape unit that is identical to yours.
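One way to carry out the test restore step is to record a checksum of every file when the backup runs, then compare a test restore against that record. The Python below is an added example, not part of the original booklet. The folder and file names are constructed sample data, with one file left out of the restore (as happens when backup software skips an open file) and one file restored in damaged form.

```python
import hashlib
import os
import tempfile


def manifest(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as handle:
                # Read in 1 MB chunks so large files do not fill memory.
                for chunk in iter(lambda: handle.read(1 << 20), b""):
                    digest.update(chunk)
            result[rel] = digest.hexdigest()
    return result


def verify_restore(expected, restored_root):
    """Compare a test restore against the manifest saved at backup time."""
    restored = manifest(restored_root)
    missing = sorted(p for p in expected if p not in restored)
    damaged = sorted(
        p for p in expected if p in restored and restored[p] != expected[p]
    )
    verified = len(expected) - len(missing) - len(damaged)
    return {"verified": verified, "missing": missing, "damaged": damaged}


def _write(root, rel, data):
    """Create a sample file, making parent folders as needed."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Run the check on constructed sample data and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")          # data as it was at backup time
        restored = os.path.join(tmp, "restored")  # result of the test restore

        _write(live, "clients/smith/retainer.doc", b"retainer agreement v3")
        _write(live, "clients/jones/will.doc", b"last will and testament")
        _write(live, "accounting/ledger.mdb", b"general ledger records")
        expected = manifest(live)  # saved alongside the backup

        # The restore: one good file, one cut short, and the ledger
        # absent because it was open when the backup ran.
        _write(restored, "clients/smith/retainer.doc", b"retainer agreement v3")
        _write(restored, "clients/jones/will.doc", b"last will and test")

        return verify_restore(expected, restored)


if __name__ == "__main__":
    report = demo()
    print("verified:", report["verified"])
    print("missing: ", report["missing"])
    print("damaged: ", report["damaged"])
```

Build the manifest at the time the backup runs, not later from the live folder: files edited since the backup would otherwise show up as damaged.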
A full or partial backup from last week is better than
no backup at all. If you are not doing full, regular
backups, at least back up some of your most important
files. It is easy to copy files onto a CD or some type
of removable storage device. For a few hundred dollars
you can purchase a small portable external hard drive
with a very large storage capacity. Maxtor, Seagate
and Western Digital are all reputable hard drive manufacturers.
These are easy to plug into your computer via a USB
port, and you can make a copy of all the data on a hard
drive in a few hours or less. Some come with software
that will back up an entire hard drive with one push
of a button.
If you don’t invest in any backup hardware, consider
simply copying data to another computer on your network.
This won’t help if your office burns down, but
it will help if you have a hard drive failure.
Take care with current and departing employees
Most of us tend to look outside our offices for threats
or dangers. However, you should also be aware of potential
inside dangers. Statistics show that the majority of
incidents involving the destruction or loss of data
were perpetrated by current, soon-to-be dismissed or
recently dismissed employees. Few, if any, know more
about your firm’s systems than your employees,
and few, if any, are in a better position to cause major
damage.
In particular, your IT staff, employees with advanced
technology knowledge, and outside technology support
people are potentially the greatest threat because they
have the greatest knowledge about your system configurations,
and the technical know-how to be very destructive.
When hiring a new employee, make sure you are diligent
and carefully check their backgrounds and speak to references.
Look for any red flags on an application letter or resume,
and watch for issues during the interview process. Watch
for someone that is withholding relevant information,
or that has falsified information on the application.
Assess the overall integrity and trustworthiness of
the candidate.
When any employee leaves your firm, regardless of whether
they are leaving of their own accord or are being terminated,
ensure that your systems are protected. Promptly close
all their points of access to your office and computer
systems, including keys and access cards, login accounts
and passwords, e-mail accounts or remote access. If
you discharge an employee who has access to critical
company data, let them go without notice, and don’t
allow them any access to a computer.
There are literally dozens of steps you should complete
systematically to make sure all points of access for
departed employees are closed down. A detailed departure
checklist is available on the practicePRO Web site at
www.practicepro.ca/securitybooklet.
Summary
LAWPRO encourages you to proactively protect the security
and privacy of the electronic information in your offices
– not only to comply with the Rules of Professional
Conduct and privacy legislation, but also to safeguard
the viability and integrity of your practice.
A failure to protect the electronic data in your office
could have disastrous consequences. This could include
an embarrassing release of sensitive information, a
malpractice claim, a complaint to the Law Society, or
the theft of your personal or firm identity. At the
very least, the theft, loss, or destruction of client-
or practice-related data will be disruptive to both
you and your practice. In the extreme case, it could
cause your practice to fail.
Take time to understand where the risks are. Implement
office management practices and appropriate technology
to ensure all your data remains confidential and secure.
Carefully review and implement the suggestions and
steps outlined in this booklet. Seek outside, knowledgeable
help if necessary. It is relatively easy and inexpensive
to protect yourself from the common threats. Acting
now to protect yourself from the most common threats
could help you avoid having to spend time and money
dealing with security compromises.
Appendix 1 lists other resources that can help you
secure the electronic data in your office.
Appendix 1
Other resources
Web sites
PC Magazine Security Watch page – www.pcmag.com/security
Various articles on security issues, and reviews of
security related technology products.
Urban Legends Site Computer page – www.snopes.com/computer
An easy to use listing of current virus threats and
hoaxes.
Symantec Home Page – www.symantec.com
Current information on the latest threats, list of known
viruses, and information on how to repair and clean
infected computers.
Consumer Web Watch – www.consumerwebwatch.org
A good page from Consumer Reports people for current
news and information about Web-related security issues.
eBay Security and Resolution Centre – http://pages.ebay.ca/securitycentre/
Helpful information on avoiding online auction fraud
and identity theft.
Senseient Publications Page – www.senseient.com
See the Publications Page for detailed articles on a variety
of law firm related security and forensics issues.
Test your password strength – www.securitystats.com/tools/password.php
Test the strength of your passwords, and get suggestions
on how to make them stronger.
Tips For Troubleshooting Computer Problems – www.lawpro.ca/lawpro/Computer_troubleshooting.pdf
practicePRO article on steps to take to troubleshoot
computer problems.
LSUC Practice Management Guidelines – www.lsuc.on.ca/services/pmg_tech.jsp
Guidelines to assist lawyers in conducting various aspects
of legal work, including management of files and client
information.
ABA’s Law Practice Management Webzine, Law Practice Today – www.lawpracticetoday.org
General articles on legal technology and other LPM issues.
Office of Privacy Commissioner of Canada – www.privcom.gc.ca
Information on complying with PIPEDA.
Magazines
Smart Computing Magazine – www.smartcomputing.com
Great magazine for basic information on all types of
technology.
Law Office Computing Magazine – www.lawofficecomputing.com
Great magazine for legal technology articles and product
reviews.
Books
Computer Security for the Home and Small Office
by Thomas C. Greene.
Covers many of the topics covered in this booklet in
more detail. 405 p. Apress, 2004.
Information Security: A Legal, Business, and Technical
Handbook by Kimberly Kiefer, Stephen Wu, Ben Wilson
and Randy Sabett; 82p. American Bar Association, 2003;
www.ababooks.org. This book reviews security threats,
includes information on security best practices and
how to respond to security incidents. It also has standards,
guidelines and best practices precedents.
This booklet was prepared for the Lawyers’ Professional
Indemnity Company (LAWPRO®) by Daniel E. Pinnington,
Director, practicePRO, LAWPRO (dan.pinnington@lawpro.ca).