October 4, 2017

Don't Be the Next Headline

On October 1, 2017, on the heels of the huge Equifax security breach, The Dispatch printed a story about a common e-mail scam that resulted in a $216,000 loss to a local couple after the sale of their residence.

Barron Henley of Affinity Consulting Group was asked for his input to help lawyers and law firms avoid making a similar mistake. Aside from carefully reading the e-mail address to verify accuracy, followed by making personal contact with the actual client/ostensible sender to verify content, his recommendations are:

  1. Email Encryption: Email encryption should be used any time the content or attachments could be considered sensitive by the client. Affinity recommends www.protectedtrust.com or www.rmail.com. If you don’t think this is necessary, then read Ohio Rule of Professional Conduct 1.6(c) and Rule 1.6 Comments 18 and 19. Remember that lawyers are not qualified to ascertain the sensitivity of client data (only clients can designate data as sensitive or not), nor the likelihood of disclosure (unless you’re a digital security expert). Further, if any lawyer feels it is too expensive or difficult to protect a client’s electronic data, then they shouldn’t have possession of it in the first place.

  2. Device Encryption: Any notebook PC, tablet or phone that contains or has access to client data should be encrypted. With phones (Android and iOS) and tablets (Android and iOS), encryption software is included for free, but it must be enabled. Windows 7, 8, 8.1 or 10 Pro includes BitLocker encryption software for free. Macs include FileVault encryption for free. If you are using a PC (Windows or Mac) that doesn’t include encryption software, then consider something like SecuriKey.

  3. WiFi Encryption: If you’re using any public WiFi connection when dealing with confidential client information (including email), then you should be encrypting your WiFi connection with a Virtual Private Network (“VPN”) service. To understand the risk here, see "Here's what an eavesdropper sees when you use an unsecured Wi-Fi hotspot" by Eric Geier, 6/28/13 and "What Is A Packet Sniffer?" by Andy O'Donnell, 12/15/14. For an interesting discussion of this in the legal arena, see the now famous California Formal Opinion No. 2010-179 which states:
    "With regard to the use of a public wireless connection, the Committee believes that, due to the lack of security features provided in most public wireless access locations, Attorney risks violating his duties of confidentiality and competence in using the wireless connection at the coffee shop to work on Client's matter unless he takes appropriate precautions, such as using a combination of file encryption, encryption of wireless transmissions and a personal firewall. Depending on the sensitivity of the matter, Attorney may need to avoid using the public wireless connection entirely or notify Client of possible risks attendant to his use of the public wireless connection, including potential disclosure of confidential information and possible waiver of attorney-client privilege or work product protections, and seek her informed consent to do so."
    How to Protect Yourself:
    1. Cellphone WiFi Hotspot: Rather than connecting to the public WiFi wherever you are, consider using a cellular hotspot or MiFi. Properly configured, these connections are a secure way to connect your notebook or tablet to the Internet via the phone hotspot.

    2. Consumer VPN Services: There are many services that allow you to create a Virtual Private Network connection even though you're using a public and otherwise unsecured WiFi connection. "In the simplest terms, a VPN creates a secure, encrypted connection between your computer and the VPN's server. This tunnel makes you part of the company's network as if you are physically sitting in the office, hence the name. While connected to the VPN, all your network traffic passes through this protected tunnel, and no one in between can see what you are up to. A consumer VPN service does the same thing, but extends that protection to the public." Here are some options for this. Hide My Ass (pardon the rude name) is the program Affinity recommends.
      1. Hide My Ass: https://www.hidemyass.com/
      2. Private Internet Access: https://www.privateinternetaccess.com/
      3. IPVanish: https://www.ipvanish.com/
      4. PureVPN: https://www.purevpn.com/
      5. Cloak (Mac only): https://www.getcloak.com/
      6. CyberGhost: http://www.cyberghostvpn.com/en_us
      7. VyprVPN: https://www.goldenfrog.com/vyprvpn
      8. NordVPN: https://nordvpn.com/
      9. Hotspot Shield Elite: https://hsselite.com/
      10. Spotflux Premium: http://spotflux.com/
  4. Two Factor Authentication: This is also known as 2FA or multi-factor authentication.
    1. What Is Two Factor Authentication? Here's a good definition.
      "Two-factor authentication (2FA), often referred to as two-step verification, is a security process in which the user provides two authentication factors to verify they are who they say they are. 2FA can be contrasted with single-factor authentication (SFA), a security process in which the user provides only one factor -- typically a password.

      Two-factor authentication provides an additional layer of security and makes it harder for attackers to gain access to a person's devices and online accounts, because knowing the victim's password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data, and online services are increasingly introducing 2FA to prevent their users' data from being accessed by hackers who have stolen a password database or used phishing campaigns to obtain users' passwords.

      The ways in which someone can be authenticated usually fall into three categories known as the factors of authentication, which include:
      1. Knowledge factors -- something the user knows, such as a password, PIN or shared secret.
      2. Possession factors -- something the user has, such as an ID card, security token or a smartphone.
      3. Inherence factors, more commonly called biometrics -- something the user is. These may be personal attributes mapped from physical characteristics, such as fingerprints, face and voice. It also includes behavioral biometrics, such as keystroke dynamics, gait or speech patterns." (See http://searchsecurity.techtarget.com/definition/two-factor-authentication)
    2. How Do You Get 2FA? For critical services you access online, check to see if they offer any type of 2FA. Keep in mind that 2FA is ANNOYING, but better security is almost always more annoying. If you want to protect yourself well, be prepared to be slightly annoyed. Anyway, here are some 2FA ideas:
      1. Your bank probably offers it.
      2. Your email account probably offers it.
      3. Your file sharing service probably offers it.
      4. Your case management system probably offers it.
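
To make the definition above concrete, here is an added example (written for this article, not code from Affinity, TechTarget or any 2FA product) of the check a service performs when both a knowledge factor and a possession factor are required. The one-time code is the RFC 6238 time-based password (TOTP) that smartphone authenticator apps generate; the PBKDF2 password hashing, the `Account` class and the demo secret and password are assumptions constructed for the example. The point it shows is that a stolen password by itself does not get past `login`.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: store only a salted PBKDF2 hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Possession factor: RFC 6238 time-based one-time password (HMAC-SHA1).

    The authenticator app holds the same secret and computes the same code,
    so a correct code proves the user has the enrolled phone right now.
    """
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


class Account:
    """Hypothetical user record, constructed for this example."""

    def __init__(self, password: str, totp_secret: bytes) -> None:
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        # Shared with the authenticator app once, at enrolment (QR code).
        self.totp_secret = totp_secret


def login(account: Account, password: str, code: str, now=None, step: int = 30) -> bool:
    """Both factors must pass; a stolen password alone is rejected."""
    now = int(time.time()) if now is None else now
    if not hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        return False  # knowledge factor failed
    # Accept the current code and one step either side to tolerate clock skew.
    for drift in (-1, 0, 1):
        expected = totp(account.totp_secret, now + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False  # possession factor failed


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret, so codes match the RFC's vectors.
    acct = Account("correct horse battery staple", b"12345678901234567890")
    good_code = totp(acct.totp_secret, 59)
    print(login(acct, "correct horse battery staple", good_code, now=59))  # True: both factors
    print(login(acct, "correct horse battery staple", "000000", now=59))   # False: password alone
    print(login(acct, "wrong password", good_code, now=59))                # False: phone alone
```

Two details matter for a real deployment beyond what the snippet shows: the secret must be stored as carefully as the password hash, and each code should be accepted only once per time step so that a code observed over the shoulder cannot be replayed within the window.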

  5. Password Managers: Lawyers and other professionals who have a duty of confidentiality should use a password manager. A password manager is a program that helps one store, create and organize passwords (and logons, websites, etc.).
    1. Why You Need A Password Manager: First, it's part of your estate plan. Second, it's a place to keep logons, websites, account numbers and passwords all in one place. Barron uses Dashlane. Dashlane will generate and store strong passwords for you (so you don't have to make them up). It will also let you know if your passwords are weak and recommend that you change them. It tells you how many different websites you’re using the same password for (it's not recommended that you use the same password for everything). It also lets you know if there are any reported security breaches for any of the websites it holds passwords for and recommends that you change them. Finally, it will hold all of your credit card information, secure notes about anything you want and personal information like your driver's license, passport, kids’ social security numbers, etc.

    2. Good Options: Top rated password managers include the following (and I strongly recommend the versions you have to pay for - almost all offer a free version that is missing features):
      1. Dashlane - https://www.dashlane.com/
      2. LastPass - https://www.lastpass.com/
      3. Sticky Password - https://www.stickypassword.com/
      4. LogMeOnce - https://www.logmeonce.com/
      5. TrueKey - https://www.truekey.com
      6. RoboForm - https://www.roboform.com/
      7. Keeper Desktop - https://keepersecurity.com/
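
As an added illustration of three of the functions described under item 1 above (generating strong passwords, flagging weak ones, and reporting which sites share a password), here is example code written for this article; it is not Dashlane's code or any listed product's. The vault contents, site names and the strength threshold are constructed assumptions, and the entropy estimate is deliberately simple.

```python
import math
import secrets
import string
from collections import defaultdict

# Character pool for generated passwords: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Generate a random password with the OS CSPRNG (secrets), never random.random()."""
    if length < 12:
        raise ValueError("generated passwords should be at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Rough strength estimate: length x log2(size of the character classes used).

    This overrates dictionary words and dates (real managers also check word
    lists and breach data), but it is enough to flag short or single-class
    passwords.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def weak_entries(vault, min_bits: float = 60.0):
    """Sites whose stored password falls below the strength threshold (assumed 60 bits)."""
    return [site for site, _user, pw in vault if entropy_bits(pw) < min_bits]


def reused_passwords(vault):
    """Map each password used on more than one site to the list of those sites."""
    sites_by_password = defaultdict(list)
    for site, _user, pw in vault:
        sites_by_password[pw].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


# Constructed demo vault of (site, username, password) entries; not real accounts.
DEMO_VAULT = [
    ("bank.example", "alice", "password1"),
    ("mail.example", "alice", "password1"),
    ("files.example", "alice", "qwerty"),
    ("cases.example", "alice", "H7$kq2!vRz9@LmP4wXe&"),
]

if __name__ == "__main__":
    print("weak:", weak_entries(DEMO_VAULT))          # bank, mail and files
    print("reused:", reused_passwords(DEMO_VAULT))    # password1 on bank and mail
    print("replacement:", generate_password())        # a fresh 20-character password
```

The reuse report is the part worth acting on first: when one site in that list is breached, every other site sharing the password is exposed, which is exactly the situation the breach notifications in a real manager are warning about.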

Remember, while these recommendations are just a start, they are a significant step toward safeguarding data in the age of cybercrime.

Learn More

Technology competence is the subject of this year's Chester Professionalism Institute. Get practical tech tips that you can put to use in your daily practice.

6.0 CLE Hours, $175
Lunch and reception included