By now almost everyone is familiar with the “Bring Your Own Device,” or BYOD, trend, meaning the proliferation of lawyer- and staff-owned personal mobile devices used for firm business. But apart from being the latest buzzword, BYOD has distinct security implications for law firms. Let’s look at how the profession’s use of technology has evolved over the past couple of decades to pinpoint security gaps and best practices.
Catching Up with Technology on the Go
Prior to the 1990s, the only access to firm data was via PC workstations on the lawyers’ desks. By the mid-1990s, laptops and Internet access allowed lawyers to realize mobility with remotely accessed, centrally managed legal applications and data. However, these early devices were typically firm-supplied and came with stringent personal use policies and controls—laptop data encryption, enforcement of user authentication and restrictions on the installation of personal applications.
True mobility came in the late 1990s, when Research in Motion introduced a pager-sized device with a tiny keyboard and an eight-line LCD display that allowed access to firm email. But, again, these were typically employer-controlled devices: strong security measures, no Internet access and no use of personal applications.
The world of mobility changed with Apple’s first iPhone. Today, mobile device users demand the convenience of using one device for both business email and access to firm data and for personal activities—including access to personal email and the exponentially growing number of personal apps. And they’re expecting the law firm to support their devices—whether an iPhone, an iPad or the various Android and Microsoft mobile devices.
The Good and the Bad
In many ways BYOD is a net positive, allowing faster responses to client demands for document review and exchange, remote accessibility to document and case management systems, and greater flexibility to work remotely and better accommodate lawyers’ and clients’ schedules.
Along with these benefits, however, comes the challenge for the law firm of supporting a wide range of personal mobile devices with competing operating systems and security environments. Of even greater consequence is the risk of breaches of confidential client data. In fact, one of the biggest challenges facing legal IT is personal applications accessing firm data, such as Dropbox-style transfer tools used to synchronize client data across everyone’s mobile devices. Legal IT must provision mobile devices with technology that allows client data accessed on the devices via email, legal applications or document repositories to be downloaded and stored securely and in encrypted form. The legal and financial consequences of a data breach can be profound for a law firm.
Creating Your Policy
Protecting confidential client data on mobile devices requires close cooperation between a law firm’s IT professionals, attorneys and staff. Whether you’re in a firm with a few lawyers or several hundred, here are some best practices to consider in your mobile device deployment and security program.
- Compliance starts at the top. General counsel and managing partners must set a firm policy on protecting client data and reinforce the need to be cognizant of the potential risk each time mobile devices are used to access firm data.
- All personal mobile devices that will be accessing firm data and applications should be registered with the firm’s IT department, to make certain the devices can support and meet minimum security requirements, including scanning all downloaded documents for viruses, requiring the user to sign in on the device with a user ID and password, and automatically encrypting all data and documents on the device.
- Legal IT must have the ability to centrally provide firm-authorized and supported apps—including auto-upload and install—to registered employee mobile devices, eliminating the need for lawyers to access third-party stores.
- Legal IT should be able to remotely monitor mobile devices to identify activities that may contribute to potential breaches, including accessing unsecured wireless connections or unintentionally downloading malicious software.
Smart Users Are Safe Users
Most data breaches are caused by human error and negligence. Even the most sophisticated security technology will be compromised without the full understanding and support of legal professionals, support that a formal education program covering mobile device best practices and firm usage policies helps to secure. Training should focus on:
- The dangers of unsanctioned personal apps and file-sharing services used to synchronize firm data to mobile devices
- A process for registering personal mobile devices
- Approaches for creating strong passwords
- Actions to take in the event of lost or stolen devices
The bottom line: A solid BYOD usage policy, as well as comprehensive training, should provide unambiguous guidance and focus on meeting security requirements.
Charles Magliato, Legal Program Director for Biscom, has more than 30 years of information technology industry experience, including application development, project management, business development, product marketing and channel and direct sales. He has more than five years of experience working with setting marketing and product direction strategies for managed and secure file-transfer applications. As Biscom’s Legal Program Director, Charles is responsible for legal industry marketing and sales for Biscom’s secure document delivery product line. He can be contacted at firstname.lastname@example.org.