Is it ethical for lawyers to store and send information through the cloud?


Firms considering reducing their paper and physical storage use and costs by switching their data to the cloud sometimes worry about security and trustworthiness. Especially in the business of law, firms want to avoid ethics violations due to data breaches of confidential client information at all costs.

What these firms may not know is that they are likely already storing files and communicating with clients using cloud technology. Think Dropbox, Google Drive, and Microsoft OneDrive.

The technology exists and is already being put to use. However, there are measures that law firms can take to ensure the security of their information when they put it in the cloud and ways to verify the ethics of doing so.

Is it ethical to use the cloud to store and transmit client information?

In short, yes it is. Lawyers can use cloud-based data storage of confidential information while still maintaining client confidentiality. Over 20 state bar associations have issued ethics opinions on this very topic, and all have reached the conclusion that “lawyers may ethically use cloud computing, so long as they exercise reasonable care to keep client information and files confidential,” according to Attorney At Work. Lawyers just need to be aware of the risks and rewards of technological applications like the cloud and the standards that regulate them. And you certainly don’t need to have a computer science degree to know how it all works; you just need to exercise due diligence to know everything is secure.


What steps can lawyers take to ensure the security of their stored data?

There are certain steps lawyers can take to ensure data security at their firm.

Know cybersecurity threats for law firms

The first step is to be aware of threats to security. According to Law Technology Today, this can come in the form of state-sponsored hackers such as those from China, industrial espionage by clients’ competitors, departing employees and even scripts or programs which scan for and attack computer systems and networks.

Prepare, plan and train law practice staff on security awareness

Disruptions in operations and productivity are easily avoidable through planning and preparation. Once you’ve selected your security systems, make sure they’re vetted and tested by a small group of users before implementing them widely. Prepare the new users by giving them ample notice as well as a training plan based on results from the initial test group. Security awareness training is likely the most effective measure you can take when it comes to preventing incidents, says Law Technology Today. When putting together a training, make sure to cover electronic communications, incident reporting, internet access, mobile device security, password policies, remote access, social media use, the firm’s acceptable use policy, visitor policies and wireless access security. You should emphasize the need for good judgment.

Verify law firm vendors

The vendor which provides the cloud technology to your firm should also be following appropriate security protocols. They need to pay close attention to securing and protecting your data. You can learn more about Afinety’s dedication to security for its clients’ data on the website or by calling the office.

Testing your law firm security

Consider hiring a third party to handle your security audits. It will keep you accountable and honest when it comes to the effectiveness of your security measures. According to Law Technology Today, an outside security expert will perform a top-down evaluation of your systems, security policies and practices and access to the systems. After a professional third party audit, you should also try to break in yourself. This is known as a penetration or pen test, and will help you identify areas of vulnerability. Following a security audit or pen test, the firm’s IT department should carefully review the recommended changes in the remediation plan before implementation to consider any possible adverse effects on other systems and end users.

Cloud-based storage has become the standard method for storing and sharing data. The legal profession, like other industries, must adapt to compete in the ever-evolving market. If firms take the right steps to ensure security, there should be no issue with the transition, and all proceedings should move along smoothly.

Cybersecurity checklist to prepare for the new year

Law Firm Cybersecurity Guide For 2020

It is vital, regardless of the size of your law firm, that you utilize astute cybersecurity practices. The IT landscape is constantly evolving, as is the rest of our digital-centric world, and we must learn to proactively adapt and respond to these challenges. Denial-of-service attacks, where perpetrators disrupt services and make a machine unavailable to its users, have decreased since 2018, as have ransomware attacks. However, according to the Online Trust Alliance, losses caused by business email compromises have doubled and crypto-jacking incidents have more than tripled.

The ever-changing landscape of the web can make it difficult to truly know if you’re protected against these attacks. The checklist provided here will give you the basics of securing your law firm against a variety of threats, so here are five things to add to your cybersecurity checklist:

Assess law practice risks

Assessing the risks within your own IT infrastructure can be difficult because it relies on a detailed understanding of potential weaknesses before they are attacked; it requires you to be steps ahead of any potential threats. To start, you need to address certain questions to develop a plan:

  • How would a cybersecurity attack affect the functions of your firm? Who would be affected, and how would it impact your credibility?
  • What data or client records are critical to your firm’s operations?
  • Are there any specific regulatory requirements your firm should comply with?
  • What is your budget for cybersecurity?

Control company domain

Most companies have a domain controller, used to set up email profiles or provide permissions to users for certain programs. When establishing a new hire in the office, there’s typically an onboarding process to add them to the domain controller. You may be lacking an off-boarding process, however, for when a user should no longer have access to company data, programs and computers, says Inside Business.

The domain controller is where all domain login and password information is stored. Using this can keep the login/permission all in one location, and simplify the process. The list of users and their permissions should be checked and updated frequently. If someone is no longer working at the firm, they should be removed from the domain so they no longer have access to company information.
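One way to run the periodic review described above, shown as an added example that is not from the original article or from Afinety: compare a user export from the domain controller against the current staff roster and flag accounts that should have been off-boarded. The CSV column names, the `svc-` service-account prefix, the 90-day threshold and all sample data are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample data (not from the article): the HR roster of current
# staff and a user export taken from the domain controller.
HR_ROSTER_CSV = """username,name
asmith,Alice Smith
bjones,Bob Jones
cwu,Carol Wu
"""

DIRECTORY_EXPORT_CSV = """username,enabled,last_logon,groups
ASmith,true,2020-01-06,Attorneys;DocMgmt
bjones,true,2019-08-15,Paralegals
dlee,true,2019-12-20,Attorneys;Billing
epark,false,2019-03-01,Attorneys
svc-backup,true,2020-01-07,Backup Operators
"""

REVIEW_DATE = date(2020, 1, 14)   # constructed "today" for the sample run
STALE_AFTER_DAYS = 90             # assumed threshold for an unused account
SERVICE_PREFIXES = ("svc-",)      # assumed naming convention, non-human accounts


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_logon(value):
    """Return the last-logon date, or None if the account never logged on."""
    value = value.strip()
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def review_accounts(roster_csv, directory_csv, today):
    """Return {username: [findings]} for directory accounts needing action."""
    # Usernames are compared case-insensitively, as directory logins are.
    staff = {r["username"].strip().lower() for r in load_rows(roster_csv)}
    findings = {}
    for row in load_rows(directory_csv):
        user = row["username"].strip().lower()
        enabled = row["enabled"].strip().lower() == "true"
        groups = [g for g in row["groups"].split(";") if g]
        last_logon = parse_logon(row["last_logon"])
        notes = []
        if user.startswith(SERVICE_PREFIXES):
            # Service accounts never appear on an HR roster; a person must own them.
            notes.append("service account: confirm a named owner")
        elif user not in staff:
            if enabled:
                notes.append("not on staff roster but still enabled: disable")
            if groups:
                notes.append("not on staff roster: remove from " + ", ".join(groups))
        elif enabled:
            idle = None if last_logon is None else (today - last_logon).days
            if idle is None or idle > STALE_AFTER_DAYS:
                notes.append("on roster but unused: verify with supervisor")
        if notes:
            findings[user] = notes
    return findings


if __name__ == "__main__":
    report = review_accounts(HR_ROSTER_CSV, DIRECTORY_EXPORT_CSV, REVIEW_DATE)
    for user, notes in sorted(report.items()):
        for note in notes:
            print(f"{user}: {note}")
```
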

Keep software updated

Set up your operating system for automatic updates – turning off computers at night will enable them to update (and clean out system clutter) on a regular basis. System updates are particularly important for server operating systems where they should be reviewed on a recurring schedule. While these updates may seem like an occasional inconvenience, they’re important to utilize because they’re often updating security features based on past attacks or flaws in protection.

Also, make sure that none of your software is reaching “End of Life.” All this entails is that the maker is no longer providing updates, support or security fixes. For example, on January 14th, Windows 7 Service Pack 1 will no longer be supported, which puts users at risk for security breaches.


Educate staff on phishing

Avoiding uncommon or suspicious links may seem like a simple practice, but there is a reason phishing continues to persist — people still fall for it. Tactics have changed over time, now including “vishing,” which is the practice of criminal phone fraud, so businesses must remain vigilant and aware of how these scams can surface. Educate staff to never provide log-in information on a website that they’re unsure of, and to be wary of links or pop-up windows that rely on a sense of urgency, suggests My Tech Decisions.

Consider the cloud

Storing your company’s information in the cloud offers extra layers of security and additional steps to ensure your network is protected. You could wrap up 2019 and head into the new year knowing that you’ve made all possible advances towards the best cybersecurity practices and utilize the Afinety Cloud Program, which offers unmatched security through Amazon Web Services.

A guide to stronger passwords for lawyers


Cybersecurity and data protection may not be at the forefront of most lawyers’ minds, especially with pressing deadlines, evolving laws and ongoing work with clients — but that doesn’t mean it should be neglected. Data breaches can have serious consequences, especially when it comes to protecting confidential information at your law firm. According to the Breach Level Index — a database responsible for tracking breach statistics — nearly 5 million data records are lost or stolen every day. With personal client data at risk, taking the necessary precautions can protect firms against a breach and keep their reputation intact. Because strong passwords can be the first step in protecting your firm, here are five tips for making sure they are hard to crack:

Consider using a password manager

Password managers, like 1Password or LastPass, create unique passwords for all of your accounts. Consumer Reports notes that while there has been growing encouragement across the web to create stronger passwords, there has been no guidance on how to manage them, which means they’re often reused for many different accounts. Cybercriminals will exploit these vulnerabilities. With a password manager, all you need is to create one solid, complicated password that’ll be used as your master key — once you have that created and memorized, the password manager will do the rest for you.

Long and complicated is best

Hackers are familiar, as are you, with the quick and easy picks for log-in credentials. “Password123” is not a viable password, nor are the names of your children or pets. Despite years of advising against it, variations of the word “password” remain one of the most common picks out there. Out of 130,000 passwords analyzed by cybersecurity company Rapid7, 4,000 of those included the word “password,” says Consumer Reports. While unique characters and uppercase letters can be useful for strengthening passwords, length may be the most important aspect of creating a solid line of defense. Once you have a range of 12-15 characters, hackers are much less likely to be able to guess their way in, reports Wired. Avoid simple patterns or pop culture references, and mix it up — or better yet, make up your own phrase and include special characters.


Recycling is bad for passwords

This is where a password manager can really come in handy. Researchers discovered that 2.2 billion stolen emails and passwords had been posted online, aggregated from years of data breaches across various websites. That means that using the same password for your favorite blog and your bank account could put you at serious risk.

Embrace two-factor authentication

With 62% of Americans using two-factor authentication, it’s becoming a much more commonplace practice throughout the internet. 2FA often involves entering added verification sent to a smartphone, a one-time code, along with your password. By using the multi-step process, which consists of a proof of knowledge (like a password) and physical proof (like having your phone in your pocket), you’ll be ensuring a more trustworthy, secure process that your clients will appreciate, says Law Technology Today.

Change can be a good thing

While updating passwords too frequently can lead to forgetting them — and getting increasingly less creative with adjustments — it is important to remember that the longer a password is used, the more likely it has been deciphered by a hacker. If you hear that a company you’ve used has had a security breach, change your password (even if you’re not sure if it affected your account). Also, if you have accounts that have gone untouched for a while, delete them. This can keep your log-in credentials from being breached just because of an old AOL account you had years ago.

In the digital age, it’s vital for everyone to do their best to stay a step ahead. Hackers are becoming smarter, which can be risky for your law firm if not properly secured. Start by taking measures to have strong, complicated passwords. However, if you’re looking to take it a step further, consider utilizing cloud technology for further data protection. The Afinety Cloud Platform is designed specifically for law firms by law firm experts.


Key Takeaways From The 2019 Cloud Computing Report By The ABA


On Oct. 2, 2019, the American Bar Association released its 2019 Cloud Computing report highlighting the changing relationship between law firms and the cloud. From concerns and questions to moving towards the future, we have summarized some of the most important and surprising information obtained from the ABA 2019 Legal Technology Survey.

Cloud Technology Is Slowly But Surely Becoming The Norm For Law Firms

Some of the most promising news from the survey is more law firms are using cloud services. The number increased from 55% in 2018, to 58% in 2019. Surprisingly, this technology is being utilized more often by individual and small firms, at 60% of those surveyed, while only 44% of larger firms with 50-99 lawyers have adopted it.

Though this increase is small, it’s a move in the right direction.

Security Fears And Loss Of Control Are Holding Law Firms Back

Cloud users and nonusers had similar reservations about the still relatively new technology. The survey found that 65% of current cloud users identified “confidentiality/security concerns” as their biggest concern. Similarly, 50% of nonusers reported not having tried the cloud due to the same concern.

Considering the cloud is one of the most secure ways to store data due to its redundancy, security and safe sharing methods that Forbes outlines, these numbers come as a surprise. If law firms are not adopting the cloud, what are they using? There should always be multiple copies of important documents, ideally stored in different locations. Unlike hard drives and physical paperwork, the cloud will always store duplicates in multiple places, so even if the worst case scenario occurs, your data will most likely still be accessible.

On the same note, lawyers are also concerned about losing control of data. This was the second largest pain point for both users and nonusers. The results from this portion of the survey did not change much from the prior year, which is disappointing. There’s a long way to go when it comes to educating law firms about how beneficial cloud technology is for securing sensitive documents without losing control.


Law Practice Contradictory Behavior On Cloud Computing Is Alarming

One of the biggest, and most concerning, pieces of information gained from the survey is the contradiction between lawyers’ understanding of the cloud and their actual use and implementation of it.

Even though more law firms are now using the cloud, they are dropping the ball surrounding cybersecurity. Considering security and control are their top concerns, it’s odd that their behavior does not reflect this.

The ABA does not hold back its dissatisfaction with these results, and considers the lack of effort on security to be “a major cause for concern in the profession.” To give more context, the survey listed 13 standard precautionary security measures. The most commonly used measure, secure sockets layer (SSL), was used by only 35% of respondents. Beyond that, the numbers get more dismal.

Only 28% of respondents reviewed their vendor privacy policies, down from 38% that did last year. Again, if security is a main concern, reviewing privacy policies should be the first thing law firms do with their cloud provider. Numbers for security measures were down across the board, a fact that the ABA is explicitly upset about.

Another interesting point the ABA highlights is the lack of legal formality that lawyers take with their cloud vendors. A meager 4% of respondents negotiated a confidentiality agreement with their provider, and barely 5% arranged service legal agreements. These disappointing numbers for actions that lawyers should be well versed in leave the ABA questioning technology competency requirements.

Finally, the overwhelming majority of law firms (94%) consider vendor reputation to be important when selecting a cloud provider. When looking for a cloud service provider for your firm, consider the Afinety Cloud Platform. ACP is a cloud network designed for law firms by law firm experts. With a focus on the legal industry since 1986, Afinety understands the unique challenges law firms face when it comes to data protection and proper configuration of a cloud network.

Legal Profession: The New Frontier For Cyberattacks

Law Firms Are Now Cyberattack Targets

Retail. Finance. Healthcare. Hospitality. Government. Transportation. You name the industry, it’s likely experienced the ills of data theft. Yet one sector that’s remained relatively unaffected by sensitive information hackers is that of private law.

At least, that was the case, until recently. A newly released study from the American Bar Association suggests firms of all sizes are in computer criminals’ crosshairs like never before.

“Nearly 25% of attorneys acknowledge their offices have been affected by a breach.”

Roughly 1 in 4 attorneys in ABA’s 2018 TechReport acknowledge that their offices have been affected by a breach at one point or another. That’s a considerable uptick from as recently as five years ago, when the rate was in the teens. Of those who attest to being victimized, firms with between 50-99 employees on staff were affected the most at 42%, followed by firms employing 100 or more at approximately 31%.

Rich Santalesa, a cybersecurity expert and counsel for the New York City-based law firm Borstein Legal Group, told the ABA Journal that no industry is entirely immune, but one thing that lawyers and attorneys have going for them is hindsight. Because the frequency of attacks on firms has risen only recently and remains fairly low relative to sectors like retail and healthcare, they can glean insight from others’ miscalculations.

“Law firms as a whole can learn a lot about cybersecurity by looking at other industries,” Santalesa explained. “Unfortunately, other industries have had to learn their lessons the hard way – by having breaches that have received media attention.”

At the same time, though, law firms haven’t entirely escaped the fourth estate’s observations. Indeed, as chronicled by the National Law Review, a Washington-based lawyer noted in February 2018 that attempted cyberattacks were a daily frustration at his firm, up 500% during the previous 24 months. In June 2017, multinational law firm DLA Piper was one of several organizations whose networks were hijacked by ransomware, forcing the shutdown of the company’s IT systems for days in several of the 40 countries where DLA Piper has offices. And in April of last year, a specialist law firm’s computer networks were breached, which wound up exposing the personal commercial insurance policy data of over 1,500 companies in the U.S.


Ways Law Practice Data Can Be Breached

Part of the problem – both for law firms as well as virtually all other businesses that aggregate data – is the variety of means by which identifying material can be purloined. As previously referenced in this space, ransomware is increasingly common and phishing – which utilizes bait-and-switch emails to bamboozle targets – has never gone away since this means of communication debuted. According to the Identity Theft Resource Center, north of 446 million records were exposed in 2018, along with 1.68 billion email-related credentials.

“When it comes to cyber hygiene, email continues to be the Achilles Heel for the average consumer,” warned Adam Levin, founder and chair of CyberScout, a Scottsdale, Arizona-based data security services firm.

Left alone or quickly deleted, phishing emails are benign. But because they look so authentic and are designed to mimic the typeface, tone and design of legitimate companies, approximately 33% of them are eventually opened, according to a 2017 data breach report from Verizon.

Adopt A Security Culture

How can law firms immunize themselves from data disaster? It’s virtually impossible to avoid cyberattacks completely, but it starts by doing what so many other companies have failed to do, which is adopting a culture of security, according to Verizon Communications CSO Michael Mason. Speaking to ABA Journal, Mason said firms should approach protecting their data like they would vetting a babysitter.

“When you hire a babysitter for your child, what sort of background check do you use? Hopefully, something so precious is not put into the hands of strangers without a background check,” warned Mason. “Your firm’s data is also precious.”

He further advised that law firms often assume a “one-and-done” approach toward data security, obtaining a professional risk assessment a single time and assuming that it alone should suffice. These must be conducted consistently over time to remain above the fray, ideally once a year.

Take your network security a step further by moving to the cloud for enhanced data protection and true mobility. The Afinety Cloud Platform (ACP) is designed specifically for law firms by law firm experts and runs on the largest, most mature cloud provider in the world, Amazon Web Services. AWS data centers and network architecture are built to meet the requirements of the most security-sensitive organizations and designed to keep data safe. This includes built-in, state-of-the-art network firewalls, automated encryption for data in transit and at rest, plus continuous infrastructure testing with summarized results. This allows you to maintain the highest standard of security without the cost of having to manage your own network or facility. Other options, such as Multifactor Authentication, will enhance your network security even further to guard against cyberthreats or lost data.


Is Paying the Ransom Always a Non-Starter?

What Should Law Firms Do When Faced With Ransomware

Ransomware attacks are increasingly common, with some estimates suggesting that they’ve risen in frequency by nearly 500% from 12 months ago, according to Forrester Research. If your law firm IT were to be affected by such a cyber incident, would you pay the ransom?

Entertaining such a question seems to not only go against conventional wisdom but what IT security experts have long cautioned – that you can’t negotiate with the unscrupulous. Further, capitulating to hackers’ demands in no way guarantees that they’ll wind up surrendering the information stolen or encrypted.

However, given the sensitivity of the data involved, some IT authorities say it’s not so nonsensical a notion after all, as it’s in bad actors’ best interests to deliver on their promises when those they prey upon pay up.

Florida City Opts To Pay $600k To Retrieve Data

From small-business owners to international conglomerates, companies of all sizes have ultimately decided to cut their losses and pay the amount that perpetrators insist on. Even municipalities are acquiescing, the latest example being Riviera Beach, Florida. Located north of West Palm Beach, the city and its 35,000 residents have been unable to use public service utilities over the last three weeks because attackers hacked into the city’s network servers, disabling phone lines, emails and payment processing, The New York Times reported. Unable to retrieve the hijacked data, local lawmakers voted unanimously to pay the $600,000 ransom, which officials are hopeful will put computer servers back online, as happened for a Georgia county that paid $400,000 when it was victimized in March, according to The Wall Street Journal.

Riviera Beach spokeswoman Rose Anne Brown told the Times that it’s coordinating with law enforcement and informed them of its decision prior to wiring the money.

“We are well on our way to restoring the city system,” Brown explained.

“170 government entities have experienced ransomware infections since 2013.”

In addition to Baltimore, which is steadfast in its decision not to pay the ransom, Riviera Beach is only the latest municipality hit by such a cyberattack. Based on data obtained by CNN, no fewer than 170 government entities – meaning cities, counties or states – have fallen prey to ransomware infections in the last six years. Forty-five of these were sheriff’s or police departments. This may be particularly worrisome for law firms, given they’re often in regular communication with law enforcement regarding pending cases, which entails the sharing of data.

“We were crippled, essentially, for a whole day,” Albany Police Department patrolman Gregory McGee told CNN. “All of our incident reports, all of our crime reports, that’s all digitized.”

Acceding To Ransomware May Be Best Of Bad Options

IT teams were able to resolve the issue in New York’s capital city within 48 hours and did so without giving in to the offenders’ demands. However, given the stakes involved, many believe that paying should not be summarily dismissed as a non-starter.

“There’s a tendency to answer the question by sloganeering: Never negotiate with terrorists,” wrote Stephen Carter, law professor at Yale University, in an opinion piece for Bloomberg. “Otherwise, so the reasoning goes, you will get more terror attacks. But while this argument makes sense for those who are likely to suffer repeated attacks, it’s not clear that those less likely to be regular targets should reason the same way.”

Josh Zelonis, a senior analyst at Forrester Research, feels similarly, noting that cities that hold the line may suffer from diminishing returns, as Baltimore is learning firsthand. The financial fallout from the attack is believed to be in excess of $18 million and counting. In other words, the ransom demanded may be a pittance compared to the alternative.

“Many organizations significantly underestimate the scale of disruption they need to plan for or make too many assumptions about what functionality will continue to exist after an attack,” Zelonis warned.

He added that while paying the ransom may indeed be inadvisable, it should at the same time not necessarily be completely out of the question, but explored “in parallel with other recovery efforts to ensure you’re making the best decision for your organization.”

Of course, the best solution is to avoid becoming a ransomware victim altogether. This is possible by remaining vigilant. Perhaps above all else this also means leveraging a multilayered approach to data security, including multifactor authentication, software patches, updates and a good disaster recovery plan. Look to a reliable cloud solution, like the Afinety Cloud Platform, which runs on the largest and safest cloud provider in the world, Amazon Web Services, to reduce your risk of outside threats in today’s world.

Ensuring Cybersecurity For Law Firms

How To Ensure Your Law Firm’s Cybersecurity

Cybersecurity isn’t an issue facing the legal profession alone – across the board, it affects nearly every profession and industry. And usually, not enough attention is devoted to it until something serious happens. For example, Forbes reports that a major breach occurred in the legal field in 2017, when 11 million files were leaked from one law firm.

Research by CNA Insurance showed that 80% of the largest law firms in the U.S. have already experienced a malicious breach. In most of those cases, the firms either failed to discover the breach on their own, or discovered the breach a number of months after its occurrence.

Before your law firm falls prey to a cybersecurity incident, here is some helpful advice for taking preventive measures.

Any Device Can Be Compromised

The ABA Journal warns that almost any type of advanced technology has the potential to be hacked. For example, even obsolete equipment being thrown out with the trash – such as old copying machines containing hard drives – could contain data that you don’t want falling into the wrong hands. In 2010, Affinity Health Plan, a Bronx, New York-based managed care provider, had a cybersecurity breach in which hundreds of thousands of health care records were put at risk. The lease was up on the copy machines, and when the equipment left the building, so did files on more than 344,000 clients.


Dealing With Cybersecurity Vendors?

The American Bar Association’s Cybersecurity Legal Task Force suggested measures your firm can take when beginning a relationship with a new cybersecurity consultant. For example, when you’re doing a background check of the company, make sure the prospective vendor’s existing clients haven’t suffered any recent security incidents or breaches, or that the vendor doesn’t have any lawsuits and regulatory claims against them as a result of such incidents. Also verify that they have all the staff, certifications, programs and equipment necessary to do what they’ve promised – and that they don’t plan on sharing or sending out your data for offsite storage with any outside third-party contractors without your knowledge or permission.

Under Cyberattack? Know The Signs

The Department of Homeland Security says to be aware of “Denial Of Service” attacks, which happen when legitimate users can’t access computer devices or other network resources because a hacker is flooding your server or network with requests or junk data traffic. This attack typically continues until your system cannot respond or simply crashes. Services affected may include email, websites, online accounts or other services that rely on the affected computer or network. Sometimes the hacker accomplishes this by remotely assembling a large group of unrelated computers and systems from other unsuspecting individuals and organizations to join in the attack. The more devices participating in the attack, the harder it is to trace the origin of the hack.

Have A Policy On BYOD / Bring Your Own Devices

Gathering and sharing information is an essential part of a law firm’s business. Despite the growing trend towards e-Discovery and using various digital media for storing or distributing information, however, you need to be very cautious regarding thumb drives and other portable USB devices. The ABA Journal compares mini-storage devices to a dirty needle – they can come preloaded with malicious software and are often used by hackers and penetration testers to exploit human vulnerabilities and gain access to a network. According to CNA Insurance, while BYOD capability makes smart business sense because it enables attorneys to access their firms’ networks and download client data onto their devices, it also creates risks stemming from unrestricted use of outside devices. You might want to consider requiring password protection, encryption or remote wiping capability for BYOD situations. Otherwise, when devices are lost or stolen, you’re not only vulnerable to a data breach, but your firm’s network itself may be exposed to malware and viruses.

The Importance of Secure Document Management for Law Firms

Law Practices Need Secure Document Management

The sheer amount of paper produced by any law firm can be staggering. Contracts, briefs, pleadings, motions, discovery – and that’s not even counting evidentiary documents, letters, emails, and photos, all of which must be painstakingly generated, sorted, annotated, collated, and filed for future reference.

Even with digitization helping legal firms replace paper documents and create paperless offices, documentation must still be scrupulously filed and maintained. Without a standardized, streamlined process in place, information management, security, and file retrieval can be overwhelming. The correct document management program can increase productivity and efficiency, automate many basic filing tasks, improve file security, and simplify document retrieval.

Email systems and shared file drives are clumsy and ineffective as a document management option for law firms. Folder-based filing systems can create problems as you scale, with lack of version control, non-standardized naming conventions, and multiple sub-folders destroying attempts at hierarchy and logical indexing. Implementing an email folder system makes file retrieval difficult and can cause server overload due to massive email files. In addition, unencrypted email is extremely insecure, and even encrypted email is vulnerable to user error when forwarding or replying.

According to the 2015 edition of the annual Legal Technology Survey Report (which is compiled by the American Bar Association’s Legal Technology Resource Center), only 35% of lawyers used email encryption during the four years preceding the survey’s publication. When asked what security precautions are used when sending confidential or privileged communications to clients via email, 71% of lawyers said they rely on the confidentiality statement in the message body.

Document management systems are more secure than email

Putting a document management program in place allows sensible, streamlined organization of all files, including email, documents, and electronic media. Searchable and indexable protocols can be readily established, with documents filed hierarchically and indexed in a virtual, centralized hub for easy access. Email and scanned comment profiling, metadata indexing, and optical character recognition (OCR) conversion make finding documents accurate, easy, and fast.

Lack of document security poses a serious privacy risk for any law firm. Multiple levels of internal and external security that permit users access to read, delete, and/or edit each document are required, and authentication protocols are crucial to client confidentiality. A good document management system will provide a complete audit trail for the document’s entire lifecycle and help ensure that the firm’s intellectual property and confidential client information are being handled properly.

Sharing documents with clients and colleagues is a constant requirement, but while sharing via email or paper copy is easy and fast, it’s neither reliable nor secure. Once an attached document is sent or forwarded to an incorrect recipient, there is no undoing it. If sensitive or confidential information was exposed, there is risk and liability if it is used against your firm or your client. A secure document management program provides safe alternatives to colleague and client communications, with authentication required to retrieve or view any documents.

A designated, encrypted portal can allow documents to be privately sent, received, and reviewed with no exposure. Only appropriate document access is assured, while version control and document history are maintained. Documents can also be safely collaborated on within the document management program, which creates a secure shared environment within which documents can be reviewed, copied, edited, tracked for changes, saved in the latest format for all users, and shared with pertinent viewers for review or annotation.

A uniform scanning process ensures that scanned files will be organized, indexed, and secured, while OCR can be implemented on image files such as pdfs to enable full text searching across all documents. Physical media such as photographs, DVDs, and CDs, can also be digitized and indexed to reduce the space needed for a physical media library and facilitate sharing these files alongside pertinent documentation. This also improves searching capability and can produce immediate benefits for the entire firm.

The American Bar Association, in Opinion 477, laid out updated recommendations for safeguarding client privacy, and strongly urges the security of client data to be discussed with legal clients to ensure they are aware of risks if less secure forms of document sharing are used. With a safe, secure document management system, many risks can be eliminated or minimized.

How To Spot Phishing In A Legal Firm

Alert: Phishing Methods That Law Practices Need To Know

Everyone has experienced phishing in some way, whether through a phone call from an obscure agency, a letter claiming its recipient won a contest he or she didn’t enter or an urgent email either offering a fortune or threatening legal action. Phishing is one of the oldest scams in existence, and this is what makes it so dangerous.

With powerful new ransomware being developed by cybercriminals, some may believe that all cyberattacks are increasingly sophisticated, but this is only partly true. Phishing today is more cunning than it was years ago, but it still operates on the same simple principle: trick the user into a response. With legal firms handling so much confidential data, they cannot afford to ease up on phishing. Firms don’t need to be hit with ransomware like WannaCry to suffer a breach.

Phishing Is Evolving

Phishing isn’t what it was even five years ago. The days of the Nigerian Prince are largely over. These cyberattacks depended on malicious attachments to infiltrate a secure network. Thanks to providers like Google and Microsoft, however, these emails were increasingly filtered to spam folders. The suspicious attachment, especially from an unknown source, was easy to detect.

In order for phishing to work, the recipient first needs to see it. Recent Proofpoint research has uncovered a switch in phishing tactics. Phishing emails are now far less likely to use the filter-catching attachments, opting instead for emails with dangerous hyperlinks and attached archives like compressed Javascript files. This change is designed to beat the automatic filters and deliver the message into a regular inbox where it has a much higher chance of being read.

This change also allows phishing to deliver far more than ransomware and malware. Adware, banking trojans and generalized information theft are now possible through these malicious messages.

Phishing can be used to deliver a host of unfriendly software into a network, or to steal confidential employee information.

Why Comprehensive Employee Training Matters

One of the most dangerous aspects of phishing is that every employee is at risk. Cybercriminals can target executives, assistants and everyday employees once they have the right email address. It only takes a breach at one level to potentially expose an entire network.

Take this real world example: an HR officer preparing the office W2s. This officer receives an urgent email from the CEO (or at least from a very similar email address), stating that there’s been a problem and HR must email the W2s back right away, so that they might be fixed. The tone of the email implies that the problem is severe and that immediate action must be taken. Given that it’s the boss, why hesitate?

In this instance, personal identifying information of not just the HR rep but the entire staff has been exposed. Life-crippling data like Social Security Numbers are now in malicious hands that can use the information for a variety of nefarious deeds.

Phishing can also retrieve passwords, usernames and a host of other information that can enable network access. Many legal firms operate on older systems, ones created before the principle of least privilege (designing software to limit employee access to only the files they need) was widely implemented. This means that an assistant might have full access to case files and other sensitive data.

“Most successful phishing attacks are designed to look like emails the recipient is expecting.”

The Telltale Signs Of Phishing

According to Verizon’s 2017 data breach report, roughly a third of phishing emails are opened. Organizations cannot be dismissive of any kind of cyberattack that has this level of success. While phishing has evolved, the benefit is that it has retained certain common characteristics. This makes the malicious messages easy to spot, so long as an individual knows what to look for.

A Wombat security report claimed that the most successful phishing attacks were, unsurprisingly, designed to look like emails the recipient was expecting. That HR example was one such instance. This practice, known as spear phishing, is designed to camouflage into the regular inbox traffic. However, the email – while similar – will always be at least slightly different.

Be wary of suspicious domain names. For example: may be real but is likely malicious.

Instruct staff and partners to never click on an embedded link from an unknown source, even if the email looks legitimate. Employees should also be wary of any correspondence containing multiple spelling or punctuation mistakes. Hackers rarely have the same commitment to standards that corporations do.

Lastly, train all staff to beware of any messages with intimidating or overly urgent tones. Phishing schemes are designed to make a person act first and think later. It is not uncommon for these malicious messages to threaten legal action or firing in an attempt to force an immediate response. Employees should be advised to contact a supervisor if they ever feel threatened before responding to an email.
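The signs listed in this section (a sender domain that is almost, but not exactly, the firm's own; an urgent or threatening tone; embedded links; and the archive or JavaScript attachments mentioned earlier) can be checked mechanically as a first triage pass. This is an added example, not code from Afinety or the cited reports; the firm domain `examplelaw.test`, the keyword list, the extension list and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

FIRM_DOMAIN = "examplelaw.test"  # assumption: the firm's real mail domain
URGENT = re.compile(
    r"\b(urgent|immediately|right away|legal action|terminated|final notice)\b", re.I)
RISKY_ATTACH = (".js", ".jse", ".zip", ".7z")  # scripts and compressed archives

# Constructed sample modelled on the W2 request described above ("l" swapped for "1").
SAMPLE = """From: "CEO" <ceo@examp1elaw.test>
To: hr@examplelaw.test
Subject: URGENT: W2 problem

There is a problem with the W2s. Email them back right away.
Details: http://portal.examp1elaw.test/w2
"""

def edit_distance(a, b):
    """Levenshtein distance: edits needed to turn string a into string b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw):
    """Return the list of phishing signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # One or two edits away from the firm's domain: similar, but not the same.
    if 0 < edit_distance(sender_domain, FIRM_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    body = ""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACH):
            findings.append("risky-attachment")
        elif part.get_content_type() == "text/plain" and not name:
            body += part.get_payload()  # sample is 7bit; decode other encodings first
    if URGENT.search(msg.get("Subject", "") + " " + body):
        findings.append("urgent-tone")
    for url in re.findall(r"https?://[^\s>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if host != FIRM_DOMAIN and not host.endswith("." + FIRM_DOMAIN):
            findings.append("external-link")
            break
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A result with any finding is a reason to hold the message for a second look, not proof of phishing; an empty list does not clear a message either, since a compromised internal account passes every one of these checks.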

Phishing tones are typically charged, whether ecstatic or enraged. They are trying to discourage rational thought.

How A Cloud Solution Helps

Unfortunately, many legal firms do not have the budget to retain a full time information security specialist to monitor for phishing schemes and keep employees up to date on cybersecurity trends. Many do not even have the resources to fully meet all cybersecurity needs.

In an increasingly dangerous technological landscape, legal firms can feel like little fish in a very large pond. However, passing off data solutions to a trusted cloud provider can help. Cloud companies typically have much more in the way of resources to help prevent data breaches. Companies like Microsoft annually invest $1 billion in cybersecurity research, according to Reuters.

At Afinety, we take all aspects of cybersecurity seriously. Our cloud platform has been tailored to the legal industry, making sure all of your needs are met. As phishing and other cyberattacks continue to evolve, so will our product. Contact Afinety today to learn exactly how our experts and software can help your firm.

Why Legal Firms Are Switching To Cloud Computing

What’s Driving Law Firms’ Need For The Cloud

While many sectors have been quick to embrace cloud computing, law offices have traditionally lagged behind. Part of this has to do with regulatory concerns governing case data, and part with the lack of technical expertise that is not uncommon within a law firm. However, according to a recent article from Big Law Business, legal firms are finally starting to make the shift away from in-house data centers.

This move is being prompted not just by the advantages of cloud computing but by shifting international laws and data regulations. Larger legal offices that deal with clients from around the world are finding it easier to rely on cloud technology.

Help With GDPR Adoption

A large factor driving this change is the deployment of the General Data Protection Regulation (GDPR) by the European Union. This law was written to better protect user privacy rights within an increasingly digital world, setting clear definitions as to what information can and cannot be discreetly collected and used without the user’s informed consent.

While many of these new regulations link back to the growing prevalence of social networks, even basic communications like email and instant messenger fall under GDPR review. As such, many tech companies that service international clients, including cloud service providers, have updated their solutions to be in full compliance with the GDPR. By making the switch to the cloud, legal firms save themselves the time and energy that would be needed to ensure their data infrastructures follow the new EU law.

Reduced Storage Needs

Another large benefit of cloud solutions is the reduced need for space. Traditional filing systems included filing cabinets and, typically, an off-premise third party storage provider. This infrastructure, while solid, was easily impacted by lost or missing information, in addition to piling up sizeable annual costs – even for smaller legal firms.

Switching to a cloud solution relegates the majority of data, especially archived cases, to digital only, freeing up space and eliminating third party storage costs.

Even on-premise digital storage involves devoting a room to servers and other hardware.

Secure Data That Is Readily Available

However, space saving is not the primary reason to digitize confidential information. As the American Bar Association pointed out, cloud platforms offer a variety of benefits including improved mobility and, more importantly, data security. The vast majority of cloud solutions are designed to be transparent, letting administrators keep an eye on each aspect of the system. This reduces the time needed to detect malicious data breaches, allowing the cloud security to crack down on the problem before it is severe.

Most cloud software builds in automated responses, working to close breaches as soon as they’re detected. Storing data on the cloud also allows it to be encrypted and stored behind multiple levels of authentication, including at least one password. In addition, cloud infrastructures tend to utilize the principle of least privilege. This means that the average user has their permissions restricted to only the files they need. Doing this lowers the risk of accidental change and makes it so that, if a cybercriminal gains access to an account, the whole system does not have a chance of being compromised.

As digital laws continue to shift in response to the GDPR and other regulations, expect even more legal firms to adopt cloud platforms. A modern world calls for innovative solutions.