Is It Possible to Secure Law Firm Data?

To answer the question, we interviewed our friend and colleague Matt Kesner, the CIO of Fenwick & West LLP, a West Coast law firm representing high tech and bio-tech clients. Matt has “walked the walk” when it comes to security and protecting data.

Is the data at a law firm really different or are there “special” considerations when dealing with security within a law firm? Matt suggested that there are a lot of tensions at play within a law firm. There’s always the tension between IT and end-users. The end-users are more difficult to tame and are more independent than most other users. They don’t necessarily want to comply with the stated policies and procedures, thereby making security a more difficult task. Also, they tend to be driven by what the client wants, which may be in contradiction to the security procedures of the firm.

The press hasn’t really identified many data breaches that have involved law firms. Since law firms are very much reputation based, they are not all that willing to publicize any data breach that may have occurred. Current data breach laws have changed that practice, but we still don’t hear of many specifics concerning law firms. Matt acknowledged that there have been two breaches at his own firm. His advice for security is to learn lessons from breaches so you can avoid a recurrence – at least a recurrence of the same sort of attack. Fortunately for Matt’s firm, the security incidents did not involve access to their network. Both occurrences involved their website, which was hosted externally.

We are aware of some other firms being compromised, primarily through mobile devices and unprotected laptops. At a minimum you should have a lock code on your mobile device, and the drives on laptops should be fully encrypted. Matt’s excellent advice is “When in doubt, encrypt it.”

Not to scare our readers (OK, maybe just a little), but Matt confirmed that law firms are seeing an increase in hacking attempts. Reviews of his own firm’s logs show repeated “door rattles” and attempted infiltration of the network. They are being probed a lot more often, tested with various scripts being used to determine vulnerabilities and have experienced a higher proportion of successful malware and phishing attacks against their users.
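The kind of log review Matt describes, spotting repeated “door rattles” before they become a breach, can be reproduced with a few lines of code. The following is an added example written for this page, not the firm’s own tooling; it runs over a handful of constructed sshd-style log lines (the addresses and usernames are made up) and flags any source address that fails repeatedly, reporting how many different usernames it tried, since a spread of usernames from one address is the usual sign of scripted probing rather than a user mistyping a password.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines for the example (not real firm logs).
SAMPLE_LOG = """\
Mar 10 02:14:01 gw sshd[4120]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar 10 02:14:03 gw sshd[4120]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar 10 02:14:05 gw sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
Mar 10 02:14:09 gw sshd[4122]: Failed password for invalid user oracle from 203.0.113.45 port 51244 ssh2
Mar 10 02:14:12 gw sshd[4123]: Failed password for invalid user test from 203.0.113.45 port 51250 ssh2
Mar 10 02:20:17 gw sshd[4130]: Failed password for jsmith from 198.51.100.7 port 40022 ssh2
Mar 10 02:20:25 gw sshd[4130]: Accepted password for jsmith from 198.51.100.7 port 40022 ssh2
Mar 10 03:01:44 gw sshd[4140]: Failed password for invalid user guest from 192.0.2.88 port 60001 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def failed_logins(log_text):
    """Return {source_ip: [usernames tried, in order]} for every failed login line."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return attempts


def door_rattlers(log_text, threshold=3):
    """Sources with at least `threshold` failures, with the count and the
    distinct usernames they tried. One address cycling through several
    usernames is the signature of scripted credential guessing."""
    report = {}
    for ip, users in failed_logins(log_text).items():
        if len(users) >= threshold:
            report[ip] = {"failures": len(users), "distinct_users": sorted(set(users))}
    return report


if __name__ == "__main__":
    for ip, info in door_rattlers(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried: {info['distinct_users']}")
```

In the sample, only 203.0.113.45 crosses the default threshold; the legitimate user who mistyped once and then logged in is not flagged. The threshold and the window (here, the whole file) are the knobs to tune against your own log volume.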

Many attacks appear to be originating from China, which is consistent with our experiences gleaned from security investigations involving these attacks. Our own government has cautioned us that every cell phone and smart phone that goes into China has spyware downloaded on it by the Chinese communications infrastructure. This spyware pretty much has unfettered access to the data that you are sending and receiving even if it is encrypted in transit. Another concern is bringing laptops to China. Matt advised us to weigh the laptop before and after taking it to China as many times hardware monitoring devices will be installed in the laptop itself. He also suggested taking a disposable cell phone when traveling to China. Many in the security field have stated that we are seeing activity from China’s “C-level” (rookie) hackers since law firm systems are fairly easy to penetrate. China isn’t even wasting the efforts of their “B-level” or “A-level” teams when attacking U.S. systems. Essentially, China’s entry level hackers are practicing on U.S. law firm networks before “graduating” to more advanced hacking activities. Matt told us that Chinese students actually take hacking classes and hack Western websites as part of their homework. Pretty scary stuff.

Increased usage of the Internet, voluminous amounts of data and the sharing of that data for legitimate purposes has made the task of security even more difficult. There are many more attack points as the data grows and reaches out to many more parties as part of our normal business activities. Matt cautioned us to be wary of USB flash drives that we obtain at conferences since they may be infected with malware such as the Stuxnet virus.

We queried Matt if there really is a fix for the security state that we are currently observing. The answer, as you might have guessed, is that there is no silver bullet for security. His primary advice is to partner with a trusted security advisor and be prepared to budget some funds for security. Your firm needs to be constantly vigilant since the security risks of tomorrow will be different from those we see today.

If you’d like to listen to our interview with Matt on Legal Talk Network’s Digital Detective podcast, you can find the podcast at

  1. Good article!

    I am one of the co-founders of, which is addressing this exact need. We believe attorneys and the firms they work for should take digital security seriously and stop using email as a medium for distributing sensitive information.

    I agree, there is no “silver bullet” for security as it requires using appropriate tools as well as modifying entrenched behaviors. “123456” is clearly not a password that gives much protection, and your password for your bank’s website should be different from accounts on insecure websites (sites not starting with “https” send your password in plain text over the Internet).

  2. Good article….

    The best course of action is to assume everything will be hacked.

    Secure all documents using the documents security device. As an example look at Word. Open a document, go tools, go options, go security and then select your advanced tab, then make sure the “key” length is set at 128, then choose one of the stronger encryption levels like RC4, SChannel or RSA or RES. Then return to the password option and enter a password. You can also enter a password for modifying the document as well.

    For passwords I recommend several methods. One; think of a song, soliloquy or famous speech you are fond of. Then take the first or second (your choice) letter of each word in that stanza or paragraph and presto!!!…there is your password. Make it even tighter by adding characters.

    Second, encrypt the folder or file itself. Now you have a double layer of protection. One of the very best and easiest to use is a free, open source, encryption program called , download and run it. But understand one thing…if you forget your password using Truecrypt it will take about 25 years using a brute force attack just to crack it.

    Now you have a riddle, wrapped in a mystery…….but wait…..that’s not all!!!!

    Look into your bios password. You will find it at start up under setup, either F2 or F12…..this is usually available with XP Pro, but may be available with 7…again be very very very careful setting up a password on your bios as if you forget it, well let’s just say the NSA would need about 25 years to crack it. There are ways to backdoor it but it’s primarily used as a first line of defence against snooping hotel maids, nosy lovers, prying workmates. You cannot even complete the power-up phase without the password.

    Now you have a riddle, wrapped in a mystery, surrounded by an enigma….

    Last couple of words. All Law firm computer systems should be off-line at all times!!!….it’s a pain but it’s the only way to truly be sure no one gets in….sort of like a house with no doors.

    Lastly…be very very very careful about using flash drives and external hard drives…those sneaky Chinese were loading them up with viruses that would automatically download the contents of the external hard drive to websites in China.

    You can use to install or “mount” an encrypted volume on all hard drives and flash drives.

    Lastly, do your HOMEWORK!!!!!!

    Research truecrypt and play around with the mounting and dismounting of a couple of encrypted volumes. Become familiar and comfortable before you start storing sensitive information. There is also a school of thought that says use three storage areas. One, your hard drive, Two, a flash drive, Three, an external hard drive.

    The beauty of truecrypt is that the mounted volume is completely invisible….seriously, completely invisible. So, in the event of traveling abroad and running afoul of the Jackboot Crowd, they can’t ask you to decode what they can’t see. This is the beauty of two levels of plausible deniability.

    For sensitive information be extremely careful, repeat EXTREMELY CAREFUL!!!, about using “off-site” data storage….seriously…I would not ever use a service like that….but that’s just me.

    So that’s it….in a very large nutshell.

    Regards, Don Laird
    Edson, Alberta, Canada
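The passphrase method in the comment above (first or second letter of each word of a memorable text, then extra characters) is easy to script so that a user can generate and sanity-check a password without typing it into a website. The code below is an added example for this page, not the commenter’s; the function names and the sample text are the example’s own choices. The check reports length and character-class mix only; the real strength depends on the source text not being something an attacker would guess, so the extra characters matter.

```python
import re


def first_letter_passphrase(text, position=0, extra=""):
    """Build a password from a memorable text: take the letter at index
    `position` (0 = first, 1 = second) of every word, in order, then append
    `extra` (digits/symbols the user adds to strengthen it). Words too short
    to have that position are skipped; letter case is kept as written."""
    words = [w.strip("'") for w in re.findall(r"[A-Za-z']+", text)]
    letters = [w[position] for w in words if len(w) > position]
    return "".join(letters) + extra


def check_password(pw, min_len=12):
    """Basic self-check: minimum length and how many character classes are present."""
    classes = {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }
    return {"length_ok": len(pw) >= min_len, "classes": sum(classes.values()), **classes}


if __name__ == "__main__":
    # Constructed sample text; pick a line only you would associate with yourself.
    sample = "Four score and seven years ago our fathers brought forth on this continent"
    pw = first_letter_passphrase(sample, position=0, extra="#1863")
    print(pw, check_password(pw))
```

Running it on the sample line gives a 13-letter base plus the added characters, which passes all four classes; the bare “123456” from the first comment fails both the length and the mix check.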

  3. David Collier-Brown

    At the technical level, it’s been possible to secure the kind of data that law firms deal with since 1976 or so. The only people who use this level of security are the military, who sponsored the “Orange Book” work, and a very few computer companies, as it requires you have a team of fairly brilliant security officers working behind the scenes keeping it invisible to the lawyers.

    I’ve been the user of such a system, on Honeywell Multics in the 1980s, and administered one in the late 1990s. As a user, I didn’t notice anything unusual. As an administrator, I had to take a week course to get started and the first few months were hard. If you make a mistake, everyone notices!

    These days, I use an orange-book system on Linux, courtesy of the U.S. National Security Administration, but only for some fairly trivial bits of consulting data.

    If asked, I’d say you can have a high degree of security, but it would be worth it only if you know you have an espionage problem. It’s not worth the effort if all you’re suffering from is spam and people defacing your web page.

    -dave ( cb

  4. I thought I would add a couple of points to the security precautions above.

    Firstly, the destruction of documents.

    When one “deletes” the document on a computer all that is done is the link to the document is deleted. The document is still there…believe me.

    A story….

    I had some problems with a laptop and called the manufacturer…no names mentioned but it rhymes with smell…

    We had to do a reformat which involved wiping the hard drive clean, twice. We started to do the reformat and I noticed my external hard drive was still hooked up. I asked the tech as to whether this would wipe the external as well. The tech said no. When the reformat was done…my computer was as clean as a whistle……I checked my external and voila!! it was as clean as a whistle too……I started to cry……(not really but kinda sorta….)

    Long story short, down at corporate headquarters the roof came off of Smell Inc…the mice were scrambled and several other troubleshooting techs were put in touch. I was directed to a couple of websites and downloaded a few programs and with their assistance, ran them…..lo and behold, in spite of the hard drives being wiped twice there was all my work!!!…thousands of hours of work and photos etc etc…….I was very pleased.

    The recovery process took me about 5 days as the recovery of the files was very labour intensive, similar to picking fly shit out of pepper… but I did recover them. I worked mostly on the external as for some reason it was easier..but in the end all was recovered.

    My point is….delete is not delete. So………get a “file shredder” program. A “file shredder” does not actually shred the file, it simply overwrites it. Meaning the program takes the actual file and writes gibberish over it as many times as you indicate. For example, a “military standard” overwrite can range from 3 to 12 overwrites.

    The result, if you have read my first post above, is this: a file with encrypted documents, in an encrypted file, is then overwritten 3 to 12 times…result…gone.

    There are many good open source file shredding programs out there; simply do your research. A good place to start for reviews and analysis is, a division of the most excellent….a wealth of information and independent reviews. Once you have selected your program look for reviews on the internet…and go at least 3 to 4 pages back in your search, don’t just look at the first Google selection.

    Now, let’s deal with the actual paper file. I will make this short. Get a “confetti cut” paper shredder for your office. I recommend the Fellowes brand and they can be bought at any office supply. I have one at home, and yes, all my personal correspondence and bills etc are shredded before I throw them out.

    I strongly advise you pick one up for your office as even though your law firm may retain the services of a secure mobile shredding company the most secure method, with the most sensitive documents, is to simply walk over and shred it yourself.

    Think about it…snoopy colleagues, assistants, secretaries and janitors all have access to a document while it is “shredder bound”, who knows who read it, copied it or stole it. All it takes is 2 to 3 seconds to take the most sensitive documents over to the shredder, turn it on, shred them, and then back to the desk for a sip of coffee.

    Then there is the issue of the actual destruction of a hard drive located in either a laptop or tower. Do not, I repeat do not, trust anyone other than yourself to see to this task. Simply look around on the net and in your local area for a hard drive shredder and take it down and personally watch its destruction….sorta like this (just a video I found on YouTube…not a plug)

    This also works well and is recommended for old PDA and cellphones.

    The reality of the world we live in is snoopiness abounds….be careful…..I don’t live in a little closet with my tin foil hat pulled down tight but prudence and caution dictate that measures must be taken to protect both your clients’ interests as well as your own.

    Here is a little video you can watch on streaming internet. It’s produced by the award winning PBS and illustrates how vulnerable information really is….note the portion relevant to ATT….a little unnerving…

    Note the points above, do a little research and get into the habit of encryption and destruction of sensitive information and you will never be set upon with a scrum of reporters or a blizzard of statements of claim for negligence.

    So…in the end…Be Educated, Be Informed, Be Cautious.

    Regards, Don Laird
    Edson, Alberta, Canada
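The “file shredder” described in the comment above is, as the commenter says, an in-place overwrite followed by deletion. The code below is an added example for this page, not the commenter’s or any shredding product’s code; it overwrites a file with random bytes for a configurable number of passes, forces each pass to disk, and then unlinks it, with a constructed sample document so it runs offline. One caveat a practitioner would add to the comment: on SSDs, on journaling or copy-on-write filesystems, and wherever the drive remaps blocks, an overwrite through the filesystem does not guarantee the old blocks are gone. Full-disk encryption with a destroyed key (the layering the earlier comment recommends) is the dependable route for those cases, and physical destruction remains the answer for a retired drive.

```python
import os
import secrets
import tempfile


def overwrite_file(path, passes=3, chunk_size=64 * 1024):
    """Overwrite the contents of `path` in place `passes` times with random
    bytes, flushing and fsync-ing after each pass so the write reaches the
    device rather than sitting in the page cache. Returns the file size."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))  # fresh random data per chunk
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def shred_file(path, passes=3):
    """Overwrite, then unlink the directory entry. Returns bytes overwritten."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def make_sample(marker=b"privileged and confidential draft\n", copies=100):
    """Write a constructed sample document to a temp file and return its path."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".txt") as tmp:
        tmp.write(marker * copies)
        return tmp.name


def demo(passes=3):
    """End-to-end run on a constructed file: (bytes_overwritten, still_exists)."""
    p = make_sample()
    return shred_file(p, passes), os.path.exists(p)


if __name__ == "__main__":
    n, exists = demo()
    print(f"overwrote {n} bytes; file still exists: {exists}")
```

After the overwrite passes the original text no longer appears anywhere in the file, which is the property a recovery tool like the ones in the story above relies on; the unlink alone, as the comment stresses, would have left it intact.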