Tomorrow (May 4) is World Password Day. World Password Day occurs on the first Thursday of May. It was created by Intel several years ago to raise awareness about the importance of stronger passwords and promote better password habits. Passwords are critical gatekeepers to our (and our clients) digital and business records and identities.
I have preached the need for lawyers to be especially mindful of the need for password protection for years. But too often, I am greeted with the response, “I’m just a small-time lawyer. No one would be interested in anything I have. My stuff is not that important.” In other words, security through obscurity. But it doesn’t work.
It doesn’t work because while the bad guys may not care about the substance of what you have in your files, they do care about the information there. It could be personally identifiable information for clients or others. It undoubtedly includes client confidences. It could be health records protected by HIPPA rules. No matter what it is, you, as a lawyer, have an ethical and legal duty to protect all this information.
All too often, lawyers and legal professionals use weak passwords, like a simple 4-digit number. Often that number is 1234. This doesn’t protect you or your information.
Lawyers also often forget that their mobile devices (smartphones, tablets, even laptops) often have client and private information on them
Lawyers also often forget that their mobile devices (smartphones, tablets, even laptops) often have client and private information on them. Just like any digital information on a desktop in the office, this information may be considered confidential subject to Model Rule 1.6 (duty of confidentiality) and similar state rules. At least one state, New York, believes that even information about a client, like a name and address, is confidential. New York reasons you have to take steps to protect that information on your mobile devices, including making sure that that information is not shared with app that, in turns, shares that information with a human.
A data breach has a real financial impact, particularly if you are shut down.
Satisfying your confidentiality duties starts with good password protection.
It’s not just some pie-in-the-sky ethical issue. It’s also a practical one. If your firm or legal department is breached, you have the duty to notify your clients and take steps to investigate, stop and mitigate the breach. You also have the duty to restore your system so you can adequately represent your client. (For a good discussion of your responsibilities if your system is breached, see ABA Formal Opinion 483). None of them does much for client relations. Think also of the disruption in work that this may cause. A data breach has a real financial impact, particularly if you are shut down.
And, oh, did I mention ransomware? The bad guys may ask you to pay them to get your data back. Weak passwords and a data breach pose a real significant threat to you. You may have breached your ethical obligations. You may lose clients. You may take an indirect financial hit to operations. You may have to pay to get the stuff back. All because you like using 1234 as your password.
What are some good password practices? Here are several, courtesy of the FTC:
• Make your password long, strong, and complex. That means at least twelve characters mixed with uppercase and lowercase letters, numbers, and symbols. Don’t use common words, phrases, or information in your passwords.
• Don’t reuse passwords used on other accounts. Use different passwords for different accounts so that if a hacker compromises one account, he can’t access the other one.
• Use multi-factor authentication when available. Two-factor authentication requires both your password and an additional piece of information to log in. The second piece could be a code sent to your phone or a random number generated by an app or token. This protects you even if your password is compromised.
• Consider a password manager. People have trouble keeping track of all their passwords, so they use a simple one over and over. Store your passwords in a reputable password manager. These managers are easy-to-access applications that store all your password information. I use 1Password. It’s easy to use and has to my knowledge, never been compromised.
• Select security questions only you know the answer to. Many security questions ask for answers to information available in public records or online, like your zip code, mother’s maiden name, and birthplace. That is information a motivated attacker can obtain. Don’t use questions with a limited number of responses that attackers can easily guess. And by the way, if you answer all those surveys posted on Facebook, keep in mind that often, that survey is just a ruse to get answers to your security questions.
• Change passwords immediately if there is a breach. If you receive a notification about a possible breach, change that password. And change any account that uses a similar password.
But you should probably do more than good passwords, at least according to experts in the field.
These suggestions constitute the bare minimum for lawyers to protect their—and their clients’—confidential information ethically. But you should probably do more, at least according to experts in the field.
Ian Leysen, CEO, CSO, and Co-Founder, Datadobi, which specializes in unstructured data management, for example, says, “We cannot rely on passwords alone. From a business perspective, relying solely on passwords to protect critical data is an especially risky proposition. The next step must be to employ data governance policies that designate what constitutes critical data that must be protected.”
Steve Santamaria, CEO of Folio Photonics, a data storage company, adds, “One of the most common ways that cybercriminals gain access to our accounts and information is through weak or easily guessable passwords.”
To truly safeguard our digital assets, we need to employ multiple layers of data protection
But [having strong passwords] is not enough. Hackers are becoming more sophisticated in their tactics, and relying solely on passwords for protection is like leaving your front door unlocked in a high-crime area. To truly safeguard our digital assets, we need to employ multiple layers of data protection. This includes things like two-factor authentication, encryption, and regular system updates.”
Another expert, Don Boxley, CEO and Co-Founder of DH2i, a data maintenance and security mitigation company, cautions, “While creating strong and unique passwords and regularly changing them is critical, passwords must be considered a first-line, not the only-line, of defense.”
If the experts are saying it and you, as a lawyer, know you have highly sensitive data that, by definition, is confidential, you need to do more. That’s your ethical duty, a duty that doesn’t change just because the information is digital.
Security through obscurity? It’s just an illusion.