COVID-19 Resources for Lawyers
Featured Guest
Barron Henley

Barron Henley, Esq. is an attorney and one of the managing partners of Affinity Consulting Group’s Columbus Ohio office. Henley...

Your Hosts
Tish Vincent

Tish Vincent is the Program Administrator of the Lawyers & Judges Assistance Program at the State Bar of Michigan. ...

JoAnn Hathaway

JoAnn Hathaway is a practice management advisor for the State Bar of Michigan.  She previously worked as a legal...

Episode Notes

Last time on the State Bar of Michigan’s On Balance podcast, Tish Vincent and JoAnn Hathaway talked with Barron Henley about new rules coming January 1, 2020 related to Michigan’s adoption of the ethical duty of technology competence. Following up on that conversation, Barron offers insights on lawyers’ ethical responsibilities for data security. He outlines various security measures lawyers should employ in their practice (encryption, password managers, VPNs, and more) and advises them to be upfront about security with their clients.

Barron Henley is an attorney and a legal technologist with Affinity Consulting Group.

Transcript

State Bar of Michigan: On Balance Podcast

Tech Competency: Security Fundamentals

12/18/2019

 

[Music]

 

Intro: Welcome to State Bar of Michigan’s On Balance Podcast, where we talk about practice management and lawyer wellness for a thriving law practice with your hosts JoAnn Hathaway and Tish Vincent, here on Legal Talk Network.

 

Take it away ladies.

 

[Music]

 

Tish Vincent: Hello and welcome to another edition of the State Bar of Michigan’s On Balance Podcast on Legal Talk Network. I am Tish Vincent.

 

JoAnn Hathaway: And I am JoAnn Hathaway. We are very pleased to have Barron Henley, attorney and legal technologist with Affinity Consulting, join us today as our podcast guest to talk about Tech Competency: Security Fundamentals.

 

We are returning to the topic of Tech Competency again with Barron Henley, who you heard in our previous episode. If you haven’t heard Barron’s first episode with us, we encourage you to listen. Michigan has now become the 37th state to adopt the Ethical Duty of Technology Competence to be effective January 1 of 2020.

 

Tish Vincent: So Barron, would you share some information about yourself with our listeners?

 

Barron Henley: Sure. I am one of the Founding Partners of Affinity Consulting. We automate and streamline law practices, private and public and in-house using — we fix processes and apply technology and try to help them build culture that will propel them forward and make them successful, that’s our job.

 

Tish Vincent: Very interesting. I am glad you are joining us today. I have heard lawyers say that it used to be a lot easier to protect confidential client information. What factors do you think are contributing to that?

 

Barron Henley: Well, back in the day, when I was your age, everything was paper and now hardly any of it is. It’s pretty easy to protect and secure analog data, put it in a filing cabinet and lock it and you are done and if you can get people not to gossip and engage in “shop talk” in public, then you have covered all the bases. But as anyone knows who reads any newspapers or consumes media, the electronic data is much harder to protect and keep under wraps.

 

And the problem is like there is a lot of folks who didn’t really like this development, but very little can be done about it. I mean email has just exploded, everybody wants to communicate via email, hard to keep track of and now text messages. We get lots of calls; JoAnn, I am sure you hear the same thing, all my clients want to text message me, what do I do about that? Well, you tell them no, but if that doesn’t work, then you are going to have to figure out some way to get control of that and make copies of it and store it and put it someplace not in your phone.

 

And then scanners became, in the intervening years, scanners became — they are everywhere, cheap, they are fast. So previously law offices generally had hundreds of thousands of word processing files they couldn’t readily find and then they started scanning PDFs like crazy, adding hundreds of thousands of additional files on top of the ones they already couldn’t find and it’s a lot of times — I think it’s normal, I am sure you encounter this, where you go into an office and they are scanning everything, but they are still using the paper file as well. So they have two filing systems and they are trying to do a complete electronic filing system, but they are not actually relying on it because they are not — maybe they don’t have confidence it contains everything or whatever the issue is or they might lose access to it.

 

Anyway, people are being overrun with electronic files, and then of course if you need — during the discovery process, most of that’s going to be electronic today, and then of course a lot of jurisdictions have gone to electronic case filing. So now when I used to like print off an original and three copies of a pleading and walk over to the clerk’s office and give them the original and get three time stamped copies back and walk back to my office, that’s a thing of the past. It all is done electronically.

 

All the forms we fill out, pretty much electronic, either web forms or PDFs. And then if you are a lawyer and you ask your client, if I am — say I am an estate planning lawyer and I ask my client for their tax returns, I am probably going to get those as PDFs, they are going to come electronically.

 

So even if you wished you didn’t have to deal with any of that electronic stuff, unless you print everything and destroy it instantly when it comes into your office, you are going to have to deal with a lot of electronic data, and unfortunately or fortunately, the Ethics Rules require that we protect it, even though this is much more difficult to protect really, I guess that’s the subject of this is what about the Ethics Rules and what can we do and that’s what we will talk about.

 

JoAnn Hathaway: So many states have adopted rule changes related to technology and security in recent years. What has Michigan done thus far?

 

(00:05:00)

 

Barron Henley: Well, as you mentioned, as of January 1, 2020, they will now have a new phrase in the Comment, the Maintaining Competence Comment in Rule 1.1 and specifically adding the text, including the benefits and risks associated with relevant technology.

 

So the whole thing reads, To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, and then it goes back to the rest of the old comment, engage in continuing study and education and blah, blah, blah. But the big thing there was, including the benefits and risks associated with relevant technology.

 

Now, interestingly, because I teach a lot of ethics classes in a lot of states, so I spend an inordinate amount of time reading Ethics Rules, it’s really unpleasant with your time, but like —

 

JoAnn Hathaway: It’s good somebody is doing it.

 

Barron Henley: Yeah. So like the ABA Model Rule 1.6(e), which has this additional provision, a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of information relating to the representation of a client.

 

Now, I know Ohio and many, many, many states have adopted that, but Michigan has not. So Michigan doesn’t say anything about reasonable efforts, and I don’t know how it’s going to — I don’t know how Michigan can remain silent as to what standard is going to be applied to lawyers when it comes to protecting client data.

 

But most states have now addressed that and that’s part of the ABA Model Rule changes that occurred at the same time as the one I just read in Rule 1.1, but for some reason Michigan hasn’t adopted that. So most of the other states have two additional comments as well that explain, because when you read that, a lawyer shall make reasonable efforts, and of course that makes everybody go, what exactly must I do to use reasonable efforts and they have comments that explain it. And basically there is a test.

 

I want to explain this because I think ultimately if there were a problem, I suspect that if there were an ethics violation, they are going to end up looking at the same test since all the states are doing it except for maybe Michigan and a few others. But it says basically to determine if you made reasonable efforts, you look at a couple of things; the sensitivity of the information, the likelihood of disclosure, the cost and difficulty of implementing safeguards, and then there is another important part of that comment says, clients can ask you to do more than required by the rule.

 

And then there is a second comment that usually goes along with that section and it begins, when transmitting a communication that includes confidential client data, the lawyer has to use reasonable precautions to prevent that from falling into the hands of unintended recipients.

 

And it says you don’t have to do anything special if the method of communication affords a reasonable expectation of privacy, but special circumstances should warrant or could warrant special precautions. And they have another little mini test, you have to look at the sensitivity information and whether it’s already protected by law or contract.

 

That’s really valuable guidance for lawyers and I think in states where they have passed that, they say okay, what do I have to do to do this, I feel like this is an achievable goal, and it certainly is and it doesn’t have to be super expensive or anything.

 

But I think that if I am a Michigan lawyer and I am aware of all the other states having adopted these things, I should reasonably expect that that’s going to happen in Michigan at some point and regardless of whether or not there is an ethical requirement, it makes business sense to do it in this current climate, where if I suffer a big data breach and it becomes public or I have to disclose it under Michigan’s Breach Disclosure laws, I mean that could sink my whole firm. I mean the consequences are severe if I don’t do this right.

 

And so we get a lot of calls about well, what should I do about these issues and how do I protect myself, but I think ultimately, regardless of what state you are in, the test today is you cannot disclaim responsibility for understanding how to use the technology tools necessary to do your job.

 

And if you are not the one that does it, then you just need to make sure the people doing it are doing it correctly and they have the tools that they need to do it correctly. Otherwise, I think you are leaving yourself wide open. And it is easy and that’s — I have some recommendations that we try to give to people and I should point out that like we don’t sell security anything and I don’t hold myself out as a security expert, but we have gone through this whole thing ourselves.

 

We are not huge, we have 52 employees, but there is a lot of moving parts and a lot of people and there is a lot of electronic data and almost all the data that we possess is law firm data. So we get it. we actually feel like we have a fiduciary responsibility protected, just like lawyers do, and obviously many of us are lawyers, so we have kind of been through that whole exercise and found a lot of really great things that are easy to do that you can use to protect yourself and your clients’ data.

 

(00:10:07)

 

Tish Vincent: So what recommendations do you have for Michigan lawyers as it relates to keeping this information secure?

 

Barron Henley: Well, you know, the first one is I think you need to talk to your clients about this at the engagement stage, and I was just in Connecticut, I just did a CLE in Connecticut, in Hartford and a guy came up to me and he was like, he was just complaining about email encryption, he is like email is this. And I am like why? He is like my clients won’t use it.

 

Like I told him, I am obliged because Connecticut has adopted the rule changes that I previously mentioned and he felt, I think validly, that if he is going to email confidential information that he should use email encryption, and he is like I get all this push back from my clients who are like, I am not even going to open your email. If you make me like click one extra thing, I am not even going to open it. So he was just exasperated that he couldn’t, and I will talk a little bit about that — well, maybe I will just jump into it right now.

 

But the email encryption, there is a whole bunch of really good services out there, they are not expensive, most of them; the most I have seen one cost is $15 per month for all you can eat.

 

Tish Vincent: That’s not bad.

 

Barron Henley: No, I mean it’s not. So like the one — I have three different email encryptions just because I like that stuff, but one of the really accessible ones can be included with a Microsoft Office 365 subscription. So there is Business, Business Essentials, Business Premium and then there is E3 and there is E5, there is different bundles of services and software that you can get with various Office 365 bundles.

 

If you get E3 or E5, you get by default included email encryption and it’s ridiculously easy to use and I don’t have to make up a password. So if I sent JoAnn an email that’s encrypted using that method, there is a little button at the bottom that says — like you get an email and you click on it, it says, well, this is encrypted and then there is a button to say send me a one-time passcode. You just click on that and it makes up a password and emails it to you.

 

And that’s beautiful, like I didn’t have to come up — you would think that would be easy, but it’s actually not. If I have to come up with passwords and then somehow get it to the client not using email and they are going to forget it in five minutes and I am going to forget it in five minutes, so I have got to write that down and record it someplace, and then every time they get the email, they have got to enter the password and it is annoying.

 

But with this, I didn’t have to make it up. I don’t care what it is. I just want them to have to authenticate themselves. So the difference between Business Premium, which is an Office 365 bundle and E3 is only $7.50 a month per user.

 

Tish Vincent: Wow.

 

Barron Henley: I mean I looked at that and said, the email encryption alone is worth $7.50 a month, aside from all the other stuff that comes with it, and it’s easy.

 

One piece of advice I would give people, if you are thinking about doing email encryption, I also have — ShareFile has a really cool email encryption add-on that comes with it, depending on the package that you get with ShareFile, which is the way ShareFiles obtain files from other people, using like a client portal.

 

I have another one called Protected Trust. They all cost $10, $11, $12, but one of the things you should do, if you are test driving, they all have free trials. So what we always encourage people to do is work with your client, call them up and say hey, I am testing out this new email encryption service, pick like the least tech savvy person you can think of that you are going to — that represents a demographic you are going to have to deal with on an ongoing basis and send them an email and be on the phone with them and go okay, what does it look like, what do you think, is this too hard, is it okay, and get some feedback, because it needs to be easy on the sender and it needs to be easy on the recipient.

 

Tish Vincent: That’s a good idea.

 

Barron Henley: I prefer systems that do not require me to sign up for something and I don’t want to disclose personal information, like I don’t want to have to create an account. So if it’s possible for me — so for example, the Office 365 message encryption doesn’t require I sign up for anything or disclose anything, and I like that.

 

So there are certainly systems that will provide the benefits you are looking for and still be inexpensive, but you probably, since they all have free trials, you probably want to experiment, there is nothing wrong with that. You may as well test drive it before you buy it.

 

So back to the idea of talking about clients upfront, talking to clients upfront about security, when do you want to use an email encryption, because they could — even if your comment doesn’t say they could ask you to do more than required by the rule, if somebody comes into my office and I am a Michigan lawyer and says I don’t want any of my stuff on the Interwebs. Okay, then I either have a choice of not representing them or representing them and protecting their data and not storing it, like if I am storing my data in the cloud, then I would want my engagement agreement to say that by signing this, you authorize that.

 

(00:15:01)

 

And I might even include a disclaimer that it’s impossible, it’s encrypted in transit, it’s encrypted at rest, but obviously Internet security will probably be an oxymoron for the rest of our natural lives. You can have all sorts of defenses up and still sometimes hackers can get in or more likely people make mistakes and let them in.

 

But I would talk about that and how are we going to communicate, communication parameters upfront, is texting okay or not, is cell phone okay or not, is email okay or not, and if you are going to do email, you talk about the encryption issue, you talk about are you going to be super responsive to email. If they want to get a hold of you right away, what method of communication should you use? I mean all that stuff has to do with security and electronics, but those are all things that need to be talked about today.

 

And if you get a client, for example, I mean based on the number of advertisements I hear for these identity theft protection services, this must be rampant. I mean I would assume that a lot of people have gotten their identity stolen based on the number of commercials I hear. So I want to know up front if my client has had — if they have spent a lot of money rebuilding their credit score and they have been through the wringer because somebody stole their identity, they are going to be super sensitive to any of that stuff.

 

I don’t want to find out after the fact, that’s the point. I want to know up front. And if I have got to do everything analog with a client when my practice is primarily electronic and smooth and efficient, that’s going to slow things down and I want to talk about that with them, and it might also increase costs and we should talk about that as well.

 

And then the basic thing is device encryption. So I want to make sure my phone, which probably already is encrypted. If I have got a tablet that has access to client data, it needs to have its encryption turned on, which of course that software is included with every tablet. And if you have got a mobile device, like a laptop, that also needs to be encrypted. And if you have got Windows 8.1 or 10 Pro, you already have BitLocker, which would allow you to encrypt the entire hard drive. And if you have got a Mac, you have got FileVault, which will allow you to encrypt the entire hard drive. So it just has to be turned on.

 

A lot of times people call us and they are like, oh my God, I have to get a new laptop and I went to the computer store and my head exploded and I saw all these options and the salespeople were confusing me. What do I look for? Well, if you get a new machine, a business machine, first of all, you want Windows Pro, not Windows Home. Pro provides all the security functionality and the operating system and Home does not.

 

But if I am looking for something I would want to try to find something that complies with the Ultrabook Configuration Standard, which is a laptop configuration promulgated by Intel, who makes the chips, but doesn’t actually make the laptops. One of the criteria one must satisfy in order to be classified as an Ultrabook is hardware level security. So in other words, the security is built into the device. It’s not even necessarily relying upon a piece of software and you would obviously want that. So like a biometric fingerprint reader built into the deck.

 

The new computer I just ordered has the — the fingerprint reader is built into the Power button and you can have it scan all your fingerprints and then the act of just turning on the power also logs you in, which is pretty handy. So it’s not even a separate thing now on the device.

 

And I would just — I am not going to get a Home version of anything. There are two sides to the computer market; there is the home user and the business user, and the business users are going to be devices that are designed with more security in mind.

 

I might think about recovery software for my laptop, which there is — like LoJack for laptops, there is a bunch of different programs that can be installed on computers, which cannot be uninstalled no matter what they do to the computer, and you could contact the service if your laptop was stolen and it can send out a homing beacon and they can triangulate its location and work with law enforcement to get your device back.

 

I would absolutely — like I have laptop privacy screens on all my laptops; I even have one on my phone, because I am always in an airplane and there is somebody sitting next to me and if I don’t have a privacy screen, they can read everything and I am doing email and other things I don’t want them to see. So I think if you use your laptop in public, you absolutely have to have a privacy screen so that you can only see what’s on the computer screen if you are sitting dead in front of the computer and they make them for every size and every model, it’s very easy to find. 3M, they kind of pioneered that and now Belkin and other companies make them.

 

But you can go to amazon.com or into any computer store and they make one to fit every single device. They can be removable or they can just be attached with this fancy clear double back tape and you can’t even see it once it’s on.

 

(00:19:46)

 

And the privacy screens now will work even with touch screens. So when they first came out, they would disable your touch screen functionality because the touch screen underneath the film didn’t know you were touching it, but now that all works fine. So you can put them on tablets, you can put them on phones, you can put them on laptops. Most lawyers today I find are primarily relying upon a laptop and pretty much everything they care about in need is on that laptop. So therefore we try to make sure they’ve got a couple of different backup methods going on because you never want to have to rebuild a computer by reinstalling software from scratch, you would like to put it all back the way it was before the crash.

 

And so we like to have, we always advise to — like I’ll just take myself for example, I’ve got a laptop and everything that is good and holy in the world to me is on that laptop, so I want to protect it. So I have two, I have an on-site and I have an off-site backup. My offsite is Carbonite. I pay like $72 a year, some ridiculous low amount, and that gives me unlimited gigabytes or terabytes of storage. I can use as much as I want and it works in the background all the time without me even thinking about it just if it sees, I made a new file and backs it up. So I don’t have to run a backup or any of that stuff.

 

And then I’ve got another program called Acronis True Image, which I got off Amazon for 35 bucks and it makes a mirror image of the entire hard drive in my computer to the external 3 terabyte drive that sits on my desk in my office. So I run that, whenever I’m in the office I just run a mirror image.

 

So that’s not as current as the Carbonite, which is happening all the time but so I spent like $89 for the 3 terabyte hard drive, I spent $35 for the software and I spend like $72 a year for Carbonite. So even though I have two backups going on simultaneously and hardly spending any money and it’s extraordinarily unlikely knock on wood that I would ever lose anything. So I feel like you should rely on just one and particularly because they are so inexpensive and easy to use.

 

We talked about this in the last podcast but the policies, you got to have Internet usage, social media, password, mobile security policies and there’s a lot to sample as you can find on the Internet that you can copy and paste and then modify, and here’s a really important one.

 

Using a Password Manager, and I mean, I’ve read a ton of security articles about what can the average person do to improve their security profile and invariably they talk about password managers. Now, when I first got mine, I did it mostly as part of my estate plan because in our family, I handle all the bill, I pay all the bills, I handle all the banking investments and all that stuff, my wife doesn’t want to deal with that and that’s fine. But I’m definitely going to die before my wife does, if you met my wife, you would know.

 

So I need to have if the way it’s going to play out, she wouldn’t know where anything was, I don’t know how she could administer my estate when she couldn’t find anything. So I wanted some way of sharing with her all the account numbers and all the passwords and all the logons and everything, and it turns out so the idea of a Password Manager is that you only have to know one password and that unlocks all the other passwords.

 

And so that the concept is it’s a vault, it’s not stored on the Internet, it’s stored on your local device and you enter that, you just have to remember one ridiculous and in my case I made a passphrase, so it’s like 38 characters long and it’s like a sentence and then I substituted certain symbols and numbers for some of the letters and it’s impossible to break, but I can actually remember it even though I do have it written down in a couple places and put in books. But, they all have a way of sharing, like I can say I want to synchronize this with someone else’s account and so, I encrypted her a Kindle Reader which is basically an Android tablet and I loaded the app and then you had this two-factor authentication so I had to put in my login, my password and then set a code to my phone, I had end of the code in my phone and then finally it unlocked.

 

So now whenever I add a new password or something like one of my credit card — my credit cards are stolen all the time because I buy so much stuff online, it happens, so I got to — I had to cancel a credit card and I got a new credit card to replace that, it’s already on her Reader like I didn’t have to say anything to her. I’m like, you know, oh, by the way that card was cancelled and the new one is already on your Kindle Reader, so it’s awesome.

 

The other things they do, they fill in all the blanks for you. So when I’m buying something on the Internet, it’ll show me all my credit cards and I can pick the one I want, it fills in the expiration date and the security ID and the card number, it fills in my logins and my passwords.

 

If I have two logins and passwords for a service which I do on some services, it’ll show me the alternatives and I can click whichever one I want. So it stores my IDs, so my NEXUS Global Entry ID is in there, my passport is in there, my driver’s license is in there, it tells me when they’re going to expire.

 

All my credit cards are in there plus all the phone numbers. I got a call if something goes wrong, all my logins and passwords and it has this thing called Secure Notes where you can just put extraneous information that you sometimes need. So for example, my daughter’s Social Security numbers, I need those occasionally, they’re in there.

 

License-plate numbers for cars that I pay for it. I might need that once a year, that’s in there. The router password for my home router, it’s not like I log into that thing but I need to know what the password is, that kind of information.

 

(00:25:06)

 

If you think about all these little pieces of information that you need once a year, once a quarter, you don’t know where to put it, that’s where you put it, that’s like my account number for national rental car, that kind of stuff. You’re like where do I even store that? You put it in the Password Manager.

 

So we feel so strongly about that that we rolled out a corporate Password Manager, so we use one called Dashlane. I’m not saying that’s the best one. There’s a ton of them out there that either one or came in second place in all the reviews I read and I tried it and loved it so much, I never tried anything else, so that doesn’t mean it’s a good recommendation, it works for us.

 

They have a business option as well, so I have two vaults so I can say show me my Affinity Consulting passwords, show me my personal passwords and I can share like we have a lot of public resources here that other people need to know passwords to use and I can share it with whoever I elect to share it with.

 

And then if an employee were to leave Affinity then their corporate side just disappears, that access goes away that they can keep their personal. So I can just revoke all those passwords, they don’t have any access to that anymore but they can continue using it for their own personal thing. And so it has a — I should say it has a password generator.

 

So the first thing it did when I installed is it harvested all the passwords out of my browser, which was frightening how many passwords were in there and I like literally hundreds were in there and if I had changed the password three times, I had all three of them.

 

So anyway, it immediately calculates a security score and Dashlane basically told me I was a pathetic loser because I was using the same password for like 300 different logins, you’re not supposed to do that and they are like in — we scan the dark web and we think this has been compromised and you need to start changing this right now.

 

So I’ve been methodically so they has this little password generator I can say, I want 20 characters with a random mix of numbers, letters and symbols and mixed case letters and it cooks up some crazy thing you could never remember in a million years and you just go copy and you paste, that’s all I do. So it comes up with some crazy password I can never think of I copy and I paste and I make that my new password and I’ve just kind of been knocking that out and I got, I started out with like a 7% security score, which is really horrible.

 

And I’m up to 89, I’m still not there yet, but I’m getting there, and I feel so much better about all of that because I don’t know any of my passwords, I never thought I’d be happy about not knowing any of my passwords but I only know one and that’s how — that’s actually where you want to get to.

 

So these are very inexpensive, a couple of dollars a month, well, they all have free trials and you really need to think about doing that if you want to improve your passwords. If you can remember all your passwords, then they are probably weak unless you are a genius.

 

And then other few miscellaneous things, if you’re going to use flash drives and external drives, guess what, they make encrypted versions of those. You can go on Amazon and find them, email encryption service we talked about. If you’re going to use a file sync service like Dropbox, your files are encrypted in transit and are encrypted at rest but your Dropbox can get to your files.

 

So if your data were subpoenaed or seized by the government, they would be able to turn over readable data unless you added in an additional security layer like there’s a couple of them Sookasa or Boxcryptor, which those are services that encrypt your Dropbox or your Google Drive or your OneDrive data before it ever gets to their servers.

 

So it’s encrypted before they get it so they cannot unlock your stuff. So the service works the same but it’s encrypted. The only thing you would give up in that case is you can no longer use Dropbox to share files with people external to your organization, and the reality is, a lot of people have Dropbox for that exact reason. So again security is annoying and you give up some abilities to share if you employ security or you could just say, look, I’m going to go to a completely different service like Tresorit.com, which is a zero knowledge service that works just like Dropbox.

 

They don’t hold your decryption keys and they cannot, and the risk there is, if you forget your password, no one can let you in. You can’t call them and authenticate them to yourself and have them let you in because they don’t hold the password, but they do have services that work the same and you can use things like that and there’s no way anybody could ever get to your data except you.

 

The other another easy thing you could do is to enable two-factor authentication. Almost every good legal case management program offers it, banks all offer it, like Google Offers it, Microsoft offers it, if you got a 365 account and all that means is my login password isn’t enough to get you in.

 

They’re going to send a code to your phone or something and there’s got to be this extra piece of information that you possess in order to get in. So, I mean, it’s going to take longer to get in but it makes it way harder for somebody to hack in because if they get your password, that’s not enough.

 

(00:30:05)

 

And then maybe the last couple of things would be if I’m constantly connecting from — to ad hoc wireless networks and I’m transmitting confidential data there, I would probably want to get a virtual private network service that would lock down my connection to another wise wide open Internet connection like at an airport of Starbucks or wherever you might be.

 

Those are just called VPN services that the acronym for Virtual Private Network and they are very inexpensive and like, one, that I see is winning and winning and winning reviews is called Nord. I think their URL is in nordvpn.com probably, a couple of dollars a month. You go ahead and connect to the service or the Internet connection wherever you are and then you just run that service and it will lock down basically give you a private connection to the public Internet.

 

And what I’m trying to protect against is a technology called Packet Sniffer software so that — that even sounds bad but it’s perfectly legal, but it would allow somebody sitting in the same Starbucks as you connected the same network as you to intercept your wireless transmissions and read them.

 

So, a VPN prevents someone from doing that. So it’s just an extra layer of protection, and interestingly, Dashlane, my Password Manager added its own VPN. So there’s literally a little button in my Dashlane that I just click on and it locks down my connection. I already have another service that I am still — I still have like several months on it. So I’m going to — I’m kind of using both back and forth but it works fine and that’s just another way to protect yourself.

 

And then finally, you might want to consider a digital signature service like RightSignature or DocuSign or something like that for securely executing documents yourself and having clients and others execute documents and those all have free trials and are very inexpensive and make sure that they authenticate in a way that wet signatures can never be authenticated.

 

And then finally learning about metadata, if you’re in the business of trading documents electronically with other hostile parties like opposing counsel understanding the electronic files you’re trading can contain information beyond the text that you intended to disclose and all that hidden information is called Metadata and like Word has a way of taking that out and Acrobat has a way of taking that out or you can buy third party programs to do that. But your files also matter and you want to make sure you’re not disclosing anything you didn’t intend to disclose.

 

But all those things we talked about, you’re talking like five bucks, $10, $7 a month, none of that stuff is expensive. Turning on two-factor authentication doesn’t cost anything and any of the services. I’ve never seen that cost a penny more.

 

Password managers, a couple of dollars a month, you’re encrypting your phone and your tablet, your laptop is very likely a free proposition. Privacy screens, 40 bucks, none of this stuff is really expensive, and I think if you did all these things, you would clearly be in the safe harbor of having used reasonable precautions to protect client data.

 

You don’t need a higher super-expensive consult to do all that stuff and you can really test out these things before you buy because almost everything I mentioned has a free trial.

 

JoAnn Hathaway: Wonderful information, Barron, as usual. Well, it looks like we’ve come to the end of our show. We’d like to thank our guest today, Barron Henley, for a wonderful program.

 

Tish Vincent: Barron, if our guests would like to follow up with you, how can they reach you?

 

Barron Henley: Just shoot me an email at [email protected].

 

Tish Vincent: Thank You Barron. This has been another edition of the State Bar of Michigan: On Balance Podcast.

 

JoAnn Hathaway: I’m JoAnn Hathaway.

 

Tish Vincent: And I’m Tish Vincent. Until next time, thank you for listening.

 

[Music]

 

Outro: Thank you for listening to the State Bar of Michigan On Balance Podcast, brought to you by the State Bar of Michigan and produced by the broadcast professionals at Legal Talk Network.

 

If you would like more information about today’s show, please visit legaltalknetwork.com, subscribe via Apple Podcasts and RSS. Find the State Bar of Michigan and Legal Talk Network on Twitter, Facebook, and LinkedIn or download Legal Talk Network’s free app in Google Play and iTunes.

 

The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by Legal Talk Network or the State Bar of Michigan or their respective officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.

 

[Music]

 

Newsletter

Notify me when there’s a new episode!

Episode Details
Published: December 18, 2019
Podcast: State Bar of Michigan: On Balance Podcast
Category: Security
Podcast
State Bar of Michigan: On Balance Podcast
State Bar of Michigan: On Balance Podcast

The State Bar of Michigan podcast series focuses on the need for interplay between practice management and lawyer-wellness for a thriving law practice.

Listen & Subscribe
Recent Episodes
05/04/20
President Dennis Barnes — Practicing Law During COVID-19

President Dennis Barnes shares updates on how the State Bar of Michigan is addressing issues arising from the COVID-19 pandemic.

04/13/20
How to Make LinkedIn Work for You with Allison Shields

Allison Shields shares tips for enhancing your LinkedIn use.

03/23/20
New Michigan Supreme Court Orders: What Lawyers Should Expect During the COVID-19 Pandemic

Chief Justice Bridget Mary McCormack discusses the Michigan Supreme Court’s recent orders regarding state trial courts during the public health crisis and the order...

02/10/20
Mentoring Professional Identity to Improve Lawyer Wellbeing

Ryann Peyton discusses the importance of helping lawyers define their professional identity and offers guidance for developing successful attorning mentoring programs.

12/18/19
Tech Competency: Security Fundamentals

Barron Henley discusses best practices for law firm security.

11/20/19
Tech Competency: Core Technologies For Your Law Firm

Barron Henley discusses Michigan’s adoption of the ethical duty of technology competence.