Hidden breaches: Safeguarding client data on lawyers' mobile devices
Your mobile strategy should be based on how lawyers actually use their devices rather than how you think they should, warns Stephen Brown
BYOD, COPE and COBO - are these the last four tiles on my Scrabble rack or part of your firm's mobile strategy? Just as a good game of Scrabble can generate a 'healthy debate' about what is correct, choosing a suitable mobile strategy will generate significant debate within your firm. Issues to consider will include data security, productivity, Android, Apple, Microsoft, Blackberry, the cloud, backups, personal data, policies, access only and native. As you determine your mobile strategy, all of these words will become very familiar to you.
Let's define the three main strategies that exist when considering a mobile deployment.
- Bring your own device (BYOD). Staff own their devices. Their devices can connect to corporate resources and consume and possibly store corporate data. Their devices will be used for personal purposes and will store personal data.
- Corporate-owned personal enabled (COPE). The firm owns, manages and supports the devices. The devices can connect to firm resources and consume and usually store corporate data. Staff are allowed to store personal apps and data on the devices.
- Corporate-owned business only (COBO). The firm owns, manages and supports the devices. The devices can connect to firm resources, consume and store corporate data. However, usage of the devices is restricted to prevent personal use, apps or data.
The best strategy for your law firm is dependent on its risk appetite, client demographic and technical capabilities.
A good strategy will:
- enable productivity;
- increase staff engagement;
- be aligned with your security requirements; and
- join up policies, procedures, staff and technical solutions.
The Solicitors Regulation Authority (SRA) has identified BYOD practices as a risk to UK law firms. What steps can a law firm take to reduce the risks associated with mobile strategies?
Policy framework
The starting point for any firm embarking on a mobile strategy is to ensure it has the correct policies in place. You will undoubtedly have numerous policies that safeguard traditional areas of use and there will be an overlap in the treatment of smartphones and tablets. But, have you kept your existing policies up-to-date to deal with new technologies and working practices? Consider the following.
- A policy might state that a member of staff cannot install software or updates onto company hardware without explicit approval. But, how would members of staff install apps on their smartphones? Would they need to contact or visit your IT department every single time they want to download an app? What would that mean for your IT team's ability to conduct their day-to-day work?
- Your firm might block social media interactions via company resources. But, what happens when a smartphone's apps automatically update to include social media communication?
- Your firm may think it has the highest security option in place for clients with COBO. But, what happens when users connect their devices to unsecured wifi networks and then remotely access client files? How secure is your system then?
Ensure you follow the principles of good data handling - the Information Commissioner's Office (ICO) provides clear guidance for firms which support mobile working.[1] The ICO requires that auditing and ongoing monitoring are performed to ensure policies are being adhered to.
Smartphones and tablets feature heavily in most people's lives - we all know that we can take a photo and share it with the world. In such a heavily-regulated industry as the legal industry, we need to increase awareness among lawyers of just what risks are involved with such great technology. As with most areas in life, it is not good practice to simply bring personal habits into the working environment.
Technical measures
It is important for your firm to invest in the appropriate technical measures to support a mobile strategy. Setting up connections from mobile devices to corporate systems is relatively straightforward, but what is more important is ensuring those connections are made in a secure and controlled manner.
A mobile device management (MDM) system is a prerequisite for any mobile deployment. MDM allows your firm to not only control the device, but also the applications and data on that device.
When considering an MDM system for your firm, you should consider:
- What types of devices will your lawyers be using?
- Which application ecosystems (app stores) will be used?
- How will you segregate firm and personal data?
- How will devices be backed up?
- Is it possible to 'copy and paste' or to use 'open in' to transfer files from secure managed applications to insecure applications?
- Does your mobile strategy include both phones and tablets?
- Do you need your own app store for staff?
- How will you support and configure devices or apps?
It is important to design any technical solution whilst considering how lawyers interact with their mobile devices. DO NOT design your solution based on how you think lawyers will use their mobile devices. Instead, observe how they use their mobiles while in the office and while out and about - trends catch on really quickly.
For example, certain digital dictation apps allow lawyers to take pictures and attach them to a submission to a firm secretary or outsourced transcription service. What happens if a photo of confidential information is accidentally attached?
If you think your lawyers wouldn't take photos of confidential client information, consider this scenario: a partner has been in a long meeting where a whiteboard was used to define a client's strategy in a contentious case; he takes a photo for his records before rushing off to his next meeting. Or, a junior associate has been told to urgently complete client due diligence, but the photocopier has a very long queue and the client needs to catch a flight, so he takes a photo of the client's passport instead.
What happens to those photos after they are taken? Do you allow users' devices or apps to take, back up, share or access photos? Do you allow photos to be automatically stored in a user's cloud? How much control do you have over the security and access protocols for a user's cloud? What if a user has given 'password1' as the password for his cloud? Can you confidently answer 'where has the data from the phone or tablet gone and who could access it'?
Lawyer engagement
To gain acceptance of any new policies and procedures, you will need to train your lawyers on best practice and to highlight how they can become more productive. Talking them through the processes and explaining the potential consequences will ensure lawyers embrace the required changes to their devices. Reassure them that you are not interested in their personal data and let them know what will happen if you collect it by accident.
It is important to discuss issues like device location tracking. Depending on your deployment, are your lawyers now capable of being tracked? If so, have you considered the implications to their right to privacy?
Finally, have you planned for that incident? An employee has lost his device - perhaps in the early hours of Saturday morning. What process should be followed when your IT helpdesk is closed until Monday and he cannot remember how to wipe his device?
As part of our firm's deployment, we set up a 24/7 telephone line so that, in such scenarios, devices can be wiped immediately. We provided this information on a card similar to a credit card that could be kept in a wallet or purse at all times.
Changing times
Today, there are more smartphones than toothbrushes in the world. There are in excess of a million apps that can be installed in just a few clicks, with cloud backups of digital photos and files capable of being created almost instantly.
This is one of the fastest areas of growth in technology. An employee could be forgiven for underestimating the potential security problems associated with the speed of change in this area.
It is imperative that your firm has robust procedures which are constantly updated to reflect new technologies, changing attitudes and client expectations.
Stephen Brown is IT Director at Higgs & Sons (https://higgsandsons.co.uk)
Endnote
1. See Bring your own device (BYOD), Information Commissioner's Office, March 2013