The Young Lawyers Section of the State Bar of Michigan, chaired by Mark Jane, held an excellent summit on June 4, 2016. A few of the participants had attended the State Bar presentation of programs and services the prior evening and remarked effusively on how impressed they were with the many offerings. In turn, I was impressed with not only the substance of the presentations at the summit, but also the materials offered by other sections in the exhibit area outside the main meeting room. Specifically, the Information Technology Law Section, chaired this year by Susanna Brennan of General Motors, provided many helpful pamphlets and brochures about the protection of privacy. I thought it might be helpful to share some of the information in those materials with you.
The Federal Trade Commission publishes a booklet called, "Start with Security, a Guide for Business." It includes these tips:
- Gather only what personal information you need. No one can steal what you don't have. To that end, properly dispose of what you no longer need as soon as you no longer need it. And dispose of information securely (shred it, burn it, or pulverize it).
- Protect the information you keep. Not all employees need unrestricted access to all information in your files; passwords must be complex, unique and not duplicated; use strong cryptography to secure confidential material during transmission; use firewalls to segment your network; use intrusion detection and prevention tools; and remember that your network security is only as strong as the weakest security on a computer with remote access to the network. Protection of information also applies to paper and computer hardware. Never leave a computer in a car, even if the car is locked. When mailing drives and disks, use a method that lets you track where the package is.
- Create a plan to respond to security incidents.
Another FTC publication provided by the IT Law Section talks about protecting children's identities to prevent the use of a minor's personal information to commit fraud. These tips seem particularly on-point for probate and estate planning attorneys and domestic relations attorneys to share with their clients:
- Don't send documents, including children's birth dates or social security numbers, through an unsecured wireless connection.
- Lock up all documents showing children's personal information.
- Inquire at school about who has access to the student's personal information.
- The need to have strong passwords also applies to children.
- Posting identifying information on social media makes it easy to guess account passwords. Don't do it.
- Check children's credit reports as often as can be done for free to see if their identities are being used fraudulently.
More tips, these from a booklet called, "Net Cetera" published by OnGuardOnline.gov:
- Before using a public Wi-Fi network, make sure it asks you to provide a WPA or WPA2 password. If it doesn't ask for a password, don't use that network to sign in to accounts or send personal information.
- Most Wi-Fi hot spots do not use encryption: check to be sure yours does.
- Log out of websites as soon as you are done using them.
- If a website doesn't start with https (the "s" stands for "secure"), don't use it.
- Forward phishing scams (texts, emails or pop-up messages that get people to share their personal and financial information) to firstname.lastname@example.org.
And yet a few more tips, from the State Bar of Michigan Practice Management Resource Center: Lawyers can arm themselves against cyber-attacks by educating themselves about some of the top threats targeting law firms:
- Be on the lookout for spear phishing emails, which are malicious messages sent to specific individuals and made to appear legitimate. They use message attachments that, when clicked on, infect their targets with malware and steal information.
- Ransomware encrypts a victim’s files, after which it attempts to sell the victim the key to unlock their own data. It’s either pay the extortion fee or lose access to any files that were not backed up.
- Hacktivism is the act of hacking or breaking into a computer system. The individual who performs an act of hacktivism is said to be a hacktivist. Groups of hacktivists, such as Anonymous, target law firms involved in controversial cases for inside information.
- Employee information is also sought by unauthorized parties, targeting tax information, social security numbers, and even passport information.
If this blog has your palms feeling sweaty, consider having a cyber-security audit done at your firm.
Lori is a shareholder at Nichols, Sacks, Slank, Sendelbach, Buiteweg, & Solomon, P.C.