Protecting Your Data And, More Importantly, Your Clients’ Data

Law firms deal with some of the most confidential and sensitive data in society and yet so many of them have such lax policies on information security. There are some simple things you can do to dramatically improve your information security and they don’t require you to purchase expensive gear.

Keep Your Passwords Your Own

I can’t tell you how many times I’ve been at a firm and heard an attorney come out of their office and say “Patty, I’m going to Phoenix for a couple of days to meet with Acme Co. Check my e-mail while I’m away; my password is….” I just want to grab that attorney and shake them!

NEVER share your password. Never. This is 2011. You can check your own e-mail from the road if you need to. Practically every gadget in your pocket can check your e-mail these days. Heck, you can check your e-mail on a PlayStation if you have to.

But perhaps you don’t want to do that. Maybe it’s a real vacation and not a client trip. There are ways to have your assistant check your e-mail WITHOUT having to totally compromise your network identity. You can share your Inbox with them; you can have copies of your mail forwarded to them; you can create a separate special folder they can access with client messages. There are a lot of ways to do it.

When you give your assistant your username and password, your assistant can log into the system AS YOU. Not only can they check your e-mail, they can access EVERYTHING you can access. Everything. Time and billing? Yes. Payroll? If you can, they can. Do you save your banking and other website passwords in your browser? If your assistant can log into your computer as you, they can access all of that.

Your assistant can send e-mails AS you. 

The other problem with having your assistant log into your mailbox and check your e-mail is that they can access more than just the new e-mail you receive. They can access e-mails you’ve saved from before, including that message from the Compensation Committee on staff raises for 2011. And that nostalgic e-mail from your high school girlfriend about that time… well, you remember. And now your assistant does too.

Scared yet? It gets worse. When was the last time you changed your password? How many assistants have you gone through in that time? For one of my clients the answer to that question was “7 years” and “Five. No, six!” So there are how many people walking around out there, who no longer work for you, who know your username and password? Any of those people working for opposing counsel these days?

A password compromised must be changed. Right now.

Not Passwords, Pass Phrases

As long as you’re changing your password, let’s make it a good one. The important thing to remember with passwords is that LONG is better than complex. r6IKjX is a terrible password. Yes, it’s very random. It’s also only 6 characters long, and a brute force attack (that’s when the attacker just tries every combination of characters) will break it in a matter of minutes or hours at the most. Plus it’s really hard to remember, so you’re more likely to write it on a Post-it and stick it on your monitor (or under your keyboard, where nobody ever looks).

The better plan is to select a phrase. Something that means something to you. 

“My 2 dogs are cute!”

That’s 20 characters, mixed case, with numbers and symbols. It would take a generation for a computer to brute force that and it’s easy for you to remember. 

Got a favorite song?

“Hey Jude, don’t make it bad”

28 characters, easy to remember, not that hard to type, really hard to break.

Long, personal, easy to remember, hard to guess. That’s the key.

And keep it to yourself. A password compromised MUST be changed. Now.
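To put numbers on "long is better than complex", here is an added example (not from the original post) that estimates the brute-force search space for the three secrets quoted above. The guess rate of 100 million per second and the character-pool model (26 lowercase, 26 uppercase, 10 digits, 33 symbols including space) are assumptions, and only exhaustive search is modelled.

```python
import math
import string

# Assumption, not a figure from the article: offline guesses per second.
GUESSES_PER_SECOND = 1e8
SYMBOLS = 33  # space plus the 32 ASCII punctuation marks
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)


def alphabet_size(secret):
    """Character pool a brute-force search must cover for this secret."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in secret))
    if any(not c.isalnum() for c in secret):
        size += SYMBOLS
    return size


def search_space_bits(secret):
    """log2 of the number of same-length candidates over that pool."""
    return len(secret) * math.log2(alphabet_size(secret))


def worst_case_seconds(secret, rate=GUESSES_PER_SECOND):
    """Time to try every candidate; word-list guessing is not modelled."""
    return 2 ** search_space_bits(secret) / rate


def lowercase_length_matching(secret):
    """Shortest all-lowercase length with at least the same search space."""
    return math.ceil(search_space_bits(secret) / math.log2(26))


def humanize(seconds):
    for unit, span in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:.3g} {unit}"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    # The three secrets quoted in the article (straight apostrophe used).
    for s in ("r6IKjX", "My 2 dogs are cute!", "Hey Jude, don't make it bad"):
        print(f"{s!r:32} pool={alphabet_size(s):3} "
              f"bits={search_space_bits(s):6.1f} "
              f"worst case={humanize(worst_case_seconds(s))}")
    print("lowercase letters needed to match r6IKjX:",
          lowercase_length_matching("r6IKjX"))
```

The last line shows the trade-off directly: a handful of extra plain lowercase letters already matches the search space of the six-character random string.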

One Last Secret…

I’ll tell you something your IT guys might not want you to know… in most cases THEY don’t need to know your passphrase either. In a Windows domain, which, if you have a Windows server, you undoubtedly have, the IT guys can change your password when they need to access your data without your assistance. Then, when they’re done, they can tell you the temporary password they used, and you can log in and change your password back to your own, secret, pass phrase. That doesn’t work in EVERY case, but in most cases it does.

Keep your identity your own. Don’t share your passwords, select good long pass phrases and change them if they’re compromised.


  1. Andrea Cannavina (aka LegalTypist)

    While I ♥ Ben and almost anything he says is like true gold; I must point out that giving your PC/email password to the same person who probably knows more about you than your spouse, is hardly a way to keep your client’s data secure.

    Law firm assistants work for the firm, and as such, are already quite aware of your clients, their matters and pretty much everything you do. You’ve already entrusted them and chances are, your clients have spoken with them and trust them too.

    That said, I do wholeheartedly agree that it is better to think in terms of pass phrases and having access to email at all times – negating the need to give your assistant your pass phrase.

    I just wanted to highlight that they already have access to the data, so are not a security concern for clients.

  2. I had the same problem, sharing passwords with an assistant, and just found out that LastPass now lets you share passwords, without your assistant actually finding out your password, which is pretty nifty, especially when you use that password for other things.

    By the way, don’t use your password for other things! It’s a very good idea to use different passwords for any web services you sign up for. If you don’t, and one service is compromised, you’re in trouble. So if your Gumtree account and webmail account use the same password, and someone cracks Gumtree, then they’ve suddenly got access to your Gmail. This happened late last year to Gawker, when they ‘shared’ 188,000 passwords.

    You should also never send anything sensitive by email. Emails can be read by the administrators for both sender and recipient, and can of course be forwarded to undesirables, or just plain sent to the wrong person, leaving you vulnerable, having failed to protect your clients’ data. Just remember that sending an email is about as secure as sending a postcard next time you’re sending out that document full of personal and financial data!

  3. Andrea Cannavina (aka LegalTypist)

    I should have thought to add this above.

    Here’s a blog post from last year with access to a 20-minute podcast of Ben and me speaking about digital security (and a few other things):