In the past, law firms protected confidential and sensitive data by securing it in locked file cabinets within locked rooms. Now, almost all information is manipulated and stored electronically. Even printed or handwritten documents are scanned and stored digitally in the event anything were to happen to the original. With the ease of access that digital storage offers, lawyers have instant access to the data they need by using laptops, tablets, and mobile phones. But what are the risks of these law firm mobile devices? What security can be put in place to ensure sensitive and confidential data is kept secure?
Understanding the Risks of Law Firm Mobile Devices
With the advancement of mobile devices and increased efficiency, lawyers can access data from almost everywhere. They are able to get work done without being tied to the office. Instead of taking time to print documents for review, attorneys can easily download documents to a laptop or tablet for sharing with a client. Having access to client and other data on the go is essential in today’s business environment.
The main advantage of working from a mobile device is the flexibility it offers. It allows lawyers to work from almost anywhere a Wi-Fi signal is available. This gives the user the ability to connect to servers and retrieve data at a moment’s notice.
But mobility also removes the lawyer from the controlled, secure environment of the law office. Law firms need to identify all the security risks that accompany the use of mobile devices and implement protocols to keep the attorneys’ mobile work and communications secure.
Assessing the Risks of Law Firm Mobile Devices
Law firms need to assess all mobile security risks and develop plans to manage those risks. The goal is not to limit a lawyer’s flexibility or his or her ability to get work done but, rather, to ensure the security of client documents and the lawyer’s work product and communications.
The first step to managing mobile security for law firms is to identify the mobile devices in use and understand how they will be used. Most firms can easily address security on laptops and tablets the firm has issued to its lawyers. For those devices, basic necessary security includes installing virus protection, requiring the use of VPN connections, and using encrypted cloud storage.
But what about user-provided devices? If an attorney uses his or her personal laptop, tablet, or mobile phone for work, how does the firm manage security on those devices? And does the firm have a policy requiring attorneys to use encrypted USB jump drives to hold client and firm documents?
In addition to identifying the devices used, law firms must also consider how their lawyers will access the Internet or the firm network on the go. How secure is the Internet or network connection the mobile attorney uses? When a lawyer is working from home and needs to print a document, is he or she using a Wi-Fi connection to the printer? If so, is that Wi-Fi connection secure?
Often missed in a risk assessment is the exposure from other devices connecting over the same Wi-Fi signal. That includes desktops and wireless printers. While we don’t think of desktops as mobile, a desktop or printer used in the office or at home may be connected over a wireless network.
A complete assessment of risks of law firm mobile devices must take into consideration all technologies that are used to make mobile work possible.
Mobile Device Management
Law firms must ensure the confidentiality of client data. Securing the privacy of client and firm data at all times is the responsibility of the firm. Private client files, HIPAA data, confidential negotiations, and data from ongoing legal proceedings must all remain private and secure from accidental or intentional disclosure.
Using mobile devices takes this data outside of that secure environment to public spaces for use in court, client meetings, and even at home. Managing mobile security risks must take into account the use of mobile devices in a public environment.
Law firms should carefully choose security protocols for their lawyers’ mobile devices. These security protocols should incorporate several factors, including the following:
- Strong passwords on devices;
- Capacity for remote wiping of lost or stolen devices;
- Multifactor authentication login for applications;
- VPN connections to firm networks and data;
- Encryption for data stored in the cloud; and
- Forced updates to the operating system (OS) and applications.
Together, these steps can help minimize the risks, keep law firm mobile devices secure, and help the firm prevent data breaches that can cause irreparable damage to the firm and clients.
Identifying the Risks of Law Firm Mobile Devices
Law firm mobile security is necessary to create a safe work environment for today’s mobile workforce. Implementing the safety considerations already mentioned will help to make a device more secure, but it does not eliminate all risks. The biggest risk comes from the users themselves.
There are multiple ways for hackers or thieves to gain access to a network or device despite the security measures put in place. Doorways to malware or hacking can be opened by any of the following:
- Opening an attachment in a phishing email;
- Reviewing client data on an unsecured Wi-Fi network;
- Clicking on a malicious web link while browsing online; or
- Accessing social media on public Wi-Fi or discussing work issues on social media.
Each one of these can let a hacker into a device or network and thereby allow access to client data. Ongoing training of all law firm personnel is the surest way to prevent a data breach caused by user error.
Risks of law firm mobile devices need to be addressed by the firm and the users alike. Users need to be made aware of their responsibility to ensure the privacy of the data they are working with and the security of the equipment they are using. Education is a key building block to maintaining a safe work environment for everyone, no matter where they are currently located.