Five Ways You May Be Contributing to a Data Breach

While attorneys understand the importance of client confidentiality, many are less concerned about data security. This can be a serious oversight, since law firms are becoming increasingly vulnerable to security breaches. As other industries such as healthcare, financial services and the government start to recognize the dangers of security breaches and deploy more stringent security measures, the hacker community has begun to eye the legal industry as low-hanging fruit. Since law firms have been slow to adopt the newest security technology and practices, they are becoming increasingly vulnerable to attacks.

With a security breach, law firms not only hurt their relationships with clients; they may be at risk of noncompliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), as well as data privacy laws. Such noncompliance can lead to large fines, a public announcement of the breach and damage to the law firm's reputation and business-development efforts. These costs, both quantifiable and non-quantifiable, can be enormous. Compared to the potential consequences of a data breach, the costs of actually implementing policies and technology to protect confidential client and personally identifiable data is trivial.

Breaches can be caused by extremely sophisticated hackers using cutting-edge technology, but many law firms also make very basic mistakes that leave them vulnerable. In order to avoid financial and reputational damage, you and your firm need to understand and mitigate five everyday practices that can cause data breaches.

Number 1: Hitting Send

e-Mail has become so seamlessly integrated in our communications and business activities that we hardly notice we're using it, even when exchanging matter-related documents with clients. Many attorneys have also begun using e-mail as the de facto method for archiving the delivery of these documents.

However, e-mail can be one of the leading ways to compromise client and matter information. You must always remember that you cannot ensure that the recipient of your e-mail practices the same level of security that your law firm does. And there are always chinks in the armor, no matter who is hitting send.

Here are some of the top ways that e-mail can leave you open to risk:

• Non-encrypted content. If your e-mail is intercepted by an unintended recipient, that person can easily access and read it.
• Unintended recipients. This can stem from something as simple as entering the wrong e-mail address. Or, you may send it to the correct recipient, who then forwards your e-mail on to an unauthorized individual. Another possibility is that you may send an e-mail to someone who is no longer with the organization, and your e-mail is automatically forwarded to someone at the company who is not authorized to view the information. If you have ever sent an e-mail to an unintended recipient, then you know the odds of successfully recalling it are little to none.
• Returned e-mails due to oversized attachments. This may not seem like a big security hazard, however as e-mail attachment sizes grow, the potential for undeliverable e-mails because of the recipient's mailbox size limits increases. This can be a serious problem when sending time-sensitive documents. It's also a productivity drain, as you and your IT staff waste valuable time looking for alternative delivery options. Along with the hassle, though, it opens the door to security breaches.

Number 2: FTP Sites

We've all encountered this scenario: Your client wants a document now, so you need to get it into his hands five minutes ago. When you e-mail it, you receive the dreaded bounce-back message that reads something like, “Message size exceeds fixed maximum size.” e-Mailing the document won't work and you are faced with several undesirable options. You can separate the document into multiple parts, sending it through multiple e-mails. This is tedious, time-consuming and prone to errors. It also creates the perception that your firm is a technology laggard.

Or, you can turn to other alternatives. One of the most popular fallbacks is an FTP site. FTP sites have been around for 30 years, but in some people's eyes they aren't any more user-friendly now than the day they were created. These sites require a great deal of hands-on work to ensure that data remains confidential at each stage of the process. If they aren't properly maintained, FTP sites can contribute to security concerns such as:

• Unsecure transfers. The number of rogue FTP sites in law firms is mind-boggling. Most of these sites are freeware that do not encrypt data transfers. This opens the door for data breaches.
• Pressuring IT for a fast solution. If your firm doesn't have an organization-wide FTP site or you don't have access to it, you may be tempted to put the IT staff under the gun to create a one-off site ASAP. With an attorney breathing down its neck, IT may race to create a site that is functional but not totally secure.
• Unrestricted access. IT must spend a great deal of effort and administrative time securing FTP sites, creating external user accounts and setting permissions to prohibit access by unauthorized external parties. When racing against the clock, attorneys may be tempted to upload documents to public folders and not set user permissions or go through IT. Even restricting access based on the recipient's information isn't 100% foolproof with an FTP site. This leaves you and your firm vulnerable to hackers.

Number 3: Hosted File Transfer Services

If you don't have an FTP site or decide not to use it, you still need to get that enormous file to the client. IT may not be immediately available to offer suggestions or help, so you may turn to a variety of online sites that allow you to upload files and share them with other parties. The big risk here is the level of security measures imposed at the service provider's data centers. Uploads and downloads may not be encrypted. Data may not be encrypted on the provider's servers. The provider's employees may have access to the data. Most importantly, the provider may not have adequate user authentication measures to protect against unauthorized access.

Recently, serious issues have been identified with several of these hosted file transfer services. Studies have found that these sites are particularly vulnerable to hackers who use an approach called “dumpster diving,” which randomly accesses sequentially incremented URLs to hack into these sites with impunity. Since these sites are so easy for non-technical people to use, law firms should be concerned that staff and attorneys will register and upload files without the knowledge or sanction of IT.

Number 4: Physical Media

While e-mail and Internet options are the go-to choices for many attorneys, many others still rely on copying documents and files to physical media. This tends to be the preferred practice of litigation and practice support teams that need to transfer large volumes of files to support discovery requests.

In a pinch, attorneys and staff will burn a DVD or copy files to a USB stick as a way to overcome e-mail size restrictions. The risks with this approach are obvious. In addition to the time involved along with the expense of courier services and overnight delivery, in most cases the data is not encrypted. This leaves the data susceptible if the DVD or USB stick is lost or stolen.

Number 5: Faxes

Along with DVDs and USB sticks, many law firms also rely on faxes to transmit documents. The traditional method of sending faxes to a recipient's fax machine has obvious security implications. If the faxes you send are not immediately retrieved from the fax machine, the risk of an unintended recipient picking them up increases.

Today, most faxes are sent electronically, which converts traditional faxes into an electronic format that can be accessed via a computer. Rather than relying on a physical device to receive your fax and transfer it to paper as a traditional fax machine does, electronic faxing typically delivers the document to the recipient as an e-mail. Most law firms use a hosted service for electronic faxing, meaning you pay a third-party service provider to convert your faxes to files. Many of these services deliver the fax unencrypted over unsecure networks, which raises the same security concerns as delivering documents via unsecure e-mail. If you are considering a hosted fax service, check that the service encrypts transfers.

Conclusion

Hackers can get to your data through the most mundane and everyday processes. These data breaches open your firm up to large fines and substantial dents in the firm's reputation and client base. By systematically tackling these weak links, you can significantly minimize the chance of a security breach.

While attorneys understand the importance of client confidentiality, many are less concerned about data security. This can be a serious oversight, since law firms are becoming increasingly vulnerable to security breaches. As other industries such as healthcare, financial services and the government start to recognize the dangers of security breaches and deploy more stringent security measures, the hacker community has begun to eye the legal industry as low-hanging fruit. Since law firms have been slow to adopt the newest security technology and practices, they are becoming increasingly vulnerable to attacks.

With a security breach, law firms not only hurt their relationships with clients; they may be at risk of noncompliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), as well as data privacy laws. Such noncompliance can lead to large fines, a public announcement of the breach and damage to the law firm's reputation and business-development efforts. These costs, both quantifiable and non-quantifiable, can be enormous. Compared to the potential consequences of a data breach, the costs of actually implementing policies and technology to protect confidential client and personally identifiable data is trivial.

Breaches can be caused by extremely sophisticated hackers using cutting-edge technology, but many law firms also make very basic mistakes that leave them vulnerable. In order to avoid financial and reputational damage, you and your firm need to understand and mitigate five everyday practices that can cause data breaches.

Number 1: Hitting Send

e-Mail has become so seamlessly integrated in our communications and business activities that we hardly notice we're using it, even when exchanging matter-related documents with clients. Many attorneys have also begun using e-mail as the de facto method for archiving the delivery of these documents.

However, e-mail can be one of the leading ways to compromise client and matter information. You must always remember that you cannot ensure that the recipient of your e-mail practices the same level of security that your law firm does. And there are always chinks in the armor, no matter who is hitting send.

Here are some of the top ways that e-mail can leave you open to risk:

• Non-encrypted content. If your e-mail is intercepted by an unintended recipient, that person can easily access and read it.
• Unintended recipients. This can stem from something as simple as entering the wrong e-mail address. Or, you may send it to the correct recipient, who then forwards your e-mail on to an unauthorized individual. Another possibility is that you may send an e-mail to someone who is no longer with the organization, and your e-mail is automatically forwarded to someone at the company who is not authorized to view the information. If you have ever sent an e-mail to an unintended recipient, then you know the odds of successfully recalling it are little to none.
• Returned e-mails due to oversized attachments. This may not seem like a big security hazard, however as e-mail attachment sizes grow, the potential for undeliverable e-mails because of the recipient's mailbox size limits increases. This can be a serious problem when sending time-sensitive documents. It's also a productivity drain, as you and your IT staff waste valuable time looking for alternative delivery options. Along with the hassle, though, it opens the door to security breaches.

Number 2: FTP Sites

We've all encountered this scenario: Your client wants a document now, so you need to get it into his hands five minutes ago. When you e-mail it, you receive the dreaded bounce-back message that reads something like, “Message size exceeds fixed maximum size.” e-Mailing the document won't work and you are faced with several undesirable options. You can separate the document into multiple parts, sending it through multiple e-mails. This is tedious, time-consuming and prone to errors. It also creates the perception that your firm is a technology laggard.

Or, you can turn to other alternatives. One of the most popular fallbacks is an FTP site. FTP sites have been around for 30 years, but in some people's eyes they aren't any more user-friendly now than the day they were created. These sites require a great deal of hands-on work to ensure that data remains confidential at each stage of the process. If they aren't properly maintained, FTP sites can contribute to security concerns such as:

• Unsecure transfers. The number of rogue FTP sites in law firms is mind-boggling. Most of these sites are freeware that do not encrypt data transfers. This opens the door for data breaches.
• Pressuring IT for a fast solution. If your firm doesn't have an organization-wide FTP site or you don't have access to it, you may be tempted to put the IT staff under the gun to create a one-off site ASAP. With an attorney breathing down its neck, IT may race to create a site that is functional but not totally secure.
• Unrestricted access. IT must spend a great deal of effort and administrative time securing FTP sites, creating external user accounts and setting permissions to prohibit access by unauthorized external parties. When racing against the clock, attorneys may be tempted to upload documents to public folders and not set user permissions or go through IT. Even restricting access based on the recipient's information isn't 100% foolproof with an FTP site. This leaves you and your firm vulnerable to hackers.

Number 3: Hosted File Transfer Services

If you don't have an FTP site or decide not to use it, you still need to get that enormous file to the client. IT may not be immediately available to offer suggestions or help, so you may turn to a variety of online sites that allow you to upload files and share them with other parties. The big risk here is the level of security measures imposed at the service provider's data centers. Uploads and downloads may not be encrypted. Data may not be encrypted on the provider's servers. The provider's employees may have access to the data. Most importantly, the provider may not have adequate user authentication measures to protect against unauthorized access.

Recently, serious issues have been identified with several of these hosted file transfer services. Studies have found that these sites are particularly vulnerable to hackers who use an approach called “dumpster diving,” which randomly accesses sequentially incremented URLs to hack into these sites with impunity. Since these sites are so easy for non-technical people to use, law firms should be concerned that staff and attorneys will register and upload files without the knowledge or sanction of IT.

Number 4: Physical Media

While e-mail and Internet options are the go-to choices for many attorneys, many others still rely on copying documents and files to physical media. This tends to be the preferred practice of litigation and practice support teams that need to transfer large volumes of files to support discovery requests.

In a pinch, attorneys and staff will burn a DVD or copy files to a USB stick as a way to overcome e-mail size restrictions. The risks with this approach are obvious. In addition to the time involved along with the expense of courier services and overnight delivery, in most cases the data is not encrypted. This leaves the data susceptible if the DVD or USB stick is lost or stolen.

Number 5: Faxes

Along with DVDs and USB sticks, many law firms also rely on faxes to transmit documents. The traditional method of sending faxes to a recipient's fax machine has obvious security implications. If the faxes you send are not immediately retrieved from the fax machine, the risk of an unintended recipient picking them up increases.

Today, most faxes are sent electronically, which converts traditional faxes into an electronic format that can be accessed via a computer. Rather than relying on a physical device to receive your fax and transfer it to paper as a traditional fax machine does, electronic faxing typically delivers the document to the recipient as an e-mail. Most law firms use a hosted service for electronic faxing, meaning you pay a third-party service provider to convert your faxes to files. Many of these services deliver the fax unencrypted over unsecure networks, which raises the same security concerns as delivering documents via unsecure e-mail. If you are considering a hosted fax service, check that the service encrypts transfers.

Conclusion

Hackers can get to your data through the most mundane and everyday processes. These data breaches open your firm up to large fines and substantial dents in the firm's reputation and client base. By systematically tackling these weak links, you can significantly minimize the chance of a security breach.