Secur ity The Lawyer's Guide to Mobile Computer Security
By Ellen Freedman, Reid Trautz, and Jim Calloway
y all accounts, a personal computer is lost or stolen every 12 seconds. Most contain con dential or sensitive information. An article in the September 25, 2006, online issue of Enterprise Security Today detailed how the 217 laptops, 46 portable data storage devices, and 15 handheld devices belonging to the Census Bureau had been lost or stolen since 2003.1 All held con dential information. In fact, the Commerce Department performed a review and found that, since 2001, the department's 15 operating units had lost an astounding 1,137 laptop computers, all containing con dential information. The newsletter Privacy Journal reported 24 signi cant instances of Social Security numbers and other sensitive data being placed at risk through stolen or lost laptops in 2006. Of course, just one missing laptop can expose a great deal of information. Most will recall the media restorm when a laptop containing personally identi able information of 26.5 million veterans and family members was stolen from the home of a Veterans Administration employee. Having to explain to a client or disciplinary authority about lost or exposed client data on a missing laptop would be unpleasant and di cult. How could anyone seriously maintain that he or she had no idea that a laptop with con dential information could be lost or stolen? But laptops are not the only mobile devices that can contain con dential information. Virtually all mobile devices and removable media can potentially expose a
Ellen Freedman, a certified legal manager, is the Pennsylvania Bar Association's law practice management coordinator, president of Freedman Consulting, and founding partner of The Managing Partner Development Institute. She provides assistance to law firms in all aspects of business management and speaks and writes extensively on the topic. Reid F. Trautz heads the American Immigration Lawyers Association's Practice and Professionalism Center and is a nationally recognized author and presenter on law firm management. Jim Calloway is the director of the Oklahoma Bar Association Management Assistance Program and manager of the OBA Solo and Small Firm Conference. He served as chair of the ABA TECHSHOW 2005 board. A version of this article originally appeared in the March/April 2007 issue of The Pennsylvania Lawyer. Used with permission.
law rm to embarrassment and even ethical breaches if they fall into the wrong hands. Law rms need to devote more attention to protection of information on USB devices like thumb drives and iPods or other MP3 players; on removable media such as CDs, DVDs, oppy disks, and external hard drives; on seemingly innocuous devices such as dictation recorders; and on wireless devices such as cell phones, smart phones, and personal digital assistants (PDAs). We should also be aware that information can be stolen from a computer without the alarm created by vanishing hardware. Software is readily available on the Internet for e ciently purloining data. For example, third-party packet capture driver applications enable nefarious use of USB thumb drives. It prepares the device to enable both data and large applications to be copied onto the removable media within seconds. A hacker no longer needs to have a laptop available to compromise a network. A USB ash drive can be plugged in and used to steal large quantities of information rapidly. Similar software for MP3 players is now available. It would be easy for a short-sighted law rm manager or IT director to decree that no client information can ever be taken out of the o ce on a mobile device. But the demands of today's workplace make laptop computers, PDAs, ash drives, and other devices almost a requirement for many. It would be inconceivable to travel to visit with a client in another state without taking a laptop packed with information about the client's les. Remote access to the o ce network over the Internet is an important productivity component for lawyers who are working from home or traveling. Of course, email attachments leave the o ce regularly. It follows, then, that when we talk about mobile security, we are talking about training sta and lawyers to be aware of the risks and adopting policies to secure con dential information. Every rm needs to implement a computer use policy that carefully balances the need for security and the need of users to accomplish tasks without undue administrative burden.
By now, most lawyers should be aware that electronic documents contain hidden information called metadata. There have been embarrassing moments for individuals who were unaware that the documents that they emailed
The Computer & Internet Lawyer 19
Volume 24 Number 7 July 2007
contained potentially embarrassing hidden information. Some of the most problematic items of metadata are deleted comments or document revision history. Tools that expose metadata and instructions on how to look for it are readily available on the Internet. Sending a document to opposing counsel that potentially exposes the client's comments made while reviewing the document could constitute a major ethical breach. One way to create a document that is virtually metadata free is to create a new "clean" document just before emailing it. First, open a blank document. Then select the text in the original document, copy it to the clipboard, and paste it into the new blank document to create a new document with no troublesome metadata. WordPerfect users might consider upgrading to version X3 that has a "save without metadata" feature. There are various commercial products available for both viewing and deleting metadata from a document, such as the Metadata Assistant from PayneConsulting. com. Another option: Always print a document to PDF before allowing it to leave the o ce. While PDF documents created in this manner retain some metadata, it is limited and not of the type likely to expose client con dences or to prove embarrassing. to clients, co-counsel, and opposing counsel by phone. While the widespread knowledge of the password limits its e ectiveness, it goes a long way toward protecting any documents that get mis-delivered or lost.
Locking Down PDF Files
Another way to protect documents from unwanted changes or exposure is saving them to Portable Document Format (PDF). Law rm users can lock-down documents--disallowing printing, copying, editing, commenting, or even opening the document. One can encrypt the le or use secure digital signatures and other authentication protocols. Attorneys can make sure that the document is not exposed to alteration or copying. It is a more secure way to send documents to clients and opposing counsel, knowing that they cannot be altered or that alterations can easily be seen.
Password-protecting a document reminds one that locking your doors will keep out honest people but only slow down a professional thief. For critically important information, document encryption rather than password-protection is the solution. A marital dissolution settlement proposal might be e ectively protected by a password. Information about a proposed multimilliondollar merger or the defense of a criminal matter making national headlines might need to be encrypted. Encryption is the process of obscuring data or information to make it unreadable without special software or knowledge. Governments and the military have long used encryption to protect sensitive communications. Commercial encryption products have emerged to protect software, Internet communications, mobile data, cell phones, and other sensitive information. To encrypt digital information, the document, folder, or data le is run through a software application to obscure the information. There are various levels; the higher the "bits," the greater the protection. Currently, 256-bit encryption is a common standard. Super-sensitive documents will have higher levels. The way to deencrypt the information is with a key.The key is often a pass code or another software program tied to the original encryption software. An obvious danger: The loss of the key e ectively loses the document.
While the issue of metadata is getting all the attention these days, counsel should not overlook the o ce processes for protecting access to sensitive documents. There are two methods: authentication and encryption. Documents are the lifeblood of attorneys. Attorneys have a duty to preserve and protect the con dentiality of information. That task is made more di cult when documents are accessible across a rm network or shared electronically. Assuring con dentiality is more di cult than just locking a le cabinet or a desk drawer. Authentication is the common term for proactively limiting access to electronically created documents. We can easily install authentication requirements on a computer to view a document, folder, or the entire computer. Biometric authentication-- ngerprint and iris scans for example--is an emerging method, but passwords are by far the most common form. All computers should require at least one password for login. Individual documents containing sensitive information that are shared electronically should be individually password-protected. A strong password contains at least nine characters and both letters and numbers or typographic symbols. Even a relatively insecure or soft password may have bene ts. A rm can adopt a universal password for all documents to be taken outside of the rm, including by email attachment. The password is communicated
20 The Computer & Internet Lawyer
CD-ROMs, DVDs, and Floppy Disk Drives
Although one can encrypt or password-protect CDROMs, DVDs, and oppy drives, it generally makes more sense for the user to encrypt or password-protect the documents individually.
Volume 24 Number 7 July 2007
USB Flash Drives
The use of USB ash drives is increasingly widespread. A USB ash drive is a small removable data storage device that plugs into almost any computer built in the past ve years or so and is commonly used to transport and share documents.These devices are as small as a matchbook or ink pen but can hold thousands of documents, hundreds of photos, songs, or slide presentations. It is plugged into the USB port on any other computer for access to any documents and other les previously transferred to the device. USB ash drives have largely replaced oppy disks for transporting documents. For example, if a lawyer needs to redraft an agreement or nish drafting an article over the weekend, the agreement or article can be copied to a USB ash drive when leaving the o ce.Then one can plug it into another computer and work on the document. When nished, one should save it only on the ash drive, not the other computer's hard drive. Although these devices are very convenient, they are easily misplaced, and they can leave con dential data on the temporary host computer. To avoid losing the ash drive, a lawyer should attach it to o ce or car keys with a small but secure chain. Counsel should treat the ash drive like a million dollar nugget of gold, always knowing where it is at all times.Why? Because that may be the cost to settle a malpractice claim if con dential information is lost or stolen. Many smaller rms are buying two of these devices to use for their data backup protocol instead of using a magnetic tape drive. Coupled with reliable back-up software (included with some portable hard drives), the rms swap the two hard drives on a daily or weekly basis, keeping the alternate in a secure o -site location. As with any other information-laden storage device that leaves your o ce, it must be secured against the possibility of theft or being lost. Again, authentication and encryption are the best methods to protect data con dentiality. From a security standpoint, these drives have the same attendant risks and protection schemes as USB ash drives. They are slightly more inherently secure when used as back-ups because the back-up software will compress the data, often in a proprietary format. In addition, they sometimes work through proprietary installed software systems rather than the plug-and-play model of the USB ash drives. The nder of the lost USB ash drive merely needs to stick it into a computer's USB port to look at the contents. Spying on compressed data in a found back-up portable hard drive would present a greater challenge to the average user.
Mobile Phones and PDAs
The current generation of high-end mobile phones incorporates many of the information-carrying characteristics of computers. Smart phones now incorporate all of the functionality of PDAs. Unfortunately, password-protecting a mobile phone tends to reduce a great deal of its functionality and convenience. One should still consider whether documents placed on a mobile phone should be passwordprotected. Probably the most practical advice is to consider whether sensitive documents should be placed on a mobile phone at all. Some PDAs and mobile phones now provide for remote purging of the information when they are lost. One law rm that unsuccessfully tried to use this feature on a phone learned that it would not work in the shielded lower oors of a parking garage, where it was lost.
Protecting Data on Your Flash Drive
The two most common methods to protect ash drive data are authentication and encryption. Some lawyers take the precaution of using a password to access the ash drive contents and a second password for each le or folder on the ash drive. Encryption is viewed as an inconvenience, but it is much more secure than just a password. Flash drive manufacturers continue to meet the security demands of consumers and now add authentication and/or encryption software to some ash drive models.
Portable Hard Drives
Portable hard drives are external storage devices that can be easily transported in a briefcase, purse or pocket. These devices make it easy to carry your data backup home. They can hold more information than a ash drive, often as much or more than any computer in your o ce. They connect to any computer through a cable, usually a USB or FireWire cable. The portable hard drive has leaped in popularity as the physical size of the devices has dropped, as the storage capability has skyrocketed and as the prices have continued to fall.
Volume 24 Number 7 July 2007
The number of lawyers who have laptop computers is signi cant and steadily growing. It is a great convenience to have much of your client information, your forms, and other digital data with you when traveling or even going home at night. The loss or theft of a laptop is not as rare as one might think, however. The minimum standard for laptop protection is password protection. For laptops that are typically attached to a network, this is already done by the network login password.
The Computer & Internet Lawyer 21
Readers will begin to notice some familiar themes. Sensitive documents on a laptop can be either password-protected or encrypted. Sometimes it may make sense to encrypt entire folders for keeping important documents safe. Laptops left unattended in a hotel room can be secured by chain lock devices similar to those used to protect a bicycle. Screen protectors can be used to block prying eyes when working in public or on an airplane. There are software packages that allow a stolen computer to "phone home" when connected to the Internet. There are also packages for remotely deleting sensitive information when the laptop is connected to the Internet. While these concepts are new, one anticipates that they will become the minimum security standard within a few years. Likewise, it is no longer the stu of science ction to consider a laptop with ngerprint or iris scanning authentication. One of the most interesting methods of laptop remote access security uses a key fob that displays a series of numbers. The displayed numbers change every few minutes and are synchronized with the o ce computer network. Logging in to the network requires entry of the current set of numbers followed by a several digit number that the lawyer has memorized. The theory is that even if the purpose of the key fob is known and it has been lost or stolen along with the laptop, one would still be unable to crack the network without the memorized set of numbers. key. Like any other business, a law rm has to stay competitive and take advantage of advances in technology. That means taking advantage of the bene ts of mobile technology. Spending time drafting a written plan for mobile computing security is important for both the law rm and the clients.
Managing the Security and Privacy of Electronic Data in a Law Office is a must-read free booklet from PracticePRO at www.practicepro.ca/practice/ElectronicData Security.asp. "Death by Laptop," by Sheila Blackford and Reid Trautz, Law Technology News at http://tinyurl.com/ yg9vrs. Selection of mobile security articles at www.absolute. com. Web site of technology lawyer Dennis Kennedy at www.denniskennedy.com. RoboForm password storage at www.roboform.com. Information about password and encryption software for USB ash drives at www.Portableapps.com and www. lexar.com/jumpdrive/index.html.
The most important thing about mobile security is to consider everything in advance and implement a wellthought-out policy. Then training and education are
1. Elizabeth Millard, "US Reports Missing Laptops," Enterprise Security Today (09/25/2006), available at www.enterprise-securityonline.com.
22 The Computer & Internet Lawyer
Volume 24 Number 7 July 2007