7 Steps You Can Take Now to Protect Your Data

lockUnless you’ve been playing ostrich, you’re likely aware that data breaches and ransomware are about as common as Mom and apple pie.  Witness the recent hack of 272 million Gmail, Microsoft, and Yahoo! accounts.

Fortunately, there are simple steps you can take now that will help protect your data.  [With thanks and all due credit to Lane Powell’s Beyond IP Law post, The Scariest Hack So Far, for inspiring this elucidation of their original list]:

Step 1: Start Using Encryption

For your desktop, cloud-based accounts, mobile devices – anywhere or any place you store or transmit confidential or private information.  For a thorough discussion of how to implement encryption throughout your firm, see Encryption Made Simple for Lawyers, now a book available for purchase on the ABA website.  (Non-ABA members in Oregon can save money at checkout by using the OSB Professional Liability Fund discount code: OSBPLF.)

Step 2: Set Up Two-Factor Authentication for Cloud Services

“The concept of two-factor authentication is that a person cannot access another user’s account without something she knows and something she has. In the case of popular services (like Google or Dropbox), the solution is a strong password plus a secondary code that is sent via text to a smartphone or mobile device.”  Catherine Sanders Reach, Set Up Two-Factor Authentication: What Are You Waiting For?  [Read Catherine’s post for step-by-step directions or search Help in your cloud-based service for assistance in setting up two-factor authentication.]

Step 3:  Erect Firewalls

Firewalls sit between you and the rest of the Internet.  They protect unauthorized access to your computer by ignoring or repelling information that appears to come from unsecured, unknown, or suspicious locations.  The best firewall configuration is a one-two punch:  hardware firewall + software firewall.

Setting up a hardware firewall requires no effort on your part.  While you can buy a stand-alone appliance, hardware firewalls are now automatically incorporated into your router (the box in your office or house installed by your Internet Service Provider).

Software firewalls are installed on your computer system like any other application, and are also easy/breezy since they are typically built into anti-virus software.  (See discussion that follows.)

Step 4: Install Anti-Virus, Anti-Malware, Anti-Spyware Programs and Keep Them Updated

This seems pretty explanatory, but let me add some free advice:

  • Don’t disable automatic updates to your virus definition database
  • Run quick scans when prompted
  • Run full scans at least monthly
  • Don’t ignore notifications that your software isn’t running properly

For a list of the best anti-virus utilities for PCs, see this list from PC Magazine.  For a list of the best anti-virus utilities for Macs, check out this MacWorld post.  For other recommendations, run a Google search.

My personal opinion: run far, far away from McAfee.  [I really don’t give a rip that it is “now part of Intel Security.”]  First, McAfee blocked access to my work VPN (virtual private network).  There was no way to set a rule or create an exception and tech support was incredibly unhelpful.  Second, McAfee is notoriously hard to uninstall. Using Add/Remove Programs in the Control Panel is only the first step; you must download a separate application from McAfee to get rid of it.  I mention this because McAfee tends to come pre-installed on laptops or desktops purchased from retailers like Best Buy.  What to do?  If McAfee was inflicted on you (pre-installed), get rid of it.  Follow the link above for the uninstaller.  Next, buy Kaspersky.  I have been very pleased with Kaspersky from day one and it has never interfered with my VPN connection.

Step 5:  Run Operating System and Other Software Updates

This also seems self-explanatory.  Mac and Windows OS ship with automatic updates enabled – don’t fuss with this.  If Microsoft or Apple thinks you need a security patch, a fix, or upgrade, let it run.  The same goes for every application installed on your computer:  Microsoft Office, Acrobat DC, Quicken, QuickBooks – let automatic updates run.  If you’re not sure whether automatic updates are enabled, check Help or search the product’s website.  Some programs also allow you to manually search for updates. Acrobat DC is an example.  In the menu, select Help, and choose “Check for Updates…”

Step 6:  Be Ready to Kill Your System If You Suspect a Breach

In the original post which inspired me to write on this topic, author Jane E. Brown comments: “Consider using a “kill switch”— when suspicious events happen, the IT department should automatically be notified and the network should shut down if no protective measures are taken.”

I have known of events that required a kill switch.  One Oregon lawyer was hacked via a phishing email.  The hacker was able to get enough information from the lawyer and the lawyer’s system to contact clients by email and request that they input credit card information to pay their bills. Fortunately, a few clients recognized that this request was outside the lawyer’s usual billing process and called the office.  The lawyer had to pull the kill switch and take other steps, including freezing bank accounts.  This turned out to be a smart move, as within 24 hours the hacker also attempted to withdraw thousands of dollars from the lawyer’s trust account.

Step 7:  Lose Your Device?  Lose Your Credentials.

There are some obvious times when it makes sense to reset or revoke user names and passwords (login credentials):

  • At termination
  • If a network-connected device is lost
  • You experience a security intrusion
  • Your security, privacy, or confidential policies are breached

Final Thoughtsth

None of these steps are difficult, but bouncing back from a security breach is.

 

 

[All Rights Reserved 2016 Beverly Michaelis]

Saving Gmail to PDF Using Zapier

Google Calendar in one hourAre you a Gmail user?  Many lawyers are.

Gmail and Google Calendar [sometimes coupled with Google Apps] is a popular alternative to Outlook.  But there is a key issue with using web-based email that lawyers often overlook: messages stored online simply don’t make it to your client file.  If you prefer web-based email and rebel against the idea of downloading messages to a local program on your desktop or laptop, how can you document your file?

This has been a challenge.  Until now.

The Bad Old Days: Saving Messages as Individual PDF Files

Gmail – as stand-alone web-based email – does not offer an easy way to capture a group of messages labeled or stored in a folder online.  If you want to save client emails, you must do so one at a time by printing each message to PDF (or scanning each message to PDF).  This is so incredibly tedious that most lawyers never do it.  Messages are saved online and nowhere else, resulting in non-cohesive client records.

Today’s solution: Zapier

Zapier is one way to solve this problem.  It automatically files Gmail by moving messages for you.  The only trick is the destination, which must be another web-based service or account.  Google Drive and Dropbox are two examples of locations where mail can be saved.  Here is a simple explanation of how the service works.

If you are paperless and storing your client records at one of the supported online destinations, then Zapier can make your client file cohesive.  Everything is in one location and your records are complete.  One of the most popular approaches is to use Zapier to save client email to Dropbox.

Parting Thoughts

“Zapping” your Gmail to the same online location where you keep your other client records seems like a good way to go.  As with any cloud-based solution, there are ethical concerns.

  1. Is Zapier secure?  Zapier stores the data it is moving on your behalf for 7 days, then purges it.  Your credentials are protected by bank-level encryption.  HTTPS or SSL connections are used whenever possible [If the destination app you are connecting to is not HTTPS or SSLZapier cannot “force” that type of connection.]  Users can monitor the task history of Zapier for the life of their accounts to verify activity and data transfer. Read more here.
  2. Is it a good idea to keep confidential and privileged client records in Dropbox, Google Drive, Box, or One Drive?  Yes, provided you supplement the built-in protection of your online accounts with a private [client side] encryption product like Viivo.  Problem solved.
  3. Won’t I just be safer if I store files on my own computer?  This is another way to go, but you’ll be stuck with the one-at-a-time process of saving email as described above.  Additionally, the tide of expert thought is shifting to the belief that cloud-based solutions are superior.  See The great IT myth: is cloud really less secure than on-premise?

 

All Rights Reserved [2016] Beverly Michaelis

2016 ABA TECHSHOW Keynote

Does NSA or other government surveillance cause you to lose sleep or have you given up on privacy?  Some very interesting thoughts today from Cindy Cohn of the Electronic Frontier Foundation (EFF) in her keynote at the 2016 ABA TECHSHOW.

  • The Apple case isn’t about privacy, it’s about security.
  • Neither legally nor technically was it ever correct that the government wanted access to only one phone [referring to the Apple case].
  • Apple’s security backdoor: If you build it, they [hackers, foreign governments, law enforcement] will come.
  • Encryption is just applied math.
  • Everything old is new again. We’ll be here 20 years from now when this fight is still going on [on EFF’s mission].
  • We are moving into to a world where devices are deeply embedded in our lives. We have to get the balance right.
  • Stand up for strong security at Savecyrpto.org.

For an excellent recap of Cindy’s speech, click here or on the image below.

2016-03-18_12-24-21

 

Getting Your Head into the Cloud

Whether you’re setting up a practice for the first time or upgrading existing technology, odds are you’re taking a long, hard look at the cloud. Here is a checklist to help you through the process.

Getting Started

Moving your data to the cloud is all about vetting the cloud provider – will they or won’t they keep your client information secure?  Here are your marching orders:

Research the Provider

  1. What is their reputation?
  2. How many years have they been in business?
  3. Are bloggers and news outlets critical or supportive?
  4. Can the provider give you a list of other lawyers who use their product?  (If so, check the provider’s references.)
  5. Talk to friends and colleagues: are they familiar with the product or provider?  What are their thoughts?
  6. If you belong to a listserv, poll the members of the listserv.
  7. Use the power of Google to reveal problems.  A general search using the product or provider name is a good start.  To uncover security issues, Google the product or provider name followed by the words “security concerns” or “data breach.”  To reveal if outages are a problem, search the product or provider name followed by the words “downtime statistics.”

Evaluate Speed and Reliability

Uptime, bandwidth, and general reliability of the Internet matter.

  1. Check on provider uptime statistics as part of your general research – see the discussion above.
  2. Make sure your technology is up to the task.  To use the cloud effectively you must have a fast, reliable Internet connection. If you don’t, contact your ISP.  If there is a remedy (and you can afford it), great.  If not, taking your practice into the cloud is likely not a good choice.

Read the Fine Print

  1. Dig into the provider’s website and follow any links that reference Terms of Service, Terms of Use, Privacy Policy, Security, or Service Agreements.
  2. Contact customer service for clarification of terms if needed.

Educate Yourself about Encryption

Every cloud provider encrypts your data.  The devil is in the details:

  1. Is your data encrypted at all times (in transit and at rest)?
  2. Does the provider hold a master encryption key?  (If so the provider can access your data at any time, thus defeating client confidentiality.)
  3. Is third-party encryption an option?  If the answer is yes, you can lock out the cloud provider.  A master key only permits the provider to unlock their encryption, not yours.  With third-party (AKA client-side) encryption, you – the user – apply your own encryption software before uploading any content to the cloud provider’s site.  Here’s the rub:  encrypting your own content isn’t always an option for compatibility reasons, so check with the provider.

Learn about Data Access Policies – “Authorized” and “Unauthorized”

Getting an answer to the master encryption key question will resolve whether the provider’s employees can freely access your information.  Now you need to ask:

  1. Will the provider notify you if authorities seek access to your account information?  (Some providers comply with subpoenas first and tell you about it later.)
  2. What is the provider’s procedure if a data breach occurs?

Know Before You Go: Security, Backups, Redundancy, and Local Copies of Your Data

  1. Find out what the provider has to say about the physical security of its facilities.  Features like fire suppression, redundant electrical systems, temperature controlled environments, video surveillance, and 24/7 monitoring by security personnel are standard.
  2. Learn everything you can about how your data is backed up. Where, when, and how.  A decent cloud provider has multiple servers that are geographically dispersed.
  3. Consider it a deal breaker if you can’t download a local copy of your own data. Keeping a local copy just makes sense.  First, it protects you if the provider goes out of business (some have).  Second, if the provider suffers a catastrophic breach you’ll still have a pristine copy of your information.  [Caveat: ability to download a local copy of your data does not mean you can work with it offline.  This is simply a way to protect yourself in a worst case scenario.]

Nail down the Details: Support, Training, Data Migration, and Data Integration

Cloud products are generally pretty easy to use, but at some point you’ll need help – maybe at the outset when you import your data – or later when you start using more advanced features of the program.  Either way, ask:

  1. Does the provider offer live telephone support?  Live chat?  Email?  What are the hours?  Is it free or is there a support contract?
  2. What resources does the provider have on its website?  Searchable knowledge base?  User forums?  Blog?  Training videos?  Webinars?
  3. Will the provider help you migrate your existing data?  Are you on your own?  If there is a fee for data migration, get an estimate.
  4. What about product compatibility and integration?  Some users need the cloud product to communicate with an existing piece of software, like QuickBooks or Outlook.  [Tip: don’t just take the cloud provider’s word for it.  Run another Google search: Is (cloud product name) compatible with (existing program)? If the blogosphere has spotted issues, you’ll uncover them quickly enough.

Product Cost and Licensing

Most cloud products are sold on a monthly subscription basis.  Do a bit of research:

  1. What is the current fee per user?  Any price breaks for multiple licenses?
  2. Research historic costs.  If monthly fees have jumped significantly in the recent past, factor this into your choice.
  3. Are product upgrades or new features included in existing subscriptions or is there an additional fee?
  4. What does a single license or a single user account include? Some providers are strict: one user/one license/one device.  Others are more flexible: one user/one license/multiple downloads: desktop, laptop, tablet.

Choose the Right Version

If your cloud provider offers multiple packages or products, proceed cautiously.

  1. Look for a Web page on the provider’s site that will compare the features of each version side by side.
  2. Call customer service when in doubt.
  3. Take advantage of free trials, which are almost universally available. A trial run is the best way to know whether you’re really going to like something.

Cyber Liability and Data Breach – What if the Worst Happens?

If you’ve decided to store your data in the cloud, it might be a good idea to have cyber liability and data breach coverage.

The Professional Liability Fund Excess Claims Made Plan automatically includes a cyber liability and data breach response endorsement with these features:

  • Forensic and legal assistance to determine compliance with applicable law
  • Notifications to individuals as required by law
  • 12 months credit monitoring to each notified client
  • Loss mitigation resources for law firms

If you aren’t eligible or don’t wish to purchase excess coverage through the PLF, contact a commercial carrier.

This is Too Much Work – Can’t You Just Tell Me What to Do or Give Me a List of Recommended Products?

No.  I can’t make this decision for you.  You and I have different likes, dislikes, needs, skill levels, and preferences.  (Think: Windows vs. Mac, Word vs. WordPerfect, or Mayonnaise vs. Miracle Whip.)

If you want to be happy with your choice, you have to make it.  We can talk, I can point you toward resources, or send you comparison charts.  But in the end you are the decider.

[All Rights Reserved 2015 Beverly Michaelis]