A longer version of this article first appeared in Probate & Property Magazine, Vol. 31, September/October 2017

LPMT BITS & BYTES

BY CATHERINE SANDERS-REACH

ENCRYPTING DOCUMENTS AND COMMUNICATIONS

Keep It Secret, Keep It Safe

Catherine Sanders Reach is the Director, Law Practice Management & Technology at the CBA. Visit www.chicagobar.org/lpmt for articles, how-to videos, upcoming training and CLE, services, and more.

The security landscape has become overwhelming for many lawyers. The last ten years have witnessed an increasing awareness that a lack of compliance with security best practices may put lawyers and their clients at great risk. The updates to the Model Rules of Professional Conduct in 2012, now adopted by nearly 30 states, including Illinois, served as a wakeup call to the fact that security and technology awareness are an essential part of running a law firm. Rule 1.1 (Competency) now requires a lawyer to understand the benefits and risks of relevant technology. The expansion of the comments in 1.6 (Confidentiality) includes taking reasonable precautions to prevent client information from unauthorized access as well as inadvertent or unauthorized disclosure. Recent ethics opinions promulgated by bar associations and disciplinary agencies regarding email encryption, cloud computing, records management, and related subjects provide guidance on how a law firm should go about securing a client’s confidential information.

It does not stop at ethics opinions. Law firms also hold information protected by statute and regulation, including data breach notification laws in 48 states, HIPAA, FINRA, PCI, and others. Real estate attorneys have special requirements in residential real estate transactions involving mortgage financing. Attorneys acting as title agents in mortgage financing transactions have data security requirements under obligations expressed by TRID (Truth in Lending Act/Real Estate Settlement Procedures Act Integrated Disclosure), enforced by the Consumer Financial Protection Bureau.

Create a Risk Profile

To comply with regulations and ethical requirements, law firms should first map out their risk profile. What kind of data does the firm store and access? Transmit? Is it data defined by statute such as PII (Personally Identifiable Information), PHI (Protected Health Information) or NPI (Non-Public Personal Information)? Financial information? Read the laws and regulations to see what guidance they may provide to help protect the data. Next consider what the firm may keep that is privileged or confidential. How is that data protected? Look at where the data is stored, how it is transmitted, who has access to it, and what steps the firm takes to protect it. Is it enough?

Follow Best Practices

Security is a moving target. Don’t let the firm get too complacent in its practices. The most important thing a firm can do to protect client data is to keep up with the latest recommendations in cyber protection and keep attorneys and staff constantly vigilant to maintain security and privacy protocols. Ninety-one percent of cyberattacks begin with a spear phishing email and 96% of executives cannot distinguish a phishing email from a legitimate one 100% of the time, according to an All Covered security study. Learn to know the signs of scams and do not sacrifice security for convenience.

For instance, there has been a lot in the news about scams involving intercepted and redirected wire transfer information, especially in real estate transactions. Do not send wire instructions via email. Tell clients whether to expect this type of information from the firm. Let clients know that the firm will not request wire transfer or electronic payment information or, if the firm does, exactly how and what it will look like.

Encrypt Email Attachments

If the firm sends out documents via email that contain protected or sensitive information, such as NPI or PII, then at the very least those documents should be encrypted via password protection. Current versions of Microsoft Office (versions 2013 & 2016), Adobe Acrobat Document Cloud, and Nuance Power PDF Advanced provide password protection, which triggers encryption of the document. This encryption is enabled by setting a password to open the document. Strong passwords (at least 12 random characters) should be employed. Also, do not email the password to the document with the attachment or even in a separate email. Call the client or use a secure messaging application to send the password in a different way than the document was sent. Tools on the market make it relatively easy for someone to access file content from older versions of Microsoft Office documents, bypassing the password altogether. There are more comprehensive ways to protect documents and communication, but this method helps protect the document from inadvertent and unauthorized access.
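The following Python sketch is an added example, not part of the original article: a pre-send check that flags Office and PDF attachments that are not password-encrypted, plus a generator for a random password of at least 12 characters. The function names and the sample message are assumptions made for illustration, the attachment bytes are constructed stubs, and detection is a file-signature heuristic rather than a full parser.

```python
import secrets
import string
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")        # OLE compound file: legacy Office, encrypted OOXML
ZIP_MAGIC = b"PK\x03\x04"                            # unencrypted .docx/.xlsx/.pptx are ZIP archives
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream name in an encrypted OOXML wrapper

def new_password(length=16):
    """Random password from the OS CSPRNG; the article's floor is 12 characters."""
    if length < 12:
        raise ValueError("use at least 12 random characters")
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def encryption_status(data):
    """Heuristic: 'encrypted', 'plaintext' or 'unknown' for Office/PDF bytes."""
    if data.startswith(b"%PDF-"):
        # A PDF with an open password carries an /Encrypt entry in its trailer.
        return "encrypted" if b"/Encrypt" in data else "plaintext"
    if data.startswith(ZIP_MAGIC):
        return "plaintext"
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls share this magic, so only the stream name is conclusive.
        return "encrypted" if ENC_STREAM in data else "unknown"
    return "unknown"

def unencrypted_attachments(msg):
    """Names of attachments to hold back before the message is sent."""
    flagged = []
    for part in msg.iter_attachments():
        if encryption_status(part.get_payload(decode=True)) != "encrypted":
            flagged.append(part.get_filename())
    return flagged

def sample_message():
    """Constructed message; the attachment bytes are stubs, not real documents."""
    msg = EmailMessage()
    msg["Subject"] = "Closing documents"
    msg.set_content("Documents attached. The password will follow by phone.")
    stubs = {
        "settlement.docx": ZIP_MAGIC + b"[Content_Types].xml",
        "settlement-protected.docx": OLE_MAGIC + b"\x00" * 504 + ENC_STREAM,
        "statement.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R >>\n%%EOF",
        "statement-protected.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF",
    }
    for name, data in stubs.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg
```

Legacy OLE files without the `EncryptedPackage` stream are reported as `unknown` and flagged, which fits the article's caution about older Microsoft Office formats.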

“No Cloud” Options

Some law firms have a mistrust of any product or service that employs “the cloud.” For this discussion, “the cloud” is

NOVEMBER 2017