
The Biggest Security Vulnerability for Law Firms

For some odd reason, North Carolina is at the epicenter of the debate regarding the ethics of cloud computing. There’s an opinion in the comment period now awaiting final approval.

The concern with the cloud is security. Will client data be safe?

The answer is, of course, that our client data won’t be safe.

Why? Because most law firms let lawyers pick their own passwords.

What do they pick?

Randolph21 (or something like that). They use it on every site they visit.

When the system forces them to change their password, they change it to Randolph22.

Then Randolph23.

It’s genius.

You can build the most amazingly secure system on the planet, but if you leave it up to Randolph to set the password, then the game is OVER.

Of course, this isn’t just a problem for the cloud. It’s the same issue for the system in your office if it’s accessible from outside (and inside if someone decides to break in). If you’re using a remote desktop of any variety, you’re opening up the door if you don’t have decent passwords.

My preferred approach is to use software that remembers my passwords for me and is itself password protected. I’m using LastPass. I use 18-character passwords containing uppercase and lowercase letters, numbers, and symbols. It’s easy to use, and it works on my computer and phone.

If you’re really worried about protecting your client’s data, then start with the basics.

Do you hear me, Randolph?

  • Anonymous

    Certainly, state bar associations and practitioners should be mindful of “good computer security” practices like passwords, but the level of concern sometimes seems overblown as far as law firms per se being a big security target.

    A secure client portal or extranet or typical law firm server with an internet connection is not some kind of “honeypot” for cybercriminals from the Russian mafia or Nigeria or even hackers. Most cybercrime striking attorneys seems to be the very low tech phishing attacks by someone who wants you to deposit a phony check and wire them the proceeds.

    So, while the concerns for security are laudable, most people are comfortable with using logins to do online banking, management of their investments and buy merchandise by mail order and are aware of the needs for strong passwords and not using the same password for their bank account that they do for Facebook. But the threat of phishing and account hacking is much higher to their “throwaway” Yahoo and Gmail addresses and bank accounts than it is in any kind of thing you could find on a law firm server.

    (I am a victim to this, sad to say, and it taught me the lesson of having different strong passwords on “throwaway” non-financial accounts like Gmail, Facebook and the like. I save them manually with a Mac program called “Together” which is great for cutting and snipping interesting stuff you see online for future reference…a great product!)

    Anyway, at least any of the law firms where I worked as an environmental lawyer in a corporate/transactional firm, we had little to worry about in terms of our networks being hacked, and we had secure VPN tunnels for offsite access.  But we didn’t hire private dicks to follow around the other spouse, so perhaps your concern is merited in some circumstances?   :-)   But still, most lawyers not doing hush hush m/a work or bet the ranch litigation don’t seem to be big targets for computer cybercrime for their work product computers, and the level of concern on some of these task forces and bar associations puzzles me, quite frankly.

    Am I missing something?  (I’ve been known to do that).

    • Jim Burton

      Lawyers are pessimistic and frequently afraid of technology.

      As lawyers, we are trained to spot flaws and look for problems.  We are not trained to evaluate risk.  Furthermore, lawyers are frequently punished for taking risks, but rarely punished for being unduly risk averse.

      For most lawyers, the odds of their data falling into the hands of an adversary through hacking are practically nil. Those who have the expertise to hack into a network simply don’t care about most lawyers’ data. Even for lawyers who work in sensitive areas, their computer system is rarely their weakest point. For most firms doing this kind of work, their cyber security is far stronger than their human security.

  • Ann Bradley

    The security problem I came across was unethical attorneys sharing private client emails without the prior knowledge or permission of the clients. I reported both my attorney and opposing counsel to the California State Bar.

  • Jim Hart

    I’m a big fan of keychain – it comes with the Mac and generates new passwords for me.  The only problem is that I can’t access some sites (the ones that won’t remember my passwords) if I don’t have access to keychain…  Perhaps LastPass will assist me with that because it is web-based?

    • Lee Rosen

      LastPass isn’t perfect. But, it will be an improvement from what you have now.



Lee Rosen

Lee Rosen has practiced family law for more than twenty years. With four offices, Rosen Law Firm serves Raleigh, Charlotte, Durham and Chapel Hill, North Carolina. Rosen served as the Law Practice Management Editor of the ABA Family Advocate for more than a decade and received the ABA James Keane Award for excellence in eLawyering. He served as Chair of the Law Practice Management Section of the North Carolina Bar Association, is a frequent speaker and is often sought out by the media as a source of family law insight and commentary.