BreachExchange mailing list archives

How to Prevent Data Theft From Lost Devices


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 11 Nov 2015 19:54:23 -0700

http://www.therecorder.com/more-latest-news/id=1202742027609/How-to-Prevent-Data-Theft-From-Lost-Devices

Technology can be a blessing and a curse for attorneys. While technology
enables attorneys to conduct business on the go, it also puts
client and firm data at risk. In the United States, someone loses a
cellphone every 3.5 seconds. More than 3 million cellphones are stolen
every year. More than 12,000 laptops are lost in airports each week. Other
portable electronic devices, ranging from BlackBerrys to iPads to many
others, are lost just as frequently. Almost every attorney's portable
electronic device includes some confidential client information.

Most attorneys today conduct business in roaming offices, traveling with
huge amounts of client information with them via portable electronic
devices. When those devices are lost or stolen, it is tantamount to leaving
the doors of the law office unlocked or welcoming a thief to break in. The
attorney's and clients' information is readily available for the taking.

California attorneys also have duties to clients that are impacted by
technology. Per California State Bar Formal Opinion No. 2010-179, attorneys
are supposed to consider several factors when accessing or transmitting
confidential client data over a wireless or personal network that is not
subject to high levels of security: (1) the level of security attendant to
the use of that technology, including whether reasonable precautions may be
taken when using the technology to increase the level of security; (2) the
legal ramifications to a third party who intercepts, accesses or exceeds
authorized use of the electronic information; (3) the degree of sensitivity
of the information; (4) the possible impact on the client of an inadvertent
disclosure of privileged or confidential information or work product; (5)
the urgency of the situation; and (6) the client's instructions and
circumstances, such as access by others to the client's devices and
communications.

The greatest cyber risk to an attorney or law practice today is not an
overseas cyber-terrorist hacking into the law firm's database and accessing
confidential data. Instead, the most significant and most likely risk for
the average law practice is that an attorney or employee with law firm data
on their laptop, tablet or smartphone leaves it at the gym or in the
airport.

Fear not, this cyber risk is also one of the easiest risks to address.

No one needs to convince attorneys of the importance of cybersecurity. From
identity theft to a data security breach at the law practice, attorneys
understand that the risk is real and needs to be addressed. The question is
not whether to take action, but how.

One problem is that most people just throw money at technology problems.
This option includes hiring consultants who take full advantage of the
information gap between what most attorneys know and what most attorneys
actually need to know. High-priced lingo often translates into complicated
systems that may or may not offer benefit.

Four simple steps can effectively address the most common threats. While
these steps are no substitute for professional advice, these steps do
address the cyber risks that often worry attorneys the most.

Step One: Password-Protect Devices

All law firm personnel should be required to use passcode- or
password-protected portable electronic devices—no exceptions. A better
option is to require two-step authentication to log into law firm systems.

Even something as simple as an unlisted phone number in the wrong hands
(especially in domestic relations or criminal defense practices) is a
breach of the duty to maintain confidences. This breach can result in
serious consequences for both the attorney and the client.

In practice, this protocol has two implications. First, every portable
electronic device must be capable of having a password or passcode. The
cost of upgrading existing equipment for firm personnel pales in comparison
to the risks of unprotected portable electronic equipment.

Second, require that this password or passcode feature be activated on
every device, from phones to computers. Inevitably, it is the one laptop
without password protection that is stolen or lost.

Step Two: Activate Location and Remote-Erase Options

A feature that exists on most new devices is the ability to locate the
device if lost or stolen and, if desired, to remotely erase all content on
the device. Both features should be activated to minimize risk to the firm.

Step Three: Apply Protocols to Portable Storage Devices

There are additional protocols for attorneys and law firm personnel who use
transportable data via thumb drives, disks, memory sticks and other data
devices. Documents, files and other sensitive information are routinely
downloaded onto one of these devices.

More than 4,500 flash drives are left at dry cleaners in a year, with
thousands more left in taxicabs. Worse yet, memory sticks transported by
attorneys or law firm personnel typically contain some of the most
sensitive client data, not to mention the metadata that is also hidden with
the documents.

While enforcing a password or passcode requirement for portable electronic
devices is possible (although still an undertaking), policing password or
passcode requirements for portable storage devices can be even more
challenging. The best place to begin is in the downloading process.

Any protocol requiring that information copied from a firm's systems to a
portable storage device be password-protected should require confirmation
of that protection at the time the information is downloaded. After that,
it is too late to police.

Step Four: Address Wi-Fi Risks

There are almost 5 million hot spots around the world where Internet users
can access data. Retail establishments like Starbucks and Dunkin' Donuts
provide Wi-Fi access. Most hotels and airlines now also provide access.
Even law firms often provide Wi-Fi access to employees and guests.

Free, publicly accessible Wi-Fi services are rarely secure. The biggest
threat for attorneys using free Wi-Fi is that someone else can hijack the
connection, positioning a third party between the attorney and the access
point. Instead of talking directly with the hot spot, the attorney is
sending information to the third party.

The third party has access to every piece of information that an attorney
sends out on the Internet, including client information, important emails,
credit card information, and even security credentials to the law firm's
business network.

Once someone has all of that information, including security credentials,
they have the potential to access the law firm's systems at any time. There
is also the risk of computer vandalism through malware aimed at disrupting
and/or damaging an attorney's computer systems.

One option is to avoid unsecured Wi-Fi hot spots. However, such a step is
unnecessary and unduly restricts the utility of portable devices. An
equally effective step is encryption of data. Through software, attorneys
and law firm personnel can make sure that all data transmitted over a
public network is encrypted.

Another step is to use a VPN (virtual private network) for communicating
confidential information. Assuming the law practice's network is encrypted,
the VPN effectively extends that encryption to all communications. In
effect, a VPN, even when used over a public network, operates as if the
attorney were at the office using the office computer. Security protocols
at the office then apply wherever the attorney may be online accessing law
firm information.

One easy solution is to keep the Wi-Fi turned off when the attorney is not
using it. When the Wi-Fi is on, it is possible for it to connect to a
network without the attorney even knowing it. It is an unnecessary risk,
albeit remote.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss