Friday, December 11, 2009

Dec 11, 2009 :: Ethics of email confidentiality and iPhone security

This is a good article about data security from the standpoint of a law firm. When I worked in a legal clinic at my university, the policy warned about using email systems outside the school system, which used Microsoft Exchange (2003, I think). Their thoughts were that an off-site email system would compromise security, allowing people outside the firm to access confidential information. My reasoning in using outside email systems, regardless, was threefold. First, checking several email systems would mean that I would check email less frequently, if at all, so I would miss important communications. Second, systems like Hotmail, Yahoo, and Gmail have privacy policies in place: the administrators do not access email, and a security break there is just as likely as a security break at a university, except university-based hackers feel more comfortable hacking into their own school's servers because (1) it's home, (2) it's their own school's computer, where's the harm, and (3) they are inside a firewall, thus giving them more access. Lastly, the clinic's mail server was, in fact, the university's computer for mail, which handled the entire law school. As such, a breach by any law student would compromise the clinic's communications too. Well, unless a mail server is within the network bounds of the firm, the extent of vulnerability is a slight matter of degree. I often made the comparison that email security is far better than leaving client files in my car, which I never did, luckily, as my car was broken into for its stereo.

How many small firms know anything about the security of their mail server? How many firms encrypt their communications between attorneys and clients? Moreover, "work product" between an attorney and his in-house investigator with emails flying all over the internet. Wiretapping statutes may make interception a crime, but ethically, is the firm still open to liability when ALL their mail is sitting at a small internet service provider's server, just waiting for a bored technician to go on an email reading spree?

From iPhone Security: "The problem is not iPhone security. The problem is security. Period. This includes computer security, smartphone security, physical office security, social engineering security, etc. If an attorney puts confidential information anywhere — be it on an iPhone, a laptop, or a legal pad — the attorney needs to be very cautious about what happens to that information. If you lose your briefcase, there is little you can do besides retrace your steps and hope to find it. If you lose an iPhone, you have the option of trying to determine its location using a service like MobileMe or you can immediately tell your system administrator (or use MobileMe) to remotely wipe the iPhone. It won't work if a thief has already removed the SIM chip, but at least those are options that you don't have with a lost briefcase or even a lost laptop. [...] Having said that, if you are an attorney using an iPhone, please use your iPhone's passcode lock feature, and please don't expose your iPhone to potential trouble by jailbreaking your iPhone."
