A few years ago, an attorney at Dowling Aaron in the Central Valley left his iPhone in his car while attending a funeral. The attorney, like most employees at his midsize firm (and, it seems, the entire legal industry), was accustomed to using his personal phone to check his work email, read documents, and contact clients. When he got back to his car, a window was smashed and the phone was gone.

It's an all-too-familiar scenario for IT professionals throughout the legal field as attorneys increasingly use their personal devices for work purposes: The dreaded BYOD (bring your own device) movement has taken the industry by storm.

But Dowling Aaron was prepared. Nine months earlier it had implemented policies for how law firm members may use mobile devices, and it bought security software from AirWatch that allows administrators to remotely command a phone to delete all of its sensitive data.

"It was a Sunday, so no one was at the office, but [the attorney] called his secretary, she called me, and I sent the wipe signal," recalls Darin Adcock, Dowling Aaron's chief information officer. "That's where it changed from 'Big Brother' to 'Big Helper.'" Colleagues outside the firm still ask him how they can start the process, Adcock says.

The American Bar Association's 2014 Legal Technology Survey found that 91 percent of attorneys report using mobile devices in their practice. But more than half of the respondents to a survey by the International Legal Technology Association didn't have a mobile-device management plan in place. In other words, even though hacking and data breaches have become commonplace, many firms still aren't handling sensitive information with enough care.

"It is much more of a concern than it has been in the past," says Jason Gonzalez, the practice group leader in charge of privacy and data protection with Nixon Peabody in Los Angeles. "Law firms are soft targets and also very juicy because they have all the good information. If you're a law firm, the information that's gotten to you has already been filtered so that all the unimportant stuff is gone and only the important stuff is left."

The ABA's ethics rules require attorneys to make "reasonable efforts" to prevent the disclosure of client information. The first step experts recommend is for firms to enact a mobile-device management plan directing the use of smartphones and tablets for work.

Stephen Wu, of counsel at the Silicon Valley Law Group, has written extensively on data security and encourages firms to adopt safeguards. Among them:
- Have someone in charge of keeping data secure.
- Clearly limit which employees have access to sensitive information and when.
- Back up and encrypt all client data.
- Enforce mobile-security policies by disciplining any employees who violate them.

Products and Service Providers

You don't have to invent a security solution all by yourself. Numerous companies provide full-service mobile-device management software that law firms can use. These programs can remotely wipe devices, ensure that data on smartphones is encrypted, and enforce password protection for apps that hold data belonging to the firm or its clients. Features can include GPS tracking and secure file sharing. Vendors include:
- Good Technology

Best Practices and Physical Safeguards

1. Always protect mobile devices with passwords.
2. A full-service mobile-device management vendor can enable a firm to enforce password use and require longer, more complex passwords.
3. If software is too expensive, use a relatively cheap app such as 1Password by AgileBits to create and store strong passwords for mobile devices.
4. Electronically wipe devices used for company business before they are sold or donated.
5. Invest in software that detects malware and viruses.
6. Use common sense: Remind lawyers and staff that 3 million smartphones were stolen in 2013; they should keep track of their devices when dining out, traveling, or just leaving a parked car.

David Ferry writes from San Francisco about the law, social issues, and technology.