Send Document, Get Breached? Tightening Security in Document Exchanges
Exchanging documents with clients and outside counsel used to be a fairly mundane, straightforward endeavor. Attach the document to an email and send it off. Or, to deliver a large volume of documents or documents of a very large size, just burn a CD or thumb drive and send it via overnight delivery. However, what used to be a simple process is now fraught with complexity and potentially serious consequences for you and your firm. Data privacy regulations with severe penalties for breach of confidential client data have upped the ante—plus, there’s the very real threat to law firms of cyber-attacks targeting individual attorneys within the firm.
How to Secure Document Exchanges
As an attorney, you are responsible to your clients for protecting the confidentiality of their data. The following best practices can help you tighten the security of your document exchange practices and guard against the threat of unauthorized access to sensitive data.
- Protect your email transmissions. Sending client and matter documents by regular email is an open invitation to a data breach. Foreign hackers recently penetrated several law firms’ network firewalls and stole emails from attorneys involved in trade litigation. Of equal risk is the potential for unauthorized interception of emails as they traverse the Internet. Law firm IT departments are deploying several different technologies to secure email transmission and storage. Secure file-transfer systems include Outlook add-ins that let the sender redirect the email and attachments as a “secure delivery.” The email contents are encrypted, uploaded and stored on an on-premises server. Recipients receive an email notification with a link to securely download the email contents after the recipients have been successfully authenticated. Some secure file-transfer systems allow the recipients to reply to the sending attorney. An important side benefit is that deliveries can be tracked automatically for non-repudiation of receipt.
- Beware of hosted file-sharing services. A variety of online sites allow lawyers to upload files and share them with other parties in the cloud. The big risk here is the level of security imposed at the service provider’s data centers. Uploads and downloads may not be encrypted. Data may not be encrypted on the provider’s servers. The provider’s employees may have access to the data. Most importantly, the provider may not have adequate user-authentication measures to protect against unauthorized access. Some state bar associations, recognizing the risk of the growing use of file-sharing services, have issued guidelines that include requiring the attorney to exercise due diligence to ensure the service is deploying sufficient security controls, and to gain client permission. Bottom line: Only use file-sharing services that have been thoroughly vetted and sanctioned by your firm’s IT department or a trusted consultant.
- Protect your fax deliveries. The traditional method of sending faxes has obvious security implications. Today, however, most faxes are sent electronically—traditional faxes are converted into an electronic format that can be accessed via a website service or received as an email attachment. Most law firms use a hosted service for electronic faxing, meaning you pay a third-party service provider to convert your faxes to files. The concern here is that many of these services deliver the fax unencrypted over unsecured networks. This raises the same security concerns as delivering documents via unsecured email. If you are considering a hosted fax service, check to make sure that the service encrypts transfers.
While law firm IT can make sophisticated security systems available to lawyers, ultimately you are responsible for protecting clients’ data and documents. Being aware of the potential risks every time you exchange sensitive data, whether physical or electronic, will significantly minimize the chances of data breaches.
Charlie Magliato, legal program director for Biscom, is a seasoned IT professional with more than 30 years of experience in application development, IT project management, business development, and channel and direct sales.