Data Loss Prevention Systems at Your Firm
On March 18, 2012 by Admin
By Kevin Woo Law.com | September 16, 2009
In the first century A.D., Decimus Juvenalis, a Roman poet, observed that information is priceless. “All wish to know but none wish to pay the price,” he wrote. Information, of course, isn’t always for sale, but there’s no limit on the amount of information that can either be stolen or distributed, either deliberately or mistakenly.
With IT security breaches on the rise, businesses that do not take proactive precautions to protect sensitive information run the risk of losing their reputations and clients and can suffer incalculable financial losses.
“The risk [of not implementing a network or data security strategy] is extremely high, as law firms deal in highly confidential information and have strict ethical obligations about how they handle and secure client data,” said Craig Carpenter, general counsel at Recommind, a provider of information risk management software. “If they suffer from a security event (e.g., hacker attack, phishing attack, stolen or misplaced data, etc.) that could and/or should have been prevented, they can suffer serious reputational and financial ramifications. Most law firms take the threat very seriously — but the downside is so significant that it cannot be ignored.”
Many legal professionals are under the impression that their organizations have implemented IT strategies and corporate processes to ensure that information does not fall into the wrong hands. While some law firms make sizeable investments in IT infrastructure to keep hackers and other external threats out of the corporate network, others play a game of roulette because they are either too busy or lack the technical knowledge to implement a data security strategy.
Gary Heath of Informative Graphics, a Scottsdale, Ariz., software company, says that small-to-medium sized firms can benefit by making modest investments in technology, which can provide an initial layer of protection over sensitive information.
“Because law firms tend to rely heavily on paper, they should implement a security policy to ensure that sensitive information contained within a document can, at a very minimum, be redacted at the push of a button. The easiest type of information to steal is information that may have been accidentally given away through human error. People make mistakes and if you sit around with Sharpies and tape trying to black out sensitive information, you’re looking for trouble,” said Heath.
“Not long ago, I attended an American Bar Association conference and met a paralegal who told me she’d spent more than a month sitting in a conference room, combing through more than 60,000 pages of documents and redacting private information by hand. I asked her, ‘Why are you going through 60,000 pieces of paper with a Sharpie?’ She said there wasn’t any alternative. Can you imagine the devastation that could be inflicted if a small omission was made — especially if it was the identity or location of a minor in a custody case?” Heath added.
Electronic redaction software can black out sensitive information contained in word processing documents, spreadsheets, PDFs or TIFF files and remove the content that has been redacted when the file is stored in electronic format. Use of redaction software can eliminate the mistakes made by overworked employees and the redaction process can be completed nearly instantaneously. Files can also be unredacted by authorized personnel, thereby eliminating the need for repeat sessions in gloomy conference rooms with Sharpies, tape and photocopiers.
Alan Brill of Kroll Ontrack, a Minneapolis computer forensics firm, says it’s also important to eliminate the digital footprints left behind by electronic files. Every form of electronic media contains metadata that can be unlocked by even an unsophisticated user, but not all redaction tools are able to remove it. While metadata isn’t new (think fax machine bands), it has become infinitely more pervasive as different types of communications devices have been developed.
“There are a number of good commercial solutions to the metadata problem,” said Brill. “For individuals or groups that want to handle [the issue of metadata] simply, there are a number of products that can take a file (Microsoft Word for example) and cleanse it of metadata. Some software applications will leave it as a Word file, while others give you the option of converting the file to PDF format.”
He adds that when Microsoft Word is used with the “track changes” feature turned on, comments and edits that a lawyer may believe are hidden are, in fact, recoverable from the file’s metadata. If the file is sent to opposing counsel, that metadata can be accessed with a few keystrokes.
Other easy-to-implement solutions for limiting metadata include turning off the “fast save” and security options within Microsoft Office programs, or saving documents to a flash drive, which eliminates any trace of information about the computer or network to which the file is linked.
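To make the metadata point concrete, here is an added example (written for this page, not code from the article or from any vendor quoted in it) that inspects and scrubs a Word .docx using only the Python standard library. A .docx is a zip package: the author, last-modified-by and revision fields live in docProps/core.xml, and tracked changes live in word/document.xml as w:ins and w:del elements, so a deleted passage stays in the file until the change is accepted. The sample package, its property values and its document text are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside a .docx (an OOXML zip package).
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
for _prefix, _uri in (("cp", CP), ("dc", DC)):
    ET.register_namespace(_prefix, _uri)

# Core properties that name people, machines or drafting history.
IDENTIFYING = [f"{{{DC}}}creator", f"{{{CP}}}lastModifiedBy",
               f"{{{DC}}}description", f"{{{CP}}}keywords", f"{{{CP}}}revision"]

# Constructed sample package parts; not a real client file.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">
<dc:title>Settlement memo</dc:title>
<dc:creator>jdoe</dc:creator>
<cp:lastModifiedBy>Partner Workstation 12</cp:lastModifiedBy>
<cp:revision>14</cp:revision>
<dc:description>Draft - do not send to opposing counsel</dc:description>
</cp:coreProperties>"""

DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<w:document xmlns:w="{W}"><w:body><w:p>'
    '<w:r><w:t xml:space="preserve">Client agrees to pay </w:t></w:r>'
    '<w:del w:id="1" w:author="jdoe"><w:r><w:delText>$250,000</w:delText></w:r></w:del>'
    '<w:ins w:id="2" w:author="jdoe"><w:r><w:t>$180,000</w:t></w:r></w:ins>'
    '</w:p></w:body></w:document>')

def build_sample_docx() -> bytes:
    """Minimal two-part package, enough to exercise the functions below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()

def _parts(data: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {name: z.read(name) for name in z.namelist()}

def inspect_docx(data: bytes) -> dict:
    """What a recipient could recover: identifying properties, tracked-change
    markup, and the text of passages the author thought were deleted."""
    parts = _parts(data)
    core = ET.fromstring(parts["docProps/core.xml"])
    doc = parts["word/document.xml"].decode("utf-8")
    props = {}
    for tag in IDENTIFYING:
        el = core.find(tag)
        if el is not None and (el.text or "").strip():
            props[tag.split("}")[1]] = el.text.strip()
    return {
        "properties": props,
        "tracked_changes": len(re.findall(r"<w:(?:ins|del)\b", doc)),
        "deleted_text": re.findall(r"<w:delText[^>]*>(.*?)</w:delText>", doc),
    }

def visible_text(data: bytes) -> str:
    """Text a reader sees with markup hidden (w:t runs only)."""
    doc = _parts(data)["word/document.xml"].decode("utf-8")
    return "".join(re.findall(r"<w:t(?:\s[^>]*)?>(.*?)</w:t>", doc))

def strip_docx_metadata(data: bytes, accept_changes: bool = True) -> bytes:
    """Return a copy with identifying core properties removed and, optionally,
    tracked changes accepted (deleted runs dropped, inserted runs kept as plain text)."""
    parts = _parts(data)
    core = ET.fromstring(parts["docProps/core.xml"])
    for tag in IDENTIFYING:
        el = core.find(tag)
        if el is not None:
            core.remove(el)
    parts["docProps/core.xml"] = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        + ET.tostring(core, encoding="unicode")).encode("utf-8")
    if accept_changes:
        doc = parts["word/document.xml"].decode("utf-8")
        doc = re.sub(r"<w:del\b.*?</w:del>", "", doc, flags=re.S)  # drop deleted runs
        doc = re.sub(r"</?w:ins\b[^>]*>", "", doc)                  # unwrap inserted runs
        parts["word/document.xml"] = doc.encode("utf-8")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return out.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", inspect_docx(sample))
    print("after: ", inspect_docx(strip_docx_metadata(sample)))
```

Run with `inspect_docx` first and `strip_docx_metadata` second: the inspection shows the author, workstation name and the struck-out "$250,000" before scrubbing, and nothing of the kind afterwards. Core properties are only one place where a package carries history; a release check should also look at comments, custom properties and embedded media, which is what the commercial tools Brill mentions do.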
Working remotely creates another significant security challenge as the loss or theft of a laptop or smartphone can have devastating consequences. The Ponemon Institute, a Massachusetts-based research firm that specializes in data security, estimates that a lost or stolen computer can cost a company $50,000 in costs associated with remediation.
One way to protect computers or hand-held communications devices is to scramble the data when it is at rest or in transit.
“Encryption is one very good solution for laptops,” continued Brill. “Some firms use a combination of hardware encryption (offered by a number of laptop manufacturers) with full-disk software encryption. Good encryption makes it extremely unlikely that someone who gains unauthorized access to a laptop is going to be able to extract useful data from the machine.”
Using encryption, however, can create some additional problems. If it is not controlled centrally, an employee can encrypt data in a way that the firm can’t break, which raises the question of whether or not a data recovery service provider is able to work with a disk that is encrypted by a rogue employee.
“Law firms concerned about protecting data on laptops should look for encryption solutions that can encrypt at the file level, based on the type of content and the context around it,” said Mike Newman, general counsel for Websense, a data loss prevention provider. “Encryption solutions can also make it easy for administrators to manage data security policies by setting and enforcing policies based upon the individual user or the user group.”
When confidential information is sent and received through BlackBerrys or iPhones, additional security precautions can be employed. These security features are commonly device specific. Law firms that allow or provide remote access to information through hand-held devices should require users to enter a password on the device, so that someone who gains unauthorized access can’t simply pick up the device and see its contents.
Most handhelds have a remote destruction feature, which sends a “kill” command when the device is reported missing and causes the data stored on it to be wiped out. Some hand-held devices come with a feature that wipes out the memory if there are too many unsuccessful login attempts.
A more comprehensive approach to security management is to layer a data loss prevention (DLP) strategy on top of electronic redaction, metadata management and encryption.
DLP systems help law firms detect and prevent the misuse and unauthorized transmission of confidential information. DLP systems identify where sensitive electronic data exists throughout the organization, monitor how data is used and protect it from misuse, theft or accidental leaks. The ability to instantly identify where information resides — on the network or on laptops — and understand the business context around data (what kind of data it is, who is using it, what they are trying to do with it) is an efficient way to enforce security policies.
If the information is identified as something that should remain only within the firm’s computer network, and should not be saved to a laptop or USB drive, a DLP system can prevent the data from being downloaded and saved. Conversely, if the DLP system determines that information is not sensitive, it will allow the user to save it on a laptop or other external media.
A number of DLP systems allow IT managers to customize data access policies based upon “need to know” criteria. DLP software can determine what data an employee should be allowed to see, what they can do with it and where they can send it.
The ability to search large volumes of electronic files to identify sensitive data, wherever it is stored, and add a digital fingerprint to the data so that it can be monitored and controlled is another benefit provided by DLP systems. The digital fingerprints allow confidential information to be shared among colleagues, while at the same time preventing it from being sent to private e-mail accounts, posted online, transferred to USB storage drives, printed, copied or pasted.
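As an added illustration of the fingerprinting and per-channel enforcement described above (example code written for this page, not any vendor’s DLP product), the block below registers a constructed client memo as hashes of overlapping six-word windows, classifies outbound content both by pattern and by overlap with registered fingerprints, and then decides per channel: sensitive content may move to colleagues or the internal repository but is blocked from external e-mail, USB media and printing. The firm domain, the match threshold, the patterns and the memo text are all assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Assumed firm e-mail domain (constructed for this example).
INTERNAL_DOMAIN = "firm.example"
SHINGLE_WORDS = 6       # words per fingerprint window
MATCH_THRESHOLD = 0.3   # share of a message's windows that must hit a registered file

def _words(text: str) -> list:
    """Lower-case alphanumeric tokens, so punctuation and spacing do not matter."""
    return re.findall(r"[a-z0-9]+", text.lower())

def shingles(text: str) -> set:
    """Hash every run of SHINGLE_WORDS consecutive words. A pasted excerpt
    shares most of its hashes with the file it came from."""
    words = _words(text)
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()[:16]
        for i in range(len(words) - SHINGLE_WORDS + 1)
    }

class FingerprintRegistry:
    """Holds fingerprints of files classified as confidential, not the files themselves."""
    def __init__(self):
        self.docs = {}

    def register(self, name: str, text: str) -> None:
        self.docs[name] = shingles(text)

    def best_match(self, text: str):
        """Return (document name, fraction of the text's windows found in it)."""
        candidate = shingles(text)
        if not candidate:
            return None, 0.0
        best, score = None, 0.0
        for name, fps in self.docs.items():
            hit = len(candidate & fps) / len(candidate)
            if hit > score:
                best, score = name, hit
        return best, score

# Content patterns that mark data as sensitive even when no registered file matches.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "privilege_marker": re.compile(r"privileged\s*(?:&|and)\s*confidential", re.I),
}

def classify(text: str) -> list:
    return sorted(name for name, pat in PATTERNS.items() if pat.search(text))

@dataclass
class Event:
    channel: str          # "email", "usb", "print" or "share" (internal repository)
    content: str
    recipient: str = ""   # e-mail address when channel == "email"

def evaluate(event: Event, registry: FingerprintRegistry):
    """Policy: sensitive content may move inside the firm, never to removable
    media, paper or external mail. Returns (decision, reasons)."""
    reasons = classify(event.content)
    doc, score = registry.best_match(event.content)
    if doc is not None and score >= MATCH_THRESHOLD:
        reasons.append(f"fingerprint:{doc}:{score:.2f}")
    if not reasons or event.channel == "share":
        return "ALLOW", reasons
    if event.channel == "email":
        domain = event.recipient.rsplit("@", 1)[-1].lower()
        return ("ALLOW" if domain == INTERNAL_DOMAIN else "BLOCK"), reasons
    if event.channel in ("usb", "print"):
        return "BLOCK", reasons
    return "ALERT", reasons   # unknown channel: let it pass but log for review

# Constructed sample memo; the SSN is a placeholder, not a real number.
HARTWELL_MEMO = """PRIVILEGED & CONFIDENTIAL
Memorandum regarding the Hartwell custody matter (client SSN 123-45-6789).
The minor child currently resides with the maternal grandmother at an address
known to the court. Counsel recommends opposing any motion to disclose that
address in open filings."""

def build_registry() -> FingerprintRegistry:
    reg = FingerprintRegistry()
    reg.register("hartwell-memo", HARTWELL_MEMO)
    return reg

def demo() -> dict:
    """Run five constructed events through the policy and return the decisions."""
    reg = build_registry()
    excerpt = ("The minor child currently resides with the maternal grandmother "
               "at an address known to the court.")
    lunch = "Lunch is at noon on Friday, bring your own sandwich."
    events = {
        "excerpt_to_webmail": Event("email", excerpt, "someone@webmail.example"),
        "excerpt_to_colleague": Event("email", excerpt, "associate@firm.example"),
        "lunch_note_to_webmail": Event("email", lunch, "someone@webmail.example"),
        "memo_to_usb": Event("usb", HARTWELL_MEMO),
        "memo_to_repository": Event("share", HARTWELL_MEMO),
    }
    return {name: evaluate(ev, reg)[0] for name, ev in events.items()}

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} {decision}")
```

The excerpt carries neither the privilege banner nor the SSN, so pattern matching alone would let it out; the fingerprint overlap is what catches it, which is the point of registering documents rather than only keywords. Real products replace the plain window hashes with winnowed or rolling fingerprints to keep registries small, but the allow/block logic per channel is the same shape.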
“Protecting information is no different than protecting your home,” concluded Heath. “Every tool you use to protect your house (handle locks, dead-bolt locks, motion-sensor lights and burglar alarms) serves a different function but the overall strategy is the same — to protect your valuables. A comprehensive data protection plan that includes tools to manage what information can be seen either on paper or online; prohibits unauthorized electronic distribution; and protects data while at rest or in transit is critical to ensuring privacy.”
Kevin Woo is a writer based in San Francisco, California.