Two-and-a-half years ago, I concluded a post with this bluster: “Listen, Amazon, Apple, Microsoft and all the other companies collecting vast volumes of our data through intelligent agents, apps and social networking sites, you must afford us a ready means to see and repatriate our data. It’s not enough to let us grab snatches via an unwieldy […]
We all know that securing our law firms and protecting client information is our ethical duty. Thus, the continuing focus on security at this year’s ABA TECHSHOW.
Among the topics:
- Cloud computing
- Password management
- Secure file sharing
- Training staff
- Trends in hacking threats
Of course, there were the usual reminders: don’t use unsecured WiFi, don’t click without thinking, watch out for keyloggers when using public computers, and use strong (and unique) pass phrases for all accounts.
Even so, reminders don’t hurt. And we need to stay on top of trends like how to secure your phone when traveling or Internet-connected printers, TVs, baby monitors, or appliances that may be spying on us.
So get a cup of coffee or tea, and take five with me. Check out these “best of” summaries of what the experts at TECHSHOW shared:
- Law Firms Beware: Secure Your Data
- Security Awareness for Lawyers
- What Do Lawyers Need to Know About Blockchain?
For more summaries of 2018 ABA TECHSHOW tips, advice, apps, websites, and other useful resources for lawyers, see my main Wakelet page.
All Rights Reserved 2018 Beverly Michaelis
A recent headline reads:
Bank Escapes Liability Where It Accepts Two-Party Check
With Only One Endorsement
Hey, wait a minute! Isn’t the bank required to honor restrictions placed on my operating or IOLTA account?
Don’t assume that any of the following restrictions on your account will be honored:
- Multiple endorsements [The situation highlighted above]
- Signature limitations [For example: Two signatures required for amounts over $500]
- Stale dates [Void after 60 days]
Stop payments aren’t the answer either. They are generally good for a limited time only and can be disproportionately expensive, depending on the amount of your original check.
If you fall prey to a counterfeit scam it is unlikely your bank will come to your rescue
and restore funds. As noted above, commercial account holders have very limited recourse.
What Can I Do to Protect My Bank Accounts?
Go to your bank and sign up for fraud prevention services:
- Positive Pay or Payee Positive Pay [PP]
- Reverse Positive Pay [RPP]
- ACH Block and Filter [ACH Controls]
- Proxy Accounts
Ask the banker about “Fraud Prevention Services” or “Disbursement Risk Management Services.” Here is a quick primer:
PP and RPP Services
PP and RPP services match the checks you’ve written against checks presented. When a non-matching check appears, you are alerted. The process varies slightly from bank to bank. Here are some examples from Chase, Wells Fargo, and US Bank.
ACH is the system that moves money and information from one bank to another electronically – via direct payment and direct deposit. You can block all ACH transactions [prevent any money from moving into or out of your accounts electronically] or filter ACH transactions. With filtering, you set criteria to determine who can or cannot move money into or out of your accounts. For additional tips on foiling ACH fraud, see this post.
The Wells Fargo version of this service is called Perfect Receivables®. It works to protect your accounts by providing “proxy” account numbers for your use when receiving ACH and wire payments. For example:
New corporate client [NCC] wants to pay a $10,000 retainer by initiating a wire transfer. Instead of providing NCC your IOLTA account number, you give them a proxy account number issued by your bank. NCC doesn’t know the difference. Your IOLTA account number remains private and protected.
Learn More – Online CLE Event October 27, 2016
Attend Ethical Trust Accounting on Thursday, October 27, 2016 from 10:00 a.m to 12:00 p.m. Enter the discount code Blog to save $5 (20 percent) on your registration – a bargain for 2.0 MCLE ethics credits!
In addition to the above, it never hurts to stay on top of the latest scams – because believe me, they won’t stop. And if you didn’t seem this post, take a gander. This is yet another way scammers can steal your money: using your endorsement on the back of their cancelled retainer check to open a counterfeit bank account.
[All Rights Reserved 2016 Beverly Michaelis]
Unless you’ve been playing ostrich, you’re likely aware that data breaches and ransomware are about as common as Mom and apple pie. Witness the recent hack of 272 million Gmail, Microsoft, and Yahoo! accounts.
Fortunately, there are simple steps you can take now that will help protect your data. [With thanks and all due credit to Lane Powell’s Beyond IP Law post, The Scariest Hack So Far, for inspiring this elucidation of their original list]:
Step 1: Start Using Encryption
For your desktop, cloud-based accounts, mobile devices – anywhere or any place you store or transmit confidential or private information. For a thorough discussion of how to implement encryption throughout your firm, see Encryption Made Simple for Lawyers, now a book available for purchase on the ABA website. (Non-ABA members in Oregon can save money at checkout by using the OSB Professional Liability Fund discount code: OSBPLF.)
Step 2: Set Up Two-Factor Authentication for Cloud Services
“The concept of two-factor authentication is that a person cannot access another user’s account without something she knows and something she has. In the case of popular services (like Google or Dropbox), the solution is a strong password plus a secondary code that is sent via text to a smartphone or mobile device.” Catherine Sanders Reach, Set Up Two-Factor Authentication: What Are You Waiting For? [Read Catherine’s post for step-by-step directions or search Help in your cloud-based service for assistance in setting up two-factor authentication.]
Step 3: Erect Firewalls
Firewalls sit between you and the rest of the Internet. They protect unauthorized access to your computer by ignoring or repelling information that appears to come from unsecured, unknown, or suspicious locations. The best firewall configuration is a one-two punch: hardware firewall + software firewall.
Setting up a hardware firewall requires no effort on your part. While you can buy a stand-alone appliance, hardware firewalls are now automatically incorporated into your router (the box in your office or house installed by your Internet Service Provider).
Software firewalls are installed on your computer system like any other application, and are also easy/breezy since they are typically built into anti-virus software. (See discussion that follows.)
Step 4: Install Anti-Virus, Anti-Malware, Anti-Spyware Programs and Keep Them Updated
This seems pretty explanatory, but let me add some free advice:
- Don’t disable automatic updates to your virus definition database
- Run quick scans when prompted
- Run full scans at least monthly
- Don’t ignore notifications that your software isn’t running properly
For a list of the best anti-virus utilities for PCs, see this list from PC Magazine. For a list of the best anti-virus utilities for Macs, check out this MacWorld post. For other recommendations, run a Google search.
My personal opinion: run far, far away from McAfee. [I really don’t give a rip that it is “now part of Intel Security.”] First, McAfee blocked access to my work VPN (virtual private network). There was no way to set a rule or create an exception and tech support was incredibly unhelpful. Second, McAfee is notoriously hard to uninstall. Using Add/Remove Programs in the Control Panel is only the first step; you must download a separate application from McAfee to get rid of it. I mention this because McAfee tends to come pre-installed on laptops or desktops purchased from retailers like Best Buy. What to do? If McAfee was inflicted on you (pre-installed), get rid of it. Follow the link above for the uninstaller. Next, buy Kaspersky. I have been very pleased with Kaspersky from day one and it has never interfered with my VPN connection.
Step 5: Run Operating System and Other Software Updates
This also seems self-explanatory. Mac and Windows OS ship with automatic updates enabled – don’t fuss with this. If Microsoft or Apple thinks you need a security patch, a fix, or upgrade, let it run. The same goes for every application installed on your computer: Microsoft Office, Acrobat DC, Quicken, QuickBooks – let automatic updates run. If you’re not sure whether automatic updates are enabled, check Help or search the product’s website. Some programs also allow you to manually search for updates. Acrobat DC is an example. In the menu, select Help, and choose “Check for Updates…”
Step 6: Be Ready to Kill Your System If You Suspect a Breach
In the original post which inspired me to write on this topic, author Jane E. Brown comments: “Consider using a “kill switch”— when suspicious events happen, the IT department should automatically be notified and the network should shut down if no protective measures are taken.”
I have known of events that required a kill switch. One Oregon lawyer was hacked via a phishing email. The hacker was able to get enough information from the lawyer and the lawyer’s system to contact clients by email and request that they input credit card information to pay their bills. Fortunately, a few clients recognized that this request was outside the lawyer’s usual billing process and called the office. The lawyer had to pull the kill switch and take other steps, including freezing bank accounts. This turned out to be a smart move, as within 24 hours the hacker also attempted to withdraw thousands of dollars from the lawyer’s trust account.
Step 7: Lose Your Device? Lose Your Credentials.
There are some obvious times when it makes sense to reset or revoke user names and passwords (login credentials):
- At termination
- If a network-connected device is lost
- You experience a security intrusion
- Your security, privacy, or confidential policies are breached
None of these steps are difficult, but bouncing back from a security breach is.
[All Rights Reserved 2016 Beverly Michaelis]