Protecting Portable Devices
All firm-owned portable computing and storage devices used for firm business should be secured with encryption.
Malpractice and cyber liability insurance applications are increasingly asking for information about how firms are securing data, including device encryption. If your firm works with clients in the financial or health-care sectors they may request an audit, or evidence of security protocols and standard certifications.
According to the 2018 Gemalto Breach Level Index, only 4 percent of breaches were “secure breaches” where encryption was used, and the stolen data was rendered useless. All mobile devices should have encryption enabled to protect data on the installed drive or storage. So, how do you do that?
Laptops
Any laptop, whether issued by the firm or a personal device used to access firm data, should have drive encryption enabled. Drive encryption protects the data at rest: when the laptop is powered off, or has not yet been unlocked after a restart, nothing on the drive can be read without the key. Once a user has signed in, the drive is unlocked and stays unlocked for as long as the machine is running, so from that point the lock screen is what stands between a thief and an open session. That is why it is also a good idea to lock the screen automatically when the computer is idle. For individuals, in Windows 10 go to Settings, then Personalization, then Lock screen, open Screen saver settings, tick "On resume, display logon screen" and set the wait to a small number of minutes; under Settings, Accounts, Sign-in options, also require sign-in when the PC wakes from sleep. For a firm that has devices deployed by IT, the administrator will apply this configuration centrally.
The good news is that it is easy to set up drive encryption on most Windows 10, Windows 11 and macOS devices since it is built in. Older devices can be protected with third-party encryption software.
Windows 10 and 11 Pro, Enterprise and Education include an encryption tool called BitLocker. Search for "Manage BitLocker" on the computer and follow the instructions to enable it on the laptop or on a convertible device like the Microsoft Surface Pro; most machines sold in the last several years have the TPM chip BitLocker expects. Home edition does not include BitLocker, but on supported hardware it offers a simpler "Device encryption" switch (Settings, Update & Security in Windows 10; Settings, Privacy & security in Windows 11) that requires signing in with a Microsoft account, which is where the recovery key is stored.
Mac users will find an encryption tool called FileVault already installed. Go to System Preferences from the Apple menu, then Security & Privacy, then FileVault (on macOS Ventura and later: System Settings, Privacy & Security, FileVault). Follow the instructions to enable it and choose where the recovery key is kept.
Of note, your login password unlocks the encryption key; if you forget the password and have not kept the recovery key, you are locked out of your own data, which is exactly the guarantee that keeps a thief out. So keep that recovery key somewhere other than the laptop, preferably in a secure password manager.
Third-party tools cover older devices and other operating systems: VeraCrypt is free and open source and runs on Windows, macOS and Linux, and commercial suites such as Symantec Endpoint Encryption are sold for managed fleets. On a Mac, the built-in Disk Utility can also create an encrypted disk image or format an external drive as encrypted APFS.
Portable Storage Devices
If you have external storage devices, such as thumb drives or hard drives, these devices should also be encrypted. Numerous firms have had to report a data breach due to the loss of an unencrypted portable storage device, including one firm that had to report a data breach because an unencrypted USB drive with discovery documents was mailed and the recipient discovered the envelope had been tampered with upon receipt.
Again, you can use third-party encryption software to protect a portable storage device, such as Symantec Endpoint Encryption (formerly PGP), Check Point or Sophos SafeGuard (originally from Utimaco). Microsoft also offers BitLocker To Go, which extends BitLocker to USB flash drives, SD cards, external hard drives and other removable drives formatted as FAT32, exFAT or NTFS; the drive is unlocked with a password and, as with the system drive, you get a recovery key to store safely. You can also purchase portable storage devices with hardware encryption built in: IronKey (now part of Kingston), Western Digital and SanDisk all sell storage devices that include strong encryption, available at most any big box store or online. A hardware-encrypted drive protects nothing until you set it up, so be sure to enable the encryption and record the unique, strong password in your password manager.
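The Windows steps above (the idle lock from the Laptops section, BitLocker on the system drive, the recovery key, and BitLocker To Go on a thumb drive) can all be done from an elevated PowerShell prompt, which is how an administrator would script them for a fleet. This is an added example, not from the original article: the drive letters C: and E:, the ten-minute timeout and the Entra ID (Azure AD) key backup line are assumptions for illustration.

```powershell
# Added example: Windows 10/11 Pro, Enterprise or Education, run from an elevated PowerShell.
# Drive letters (C:, E:) and the 10-minute idle timeout are assumptions for illustration.

# --- Lock the screen when idle (per-user settings; domain-joined PCs get these from Group Policy) ---
$desktop = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE'        -Value 'C:\Windows\System32\scrnsave.scr'  # blank screen saver
Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'    -Value '1'
Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'   -Value '600'   # seconds of idle time before it starts
Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'     # "On resume, display logon screen"

# --- Inventory: which volumes are encrypted, and with what ---
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionPercentage, EncryptionMethod

# --- System drive: add the recovery password first, then TPM auto-unlock, so a failed TPM never locks you out ---
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# Record the 48-digit recovery password somewhere other than the laptop (e.g. the firm password manager)
$recovery = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
$recovery.RecoveryPassword

# Assumption: the device is Entra ID (Azure AD) joined; escrow the key centrally so IT can recover it too
BackupToAAD-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $recovery.KeyProtectorId

# --- BitLocker To Go: a thumb drive mounted as E: (FAT32, exFAT or NTFS), unlocked with a passphrase ---
$usbPass = Read-Host -AsSecureString -Prompt 'Passphrase for the USB drive'
Enable-BitLocker -MountPoint 'E:' -EncryptionMethod XtsAes256 -PasswordProtector -Password $usbPass -UsedSpaceOnly
Add-BitLockerKeyProtector -MountPoint 'E:' -RecoveryPasswordProtector   # store this one in the password manager as well

# Verify before walking away: ProtectionStatus should read "On" once EncryptionPercentage reaches 100
Get-BitLockerVolume -MountPoint 'C:', 'E:' | Select-Object MountPoint, ProtectionStatus, EncryptionPercentage
```

The ordering matters: the recovery password is added before the TPM protector so that if the TPM step fails or the firmware is later updated, the machine still boots with the 48-digit key rather than becoming a brick. The final inventory line is the check to run on any laptop before it leaves the office.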
Encryption on Smartphones and Tablets
On iPhones and iPads set a passcode of six digits or longer under Settings, Face ID & Passcode (or Touch ID & Passcode); once a passcode is set, the bottom of that screen reads "Data protection is enabled," which means the passcode is protecting the encryption keys. On Android phones and tablets set a PIN, pattern or password through the screen lock settings; current versions encrypt storage by default, while on older versions of Android you will need to go into the security settings and choose the option to encrypt the phone. It is worth noting that you should keep the phone on the latest operating system version, as each release includes additional security fixes. Older phones often cannot support updated mobile operating systems, and thus can't be patched and adequately secured.
Remote Wiping and Mobile Device Management
Do you know how to remotely wipe a mobile device if it is lost or stolen? IT departments can deploy Mobile Device Management (MDM). Law firms on Microsoft 365 Business Premium and Enterprise-level subscriptions can enable Microsoft's MDM (Intune), which supports multi-factor authentication, device security policies such as required encryption and passcodes, and a selective wipe that removes firm data from an approved device while leaving the owner's personal data alone.
For solos and small firms without IT help, individual lawyers can take steps to enable remote wiping of data. On an iPhone or iPad turn on Find My in Settings under your Apple ID. If you lose the device, sign in at iCloud.com (or open the Find My app on another Apple device), mark it as lost, and the phone's built-in location services will show it on a map. You can also erase the device from there. Location Services does not have to have been on beforehand; marking the device as lost turns it on temporarily, and Find My also keeps a thief from resetting and reusing the phone.
Similarly, for Android devices sign in to your Google account in any browser and open Find My Device (android.com/find). Select the device and you can ring it, locate it, secure it (which locks it and signs you out of your Google account on it), or erase its data. You can also add a lock screen message like: "Please return this phone. Contact me at ### ### ###" (and don't put in the name of your law firm!).
Third-party applications like Lookout Mobile have similar features, plus antivirus, safe browsing, privacy advisor, backup and more for $30 per year.
An additional aspect to consider is whether your phone is properly backed up. Remotely wiping a device is not daunting when you know its data is backed up to the cloud. In fact, if you use your phone to access data rather than store it, you are far more likely to wipe it promptly rather than hope it turns up, and every hour of delay is continued exposure of firm or personal information. If your phone isn't presently backed up, explore options to back up text messages, voicemails, files and photos.
If your phone is your second factor for two-factor authentication, whether by text message or an authenticator app, losing it can lock you out of your own accounts. Set up alternative access ahead of time: download each service's backup codes into your password manager, register a second device or number where the service allows it, or use an authenticator app that can back up and restore its codes.
To locate or remotely wipe a Windows or Mac laptop you can install and subscribe to Absolute (formerly sold as LoJack for Laptops) or Prey. A Mac with Find My turned on can be located and erased from iCloud.com the same way as an iPhone, and Windows 10 and 11 can locate and lock (but not erase) a PC when "Find my device" is turned on in Settings.
Also, for online services that are linked to a device, including LinkedIn, Facebook, Twitter, Google, iCloud and others, sign in from a browser, find the active devices or sessions page in the security settings, and remove or sign out the lost or stolen device so that its saved logins stop working.
Securing Files in the Cloud
Password protecting Microsoft Office and PDF files adds a layer of encryption before they go into an online repository. Make sure it is the right kind of password: in Office, File, Info, Protect Document, "Encrypt with Password" actually encrypts the file, and in Acrobat only a "document open" password does; a "permissions" password that merely restricts printing or editing is trivially removed and protects nothing. Then store the files only in a business subscription that has documented security protocols, an appropriate end user license agreement and privacy controls, such as Drive in Google Workspace for Business, OneDrive or SharePoint in Microsoft 365 for Business, Dropbox for Business, Box, Citrix ShareFile and others.
For extremely sensitive files you have other options. One is a zero-knowledge (end-to-end encrypted) cloud storage service: files are encrypted on your device before upload, stay encrypted in transit and at rest, and the encryption key is derived from your password and never held by the provider. The flip side is that the provider cannot reset your password, so if you lose it the files are gone. Examples include Sync.com, pCloud, Tresorit and Icedrive.
Another option is to encrypt your files on your computer and then store them in the online storage of your choice (Dropbox, Google Drive, OneDrive, etc.). These tools present a virtual drive or "vault" on your local device; anything you save there is encrypted on the device, and only the encrypted form is synchronized to the cloud, so the storage provider, or anyone who breaches it, sees only ciphertext. Examples of this type of service include Cryptomator (free and open source), NordLocker and Boxcryptor (since acquired by Dropbox and no longer sold to new customers).
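To make concrete what "encrypt locally, then sync" means, here is an added example (not from the article, and not the file format any of the named products use) that encrypts a file with a passphrase on the laptop and writes only the ciphertext into a sync folder, then verifies and decrypts it again. It uses AES-256-CBC with an HMAC-SHA256 tag (encrypt-then-MAC) because authenticated AES-GCM is not available in Windows PowerShell 5.1; the vault layout, the file paths and the function names are assumptions for illustration.

```powershell
# Added example, not from the article and not any vendor's file format.
# Encrypt a file on the laptop, then drop only the ciphertext into the sync folder.
# Uses .NET classes present in both Windows PowerShell 5.1 and PowerShell 7.
# Blob layout: salt(16) | iv(16) | AES-256-CBC ciphertext | HMAC-SHA256 tag(32) over salt|iv|ciphertext

function Get-FileKeys {
    # Derive separate encryption and MAC keys from the passphrase with PBKDF2 (600,000 iterations)
    param([securestring]$Passphrase, [byte[]]$Salt)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Passphrase)
    try {
        $pw  = [Text.Encoding]::UTF8.GetBytes([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
        $kdf = New-Object Security.Cryptography.Rfc2898DeriveBytes($pw, $Salt, 600000)
        $km  = $kdf.GetBytes(64)
        return @{ Enc = [byte[]]($km[0..31]); Mac = [byte[]]($km[32..63]) }
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # scrub the plaintext passphrase copy
    }
}

function New-AesCbc([byte[]]$Key, [byte[]]$IV) {
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256; $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'
    $aes.Key = $Key; $aes.IV = $IV
    return $aes
}

function Protect-FileForSync {
    param([string]$InPath, [string]$OutPath, [securestring]$Passphrase)
    $rng  = [Security.Cryptography.RandomNumberGenerator]::Create()
    $salt = New-Object byte[] 16; $rng.GetBytes($salt)   # fresh salt and IV for every file
    $iv   = New-Object byte[] 16; $rng.GetBytes($iv)
    $keys = Get-FileKeys -Passphrase $Passphrase -Salt $salt
    $aes  = New-AesCbc -Key $keys.Enc -IV $iv
    $plain = [IO.File]::ReadAllBytes($InPath)
    $ct    = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $hmac  = New-Object Security.Cryptography.HMACSHA256(,$keys.Mac)
    $tag   = $hmac.ComputeHash([byte[]]($salt + $iv + $ct))
    [IO.File]::WriteAllBytes($OutPath, [byte[]]($salt + $iv + $ct + $tag))
}

function Unprotect-FileFromSync {
    param([string]$InPath, [string]$OutPath, [securestring]$Passphrase)
    $blob = [IO.File]::ReadAllBytes($InPath)
    if ($blob.Length -lt 80) { throw "Not a protected file (too short)" }
    $salt = [byte[]]($blob[0..15]);  $iv = [byte[]]($blob[16..31])
    $ct   = [byte[]]($blob[32..($blob.Length - 33)])
    $tag  = [byte[]]($blob[($blob.Length - 32)..($blob.Length - 1)])
    $keys = Get-FileKeys -Passphrase $Passphrase -Salt $salt
    $hmac = New-Object Security.Cryptography.HMACSHA256(,$keys.Mac)
    $expected = $hmac.ComputeHash([byte[]]($salt + $iv + $ct))
    # Check the tag before touching the ciphertext (encrypt-then-MAC), in a loop that never exits early
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw "Wrong passphrase or the file was altered in the cloud; refusing to decrypt" }
    $aes   = New-AesCbc -Key $keys.Enc -IV $iv
    $plain = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    [IO.File]::WriteAllBytes($OutPath, $plain)
}

# Usage (paths are assumptions): the .enc file is all the cloud provider ever sees
$pass = Read-Host -AsSecureString -Prompt 'Vault passphrase'
Protect-FileForSync    -InPath "$HOME\Matters\Smith\deposition.docx" `
                       -OutPath "$HOME\Dropbox\Vault\deposition.docx.enc" -Passphrase $pass
Unprotect-FileFromSync -InPath "$HOME\Dropbox\Vault\deposition.docx.enc" `
                       -OutPath "$HOME\Matters\Smith\deposition.restored.docx" -Passphrase $pass
```

The two properties the vault products give you are visible here: the provider stores only the salt, IV, ciphertext and tag, and a file that has been altered on the server (or opened with the wrong passphrase) is rejected before any decryption is attempted. The products also handle file names, key changes and sharing, which this sketch does not, so for real client files use one of them rather than a home-grown script.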
Plans and Policies
Law firms should develop an incident response plan to help determine what should be done if there is a risk of data breach or exposure of client information. Know what you don’t know and employ an expert to help determine next steps. An incident response plan can help identify those steps, including documenting experts, cybersecurity policies, help from law enforcement and more.
Additionally, law firms should have policies in place to help safeguard data. For instance, an associate should be obligated by policy to immediately report a misplaced mobile device, passphrase encryption on smartphones must be enabled, portable data storage devices such as thumb drives or external drives must be approved by the firm with encryption enabled, etc.
Even in larger firms, where IT departments monitor logs, secure servers, issue optimized mobile devices and deploy mobile device management for BYOD (bring your own device), policies should be in place to help enforce a security attitude and to enforce an understanding that circumventing firm security protocols for convenience has consequences.
What type of policies should the firm have in place?
Office Computers and Server
This policy should include appropriate use of firm property, including what cannot be stored or deployed (personal files, inappropriate use of servers), software downloads, file deletion or scrubbing, file modification.
Backups
Make it clear what is backed up and when. Users should save and store files, emails and other firm assets in a place that is backed up or risk losing them. Explain how long backup files are kept and how to request a file restore.
Password Security
Reiterate the requirements to use long, strong and unique passwords. If the firm uses an enterprise/business password manager, enforce that it is used to log on to all firm subscriptions. Remind users not to write down passwords or store them in unencrypted files on the computer.
Internet Use
Consider a balance between work and nonwork related website use. Streaming certain media, visiting unsafe websites and downloading copyrighted material should be forbidden. While technology can address these behaviors, they should be enforced in writing as well.
Email
Cover sending personal email from firm email, how document attachments must be scrubbed of metadata and secured, the permissions set on shared file links, checking the To line (and autocomplete) before sending to guard against inadvertent disclosure, and proper use of BCC. When receiving email and attachments, instruct users where those should be stored with the client file. Additionally, users should be reminded that email is the top attack vector for malware, viruses and ransomware, and to maintain a security attitude.
Remote Access
Proper use of VPN and remote access tools, rules on copying files to portable storage devices or emailing them to a personal account to "work on at home," and other guidance on securely interacting with the firm's resources when out of the office should be covered.
BYOD Smartphones, Tablets and Personal Computers
Require that any device used to interact with firm data and files is properly encrypted and has a lock screen enabled; that the firm retains the right to wipe firm assets from the device; and that the user must report immediately when a personal device has gone missing, been stolen or been accessed by a third party. Devices like USB drives and external drives should be scanned for viruses before connecting to the network.
Visitors and Contractors
Temporary passwords, guest Wi-Fi networks and confidentiality agreements should be in place to allow vendors and contractors access to your firm’s resources.
Departing Employees
Have checklists at the ready, based on the person's access to firm property, to retrieve devices and remove access to VPN, RDP (remote desktop protocol), cloud services, email, VoIP and anything else that gives an employee permissions or entrée into firm property and client information.
Device Disposal
When you are getting rid of an old laptop or smartphone, it is important to wipe the drive before recycling, repurposing or gifting it. On an iPhone or iPad choose Settings, General, Transfer or Reset, then Erase All Content and Settings; on Android choose the factory reset (Erase all data) option in the system settings. Because modern phones encrypt their storage, the reset discards the encryption keys and the old data is unrecoverable.
For Windows 10 devices, go to Settings, Update & Security, Recovery and then "Get started" under "Reset this PC" (in Windows 11 it is under Settings, System, Recovery); choose "Remove everything" and, when offered, "Clean the drive," which overwrites the data rather than just deleting it. On an Intel Mac, restart and hold down Option+Command+R as it boots; when you see a spinning globe, release the keys, choose "Reinstall macOS" and follow the prompts. On an Apple silicon Mac (2020 and later) use Erase All Content and Settings in System Settings, which discards the FileVault keys. A plain reinstall on a mechanical drive (as opposed to a solid-state drive, SSD) can leave bits of data recoverable, and SSDs cannot be reliably overwritten by software because of the way they spread writes around; in both cases a drive that was encrypted for its whole life is safe once the keys are gone, while an unencrypted drive holding extremely sensitive information should be physically destroyed. Free tools such as DBAN may be "good enough" for personal mechanical drives, but for documented erasure the same company's paid Blancco products issue a certificate of erasure. Or you can simply smash the drive into bits with a hammer or drill holes in it.
Conclusion
To reduce the risk of data breach and exposure of confidential client information, law firms should maintain best practice security protocols. These include encryption of devices, enforceable policies, data mapping and controls to reduce inadvertent disclosure or unauthorized access. Taking these steps is neither hard nor expensive. In fact, you may find you are less of a risk in the eyes of insurers and get more advantageous quotes. Don't delay; take these easy encryption steps today!
©2022. First published in Law Practice Magazine Vol. 48 Issue 6 Nov/Dec 2022 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.