A longer version of this article first appeared in Probate & Property Magazine, Vol. 31, September/October 2017
LPMT BITS & BYTES
BY CATHERINE SANDERS-REACH
ENCRYPTING DOCUMENTS AND COMMUNICATIONS
Keep It Secret, Keep It Safe
Catherine Sanders Reach is the Director, Law Practice Management & Technology at the CBA. Visit www.chicagobar.org/lpmt for articles, how-to videos, upcoming training and CLE, services, and more.
The security landscape has become overwhelming for many lawyers. The last ten years have witnessed an increasing awareness that a lack of compliance with security best practices may put lawyers and their clients at great risk. The updates to the Model Rules of Professional Conduct in 2012, now adopted by nearly 30 states, including Illinois, served as a wakeup call to the fact that security and technology awareness are an essential part of running a law firm. Rule 1.1 (Competency) now requires a lawyer to understand the benefits and risks of relevant technology. The expansion of the comments in 1.6 (Confidentiality) includes taking reasonable precautions to prevent client information from unauthorized access as well as inadvertent or unauthorized disclosure. Recent ethics opinions promulgated by bar associations and disciplinary agencies regarding email encryption, cloud computing, records management, and related subjects provide guidance on how a law firm should go about securing a client’s confidential information.
It does not stop at ethics opinions. Law firms also hold information protected by statute and regulation, including data breach notification laws in 48 states, HIPAA, FINRA, PCI, and others. Real estate attorneys have special requirements in residential real estate transactions involving mortgage financing. Attorneys acting as title agents in mortgage financing transactions have data security requirements under obligations expressed by TRID (Truth in Lending Act/Real Estate Settlement Procedures Act Integrated Disclosure), enforced by the Consumer Financial Protection Bureau.
Create a Risk Profile
To comply with regulations and ethical requirements, law firms should first map out their risk profile. What kind of data does the firm store and access? Transmit? Is it data defined by statute such as PII (Personally Identifiable Information), PHI (Protected Health Information) or NPI (Non-Public Personal Information)? Financial information? Read the laws and regulations to see what guidance they may provide to help protect the data. Next, consider what the firm may keep that is privileged or confidential. How is that data protected? Look at where the data is stored, how it is transmitted, who has access to it, and what steps the firm takes to protect it. Is it enough?
Follow Best Practices
Security is a moving target. Don’t let the firm get too complacent in its practices. The most important thing a firm can do to protect client data is to keep up with the latest recommendations in cyber protection and keep attorneys and staff constantly vigilant to maintain security and privacy protocols. Ninety-one percent of cyberattacks begin with a spear phishing email and 96% of executives cannot distinguish a phishing email from a legitimate one 100% of the time, according to an All Covered security study. Learn to recognize the signs of scams and do not sacrifice security for convenience.
For instance, there has been a lot in the news about scams involving intercepted and redirected wire transfer information, especially in real estate transactions. Do not send wire instructions via email. Tell clients whether to expect this type of information from the firm. Let clients know that the firm will not request wire transfer or electronic payment information or, if the firm does, exactly how and what it will look like.
Encrypt Email Attachments
If the firm sends out documents via email that contain protected or sensitive information, such as NPI or PII, then at the very least those documents should be encrypted via password protection. Current versions of Microsoft Office (versions 2013 & 2016), Adobe Acrobat Document Cloud, and Nuance Power PDF Advanced provide password protection, which triggers encryption of the document. This encryption is enabled by setting a password to open the document. Strong passwords (at least 12 random characters) should be employed. Also, do not email the password to the document with the attachment or even in a separate email. Call the client or use a secure messaging application to send the password in a different way than the document was sent. Tools on the market make it relatively easy for someone to access file content from older versions of Microsoft Office documents, bypassing the password altogether. There are more comprehensive ways to protect documents and communication, but this method helps protect the document from inadvertent and unauthorized access.
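A pre-send check for the advice above, as an added example that is not part of the original article: it inspects an attachment's bytes and reports whether the file is actually encrypted before it goes out by email. The function names and sample bytes are constructed for illustration, the detection is a heuristic on file signatures, and treating the pre-2007 binary Office container as the "older versions" case is an assumption, since the article does not name the formats.

```python
"""Pre-send check: is this attachment actually encrypted? (added example)"""

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file container
ZIP_MAGIC = b"PK\x03\x04"                      # ZIP container
# A password-to-open Office file holds these two streams; OLE stores names as UTF-16LE.
ENC_STREAMS = tuple(n.encode("utf-16-le") for n in ("EncryptionInfo", "EncryptedPackage"))


def classify(data: bytes) -> str:
    """Return a coarse verdict for the raw bytes of an attachment."""
    if data.startswith(b"%PDF-"):
        # An encrypted PDF carries an /Encrypt entry in its trailer dictionary.
        return "pdf-encrypted" if b"/Encrypt" in data else "pdf-plaintext"
    if data.startswith(ZIP_MAGIC):
        # .docx/.xlsx/.pptx saved without a password are ordinary ZIP archives.
        return "office-plaintext"
    if data.startswith(OLE_MAGIC):
        # Current Office wraps an encrypted document in an OLE container.
        if all(name in data for name in ENC_STREAMS):
            return "office-encrypted"
        # Assumption: any other OLE file is a legacy binary .doc/.xls/.ppt.
        return "office-legacy-format"
    return "unknown"


def ok_to_send(data: bytes) -> bool:
    """Only files with modern encryption applied pass the check."""
    return classify(data) in {"pdf-encrypted", "office-encrypted"}


# Constructed sample inputs (not real documents): just enough bytes per branch.
SAMPLES = {
    "encrypted.docx": OLE_MAGIC + b"\x00" * 504 + b"".join(ENC_STREAMS),
    "legacy.doc": OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le"),
    "plain.docx": ZIP_MAGIC + b"[Content_Types].xml",
    "locked.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF",
    "open.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R >>\n%%EOF",
}


def report(samples=SAMPLES):
    """Map each sample name to its verdict."""
    return {name: classify(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:16} {verdict}")
```

A file reported as office-legacy-format should be re-saved in a current Office format with a password before sending, even if a password was set on the old file.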
“No Cloud” Options
Some law firms have a mistrust of any
product or service that employs “the
cloud.” For this discussion, “the cloud” is
46
NOVEMBER 2017