Security alert
Is your office network secure from hackers, viruses, disgruntled former employees or careless current ones? Here's what you need to know about protecting your practice.
By Tom Carter
Over the past five years or so, Canada's lawyers have finally crossed the electronic Rubicon—they embraced the Internet. The great majority of lawyers now have e-mail addresses, and as a result a massive number of highly confidential electronic messages flow among lawyers, clients and law firms every day.
But how much do lawyers know, or care, about the risks that go along with an Internet connection? And what are they doing to protect themselves from their new and unwanted partners in this age of instant e-communication—the hackers and virus spawners who can flood the White House e-mail system and bring giant commercial networks to a halt with a keystroke?
Québec's notaries are ahead of the curve
Canada's lawyers are used to fending for themselves when new technology comes along. Law societies don't take charge of the matter; they leave it up to individual professionals to decide whether to adopt or not.
But that wasn't the case for Québec's 3,000 notaries. In 1996, their governing body, the Chambre des Notaires du Québec, established Notarius, an arm's-length company with a mandate to bring all members into the electronic age gently and peacefully.
"Before Notarius, very few notaries were computerized," says the company's director, Linda Rahill of Montreal. "Now every notary has been linked via the Internet since 1998." They've been able to file documents in Québec's public registries in complete confidence using digital, electronic signatures.
"There has never been a breach," Rahill says, and even if there was, the data is fully encrypted and couldn't be read by an intruder. A secure email project will soon be underway using the same technology. Visit www.notarius.com for more.
Unfortunately, most lawyers remain preoccupied with practical matters, like deadlines and billings, and turn a blind eye to Internet security. "I think that's right. Well, no, I know that's right," says Richard Ferguson, Past Chair of the CBA's Law Practice Management and Technology section and a lawyer with Lynass Ferguson & Shoctor in Edmonton.
"Lawyers, particularly solos and small firms, take the view, 'Who would be interested in me?'" says Ferguson. "The fact is, a high school student on a lark could be interested in you." Indeed, he reports that one unnamed firm in his city recently learned that the hard way. "They were using a software firewall that's continuously and publicly available and is continuously and publicly hacked," he reports. "A high school student attacked their [system]."
The attacker scrambled all the data on the firm's hard drive, and a full day of productivity was lost while the data was restored. There was no evidence that confidentiality was breached, but the firm was left with a nagging fear—if a hacker could do that, he could also steal confidential client information and send it who knows where.
Then there's the problem of viruses. Despite all the publicity about widespread infections like Melissa and Klez, few lawyers are adequately protecting themselves from these threats, says Dan Pinnington, Director of Practice Pro, the risk management arm of Lawpro in Toronto.
Pinnington's not just guessing—he has proof. Last summer, he sent an e-mail to about 1,000 Ontario lawyers about the new federal money laundering legislation. That put his e-mail address in a thousand lawyers' address books. "When a major virus infection made the rounds," he recalls, "I found my inbox full of e-mail messages sent by infected computers. In one case, the virus also grabbed a file from the hard drive and included that as an attachment. I received email with confidential client documents."
Faced with these disasters, some lawyers might be tempted to just pull the plug on their computers, but today's clients simply won't let them. "In many cases, clients drove their lawyers to it, saying 'I want to communicate with you by email,'" Pinnington notes. "Most lawyers realize that locking the computer away in the back room and never attaching it to the Internet is no longer an option."
Where to find security
Here are some Web sources to help you fortify your office network.
Viruses
For stand-alone computers hooked to the Internet, both Norton (www.symantec.com) and McAfee (www.mcafee.com) offer separate anti-virus programs and firewall programs. Alternatively, you can get both in their "IS" or Internet Suite packages.
Firewalls
Small office networks connect to the Internet through routers, which all come with firewall protection. SonicWall (www.sonicwall.com), D-Link (www.dlink.com), and 3Com (www.3com.com) are well-known brands.
Backup
Data backup is covered in a PracticePro booklet called Managing Practice Interruption. You can download a copy at www.practicepro.ca and check the chapter called "Computer Planning and Backup Best Practices." For an overview of backup products and systems, see www.networkcomputing.com/1215/1215buyers2.html.
Encryption
Among other things, Juricert (www.juricert.com), a joint initiative of the Law Society of British Columbia and other law societies, offers secure communications services for lawyers and clients, including electronic signatures and data encryption. For a good article on e-mail encryption and industry standard PGP ("Pretty Good Privacy"), see www.netlawtools.com/security/index.html.
CBA Preferred Suppliers
The Data Corporation (www.thedatacorp.com) has entered into a preferred supplier arrangement to offer Tenix 2.0 e-business software to CBA members. Tenix 2.0 is essentially an "extranet-in-a-box," allowing lawyers in different locations to work together in real time over the Internet, with the added benefit of high security. Supported by 3DES and Advanced Encryption Standard up to 256 bit, Tenix 2.0 provides online collaborators with the security of a private network.
Security checklist
Internet security starts from a time-honoured professional premise—you must maintain confidentiality. Whether on paper or on disk, client information must not get into unauthorized hands. That means taking every reasonable step to secure all your office's electronic storage devices.
Here's an eight-point checklist to help make your law office secure.
1. Protect the hardware.
Recognize that a computer is a desirable object and that "anyone can pick it up and all the information stored on it," Ferguson says. "So you may wish to attach it to something, like the floor. Don't laugh," he adds. "We've had computers lifted."
2. Encrypt your data.
Scramble the data on your network and hard drives, so that if someone does steal your computer, they won't be able to read your files. Ferguson says a variety of good encryption software is readily available on the Net (see sidebar for a list of security products and their Web sites).
3. Install a firewall.
Basically, a firewall is a program that prevents hackers from coming down your computer's "pipeline" to the Net, so that no one can hack you or create chaos, explains Ferguson. "Having a firewall is not just getting one and installing it," adds Pinnington. "You want to make sure you've gone through the various settings to lock down things to the extent that you want to."
4. Stop those viruses!
Install a good anti-virus program. "Put it on your server and on each computer, so if anyone tries to introduce a virus into your network, it will not cause havoc," says Ferguson. Once it's installed, make sure you update it regularly. "Most of the major products now allow for automatic updates," Pinnington notes. That means you can set the program to go to its home Web site and download new virus definitions as often as you wish.
5. Back up your data.
"If something screws up today, if someone steals the computer today, if it is destroyed in a fire today, you have the information necessary to carry on your practice," advises Ferguson. "That means backing up daily, taking backup media offsite on a regular basis, and checking that backup data to make sure it's working."
This last point is often overlooked, even by the experts. Ferguson's firm used the same tape backup system faithfully for years. "Then the hard drive got munched, and lo and behold, no one made that kind of tape drive anymore. We had to send the tape to a processing outfit in the States to get it restored onto a hard drive."
6. What's the password?
Use passwords and manage them properly. "A password gets you through a locked door," Pinnington observes. "You have to get people using them and keeping them secret. Then there's the issue of changing them. Do you change them every 30, 60, 90 days, in case they've been compromised?"
7. Watch for turnover.
Pay attention when staff are fired or quit. "It's possible to change a password the moment you terminate someone, so they can no longer get on the network and screw up anybody else," says Ferguson. This is especially important if the termination is acrimonious. "A disgruntled employee may say, 'To hell with this' and issue that formidable command, 'Format Drive C,' and all that was there is gone."
8. Mind your portables.
Remember that everything that we've said about computers also applies to portable data-saving devices like laptops, Palm Pilots and even cell phones.
Other aspects
As for e-mail, make sure it's addressed properly. A slip of a finger can send a confidential message to the wrong person; automated addressing can lead to errors, too. Time pressures make it easy to type in someone's first name and press send without checking to see if it's the right John or Mary.
Even if the message is addressed properly, there's still the problem of interception as the message moves through the ether. An important e-mail can be read by unauthorized people. "Theoretically, any e-mail can be intercepted," Pinnington says. "Practically speaking, it is difficult to do. If you're using a small local ISP, the chances that somebody there could see an e-mail and do something with it are higher than if you're using somebody like Bell Sympatico, where there are far more messages going through."
That brings us to another question. Does good practice now require that law firms encrypt every e-mail before sending it out? "That's one of the most frequent questions I get," says Pinnington. "What you should do is raise the issue with your client and get direction. Look at the nature and type of matter. If it's a major Bay Street deal, then encryption is appropriate; if it's a smaller litigation matter, perhaps not."
Ferguson adds: "Some firms are [encrypting e-mail] partly as a precaution, but also as a marketing strategy. They can say to their clients, 'Look at us. This is how much we care about you.'"
Could encryption be more than just a practice issue—could it be a professional obligation that carries disciplinary sanctions? "At present, I believe the position of most law societies is there is not an ethical obligation on the law firm to encrypt or otherwise secure e-mail transmissions," says Ferguson. Pinnington adds that the Law Society of Upper Canada is now in the process of putting together some guidelines on that point.
Tom Carter is a lawyer and writer in Edmonton.