This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission. Please click "Reprint" to order presentation-ready copies to distribute to clients or use in commercial marketing materials or for permission to post on a website. and copyright (showing year of publication) at the bottom.

Law Office Management

Jun. 2, 2015

How Law Firms Can Protect Data Security in the BYOD Age

With appropriate policies for the use of personal devices, law firms can reconcile security and mobility. Here's how.

A few years ago, an attorney at Dowling Aaron in the Central Valley left his iPhone in his car while attending a funeral.

The attorney, like most employees at his midsize firm (and, it seems, the entire legal industry), was accustomed to using his personal phone to check his work email, read documents, and contact clients. When he got back to his car, a window was smashed and the phone was gone.

It's an all-too-familiar scenario for IT professionals throughout the legal field as attorneys increasingly use their personal devices for work purposes: The dreaded BYOD (bring your own device) movement has taken the industry by storm. But Dowling Aaron was prepared. Nine months earlier it had implemented policies for how law firm members may use mobile devices, and it bought security software from AirWatch that allows administrators to remotely command a phone to delete all of its sensitive data.

"It was a Sunday, so no one was at the office, but [the attorney] called his secretary, she called me, and I sent the wipe signal," recalls Darin Adcock, Dowling Aaron's chief information officer. "That's where it changed from 'Big Brother' to 'Big Helper.' "

Colleagues outside the firm still ask him how they can start the process, Adcock says. The American Bar Association's 2014 Legal Technology Survey found that 91 percent of attorneys report using mobile devices in their practice. But more than half of the respondents to a survey by the International Legal Technology Association didn't have a mobile-device management plan in place. In other words, even though hacking and data breaches have become commonplace, many firms still aren't handling sensitive information with enough care.

"It is much more of a concern than it has been in the past," says Jason Gonzalez, the practice group leader in charge of privacy and data protection with Nixon Peabody in Los Angeles. "Law firms are soft targets and also very juicy because they have all the good information. If you're a law firm, the information that's gotten to you has already been filtered so that all the unimportant stuff is gone and only the important stuff is left."

The ABA's ethics rules require attorneys to make "reasonable efforts" to prevent the disclosure of client information. The first step experts recommend is for firms to enact a mobile-device management plan directing the use of smartphones and tablets for work.

Stephen Wu, of counsel at the Silicon Valley Law Group, has written extensively on data security and encourages firms to adopt safeguards. Among them:

  • Have someone in charge of keeping data secure.

  • Clearly limit which employees have access to sensitive information and when.

  • Back up and encrypt all client data.

  • Enforce mobile-security policies by disciplining any employees who violate them.

Gonzalez agrees about the need for strong protocols. "And the main thrust of the policy is to tell the person, 'It might be your own device, but you have no basic privacy in it. If you want to use it for our stuff, you can't expect any of your information on there to be confidential. We may have to look at it. And, also, if you lose the thing, we want to be able to wipe it remotely, and that will eliminate all the baby pictures you have on there.' "

Wu says the success of a mobile-device policy comes down to managing how attorneys use their phones - and that can get difficult. Regular privacy and security training is important, he says, and lawyers should be made to protect all of their devices with passwords.

Dealing with Noncompliance

Lawyers who ignore data-protection policies and use unsecured phones are a constant threat to any plan, says Philip Favro, senior discovery counsel at Recommind, a San Francisco e-discovery and information governance company. Call it "shadow or stealth BYOD," he says. Favro points to the flap in March over Hillary Clinton's use of a private email server while at the State Department as a prime example of the potential fallout. "Likewise, law firms have people using personal devices every day where the messages and email or other content are not being brought into the company's information ecosystem," Favro says.

Favro urges firms to ban stealth BYOD - and monitor compliance via software that tracks how employees download messages and data. Penalties for violating the policy should include termination.

Dowling Aaron's Adcock says he can't prevent the firm's employees from using unencrypted programs such as Gmail on their personal phones. But they are forbidden to forward business emails to a personal Gmail account or store firm and client documents on a commercial service like Dropbox, even if that's how a client conveys them. "It's about winning as many battles as you can; the war is going to go on."

Lawyers at Dowling Aaron have come to appreciate the security a good data-management policy provides, Adcock says. "People also do mobile banking on their phones, they have texts and pictures and personal emails they don't want someone else to have," he says. His ability to wipe a lost phone now brings them peace of mind.


Products and Service Providers

You don't have to invent a security solution all by yourself. Numerous companies provide full-service mobile-device management software that law firms can use. These programs can remotely wipe devices, ensure that data on smartphones is encrypted, and enforce password protection for apps that hold data belonging to the firm or its clients. Features can include GPS tracking and secure file sharing. Vendors include:

  • Accellis

  • AirWatch

  • CDW

  • Good Technology

  • MobileIron

  • Sophos

  • Symantec

Pricing varies, but several companies charge less than $100 per user per year.


Best Practices and Physical Safeguards

1. Always protect mobile devices with passwords.

2. A full-service mobile-device management vendor can enable a firm to enforce password use and require longer, more complex passwords.

3. If software is too expensive, use a relatively cheap app such as 1Password by AgileBits to create and store strong passwords for mobile devices.

4. Electronically wipe devices used for company business before they are sold or donated.

5. Invest in software that detects malware and viruses.

6.Use common sense: Remind lawyers and staff that 3 million smartphones were stolen in 2013; they should keep track of their devices when dining out, traveling, or just leaving a parked car.

David Ferry writes from San Francisco about the law, social issues, and technology.


Donna Mallard

Daily Journal Staff Writer

For reprint rights:

Email for prices.
Direct dial: 949-702-5390

If you would like to purchase a copy of your Daily Journal photo, call (213) 229-5558.

Send a letter to the editor: