If you are a Mac-using lawyer, you probably use your laptop, iPhone and iPad both at work and at home. In other words, your business devices do double duty as your personal devices. At ABA TECHSHOW 2016 this month, Tom Lambotte will be speaking at the session “Home-Mac; Work-Mac.” So we asked the Apple IT pro what Mac-using lawyers need to keep in mind when it comes to securing client information. First up, documentation!
Why You Need a Mobile Device Management Policy
Using the same technology at work and home can mean huge benefits for the law firm and user, but it also introduces security concerns. If you are using your personal Mac for firm business, make sure you have the proper policies in place to keep your firm data safe — and ensure you are complying with state, local and ABA rules governing client confidentiality and technology competence.
If your firm doesn’t have a mobile device management (MDM) policy in place, you need to get one.
An MDM policy gives a framework for securing mobile devices, and should be linked to other documentation you have in place to support your firm’s IT and data security policies. An MDM policy not only covers mobile phones and tablets, but also laptops. Common items covered in MDM policies include:
- Password use
- Encryption use (before accessing firm systems or e-mail)
- Document sharing
- Wi-Fi use
- Reporting lost or stolen devices, etc.
The Cobbler’s Child Has No Shoes
Certain personalities tend to excel at providing services to others while neglecting to observe that their immediate ecosystem is in need of said services. Attorneys are in no way exempt from this rule.
The overwhelming majority of the firms I see — typically those with five to 50 users — do not have an MDM policy. And it’s safe to say the vast majority of firms with one to five users do not have one either.
The picture is brighter when you look at larger firms. According to the 2015 ILTA/InsideLegal Technology Purchasing Survey (which skews toward firms of 50-plus), 86 percent of respondents reported they have a formal “mobile device security” policy in place or are establishing one. Of the respondents that don’t have one, 67 percent are from small firms.
Sure, larger firms are more likely to have these policies in place because they have greater resources. But that doesn’t excuse smaller firms — or exempt you from harm. You must have an MDM policy in place, and you must enforce it, no matter the size of your firm. This is not an optional “nice-to-do” thing.
As Jason Gonzalez, practice group leader in charge of privacy and data protection for Nixon Peabody in Los Angeles, told California Lawyer: “It is much more of a concern than it has been in the past. Law firms are soft targets and also very juicy because they have all the good information. If you’re a law firm, the information that’s gotten to you has already been filtered so that all the unimportant stuff is gone and only the important stuff is left.” (“How Law Firms Can Protect Data Security in the BYOD Age”)
I find that the smaller the firm, the higher the level of implicit trust. Trust is important among colleagues, of course, but it often leads to complacency. We all hope nothing bad ever happens to us — that hackers won’t target us, employees will never cross us and our staff will be with us forever. But the more relaxed you are about enforcing policies or updating them to meet new realities, the harder it will be to recover when stressful events happen (and they will).
If a mobile device is lost, or if an employee has to be fired, it’s too late to wonder whether you have the tools in place to secure your clients’ confidential data.
Don’t Put It Off!
Go out and find an MDM policy template that you can grab as soup-starter. You’ll find a few here: IT Manager Daily, MaaS360 and Info-Tech Research Group. Adjust the template to meet the needs of your firm. Once you’re happy with it, set up a meeting with your staff (even if it’s just two of you), review the policy and have everyone sign it.
That’s one security concern covered.
In Part Two, I’ll cover why you need full disk encryption for your computer.
Apple at Law Survey Highlights
Attorney at Work’s Apple at Law User Survey results are available here.