13 Resources for Protecting Data – Courtesy of the FTC

With data breaches in the news on an almost daily basis, how do you protect your law firm’s assets? What advice should you give to your clients?

The FTC offers a list of 13 data security resources to help you get started. From mobile apps to digital copiers and shutting down spam, there is a ton of good advice to be culled from these posts and PDFs.

Free Shred Day for Multnomah County Lawyers

The Professional Liability Fund is providing free shredding of legal files on Saturday, March 15, from 8:00 a.m. to 12:00 p.m. in the Oregon State Bar Center parking lot. Mobile shredding trucks from Recall, a document management company, will be shredding the materials onsite. Limit: 15 boxes per firm.

The trucks will be located in the back parking lot of the OSB Center, 16037 SW Upper Boones Ferry Road, Tigard, Oregon, 97224. Shredding will be available until the trucks are filled to capacity. Please respect the 15-box-per-firm limit, so that we can provide this service to as many firms as possible. You must wait until your material is shredded and take your boxes back with you. Paper clips and binder clips are okay to shred, but 3-ring binders should be removed.

If you have any questions please contact DeAnna Shields at 503-639-6911, ext. 440 or deannas@osbplf.org.

Using Google Voice in Your Law Practice

The February issue of Multnomah Lawyer, the official publication of the Multnomah Bar Association, has an excellent article by Charley Gee about using Google Voice.

As Charley describes:

Google Voice is a service from Google that provides a user with a telephone number, voicemail, conference calling, and text messaging service. It is accessible from any computer with access to the Internet, or from a cellphone or tablet.

The best feature of Google Voice is its price: free. Using your Google account, just sign up, select the number you want from a list of available numbers, and verify and connect your cell phone to the account.

Google Voice supports call routing, text message archiving, and voicemail to e-mail transcription.  (But not emergency service calls.)  If traveling, you can access voicemails and make calls without cell service:

Google Voice users can make and receive calls and text messages, as well as fetch their voicemail, over the internet instead of a cell tower signal. I’ve accessed my voicemail and text messages from remote locations around the state just by finding a Wi-Fi hotspot.

Great tip, Charley!  My only caveat is to keep security risks in mind when using Wi-Fi.

If you are evaluating Google Voice vs. Skype, read this post.  For more thoughts on the benefits of using Google Voice in your law practice, check out what Go Matters has to say.

If you’ve committed to Google Voice and want to know about using it on your Android Phone or iPad, see:

How to Use Google Voice for Your Primary Android Phone Number and Messages or App Review: Google Voice for iPad.

Final Thoughts

I blogged earlier this month about how to cope with Gmail outages.  Google Voice is tied to your Gmail account.  If Gmail goes down, Google Voice may also experience an outage.  Without a doubt, you will lose Wi-Fi functionality, voicemail to e-mail transcription, and perhaps other features.  A cursory search did not return an answer to the question: How many times has Google Voice experienced an outage?  However, searching for “Google Voice outage” returns numerous results dating back over the last few years.  Whether Google’s uptime stats are better or worse than the competition is hard to gauge.

Finally, I can’t write a post about Google Voice without expressing how much I like Ruby Receptionists, our very own home-grown virtual reception service based in Oregon.  Ruby Receptionists goes far above and beyond Google Voice, with the advantage of personalized, live reception services.  Read about this awesome service for lawyers here.  For another take, see this post.

All Rights Reserved [2014] Beverly Michaelis

What Lawyers Can Learn from the Yahoo Email Hack

Yahoo, the second largest email service worldwide, reported a security breach last week which exposed personal information from sent email folders.

The Associated Press reports:

Yahoo Inc. said in a blog post on its breach that “The information sought in the attack seems to be the names and email addresses from the affected accounts’ most recent sent emails.”

That could mean hackers were looking for additional email addresses to send spam or scam messages.  By grabbing real names from those sent folders, hackers could try to make bogus messages appear more legitimate to recipients.

If you correspond with friends, family, clients, or colleagues who use Yahoo’s mail service, scrutinize incoming e-mail carefully to avoid phishing scams. 

This breach has another takeaway for lawyers – you are only as secure as your third party vendors.  The Yahoo and Target breaches were both the result of third-party vendor hacks.  In the case of Yahoo, the information was collected from a third-party database.  In the Target hack, credentials were stolen from a third party vendor.

Lawyers should take this to heart when evaluating their own cyber liability and security – specifically with regard to HIPAA compliance.  If your servers are hosted in the cloud, or you use cloud-based practice management, accounting, or backup solutions, inquire into the security procedures of your vendors.  Remember that encryption is your friend.  All data stored in the cloud should be encrypted – minimally by your vendor.  Better yet: go the extra mile.  Seek out cloud providers who permit you to add your own third party encryption, like Viivo or TrueCrypt, so that you (and only you) hold the final encryption key.

All Rights Reserved [2014] Beverly Michaelis

Encryption: Essential Best Practice or Much Ado About Nothing?

In a recent post, MASS LOMAP’s senior law practice management advisor Jared Correia shared the ABCs of encryption.  Whether you’re securing one document at a time or an entire collection, be sure to check out his recommendations.  Another excellent resource is Email Encryption for Everyone by Catherine Reach.

While Oregon practitioners are not required to comply with data protection statutes, encryption is an essential best practice when it comes to the cloud.  And perhaps in a few other contexts when the situation warrants:

Although use of electronic communications is not a per se violation of the duty of confidentiality, special precautions may be necessary in particular circumstances. For example, if information is particularly sensitive or subject to a confidentiality agreement, a lawyer may need to implement special security measures. Also, if a client requests it, a lawyer may be required to avoid, or be allowed to use, a particular type of electronic communication notwithstanding expectations of privacy in the communication method.  Helen Hierschbiel, “Odds & Ends:  Safeguarding Client Information in a Digital World,” Oregon State Bar Bulletin [July 2010].  See also Melody Finnemore, “The Data Dilemma: Law Firms Strive to Strengthen E-Security as Potential Threats Continue to Rise,” Oregon State Bar Bulletin [October 2012] and the companion sidebar by John W. Simek and Sharon D. Nelson, “E-Security Pros Offer 15 Tips to Help Law Firms Better Protect Sensitive Data.”

Fellow Oregon practice management advisor Sheila Blackford is working on an encryption article for In Brief, the official publication of the Professional Liability Fund.  Keep an eye out in your mailbox and your inbox – the article is likely to appear late this year or in early 2014.


The 7 Rules of Using Dropbox

Dropbox - what could be new?  With the announcement of a new API last month, some believe it may become an alternative to iCloud.  For the rest of us, Dropbox simply remains the incredibly popular file sharing and collaboration tool.

But before you dive in, or if you’re already swimming in the Dropbox pool, use some common sense.  Follow these 7 rules of using Dropbox securely and without regret:

  1. Get educated about the Cloud.
  2. Read and understand your state’s ethics opinion.
  3. Know the difference between free, pro, and business accounts.  Free account users have a limited 30 day archive.  Pro and Business Users can add Packrat to recover any file “as far back in time as you like.”
  4. Before sharing folders or links, review Dropbox help and learn how to unshare a file or remove a member from your business account.
  5. Establish strong user names and passwords unique to the Dropbox site.
  6. Understand Dropbox security and privacy policies …
  7. But add your own “client side” encryption to fully protect files.

All Rights Reserved Beverly Michaelis (2013)

Free Shred Day a Resounding Success

The Professional Liability Fund held its first ever “come one/come all” free shredding event at the Oregon State Bar Center on Saturday, June 15. Invitations were extended to all Oregon lawyers practicing in Clackamas and Washington counties:

  • Participants brought 447 containers of client files in everything imaginable – produce boxes, large bags, standard bankers boxes, and oversize bankers boxes.
  • Recall filled 85 bins and shredded all files on-site.
  • If stored in standard containers, the material would occupy 595 letter/legal size bankers boxes.
  • By weight, 14,875 pounds of client files were destroyed.

To learn about future shred events, follow the Professional Liability Fund on LinkedIn, Google+ or Twitter.

All Rights Reserved Beverly Michaelis (2013)

Demandforce – Appointment Reminder Solution for Lawyers?

My first experience with Intuit’s Demandforce came in the form of a text message from my vet’s office. I received a reminder about an appointment and was prompted to confirm. I remember thinking: this is pretty neat! Veterinary staff later confirmed that clients universally appreciated the appointment reminders generated by this service. (Some did not care for the social campaign piece and opted out.)

This made me wonder: should lawyers use an automated appointment reminder service like Demandforce? Professional services are certainly targeted on the Demandforce site… but what about confidentiality?

  • Demandforce retains log files
  • They may disclose information in response to a subpoena or legal request:
    Demandforce may disclose, access, or report personal information when we believe, in good faith, we’re required to do so by law or to protect our legal rights. We may also do this in connection with an investigation into a suspected violation involving a Terms of Service, fraud, intellectual property infringement, or other activity that may be illegal or expose us to legal liability. For example, we may be required to disclose personal information to cooperate with regulators or law enforcement authorities or to comply with a court order, subpoena, search warrant, or law enforcement request.
  • Encryption and site intrusion detection software is used to protect sensitive information
  • Consumers (your clients) are given an opt-out with each communication
  • Suggestions, ideas, enhancement requests, feedback, recommendations (collectively, Feedback) or other information provided by the Customer or any other party relating to the Service belong to Demandforce.
  • The customer (lawyer using the service) retains all right, title and interest to any and all patient or customer data including consumer review data captured by the … system … subject to Demandforce’s right to use such Customer Data to provide the Service to Customer. (Paragraph 3, Terms & Conditions)
  • Demandforce does not own any Customer Data, information or material that you submit to the Service in the course of using the Service. (Paragraph 5, Terms & Conditions)
  • For medical professionals – Demandforce is HIPAA compliant
  • Personal customer information (information belonging to the lawyers using the service) may be sold by Demandforce. Customers will be asked if they would “like to stop receiving promotional information following any change of control.”

Evaluating Third Party/Cloud-Based Services

Can a lawyer in Oregon use a cloud-based service? Yes – provided the lawyer follows the parameters of Opinion 188. How do you know if a cloud service is appropriate for your confidential client information?

  1. Review the Terms of Service, Terms of Use, or Terms & Conditions
  2. Review the Privacy Policy
  3. Review the Security Policy
  4. Fully investigate the vendor following the guidelines suggested by the ABA Legal Technology Resource Center
  5. Ask questions: Who is my vendor? How will my data be stored and where? Who can access my data? Who owns the data I upload? What happens if the cloud provider goes out of business? For a great discussion, see Evaluating Cloud-Computing Providers.
  6. Get client permission. Add a provision to your fee agreement/engagement letter allowing you to send cloud-generated appointment reminders. This is also an opportunity to address communication by unencrypted e-mail, storing client data in the cloud, or use of a client portal.

All Rights Reserved (2013) Beverly Michaelis