A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. (Rule 1.6(c).)

So what are reasonable efforts when it comes to your clients’ information stored on your computer? You have to make an effort, obviously. But how much effort is so unreasonable that you don’t have to make it?

At a minimum, a reasonable effort has to mean taking advantage of the easy-to-use security features already available on your computer and device(s). Where the potential harm is great and the potential fix is cheap and easy to implement, making that fix is also a reasonable effort.

With that in mind, here are four ways you may not be making a reasonable effort.

1. Encrypt Your Clients’ Files

If you are using a Mac or a Windows PC that has BitLocker, you can encrypt your files with just a few clicks. That is not hyperbole. All you have to do is change a setting.

But is it reasonable? Well, after you encrypt your computer and devices, you can continue using them exactly as you do now. And while encryption will affect your computer’s performance, the change will be so small that you aren’t likely to notice. Encrypting your files barely takes any effort, so it must be reasonable.

Many lawyers misunderstand what encryption means for using their computers. Under Rule 1.1, they probably have a duty to be better-informed about encryption technology, but the bottom line is that after encrypting your computer you can go on using it exactly as you do now. It is not like email encryption, which is definitely still pretty clunky. You can open and save files, send and receive files, and generally go on using your devices just like you are used to.

You should definitely be encrypting your client files.

2. Use a VPN

When you use a strange Wi-Fi network, it doesn’t matter whether you have to log into that network with a password or not. It is, for all intents and purposes, public. And public means that when you browse the web or check your email, you might as well be sharing it with the room. Anyone who wants to listen in, can. It isn’t even illegal. If you send a confidential document as an email attachment over a public network, anyone can read it.

Keeping your Internet activity private is not difficult or expensive, but it does require you to use a third-party service called a VPN (virtual private network). A VPN is a secure line to the web that prevents anyone on the same network from seeing what you are doing online. As Kashmir Hill recently said, “if you use the Internet, you need a VPN.”

3. Use Two-Factor Authentication for Key Services

Two-factor (sometimes called two-step or multi-factor) means using something you know (your password) and something you have (usually your phone) to log into an account. With two-factor authentication, you have to type in your password plus a code generated by an app or sent to you by text or email. Two-factor authentication is slightly more work than logging into your account with just a username and password, but it is also drastically more secure. Even if a malicious hacker has your username and password, they will not be able to log into your account or reset your password unless they also have access to your phone.

Without two-factor authentication, anyone who cracks your password can access your accounts. And anyone who gains access to your email account can change the passwords to all your other accounts, which will let them empty your bank accounts (goodbye, client funds!), go on a shopping spree on Amazon, or if you are lucky, turn your computer into a spambot.

If you aren’t using two-factor authentication on your critical accounts, you aren’t making reasonable efforts to protect the client information stored in any of your accounts.

4. Use Good Passwords

Good passwords may be the last thing on this list, but they are the most important, without a doubt. Even if you take all the precautions in the world, they won’t do any good if you use weak passwords.

In 2014, Russian hackers acquired 1.2 billion passwords. If each of those passwords represents a person, that means the hackers compromised about 17% of the world’s population. In order to get those passwords, they will have to attempt to decrypt the passwords. This is not particularly difficult.

If your password is in the dictionary or uses common substitutions like 1 for l or @ for a, it will only take seconds to decrypt your password. If you use a long, randomly-generated password, it may be effectively impossible to decrypt. If your password is somewhere in the middle, cross your fingers and hope the cracker gets bored before it brings the necessary processing power to bear.
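To see why substitutions add so little and length plus randomness adds so much, here is an added example (not part of the original article) that flags dictionary-based passwords and estimates the search space of a random one. The word list is a constructed sample, the substitutions beyond 1 for l and @ for a are assumptions, and the guessing rate is an assumed figure.

```python
import math
import secrets
import string

# Constructed sample word list; a real audit would load a large dictionary file.
WORDLIST = {"password", "lawyer", "letmein", "baseball", "dragon"}

# Map common substitutions back to the letters they replace. The article names
# 1 for l and @ for a; the other entries are assumptions for illustration.
UNSUBSTITUTE = str.maketrans(
    {"1": "l", "@": "a", "0": "o", "3": "e", "$": "s", "5": "s"}
)

# 94 printable symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def is_dictionary_based(password):
    """True if the password is a word-list entry once substitutions are
    undone, with or without trailing digits and punctuation."""
    trimmed = password.rstrip(string.digits + string.punctuation)
    for candidate in (password, trimmed):
        if candidate.lower().translate(UNSUBSTITUTE) in WORDLIST:
            return True
    return False


def random_password(length=20):
    """Generate a password from a cryptographically secure random source."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits. Only valid for uniformly random passwords."""
    return length * math.log2(alphabet_size)


def years_to_search(bits, guesses_per_second=1e10):
    """Years needed to try every candidate at an assumed guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("p@ssw0rd", "1awyer2015", random_password()):
        verdict = "dictionary-based" if is_dictionary_based(pw) else "not in list"
        print(f"{pw!r}: {verdict}")
    bits = random_bits(20)
    print(f"20 random characters: {bits:.0f} bits, "
          f"{years_to_search(bits):.1e} years to exhaust")
```

The entropy figure applies only to passwords produced by a random generator; a human-chosen password of the same length is far easier to guess.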

If a hacker manages to get ahold of your username or email address, connected with your password, then that hacker can access any other account for which you use the same credentials. In fact the first thing they will probably do once they have your credentials is try them on a list of popular websites.

Using good passwords is not unreasonable; it is required.

Fix These Things Now

We put our heads together to try to identify several things lawyers could do to drastically improve their computer security. We identified each of the problems listed above.


If you aren’t doing any of these things, we would give you a D- when it comes to your own computer security. But you can fix all of these things in under an hour (or start, in the case of using good passwords)! All you need is a step-by-step guide to doing each of them.

I put together a step-by-step guide to doing just that, and I just updated it. You can get the 4-Step Computer Security Upgrade in PDF right now. It is also available in paperback and (soon) for Kindle, from Amazon.

It won’t make your computer impregnable, but it will upgrade your computer security from a D- to at least a solid B. If you get the guide and follow the instructions, you can rest easier knowing you have taken care of the low-hanging fruit and made your computer far more secure than it was.

Originally published 2015-05-19. Last updated 2016-06-01.

Featured image: “Umbrella in the rain in vintage tone” from Shutterstock.

  • The challenge with long, randomly generated passwords is that they are very difficult to remember. Passwords that are difficult to remember tend to get written down or reused, both of which are not good ideas.

    You may want to check out the “diceware” approach which was first proposed back in 1995. It involves mapping random dice rolls to a dictionary of words. The result is complete randomness combined with actual words which are easy to remember. This XKCD comic gives an example: https://xkcd.com/936/

    I also built an app which implements the Diceware system: https://www.dmuth.org/diceware/ Feel free to check it out. :-)