No matter what jurisdiction we’re in, lawyers have an obligation to protect the property of our clients. This includes communications between ourselves and our clients. We have a duty to keep this property and these communications private and confidential (Rule 1.6 of the ABA Model Rules of Professional Conduct), and we have a duty to protect them from destruction or harm (Rule 1.15 of the ABA Model Rules of Professional Conduct). In this day and age, we will likely need to use sufficient data security tools to accomplish this purpose.
When dealing with the client’s physical property, it is not so difficult for us to understand how to protect it. We usually lock it up in a place that is protected from flood, fire, or other types of damage. Additionally, we make sure that there are no prying eyes or ears around when we are communicating with our clients.
Protecting a client’s digital data, on the other hand, can sometimes be more difficult to conceptualize. It can be difficult for us to understand the lengths we need to go to in order to keep our clients safe. Luckily, there are many data security tools out there purporting to help us with that task. Unfortunately, however, it is not always easy to figure out which ones are worth using.
Data Security Tool Features
Generally, data security tools protect your information in one of two ways. They either keep people out of the information altogether (Authentication), or they protect that information from a third party who we assume has access to it (Encryption).
Authentication
When we talk about Authentication, for lawyers and law firms, we usually mean passwords and two-factor authentication (2FA) methods, which are both part of the same scheme. For this part, we have tools that help you create and keep track of appropriately complex passwords (password vaults and organizers), Authentication Apps, and USB Authentication Keys. Each of these serves a slightly different purpose, and they should be used in tandem with each other.
Encryption
It is good to think of encryption as happening at two different places. We want to encrypt our information while it is being sent (in Transit), and we want to encrypt our information while it is sitting on your computer or in a server somewhere (at Rest).
In Transit
When protecting our information in Transit, we are generally talking about Email, Video Conferencing, Phone Calls, Text Messages, and Instant Messaging (i.e. Slack/MS Teams). Here, the highest level of protection is End-to-End Encryption (E2EE). When we are communicating any sort of sensitive or confidential information, we need to make sure that our connection is E2EE. If we cannot do that, like in the case of email, then we need to make sure that the actual communication package (email along with its attachments) is, itself, encrypted.
At Rest
If the machine on which your information is being stored is connected to the internet at large (or is connected to another machine that is connected to the internet at large), you should assume that a third party can access it. Given enough time and resources, any network can be exploited. Accordingly, you must take extra steps to protect your sensitive information from the prying eyes of third parties by encrypting it while it sits on your machine (your laptop, the office server, your phone, etc.). This can be accomplished by encrypting an entire machine, certain folders on the machine, specific files, or even particular portions of specific files. One can use tools like Encypt.me, or simply hide columns and password-protect an Excel spreadsheet.
Keep in mind that encryption at Rest should be used in conjunction with strong Authentication methods. Most encryption is connected to a User profile, so if a third party gains access to your system through your User account, they will generally have access to your encrypted files as if they were you.
How to Choose a Tool
4 Steps to Choose a Data Security Tool
- Know Your Rights
First, know what you should expect from software with our Legal Software Bill of Rights.
- Determine Your Needs
First, start with creating a threat model for your firm and your client information. This will give you a better idea of what information you are trying to protect, where that information exists, and who you are trying to protect it against. For example, are you attempting to protect information in Transit, at Rest, or both?
- Research Data Security Tool Features
Once you have a solid threat model, your remedies will likely fall into one of the two broad categories above, Authentication, or Encryption. If you want to keep someone out of your information, look for an authentication solution, like YubiKeys or other forms of Multi-factor Authentication. Alternatively, if you want to protect data that is inevitably going to be in a third-party’s hands for a period of time, then you will want to look for an application that encrypts your data, like Office365’s encrypt your email feature.
- Try Before You Buy
Once you have narrowed down your choices to 1-3 products, dig into their specific capabilities. If they have a free trial, use it. Otherwise, contact the company and get a demo. Make sure you focus on how the Data Security Tool will affect your office’s specific needs.