Peer to Peer Magazine

September 2012

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/80353

The App That Knew Too Much

Many a lawyer frequents one of my favorite hotel bars in Shanghai for happy hour. Afterward, you used to find some of them in the hotel's business center. There was no reason to lug around a laptop when they had high-speed access right there. Unfortunately for them, I was there too one day, and I looked just like them...

Our Story of Loss Begins

Earlier that day, I installed tiny webcams on the monitor stand — one pointed directly at the keyboard and another pointed at the monitor. Simply put, I was able to penetrate the internal network of every visitor. It did not matter if they had two-factor authentication, VPN, Web access or Citrix access. Their private documents and correspondence were mine.

Thanks to the iPad, the hotel's business center has fewer visitors these days. But as you might expect, that is not the end of the story, as new technology brings new opportunities for exploitation.

My first attempt was to hand out funny hats with hidden webcams at happy hour. I got a few hits that way, but it was more for the laugh. That made me think, what else would work? I can do some high-tech wireless sniffing, but I can no longer bank on ignorance, snooping around business centers looking for scraps left behind and engineering simple attacks like video recording. This is a good thing for anyone involved in securing private data from the likes of me.

Education Provides a Holy Grail

Okay, well not really me. I'm actually a law firm CIO who reads too many crime novels. "The Girl with the Dragon Tattoo" gets my highest recommendation for those who do not understand what goes into securing data. During the story, readers see that in every case, simple social engineering and eavesdropping are Lisbeth Salander's power tools.

Let's be honest — don't all these iThings and apps make it more likely for private data to be compromised? Yes, but we have had our data "out there" since we allowed any form of remote access.
We must continue to provide reasonable security measures that don't inhibit productivity. Relying on policies could be considered a cop-out for the extremely security-conscious, but until all the security holes are patched (i.e., never), education and awareness are our best bets.

There's no use embellishing on the value of policies we can enforce using technology: complex passwords, locking devices and wiping them clean. The most important job we have is to drive into the psyche of each and every employee that:

• There are places on the Internet where they are prohibited from storing work product
• If work product might have been exposed, they need to report it immediately

That second policy is the closest thing we in IT have to a Holy Grail.

Scare Tactics Go Only So Far

According to various counsel I have asked over the years, unless the data are bound to specific access and storage requirements agreed upon by all parties, most charges of negligence with respect to a mobile device, from a floppy disk to an iPhone, being compromised and subsequent attorney-client data being exposed would be dismissed if the party or parties involved made immediate and best efforts to recover from the loss. In practical terms, this means the loser must report the details of the loss to IT, at which point IT, and other departments if necessary, follow procedures to minimize the impact of the loss.

With the right technology and policies in place, my (and your) challenge remains the same as it has always been — finding the right balance of information security and trust with my users. For every Luddite turned zealot who is interested in being more e-literate, there is the zealot turned rogue, fooled into a false sense of security by advertisers.

The hacker community is helping me scare some into submission; the cloud companies, too.
Dropbox temporarily disabling authentication, Google and Microsoft going down for a bit, the MegaUpload takedown, personal data stolen from most banks: These facts of life are there for the picking. It should give anyone pause. No matter how sensational the event, however, we will be lulled back into complacency. Scare tactics have a short shelf life.

I have been dabbling in advertising recently. With no budget and no precedent, I took a step beyond the ubiquitous email announcement of new and improved IT services with an Xtranormal cartoon. I told the story of how a new product improves the work habits of a partner. I didn't win an award, but I did get reactions, which means it was watched. I followed it up with a series of cartoons about gadgets and being mobile. Security best practices are in the pipeline.

My recent security media blitz found the addition of memes to my communications arsenal. My cartoon's characters — Lawyer Dog and Koala — help me drive my message home: Keep our data secure, and keep us in the loop if anything changes.

Love for Analysis Apps

Law firm IT departments are proficient at controlling data and the computing environment enough to ensure high availability and adequate security. The often-mobile nature of attorneys' work has allowed for remote and fairly ubiquitous access to their data and applications. Their use of iOS and Android apps is changing this. Their data and applications now commingle with ours, and we no longer "own" their productivity suite. Little beyond the imagination

A Tale of Loss, Love and Protection
