Send Document, Get Breached? Tightening Security in Document Exchanges

By | Sep.18.12 | Cloud Computing, Daily Dispatch, Document Management, Legal Technology

Exchanging documents with clients and outside counsel used to be a fairly mundane, straightforward endeavor. Attach the document to an email and send it off. Or, to deliver a large volume of documents or documents of a very large size, just burn a CD or thumb drive and send it via overnight delivery. However, what used to be a simple process is now fraught with complexity and potentially serious consequences for you and your firm. Data privacy regulations with severe penalties for breach of confidential client data have upped the ante—plus, there’s the very real threat to law firms of cyber-attacks targeting individual attorneys within the firm.

How to Secure Document Exchanges

As an attorney, you are responsible to your clients for protecting the confidentiality of their data. The following best practices can help you tighten the security of your document exchange practices and guard against the threat of unauthorized access to sensitive data.

  1. Protect your email transmissions. Sending client and matter documents by regular email is an open invitation to a data breach. Foreign hackers recently penetrated several law firms’ network firewalls and stole emails from attorneys involved in trade litigation. An equal risk is unauthorized interception of emails as they traverse the Internet. Law firm IT departments are deploying several different technologies to secure email transmission and storage. Secure file-transfer systems include Outlook add-ins that let the sender redirect the email and attachments as a “secure delivery.” The email contents are encrypted, uploaded and stored on an on-premises server. Recipients receive an email notification with a link and can securely download the email contents once they have been successfully authenticated. Some secure file-transfer systems allow the recipients to reply to the sending attorney. An important side benefit is that deliveries can be tracked automatically for non-repudiation of receipt.
  2. Beware of hosted file-sharing services. A variety of online sites allow lawyers to upload files and share them with other parties in the cloud. The big risk here is the level of security imposed at the service provider’s data centers. Uploads and downloads may not be encrypted. Data may not be encrypted on the provider’s servers. The provider’s employees may have access to the data. Most importantly, the provider may not have adequate user-authentication measures to protect against unauthorized access. Some state bar associations, recognizing the risk of the growing use of file-sharing services, have issued guidelines that include requiring the attorney to exercise due diligence to ensure the service is deploying sufficient security controls, and to gain client permission. Bottom line: Only use file-sharing services that have been thoroughly vetted and sanctioned by your firm’s IT department or a trusted consultant.
  3. Protect your fax deliveries. The traditional method of sending faxes has obvious security implications. Today, however, most faxes are sent electronically: traditional faxes are converted into an electronic format that can be accessed via a website service or received as an email attachment. Most law firms use a hosted service for electronic faxing, meaning you pay a third-party service provider to convert your faxes to files. The concern here is that many of these services deliver the fax unencrypted over unsecured networks. This raises the same security concerns as delivering documents via unsecured email. If you are considering a hosted fax service, check to make sure that the service encrypts transfers.

While law firm IT can make sophisticated security systems available to lawyers, ultimately you are responsible for protecting clients’ data and documents. Being aware of the potential risks every time you exchange sensitive data, whether physical or electronic, will significantly reduce the chances of data breaches.

Charlie Magliato, legal program director for Biscom, is a seasoned IT professional with more than 30 years of experience in application development, IT project management, business development, and channel and direct sales. 

3 Responses to “Send Document, Get Breached? Tightening Security in Document Exchanges”

  1. Kenneth Hoffman
    18 September 2012 at 7:19 am

    My firm uses a client portal from that encrypts our data while in-transit and at rest. In the past I have used, but our clients prefer

  2. Joshua Stein
    18 September 2012 at 9:26 am

    I would be interested in knowing how many users of cloud-based hosted services have actually suffered breach of confidential information as a result of using cloud-based hosted services. To the extent any such breaches occurred, what were the specific facts and circumstances? Did an electronic intruder actually breach the cloud or a transmission, or was it user error or local error of some kind? I’m just asking.

  3. Adam Carlson
    19 September 2012 at 11:51 am

    I was told during my time there (but was not actually a part of the response) that some Dropbox users at Berkeley were notified by Dropbox that their accounts may have been accessed during the Dropbox authentication issue in 2011. While it was a small number of accounts overall who had their data accessed inappropriately, it did happen to some.

    The passwords stolen from LinkedIn, Yahoo!, and Blizzard have all been used to try to access individual user accounts so there is real evidence that attackers not only steal data but then also use that data maliciously.

    The problem is often not with “the cloud” per se but the fact that cloud services often take shape as web applications. Web application security is currently a terrible problem and affects both cloud-based and non-cloud-based applications. Cloud computing is just another technical tool which must be designed and used securely or it will continue to face the same security problems as every computing platform.