The leak of the Panama Papers has done more than reveal the underbelly of the international tax-dodger trade. This massive security breach, the biggest document leak in history, also serves as a wake-up call for lawyers and law firms about our responsibility to keep client information confidential.

The files, leaked to the International Consortium of Investigative Journalists, came from the Mossack Fonseca law firm in Panama. Their contents are incredibly incriminating for several multinational organizations and many world leaders as they describe the ways powerful and knowledgeable people have gamed the financial system to create tax havens in off-shore accounts. It’s important that you understand the contents and repercussions of the documents, certainly, but even more important is that you understand what this leak means for law firm security in the future.

Here’s the takeaway:

  1. If you keep it, it can be stolen. Encrypt.
  2. If you send it, it can be misdirected. Encrypt.
  3. If you give access to it, it can be retained. Restrict Downloads.
  4. If your data is stored on your network, it can be accessed by anyone who has network permissions. Firewall it.

Encryption 101

You’ve been told countless times that you need to encrypt your files. And yet here we are. I’m typing, and you’re reading, and wondering if you really need to encrypt. If so, how should you do it? The answer to your first question is “YES!” Encrypt. If you do nothing else today, stop reading this article, and buy software to encrypt your documents. I know you have questions, so let’s break this down.

There are three types of data: 1) Data in Use, 2) Data in Transit, and 3) Data at Rest. Data in use is data that is being created or modified right now. If you are working on a document, that document is in use. Data in transit is data that is being sent or received. That email you just sent is data in transit. That file you just saved was data in transit for a couple of milliseconds. Data at rest is any data that is not currently being sent, created, or modified. You have thousands of documents on your computer. All of that is data at rest. It’s important that you encrypt at every single step, every time you communicate confidential client information.

You need a system to encrypt your email, encrypt your documents, and if you’re good, you’ll encrypt your phone calls by using WhatsApp, Signal, or Facetime with encryption turned on.

Encrypting Your Data at Rest (Storage)

Encrypting your files has never been easier. You can trust a third-party vendor, like a cloud storage service, to encrypt your data on their server with absolutely no additional action required from you. Alternately, you can purchase a service to encrypt your documents yourself. In a perfect world you would do both of those things. Dropbox and Carbonite are popular, easy to use cloud storage vendors that will encrypt your files. Boxcyrptor is the most popular tool for encrypting documents on your computer, or on a third party server.  You want to make sure that your documents are encrypted wherever they rest. In addition to encrypting your documents, you should also encrypt your hard drive. If you’re on a Mac, encryption is automatic. If you’re on a PC, you generally need to enable encryption. You can find your built-in encryption tools on your PC by going to the Start menu, and typing “encryption” in the search field. You’re looking for a program called BitLocker.

Encrypting Your Files in Transit (Sending)

You already know that email is usually not secure. You need to make sure that you are using an email provider with built-in encryption features, or you need to use an “add on” from a company that sells encryption tools that work with your email (AppRiver, Baracuda, or Virtu for example). For a solution that’s generally easier and just as safe as encrypted email, consider client portals. A client portal is a communication tool that is encrypted end-to-end. That means that the system verifies that you are who you claim to be, and that the recipient of your message is who they claim to be. Email encryption does the same thing, but many lawyers find email based programs to be clunky, and that their clients are reluctant to use them. If you already use practice management software, you may have access to a client portal as part of your suite of services. You can also purchase client portals as a stand-alone product.

If you need to share, send, or receive files, you may be able to use your document storage provider. Dropbox, Google Drive, and ShareFile all have easy to use sharing solutions. If you choose to share document from your storage vendor, make sure you have closely guarded controls on access. And that leads us into our next point.

Access to Stored Documents (Restricting Downloads)

If you are sharing documents with your employees, your clients, your vendors, or opposing parties, it’s important that you restrict the rights of each party.

In most cases, when you share documents with another party, you have a shared folder, and the party can view anything in that folder. Some document storage providers allow you to button-down what people can do beyond limiting access to only one folder. ShareFile, for example, lets you limit upload, download, and viewing permissions at a granular level. Not only can you manage access to a particular folder, you can manage access to individual documents. Equally as crucial as upload/download permissions, is the ability to totally kill access to any document for a particular user. Make sure that it is part of your standard operating procedure that you terminate access to sensitive files BEFORE you terminate an employee.

Network Attached Storage (Doors and Firewalls)

When you use a vendor to store your digital files, you generally have a folder which regularly syncs to the vendor’s remote server. Anytime you change your local copy, the remote copy is changed, too. Consider then, the risks of backing up your data on something like Dropbox, but failing to encrypt it. Even though you have a backup, if you are overtaken by ransomware, your back up copies are going to be subject to the attack. Don’t accept that backing up your files is enough. Make sure there is a second layer of protection. And as I’ve said multiple times already, the solution is encryption.

In addition to keeping your files encrypted, make sure that you are also mindful of the points at which your network can be accessed. Limit which users have full access to your network, and keep sensitive documents behind a firewall, a password, and a layer of encryption.

Security threats from internal and external parties are just getting harder to ignore. While I hope you aren’t helping your client commit illegal acts, I do hope you take their security, and your duty to maintain confidentiality very seriously.

If you have any questions about anything mentioned in this article, or would like to get more information about the Center for Practice Management, please visit http://www.ncbar.org/members/practice-management/