Are your passwords strong? Do you change them regularly? These and other practices will help you protect client information and keep hackers at bay.

"Ten cybersecurity tips for lawyers"
By Margo Lynn Hablutzel
Intellectual Property - January 2017

"Lawyers have an ethical obligation to protect their clients' information," and in this day and age that means electronically stored information, observes Margo Lynn Hablutzel in the January issue of the Intellectual Property Section newsletter.

With that in mind, she offers 10 cybersecurity tips for lawyers to consider. A recent CLE program co-sponsored by the IP Section, Cybersecurity: Protecting Your Clients and Your Firm, takes a more detailed look at cybersecurity planning and practice. It is or will soon be available in the ISBA's Free CLE catalog - visit www.isba.org/freecle to search for it.

1. Change the factory password. "When you receive a device from the manufacturer, or a new software system from the developer or company, it probably has a default password," Hablutzel writes. "Always change the password to something different and uncommon as soon as you can" so hackers don't gain access through factory-installed passwords.

2. Change passwords often. "While annoying, this prevents access from former employees and contractors, or by anybody who has obtained a password when you use an unsecured Wi-Fi at coffee shops, hotels, and airports," Hablutzel writes.

3. Use strong passwords. "Strong passwords include a combination of letters (sometimes requiring both upper- and lowercase letters), numbers, and symbols," Hablutzel writes. And please, don't put your password on a sticky note pasted to your monitor.

4. Consider using dual authentication. "This requires two items to confirm a person's right to access your systems, the simplest being an email address and a password," Hablutzel writes. This higher level of security might be worth the inconvenience these days (see tip 8).

5. Limit file access to those who need them. "Some firms set up secure areas for major clients which are accessible to only specific persons from both the firm and the client," Hablutzel writes. You should also limit an administrator's access so he or she "can maintain from the outside (as if s/he were dusting a locked cabinet) but not access the information within."

6. Disable passwords when someone leaves the firm. Firms often forget to change the password when someone moves on, "so the departing person could potentially access the email or files remotely." Always change it, "and be sure it's not something easy to guess."

7. Plan for a cyberattack or breakdown. "Develop a plan for how to respond" to cyberincidents as you would for other disasters, "including cutting off access and restoring information," Hablutzel writes.

8. Train your team to avoid spoofing and phishing. Teach your staff and attorneys to "'trust but verify' before clicking on a link or sending out any information," Hablutzel writes.

9. Require cybersecurity in nondisclosure and employment agreements. Doing so reminds staff and outside consultants "of the need to respect the confidentiality of information and to follow specific protocols to protect that information," Hablutzel writes.

10. Investigate your vendors' cybersecurity practices. "Ask vendors, especially those with access to your systems," what security steps they take "and ensure that your agreement has language putting the onus on the vendors to remedy any breach that comes from their system to yours," Hablutzel writes.