How Law Firms Can Thrive in the Post-COVID-19 World

By: Victor Bornstein

As COVID-19 cases have raged across the United States, we have all realized that we must be better prepared for future pandemics. Moreover, businesses must be ready to adapt to future public health restrictions, including the possibility of future lockdowns. As such, businesses cannot stick to a status quo, and should anticipate long-term remote work. Public health experts have a far less optimistic outlook on a return to normalcy than the general public, and businesses should heed the expert position rather than public opinion. Therefore, businesses – especially law firms – must prepare for the possibility of continued pandemic-related public health restrictions until at least the end of 2021.

Dr. Anthony Fauci, the director of the National Institute of Allergy and Infectious Diseases, has warned that even with a vaccine, normalcy will not be established until the end of 2021 at the . This is because of multiple issues, including the logistics of distributing the vaccine to the entire population, difficulty educating the public about the vaccine, and the struggle to ensure that the vaccine is able to reduce the number of new COVID-19 cases. The vast number of viewpoints – from experts and non-experts alike – and mixed messaging from the media and government have also contributed to uncertainty about when the public will consider it safe to return to work in person.

There is also the possibility of future returns to complete lockdowns. As we have seen abroad, returning entirely to normal is not feasible at present. In Israel, after almost defeating COVID-19 (with numbers lower by percentage than the most successful of US counties) a full lockdown was reinstated after the spread of COVID-19 again increased. In the US, even in states that may be starting to re-open or are already fully open, law firms should be prepared for the possibility of re-lockdown, and the effects of this on workflow.

This article will outline the specific problems related to privacy and security issues, and technological solutions to address them.

Problems: Privacy and Security Issues when Working from Home

Attorneys and law firm support staff face unique challenges in light of the COVID-19 pandemic. At the forefront of this new wave of difficulties is attempting to manage workplace productivity while still ensuring the integrity of client information. Law firms are especially vulnerable to cyberattacks and security breaches because of the high volume of sensitive client data they hold. The FBI recognized the increased likelihood of cyberattacks and security breaches in the COVID-19 pandemic, due to the sudden shift of businesses relying on technology for working from home. The legal field relies on protecting confidential communications between attorneys and their clients, which raises an important question amid the new work from home (WFH) norm: when attorney work product is created at home, client information is accessed outside the office, and non-attorney employees correspond about active legal matters?

The main data privacy issues for firms operating out of residential living spaces rather than offices include:

  • Maintaining confidentiality of client information when working from home, potentially in shared living spaces;
  • Preventing unauthorized access of physical documents in transit to non-office spaces and at home; and
  • Restricting unauthorized wireless access to firm systems.

These problems can be difficult to remedy without a dedicated IT professional monitoring employee access – may find it challenging to adapt to employees’ WFH habits. In the absence of dedicated IT staff, firms can also proactively establish proper access protocols with employees, including:

  • Restricting unauthorized use;
  • Ensuring client information is not divulged to unauthorized persons; and
  • Requiring encryption on emails and other firm documents.

These are all reasonable means to avoid data security issues, and do not necessarily require a tech professional to implement.

Other issues may arise depending on the size of the firm: the number of employees that have access to confidential or sensitive client information can multiply security issues. Firms that do not provide electronic devices on which employees can perform work – instead having employees use personal devices – may also require additional measures to prevent misuse or unauthorized access. Because professional and private spaces are being shared, firms should be especially wary of suspicious access patterns. Clients in the early stages of litigation may be particularly concerned about data privacy, since sensitive materials like medical records or financial documents may not yet be publicized in court documents.

Despite these issues, law firms can easily adapt to WFH through meaningful tech training, document-access protocols, and downloading modern communications protections to stay ahead of the COVID-19 curve.

Solution: Technological and Workplace Management Solutions 

Technological Solutions

Any firm transitioning its employees to a WFH format should be equipped with a comprehensive plan that addresses as many of the above-mentioned challenges as applicable. Proactive measures should include purposeful research into secure communication technologies that allow safe and efficient collaboration between firm employees. Without the support of dedicated IT staff to upgrade existing infrastructure or remotely install new software on work devices, determining which software can adequately protect client data falls on the shoulders of firm management.

Like physicians, legal practitioners enjoy the privilege of being able to leverage a wide spectrum of profession-specific software. Many software companies employ former attorneys or have consulted with a large number of firms to tweak software settings to firm preferences. Most firms mandate that work devices also run software for encrypted, secure access. Remaining diligent in educating employees on safe communication practices can also prove useful in limiting unauthorized access to firm documents.

Before delving too extensively into available software to protect confidential information or purchasing such software, it is critical that decision-makers understand relevant terminology. The following analysis weighs several methods for securing communications software for legal staff.

1. Encryption of Messaging Software

Most attorneys have a general understanding of what encryption does and how this feature is typically used. However, firm management may not be aware of the degree and quality of encryption that messaging software companies offer. For instance, various methods of encryption serve different purposes for different organizations that may not need identical levels of protection. However, in the legal industry, where client information is expected to remain confidential, advanced encryption methods – like AES-256 and Blowfish – may be necessary. As discussed below, these algorithms use longer encryption keys to protect data.

How does encryption protect client data or a firm’s communications? Although some of the more secure encryption methods involve additional protective measures, most encryption algorithms in software operate under the same principle. Generally, when sending a message to a coworker or client, firm staff send an email with readable text in the body of the message. If the messaging software uses encryption technology, these plain-text messages (i.e. the text that is readable in your inbox) are converted to “cipher text,” making communications unreadable to unauthorized users. In a sense, encryption turns plain-text messages in emails or other messaging software into a coded language, which is then translated by the receiver’s cooperating encrypted device. Because the textual information is scrambled and then unscrambled by the receiving device, encryption technology facilitates secure communications between devices or servers that utilize the same encryption software.

Much like the secure transmittal of patient treatment information in a hospital setting, law firms can find solace in software. The good news is that most commonly used messaging software already implements some form of encryption. However, firms may need to upgrade their current software to remain fully protected. Most software providers, like Microsoft for its Outlook mail application, offer enterprise-level encryption for communications at no additional cost. The table below provides an overview of available software packages:

| Software | Cloud-Based | HIPAA-Compliant | Security/Encryption | Price | Mobile App |
|---|---|---|---|---|---|
|  | Yes | No* | EKM | Freemium | Yes |
| Microsoft Teams | Yes | No* | DLP and two-factor authentication | Freemium | Yes |
| Google Hangouts | Yes | No* | Only in-transit | Free | Yes |
| EIE Legal | Yes | Yes | End-to-end | $4.99/mo. | Yes |
| WhatsApp | Yes | No | End-to-end | Free | Yes |

*Not HIPAA-compliant upon install, but can be configured to be HIPAA-compliant

2. Cloud-Based Storage of Electronic Communications

Additional scrutiny should apply when logs of client communications or client information are stored in cloud-based servers. Securing cloud-based technology can be difficult because client information stored in a cloud-based CRM system, for example, is at the mercy of the third party’s security infrastructure. Firm management should become familiar with their preferred cloud-based storage technology company’s data management policies and analyze the firm’s liability for potential data breaches. Reliance on third-party software providers or data storage companies may result in increased liability for clients’ information. An attorney’s ethical duty to protect client data obliges firm management to assess several factors when using cloud-based software, such as the vendor’s security policies and the use of confidentiality agreements. Cloud-based systems offered by Google and Amazon make data storage simple and safe.

3. Network Security: VPNs

Unauthorized access through unprotected wireless networks can also prove difficult to manage, but installing and mandating use of a firm-wide virtual private network (VPN) can provide the security of a traditional firm network. VPNs are essentially secure ways to create a reliable internet connection, encrypting network access by rerouting it through a proxy server. Law firms operating with WFH models may wish to implement VPNs because residential Wi-Fi access typically lacks adequate protection from cybersecurity attacks.

While working outside the office, employees may be tempted to join public wireless networks at cafés or libraries for convenience. Firm management should discourage this in order to preserve data security. Because employees’ home internet services may pale in comparison to that provided at the office, partially funding employees’ wireless connection can facilitate the use of a secure wireless network, while also incentivizing work productivity. Reimbursing employees who upgrade their Internet service may also be beneficial, as the expense of these upgrades will be far less than the costs of a data breach. The following chart provides some VPN software that could be an ideal fit for a law firm moving to a WFH structure:

| Software | OS Compatible | Device Limit | Security Features | Price |
|---|---|---|---|---|
| NordVPN | Windows, MacOS, iOS, Android, and Linux | 6 | No logs of web access and communications, so no data tracking | $11.95/mo. |
| Encrypt.me | Windows, MacOS, iOS, and Android | Unlimited | Encrypted logs of web access and communications | $9.99/mo. |
| Private Internet Access (PIA) | Windows, MacOS, iOS, Android, and Linux | 5 | No logs of web access and communications, but features multi-layered security to provide ad- and malware-free private browsing sessions | $6.95/mo. |
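
One way to check that a firm-wide VPN mandate is actually being followed, given here as an added example that is not part of the original article: the script scans a document-access log and lists every access that did not originate from the VPN's address pool. The log format, the 10.8.0.0/24 pool, the user names and the file paths are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed address pool handed out by the firm's VPN gateway (hypothetical).
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")

# Constructed sample log: timestamp, user, source IP, resource accessed.
SAMPLE_LOG = """\
2020-11-02T09:01:12Z asmith 10.8.0.14 /matters/1042/medical-records.pdf
2020-11-02T09:03:40Z bjones 203.0.113.57 /matters/1042/financials.xlsx
2020-11-02T09:05:02Z asmith 10.8.0.14 /matters/1077/brief-draft.docx
malformed line
2020-11-02T23:48:19Z bjones 198.51.100.9 /matters/1042/medical-records.pdf
2020-11-03T08:15:00Z cdoe not-an-ip /matters/1001/engagement-letter.pdf
"""

def audit(log_text, vpn_pool=VPN_POOL):
    """Return (violations, unparsed): accesses from outside the VPN pool,
    grouped by user, and the lines that could not be parsed."""
    violations = defaultdict(list)
    unparsed = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            unparsed.append(line)
            continue
        timestamp, user, source, resource = fields
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            unparsed.append(line)  # keep for manual review, never drop silently
            continue
        if addr not in vpn_pool:
            violations[user].append((timestamp, source, resource))
    return dict(violations), unparsed

if __name__ == "__main__":
    violations, unparsed = audit(SAMPLE_LOG)
    for user, hits in violations.items():
        for timestamp, source, resource in hits:
            print(f"NOT VIA VPN  {user}  {source}  {timestamp}  {resource}")
    print(f"{len(unparsed)} line(s) need manual review")
```
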

4. Antivirus and Antimalware Software

Similar to employee-caused data breaches, external cybersecurity threats to law firms can be prevented and mitigated with relative ease. By installing anti-malware software onto firm devices, employees may not have to be as diligent in identifying phishing emails. Consider the following , all of which allow for weeks-long trial periods to test functionality:

| Software | OS Compatible | Device Limit | Security Features | Price |
|---|---|---|---|---|
| Bitdefender | Windows, MacOS, iOS, Android | 5 | Threat detection, privacy firewall, secure VPN built in, webcam & microphone protection, real-time threat ID | $49.99/mo.* |
| Kaspersky | Windows, MacOS, iOS, and Android | 5 | Real-time antivirus protection, blocks ransomware, cryptolockers, prevents cryptomining malware infections | $49.99/mo. |
| Norton | Windows, MacOS, iOS, Android | 5 | VPN software, LifeLock identity theft protection, SafeCam feature, 24/7 tech support | $99.99/yr. |
| Sophos | Windows, MacOS, iOS, Android | 10 | Real-time anti-malware protection, virus & ransomware detection, blocks compromised or dangerous websites, secures multiple devices in any location through the website, advanced real-time antivirus security, password data protection, anti-keylogger software, premium live chat support. | $45/yr.* |
| McAfee | Windows, MacOS, iOS, Android | Unlimited | Vulnerability Scanner, Web Advisor (identifies potential ransomware/threats on internet sites), App Boost (optimizes computer processing power), Quick Clean (optimal metadata & document deletion), VPN and identity theft protection | $59.99/yr.* |

*Free version available with fewer security features

In conclusion, the of sticking to the status quo for law firms that operate in their physical office is that the remote work circumstances continue beyond current expectations. The current model, where the law firm’s office Internet has encryption and security features, and firm-provided devices may have the security software but be used on an employee’s less robust home Internet connection, means that the corresponding increase and prevalence of cyberattacks and data breaches will become more serious threats to the industry. To minimize these risks, law firms must be able to switch to working remotely and have efficient ways of managing the subsequent effects of this switch.
