Locked Down: Information Security for Lawyers

Posted on by Ben Rothke

Had Locked Down: Information Security for Lawyers not been published by the American Bar Association (ABA) and 2 of its 3 authors not been attorneys; one would have thought the book is a reproach against attorneys for their obliviousness towards information security and privacy.  In numerous places, the book notes that lawyers are often clueless when it comes to digital security.

With that, the book is a long-overdue and valuable information security reference for anyone, not just lawyers.

Such a title is needed as the legal field has embraced digital technology for nearly every aspect of the legal field, has magazines and conferences about legal technology and much more.  Wireless (often insecure) networks are pervasive in corporate offices throughout legal America.

The underlying problem is that while attorneys often know the intricacies of tort law, court proceedings and the like; they are utterly unaware of the information security and privacy risks surrounding the very technologies they are using.  In many firms, the lawyers think that someone is protecting their data, but don’t understand their requirements around those areas of data protection.

Legal IT systems are a treasure trove of personal data. Many small law firms are extremely attractive to identity thieves gives their systems have significant amount of personal information via social security numbers, credit card information, birth dates, financial information and much more.  Small law firms are notorious for weak information security controls and attackers will scan those systems and networks for vulnerabilities.

A pervasive aspect of the book is ABA rule 1.6 regarding the confidentiality of information regarding client-lawyer relationships. The rule requires that a lawyer not reveal information relating to the representation of a client unless the client gives informed consent.  The lawyer though can reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary.  The myriad details of 1.6 can be left to the bar association to enforce, suffice to say that a lawyer can find themselves on the wrong side of the law if they are not careful with information security controls.

The authors note that although lawyers are all well aware of rule 1.6, the challenge is how to keep client data secure in the digital age.  In a world of paper, things were much easier and cheaper  This is why the authors note that so many otherwise competent layers fails so miserably in reference to their duty to maintain the confidentiality of digital client data.

The book quotes an ABA 2011 technology survey in which 21% of large law firms reported that their firm had experiences some sort of security breach, and 15% of all firms reported that they suffered a security breach.  It is figures like those which show that attorneys really need to read this book and take the information to heart.

The books 17 chapters are in a readable 150 pages, with an additional 120 pages of appendices.  Written in an easily understandable style and non-technical for the technologically challenge lawyer.

When it comes to the security of client data, in chapter 4 the authors write that encryption is a topic that most attorneys don’t want to touch with a ten-foot pole.  But it has reached a point where attorneys must understand how and when encryption should be used.  Just as important, they need to know about key managements, and what good encryption is.  The chapter provides a high-level detail on what needs to be done regarding encryption.

Chapter 13 is on secure disposal, is an important topic to everyone, and not just lawyers. Digital media needs to be effectively disposed of; and for many lawyers, they often think that means reformatting a hard drive or simply erasing files. The chapter effectively details the issues and offers numerous valuable hardware and software-based solutions.

Chapter 14 on outsourcing and cloud computing is an area where too many attorneys are oblivious to of the security and privacy risks.  For example, the authors advise attorneys against the use of the free Gmail service since the terms of service allow Google to do anything it wants with the data.  That opens a Pandora’s Box when it comes to securing client data.  The authors advise to use premium Google business versions, so attorneys can stay in control of their data with added security and privacy features.

Two omissions in chapters 13 and 14 are that the authors don’t reference NAID (National Association for Information Destruction) or the CSA (Cloud Security Alliance (CSA).

Firms that outsource their digital disposal to non-NAID certified firms run the risk of having a glorified recycler do their work. As to NAID, it is an international trade association for companies providing information destruction services. NAID's mission is to promote the information destruction industry and the standards and ethics of its member companies; while the mission of the CSA is to promote the use of best practices for providing security assurance within cloud computing and to provide education on the uses of cloud computing to help secure all other forms of computing.

The authors include many real-world stories and case law to reinforce their point.

The book closes with a number of appendices on various rules from the FTC, state information protection regulations, the SANS Institute glossary of security terms and more.

For the lawyer looking for an easy to read introduction to nearly everything they need to know about information security and privacy, the book is a great resource.

The book closes with the note that since lawyers have an ethical duty to protect their client’s data, they have no choice but to keep themselves as well educated as possible.

For the attorney that wants to ensure their requirements remain current and are looking for an easy to read introduction about information security and privacy Locked Down: Information Security for Lawyers should be considered required reading.

Ben Rothke

Senior Information Security Manager, Tapad

data security forensics & e-discovery legislation

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community