A few years ago, an attorney at Dowling Aaron in the Central Valley left his iPhone
in his car while attending a funeral.
The attorney, like most employees at his midsize firm (and, it seems, the entire legal
industry), was accustomed to using his personal phone to check his work email, read
documents, and contact clients. When he got back to his car, a window was smashed
and the phone was gone.
It's an all-too-familiar scenario for IT professionals throughout the legal field
as attorneys increasingly use their personal devices for work purposes: The dreaded
BYOD (bring your own device) movement has taken the industry by storm. But Dowling
Aaron was prepared. Nine months earlier it had implemented policies for how law firm
members may use mobile devices, and it bought security software from AirWatch that
allows administrators to remotely command a phone to delete all of its sensitive data.
"It was a Sunday, so no one was at the office, but [the attorney] called his secretary,
she called me, and I sent the wipe signal," recalls Darin Adcock, Dowling Aaron's
chief information officer. "That's where it changed from 'Big Brother' to 'Big Helper.'
"
Colleagues outside the firm still ask him how they can start the process, Adcock says.
The American Bar Association's 2014 Legal Technology Survey found that 91 percent
of attorneys report using mobile devices in their practice. But more than half of
the respondents to a survey by the International Legal Technology Association didn't
have a mobile-device management plan in place. In other words, even though hacking
and data breaches have become commonplace, many firms still aren't handling sensitive
information with enough care.
"It is much more of a concern than it has been in the past," says Jason Gonzalez,
the practice group leader in charge of privacy and data protection with Nixon Peabody
in Los Angeles. "Law firms are soft targets and also very juicy because they have
all the good information. If you're a law firm, the information that's gotten to you
has already been filtered so that all the unimportant stuff is gone and only the important
stuff is left."
The ABA's ethics rules require attorneys to make "reasonable efforts" to prevent the
disclosure of client information. The first step experts recommend is for firms to
enact a mobile-device management plan directing the use of smartphones and tablets
for work.
Stephen Wu, of counsel at the Silicon Valley Law Group, has written extensively on
data security and encourages firms to adopt safeguards. Among them:
- Have someone in charge of keeping data secure.
- Clearly limit which employees have access to sensitive information and when.
- Back up and encrypt all client data.
- Enforce mobile-security policies by disciplining any employees who violate them.
Gonzalez agrees about the need for strong protocols. "And the main thrust of the policy
is to tell the person, 'It might be your own device, but you have no basic privacy
in it. If you want to use it for our stuff, you can't expect any of your information
on there to be confidential. We may have to look at it. And, also, if you lose the
thing, we want to be able to wipe it remotely, and that will eliminate all the baby
pictures you have on there.' "
Wu says the success of a mobile-device policy comes down to managing how attorneys
use their phones - and that can get difficult. Regular privacy and security training
is important, he says, and lawyers should be made to protect all of their devices
with passwords.
Dealing with Noncompliance
Lawyers who ignore data-protection policies and use unsecured phones are a constant
threat to any plan, says Philip Favro, senior discovery counsel at Recommind, a San
Francisco e-discovery and information governance company. Call it "shadow or stealth
BYOD," he says. Favro points to the flap in March over Hillary Clinton's use of a
private email server while at the State Department as a prime example of the potential
fallout. "Likewise, law firms have people using personal devices every day where the
messages and email or other content are not being brought into the company's information
ecosystem," Favro says.
Favro urges firms to ban stealth BYOD - and monitor compliance via software that tracks
how employees download messages and data. Penalties for violating the policy should
include termination.
Dowling Aaron's Adcock says he can't prevent the firm's employees from using unencrypted
programs such as Gmail on their personal phones. But they are forbidden to forward
business emails to a personal Gmail account or store firm and client documents on
a commercial service like Dropbox, even if that's how a client conveys them. "It's
about winning as many battles as you can; the war is going to go on."
Lawyers at Dowling Aaron have come to appreciate the security a good data-management
policy provides, Adcock says. "People also do mobile banking on their phones, they
have texts and pictures and personal emails they don't want someone else to have,"
he says. His ability to wipe a lost phone now brings them peace of mind.
____________________________________________________________
Products and Service Providers
You don't have to invent a security solution all by yourself. Numerous companies provide
full-service mobile-device management software that law firms can use. These programs
can remotely wipe devices, ensure that data on smartphones is encrypted, and enforce
password protection for apps that hold data belonging to the firm or its clients.
Features can include GPS tracking and secure file sharing. Vendors include:
-
Accellis
-
AirWatch
-
CDW
-
Good Technology
-
MobileIron
-
Sophos
-
Symantec
Pricing varies, but several companies charge less than $100 per user per year.
____________________________________________________________
Best Practices and Physical Safeguards
1. Always protect mobile devices with passwords.
2. A full-service mobile-device management vendor can enable a firm to enforce password
use and require longer, more complex passwords.
3. If software is too expensive, use a relatively cheap app such as 1Password by
AgileBits to create and store strong passwords for mobile devices.
4. Electronically wipe devices used for company business before they are sold or
donated.
5. Invest in software that detects malware and viruses.
6.Use common sense: Remind lawyers and staff that 3 million smartphones were stolen
in 2013; they should keep track of their devices when dining out, traveling, or just
leaving a parked car.
David Ferry writes from San Francisco about the law, social issues, and technology.
Donna Mallard
Daily Journal Staff Writer
