There’s a lot of hand-wringing in the legal community about cloud computing and security concerns. There are also tons of bar journal and magazine articles threatening dire consequences for attorneys who are not properly storing client data and foretelling the doom and gloom that could result from a data breach.
It seems like a lot of the information I read and hear about law firm security is espoused by people who either have no idea what these new computin’ machines are all about or are proposing some completely insane Top Secret Encryption intended for nuclear launch codes that 99% of law firms have neither the ability nor the need to implement. Allow me to distill the steps you need to take down into five relatively simple concepts. I don’t speak for any bar ethics committee or anything like that, but if you follow my five very simple rules I don’t believe anyone could possibly fault you or say you were irresponsible.
- Use a unique, strong password. What does that mean? It means use a password that includes a mix of uppercase and lowercase letters, numbers, and symbols. That really isn’t very hard if you just think about it a little bit. So many people resist this. Just do it. Your wife’s maiden name and the year you were born is not a good password.
- Turn on two-step verification to your cellphone whenever possible. Again, lots of people resist this. Just do it. It takes less than 5 minutes. It’s not going to lock you out of your account. It’s not going to eat all your data. Just turn it on, following the step-by-step instructions from the company.
- Turn on the password for your home and office WiFi. Make it very long and very complex (you’re only going to have to enter it in once per device).
- Don’t use public WiFi when doing sensitive things.
- Read the cloud provider’s Terms of Use. Yes, I know it’s long and boring fine print, but you’re a lawyer.
That’s it. Seriously. Do these five things, and your data is practically guaranteed not to be compromised. In the unlikely event that it is, I can’t imagine any ethics or grievance committee deciding it was your fault that some genius hacker got into your Gmail after somehow guessing your unique, strong password and finding some way to foil the two-step verification. It’d be like someone getting into your physical office files by rappelling 50 stories down from a nearby skyscraper with a laser glass-cutter and picking the file cabinet locks; there’s just no way that’s your fault.
Yes, there’s a lot more you can do. Yes, there are some additional security practices that are helpful. But at a bare minimum, if you do these five simple things, you’re very unlikely to be compromised or sued.
As far as your password, make a strong one, using the criteria above. Then memorize it. Don’t write it down on a sticky note and stick it to the computer (I have seen this far too many times). Don’t tell your support staff or friends. Just keep that password to yourself. Nobody needs to know it but you. If you absolutely must write it down (for example, if you die and your heirs or business partners need access to your accounts), write it down once and put it in a safety deposit box at the bank. Just keep your password secret. Nobody is ever going to figure out that password if you do this. But, as I’m going to explain a little later, even if they did, it’s probably not going to be catastrophic.
What you most certainly don’t want to do is use the exact same password for every single thing, as then if one account is compromised, they are all compromised. Your most important accounts need unique, strong passwords.
I used to use KeePass for all my accounts, and that was a great program for me for many years (you essentially just have to remember one “Master” password to open the KeePass file to get at all your other passwords, which are randomly generated). However, as my iPhone, iPad, and Chromebook became more important to me, I became annoyed at my inability to get into certain accounts since I had to have KeePass installed to access my passwords. It was just cumbersome. I think LastPass may be a good solution, but for some reason I just can’t bring myself to pay for it (KeePass was free). This is all almost irrelevant anyway because of the advent of two-step verification.
If you don’t know what two-step verification is, it’s very simple and very ingenious. You set it up on an account that supports it. Say you set it up on your Dropbox account. Now, every time you log into Dropbox, you’ll enter your password just like normal. However, once you’ve entered in the correct password, Dropbox will then text your phone a special, random code. You’ll have to enter this code into your login screen before you can access your account. The code will be random and unique every time.
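To make the two steps concrete, here is a small Python example added to this post (it is not Dropbox's or any other provider's actual code). The class name, the `send_sms` callback, the five-minute expiry and the three-guess limit are assumptions for illustration; the point is that the correct password only triggers the text message, and the login completes only with the fresh code from the phone.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300    # seconds a texted code stays valid (assumed value)
MAX_TRIES = 3     # wrong guesses allowed per code (assumed value)

def hash_password(password, salt):
    # Slow salted hash, so a leaked password database is costly to crack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class TwoStepLogin:
    """Toy account service: password first, then a one-time code sent to the phone."""
    def __init__(self, password, send_sms):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.send_sms = send_sms   # hypothetical stand-in for the SMS gateway
        self.pending = None        # (code, expires_at, tries_left)

    def step1_password(self, password):
        if not hmac.compare_digest(hash_password(password, self.salt), self.pw_hash):
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # fresh random code every login
        self.pending = (code, time.time() + CODE_TTL, MAX_TRIES)
        self.send_sms(code)
        return True

    def step2_code(self, submitted, now=None):
        if self.pending is None:
            return False           # no password step yet, or code already used
        code, expires_at, tries = self.pending
        now = time.time() if now is None else now
        if now > expires_at or tries <= 0:
            self.pending = None    # expired or too many guesses: start over
            return False
        if hmac.compare_digest(submitted.encode(), code.encode()):
            self.pending = None    # single use: the same code cannot be replayed
            return True
        self.pending = (code, expires_at, tries - 1)
        return False

if __name__ == "__main__":
    phone = []                                   # constructed stand-in for the phone
    acct = TwoStepLogin("Tr1cky-Pass!", phone.append)
    print(acct.step1_password("Tr1cky-Pass!"))   # password accepted, code texted
    print(acct.step2_code("not-it"))             # the password alone is not enough
    print(acct.step2_code(phone[-1]))            # code from the phone completes login
```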
The practical effect of this is that it is no longer devastating if somehow your password gets leaked. Even with your correct password, no one is getting into your account without your cellphone. Even if that company’s password database somehow gets hacked and decrypted, you’re still safe as long as you’re in physical possession of your cellphone. I am sure there is some super awesome hacker trick that will someday be able to defeat two-step verification, but it would entail having to somehow hijack your cellphone number. It’s just not something that I think an attorney could reasonably be disciplined for or expected to be able to guard against. We are obliged to take reasonable security measures; we aren’t obliged to be world-class computer programmers or system engineers along with our law licenses. If you don’t believe me, here’s what the Florida Bar had to say about it.
On that note, do you know who are world-class programmers and system engineers? The people who run the cloud: Google. Microsoft. Apple. Dropbox. Evernote. Cloud-based law practice management software companies like Clio and Rocket Matter. If you are concerned about entrusting your data to the cloud, ask yourself this question: Do you really think you are better equipped and more knowledgeable about technology than the people who work at these companies? I doubt it, very much so. I am more than happy to let Google provide me with e-mail service and Dropbox to provide me with a secure place to store documents (behind, of course, strong passwords and two-step verification). These are established companies with very secure data storage facilities, almost certainly far more secure than a filing cabinet in your physical office.
Another big mistake I see people and law firms make is not running secure WiFi. Again, this isn’t difficult. Most routers have it configured by default; I think people are going in and affirmatively turning it off because they don’t want to take the 30 seconds to enter in the long security key that one time. Would you rather take the 30 seconds to enter the long security key on your computer or would you prefer to spend weeks or months dealing with the consequences of a major data breach? Running an office on unsecured WiFi is like shoving your desk into the middle of the street, taking all your paper files out there with you, just throwing all that shit up into the air for anyone to look at it, and then leaving it there. Turn. On. The. WiFi. Password.
By the same token, unsecured public networks are just that: Unsecured. No harm is likely to befall you from reading a blog or checking the weather report on public WiFi, but please, don’t transfer documents with client Social Security numbers over public WiFi. If you can’t do it on a private, secured network then just doing it over your phone’s carrier network is probably the next best thing (e.g., 3G, 4G LTE), but this is still dicey based on my (extremely) limited understanding of the issue.
Aside from concerns about being disciplined, attorneys’ other big concern with the cloud is ownership of their documents. This is really more of a company-by-company thing, but it’s not hard. I just took about 30 seconds and Googled the terms of service for Google, Dropbox, and Evernote. All three of these companies (as of this writing) state in their terms that you retain ownership of your data. They’re not going to steal your stuff. Whew, I know I’m relieved.
Remember that the vast, vast majority of “hacking” incidents are actually due to someone getting suckered into giving up the goods. Social engineering is far more common and effective than genius programming and system knowledge. Most people who say they got “hacked” actually just got “fooled.” They responded to an e-mail asking them for their passwords or clicked an attachment in an e-mail from an unknown source. People are more savvy about this stuff than they used to be, but it still happens frequently. The old advice is still true: Don’t give out your passwords to anybody and don’t download e-mail attachments from strangers. Even if it’s somebody you know, just don’t do it. Call them up and verify that it’s really them sending you something if you’re not expecting anything. Be extremely wary of anyone calling you on the phone asking for passwords or other information; most reputable companies simply don’t do that.
To sum it all up, don’t be scared of the cloud. I was born in the mid-1980s, and I’ve been waiting for the day to come when virtually all of our data could be stored securely, online, and off-site. This was inevitable. Dropbox and Google (and others) are all going to be constantly backing up and safeguarding your data for you. It’s a massive headache that we don’t have to deal with anymore (though a good, old-fashioned hard-drive backup never hurt anyone as far as I know).
So go forth and use Google, use Dropbox, use Evernote, use LPM software. Just make sure you do it over a secure internet connection, use a strong password, and use two-step verification. And for Pete’s sake, don’t post the password up in the office somewhere on a yellow sticky note.