CBA Record November 2017

LPMT BITS & BYTES

ENCRYPTING DOCUMENTS AND COMMUNICATIONS

Keep It Secret, Keep It Safe

BY CATHERINE SANDERS-REACH

The security landscape has become overwhelming for many lawyers. The last ten years have witnessed an increasing awareness that a lack of compliance with security best practices may put lawyers and their clients at great risk. The updates to the Model Rules of Professional Conduct in 2012, now adopted by nearly 30 states, including Illinois, served as a wake-up call to the fact that security and technology awareness are an essential part of running a law firm. Rule 1.1 (Competency) now requires a lawyer to understand the benefits and risks of relevant technology. The expansion of the comments in 1.6 (Confidentiality) includes taking reasonable precautions to prevent client information from unauthorized access as well as inadvertent or unauthorized disclosure. Recent ethics opinions promulgated by bar associations and disciplinary agencies regarding email encryption, cloud computing, records management, and related subjects provide guidance on how a law firm should go about securing a client’s confidential information.

It does not stop at ethics opinions. Law firms also hold information protected by statute and regulation, including data breach notification laws in 48 states, HIPAA, FINRA, PCI, and others. Real estate attorneys have special requirements in residential real estate transactions involving mortgage financing. Attorneys acting as title agents in mortgage financing transactions have data security requirements under obligations expressed by TRID (Truth in Lending Act/Real Estate Settlement Procedures Act Integrated Disclosure), enforced by the Consumer Financial Protection Bureau.

Create a Risk Profile

To comply with regulations and ethical requirements, law firms should first map out their risk profile. What kind of data does the firm store and access? Transmit? Is it data defined by statute such as PII (Personally Identifiable Information), PHI (Protected Health Information) or NPI (Non-Public Personal Information)? Financial information? Read the laws and regulations to see what guidance they may provide to help protect the data. Next consider what the firm may keep that is privileged or confidential. How is that data protected? Look at where the data is stored, how it is transmitted, who has access to it, and what steps the firm takes to protect it – is it enough?

Follow Best Practices

Security is a moving target. Don’t let the firm get too complacent in its practices. The most important thing a firm can do to protect client data is to keep up with the latest recommendations in cyber protection and keep attorneys and staff constantly vigilant to maintain security and privacy protocols. Ninety-one percent of cyberattacks begin with a spear phishing email and 96% of executives cannot distinguish a phishing email from a legitimate one 100% of the time, according to an All Covered security study. Learn to know the signs of scams and do not sacrifice security for convenience. For instance, there has been a lot in the news about scams involving intercepted and redirected wire transfer information, especially in real estate transactions. Do not send wire instructions via email. Tell clients whether to expect this type of information from the firm. Let clients know that the firm will not request wire transfer or electronic payment information or, if the firm does, exactly how and what it will look like.

Encrypt Email Attachments

If the firm sends out documents via email that contain protected or sensitive information, such as NPI or PII, then at the very least those documents should be encrypted via password protection. Current versions of Microsoft Office (versions 2013 & 2016), Adobe Acrobat Document Cloud, and Nuance Power PDF Advanced provide password protection, which triggers encryption of the document. This encryption is enabled by setting a password to open the document. Strong passwords (at least 12 random characters) should be employed. Also, do not email the password to the document with the attachment or even in a separate email. Call the client or use a secure messaging application to send the password in a different way than the document was sent. Tools on the market make it relatively easy for someone to access file content from older versions of Microsoft Office documents, bypassing the password altogether. There are more comprehensive ways to protect documents and communication, but this method helps protect the document from inadvertent and unauthorized access.

“No Cloud” Options

Some law firms have a mistrust of any product or service that employs “the cloud.” For this discussion, “the cloud” is

Catherine Sanders Reach is the Director, Law Practice Management & Technology at the CBA. Visit www.chicagobar.org/lpmt for articles, how-to videos, upcoming training and CLE, services, and more.

A longer version of this article first appeared in Probate & Property Magazine, Vol. 31, September/October 2017.
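A pre-send check in the spirit of the "Encrypt Email Attachments" advice, added here as an illustration and not part of the original article: it triages an attachment by its file signature and generates an open password of at least 12 random characters. The function names, sample bytes and the byte-signature heuristics are assumptions of this example.

```python
import secrets
import string

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                             # plain .docx/.xlsx/.pptx (ZIP)
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")   # stream name in encrypted OOXML

# Constructed byte fragments standing in for real attachments (not valid files).
SAMPLES = {
    "plain.docx": ZIP_MAGIC + b"[Content_Types].xml",
    "locked.docx": OLE_MAGIC + b"\x00" * 504 + ENC_STREAM,
    "old.doc": OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le"),
    "locked.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R /Encrypt 9 0 R >>\n",
    "plain.pdf": b"%PDF-1.7\ntrailer\n<< /Root 1 0 R >>\n",
}


def classify_attachment(data: bytes) -> str:
    """Heuristic triage of an attachment from its raw bytes."""
    if data.startswith(ZIP_MAGIC):
        # A current-format Office file that is still a bare ZIP has no open password.
        return "office-not-encrypted"
    if data.startswith(OLE_MAGIC):
        # A password-to-open OOXML file is wrapped in an OLE container holding an
        # "EncryptedPackage" stream; a legacy .doc/.xls is OLE without that stream.
        return "office-encrypted" if ENC_STREAM in data else "office-legacy-format"
    if data.startswith(b"%PDF-"):
        # /Encrypt is also set by a permissions-only password, so still confirm
        # that the PDF actually prompts for a password when opened.
        return "pdf-encrypted" if b"/Encrypt" in data else "pdf-not-encrypted"
    return "unknown"


def ok_to_send(data: bytes) -> bool:
    """Allow only attachments that look encrypted in a current format."""
    return classify_attachment(data) in {"office-encrypted", "pdf-encrypted"}


def new_password(length: int = 16) -> str:
    """Random open password from the OS CSPRNG; refuses fewer than 12 characters."""
    if length < 12:
        raise ValueError("use at least 12 random characters")
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@"
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

A legacy-format result is a cue to re-save the document in a current Office format before setting the password, since the article notes that older Office password protection can be bypassed.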
