Part I of this series, “A Shifting Legal Landscape,” looked at the changing business environment and the need for secure data access. It then discussed the threats to client confidentiality that accompany such technological changes. Part II, “Protecting Client Confidentiality to Meet Ethical Obligations,” suggests a way you can protect yourself against these threats and fulfill your obligation to protect client information from unauthorized access.
Keeping Control of Your Information
Law firms must keep control of sensitive client information to ensure client confidentiality and to maintain legal privilege. This was straightforward when electronic files were on a password-protected computer without a network connection and inside a locked office. All customer information was keyed into the internal system and no collaboration or electronic links existed with the different parties. In this environment, even if your internal system was not secure, your data was just as safe as the paper files in the office.
When computers became networked, business became more complicated. Data was no longer stored in one location. Different groups stored data on different systems in multiple locations; hence, security became more complicated.
Businesses established IT departments whose members monitored the networks and built perimeter protections around these silos to prevent unauthorized access. Perimeter protection was relatively effective at that time because you had to be inside the offices to access the network and you had to log in with a user name and password. Access to the network from outside the offices was restricted by the IT departments. You still had some control of your client information.
Once business environments became more collaborative, electronic data was no longer under your control. Data moved to different cloud applications and you lost control of where the data was. At the same time, data access via mobile devices became mandatory for doing business. These technologies challenged the perimeter security concept.
The perimeter model and password protection became less effective as hackers and adversaries became expert at finding network weaknesses and using sophisticated techniques to obtain user names and passwords.
Some businesses are trying to limit the use of these new technologies by storing only non-sensitive material in the cloud. Such a strategy results in a competitive advantage for businesses that solve the security problem. When you enable your clients to communicate with you via different channels (email, file, applications, etc.), and enable remote access to all the latest information related to a case, from anywhere, using any device, you have an advantage over someone who doesn’t have such access.
The keys to success are:
- Enable your clients to communicate using different methods (email, files, etc.).
- Provide secure access to the data from anywhere through any device.
- Move the data freely without restriction, while maintaining full control of it.
Control means that only people you authorize can see a particular document. All other information has to remain secure from unauthorized access and only you can let someone see specific information. It’s going back to the kind of control you had when you worked on a computer in your office without a network.
Information Security Solutions that Work (or Not!)
Law firms can meet their ethical obligations for client confidentiality either by keeping all client information on their internal networks or by working with a cloud provider. In both cases perimeter security is often augmented with file encryption. While such solutions address some of the problems created by mobile and cloud technologies, you end up with neither adequate security nor optimal secure collaboration.
If you are using cloud applications, your data is often safer than in the internal network but there are other issues. Cloud providers now have access to your information and you have no control over them. Government agencies may gain access as well.
What you need is an information-centred process that protects the sensitive parts of your data and lets you work with and access your data almost as if it were not protected. A new technology called data masking or tokenization offers this kind of protection. It works as a browser plug-in and renders data unusable as soon as it leaves your computer by masking the parts you have identified as sensitive. You can authorize people to view a single file or many files. You have full control of your data, and nobody, not the cloud service provider's technicians, your email provider or even your own in-house technicians, can read the masked data.
How Data Masking Works
With a data masking browser plug-in, you can define specific information as sensitive. When you work on a file in the cloud or when you send information by email, the masking plug-in replaces the characters making up the data with others of the same type. For example, a number will still look like a number but the digits will have changed. Text is still made up of letters. A date still looks like a date. This means that you can place such masked data into a structured database and many searches remain possible.
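The format-preserving behaviour described above, sketched as an added example; it is not CloudMask's code or algorithm. The names `mask`, `unmask`, the field labels and the HMAC-derived shift are assumptions made for illustration, and the construction is a teaching toy rather than a vetted cipher.

```javascript
// Added illustration: keyed, reversible, format-preserving masking.
// Toy construction for teaching only; a real deployment would use a vetted
// format-preserving encryption mode such as NIST FF1 (SP 800-38G).
const { createHmac } = require('crypto');

const CLASSES = ['0123456789', 'abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'];
const DAY_MS = 86400000;
const DATE_MIN = Date.UTC(1900, 0, 1) / DAY_MS;             // first maskable day
const DATE_SPAN = Date.UTC(2100, 0, 1) / DAY_MS - DATE_MIN; // days in the maskable range

// Keyed pseudo-random integer for a field/position label (hypothetical helper).
function keyedInt(key, label) {
  return createHmac('sha256', key).update(label).digest().readUInt32BE(0);
}

// Shift each digit or letter inside its own class; punctuation and spaces pass through,
// so a number still looks like a number and text is still made up of letters.
function shiftText(key, field, text, sign) {
  return Array.from(text, (ch, i) => {
    const cls = CLASSES.find((c) => c.includes(ch));
    if (!cls) return ch;
    const k = keyedInt(key, `${field}:${i}`) % cls.length;
    return cls[(cls.indexOf(ch) + sign * k + cls.length) % cls.length];
  }).join('');
}

// Move an ISO date (YYYY-MM-DD) by a keyed number of days, wrapping inside the range,
// so the masked value is still a valid calendar date rather than shuffled digits.
function shiftDate(key, field, iso, sign) {
  const day = Date.parse(`${iso}T00:00:00Z`) / DAY_MS - DATE_MIN;
  if (!(day >= 0 && day < DATE_SPAN)) throw new RangeError(`date out of range: ${iso}`);
  const k = keyedInt(key, `${field}:date`) % DATE_SPAN;
  const masked = (day + sign * k + DATE_SPAN) % DATE_SPAN;
  return new Date((masked + DATE_MIN) * DAY_MS).toISOString().slice(0, 10);
}

// Values shaped like ISO dates take the date path; everything else is shifted per character.
const ISO_DATE = /^\d{4}-\d{2}-\d{2}$/;
function mask(key, field, value) {
  return ISO_DATE.test(value) ? shiftDate(key, field, value, +1) : shiftText(key, field, value, +1);
}
function unmask(key, field, value) {
  return ISO_DATE.test(value) ? shiftDate(key, field, value, -1) : shiftText(key, field, value, -1);
}
```

Because the mapping is deterministic per field, equal values produce equal masked values: that is what keeps exact-match searches working on masked data, and it also means anyone holding the masked records can tell which ones share a value.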
With data masking, you retain full control of your data and you fulfill your ethical obligations to your clients. When you wish to authorize someone to view confidential data, they must download the same browser plug-in. With your authorization, their plug-in unmasks the data. You control which files are viewed and which data is unmasked. You retain the kind of control of information and the level of client confidentiality you had when your computer was locked in your office.
With CloudMask, only your authorized parties can decrypt and see your data. Not hackers with your valid password, not cloud providers, not government agencies, and not even CloudMask can see your protected data. Twenty-six government cybersecurity agencies around the world back these claims.
Watch our video and demo at www.vimeo.com/cloudmask