"AvoidAClaim" Blog

LAWPRO's blog helps you avoid legal malpractice claims
Conflicts rules leave room for (careful) collegiality

April 24, 2014 By: Nora Rock Category: Conflicts of Interest

Consulting with more experienced colleagues to confirm that you’re on the right track in resolving a problem is natural and commendable in any profession. Working in isolation is inefficient, and leads to preventable errors. Without access to information about others’ experience, we’re forced to make our own mistakes. For this reason, sole practitioners are routinely encouraged to seek out mentors and advisers from among the broader bar.

But what if every time a colleague outside your firm asked for your opinion on a legal issue, you became conflicted out of representing any party whose interests were opposed to those of that colleague’s clients?

You’d stop giving advice, that’s what.

In a decision that recognizes the importance of fostering informal mentorship, the Ontario Superior Court held (in 1623242 Ontario Inc. v Great Lakes Copper Inc., 2014 ONSC 782 (CanLII)) that a lawyer who provides a general opinion about the state of the law to a colleague, without being privy to the specific details of the colleague’s case or the identity of his or her client, and who is later retained by a client opposed in interest to the colleague’s client, is not thereby disqualified from representing his own clients.

In 1623242 Ontario Inc., a “veteran” lawyer provided what the court found to be a legal opinion of general application to a colleague. The colleague did not identify his own client or any of the litigants in the action to which the opinion applied. A few months later, parties (hereafter the “purchaser clients”) opposed in interest to the colleague’s client (and for whom the veteran lawyer had acted in the past) retained the veteran to represent them in a dispute about the purchase of a property contaminated with PCBs.

The information the veteran lawyer had provided over the phone related to mortgage foreclosure proceedings. The threatened foreclosure was still a live issue when the veteran lawyer was retained. With the assistance of a new lawyer, the advice-seeking lawyer and his client brought a motion seeking to prevent the veteran lawyer from continuing to represent the purchaser clients.

In considering the motion, the court applied the following two-part test for whether a lawyer should be disqualified due to a conflict of interest, articulated in MacDonald Estate v. Martin (1990 CanLII 32 (SCC)):

  1. Did the lawyer receive confidential information attributable to a solicitor-and-client relationship?
  2. Is there a risk that the information will be used to the prejudice of the client?

With respect to the first question, the court noted that Rule 1 of the Rules of Professional Conduct makes it clear that a solicitor-client relationship can arise even where the client does not explicitly retain the lawyer. However, the court held that “[i]t is a client imparting confidential information about him/herself to a lawyer, and the lawyer’s receipt of such information, that brings a solicitor-client relationship into existence.” The advice-seeking lawyer did not reveal his client’s or the opposing parties’ identity, and the details of the advice provided by the veteran lawyer were included in the pleadings, and hence not kept private. For this reason, the first test question had to be answered in the negative. Since no confidential information was communicated, there was no possibility that confidential information could be used to the prejudice of the moving party. The court concluded that “the public, represented by the reasonably informed person, would be satisfied that no use of confidential information would occur.”

The court also reviewed, with references to the Rules of Professional Conduct, such issues as: at what point a solicitor-client relationship arises (hint: BEFORE the retainer is in place); what constitutes “legal advice” and the boundary “between general legal information and legal advice”; a lawyer’s duty of confidentiality (including in respect of non-clients); and a lawyer’s duty of care to non-clients. The decision provides a useful refresher about all of these topics.

Finally, in holding that the veteran lawyer’s provision of information did not put him in a conflict position, the court acknowledged the public policy implications of ruling otherwise: “A lawyer who receives a request for legal information from a more junior or less experienced colleague is entitled to assume, unless alerted either explicitly by the lawyer calling, or implicitly, by the confidential nature of the information imparted, that the consultation will not give rise to a conflict of interest or impose liability on the recipient of the request. To hold otherwise would have the effect of discouraging a sharing of general information that is beneficial to both the profession and the public.”

This decision should bring comfort to lawyers who take seriously their professional duty to mentor more junior members of the bar. However, it’s important to remember that decisions like this one are very fact-dependent, and that advice-giving situations may present in a variety of ways, so caution is important. To avoid putting yourself in a conflict of interest situation when giving advice, consider these tips that arise from the court’s reasons in this decision:

  • Learning confidential information about a party immediately creates, at minimum, a duty of confidentiality. If asked to give advice, remind the asker not to reveal identifying details about his or her client, opponent, or the matter (where the facts are fairly unique).
  • Keep your advice general. In 1623242 Ontario, the court held that the information given would have been available in a textbook on mortgage foreclosures. “Textbook” information is generally safe; tailored information is less so.
  • Remember the difference between “giving advice” in the broader sense, and giving legal advice. In particular, avoid recommending one possible course of action over another.
  • Speak with the lawyer, not his or her client. Not speaking with the client is not determinative with respect to avoiding a solicitor-client relationship, but at least the lawyer will not be able to testify that he or she mistook the conversation for legal representation.
  • Make it clear to the advice-seeker that you are giving general information that may or may not be applicable to a particular set of facts, and that it is not meant to be relied on as legal advice.
  • Make notes about the conversation, just in case the details of your involvement are ever questioned.

Wondering about the insurance implications of mentoring relationships? In an effort to promote mentoring – which can help inexperienced lawyers receive the support they need – LAWPRO will waive any deductible and claims levy surcharge on any claim made against a lawyer mentor arising out of a mentoring relationship, provided that:

  • the mentor and mentee agreed to enter into a formal mentoring relationship, as evidenced by a written document of some kind;
  • the mentor had no contact with the mentee’s client that would create a solicitor/client relationship; and
  • the mentee understood that she/he was responsible for individually and independently satisfying her/himself of the soundness of any suggestions, recommendations or advice-like comments made by the mentor.

The Canadian Bar Association offers a useful resource on managing conflicts of interest: Conflicts of Interest Toolkit. You can also visit practicePRO’s conflicts page and/or topical listing of articles.

Commercial debt collection scam using the names Steven Patel and Allerton Steel

April 24, 2014 By: FraudInfo Category: Confirmed frauds

A New Hampshire firm notified us that they received an email from the purported Steven Patel of Allerton Steel looking to retain them with regard to a commercial debt collection.

This is a classic bad cheque scam that presents as a legal matter requiring the assistance of a lawyer. In this scam, lawyers will be duped into wiring real funds from their trust accounts after depositing a fake cheque received as payment from the debtor (who is part of the fraud). See our Confirmed Fraud Page for more of an explanation of how these frauds work and to see other names associated with it. Our Fraud Fact Sheet lists the red flags of a bogus legal matter that is really a fraud.

Here is the initial contact email sent by the fraudster to the lawyer:

From: Steven Patel steven-patel@live.com
Date: April 24, 2014 at 8:02:17 AM EDT
To:
Subject: RE: Inquiry

I want to inquire if your firm handles breach of contract cases. A referral will be welcomed if this is not your area of practice.
Regards
Steven Patel

Replying to the email brought this response:

Please let this email serve as our response regarding your firm representing our company. Find below our debtors information for a conflict check, before we can schedule for a telephone conference.

Jay Steel, LLC,
62 State Route 101A # 3 Amherst, NH 03031

We hope to hear from you at your earliest convenience.

Sincerely,
Steven Patel.
Executive Board of Director
Allerton Steel LTD
Allerton House Thurston Road,Northallerton,
North Yorkshire DL6 2NA United Kingdom.
T: +44 793 701 4296
F: +44 809 174 0930

Breach of license agreement scam using the names Allen Chen and Bioway Corporation

April 23, 2014 By: FraudInfo Category: Confirmed frauds

Lawyers in Ontario and South Carolina reported to us that they’ve been contacted by the purported Allen Chen of Bioway Corporation with regard to retaining their services to collect on a breach of a copyright agreement.

This is a classic bad cheque scam that presents as a legal matter requiring the assistance of a lawyer. In this scam, lawyers will be duped into wiring real funds from their trust accounts after depositing a fake cheque received as payment from the party in breach of the agreement (who is also part of the fraud). See our Confirmed Fraud Page for more of an explanation of how these frauds work and to see other names associated with it. Our Fraud Fact Sheet lists the red flags of a bogus legal matter that is really a fraud.

Here is the initial contact email sent by the fraudster to the lawyer:

From: bioway-corporation1@qq.com
Date: April 22, 2014 at 11:32:52 PM EDT
To:
Subject: Breach of license agreement,
Reply-To:

ATTN:,

I am contacting you in regards to a breach of license agreement, unfair competition, and trademark infringement with a client in your locale. Our client was granted an exclusive license to use and modify our Japanese language software products to create and manufacture English language versions of the Products and derivative products in the English language, and the exclusive rights to distribute the English language versions of the Products throughout the USA. However, it was later uncovered that our client was equally manufacturing the Spanish language of our product without license. In addition, our client was equally distributing the unauthorized products within and to other regions outside USA and this is a complete violation of our agreed terms.
On behalf of my company, I will like to enforce our intellectual property rights with respect to the unauthorized production of the versions of our products in Spanish language and the unauthorized distribution of the products within and to other regions outside USA . If these falls under the scope of your practice and my request could be reasonably accommodated, please contact me as soon as possible so that I can provide you with further details. Otherwise, if you are not in a position to assist on these issues, your advice on the appropriate measures to take could be of assistance.
I will appreciate your prompt response. Thank you.
Warmest regards,
ALLEN CHEN
President/Ceo
BIOWAY CORPORATION.
Address: 3rd FLOOR, NO. 169-6, SEC
CHANGAN EAST ROAD IN TAIPEI 2 TAIWAN
TELL: 02-2771-2196
FAX: 02-2741-3770
WEBSITE: http://www.bioway.com.tw

Protecting Yourself from Cybercrime Dangers: Secure Your Mobile Devices to Protect the Data on Them

April 23, 2014 By: TimLemieux Category: Fraud prevention

Cybercrime dangers are many, complex and ever-changing. Hardly a day goes by without another news report of a data breach or other cyber-related scam or theft. Cyber criminals have considerable resources and expertise, and can cause significant damage to their targets. Cyber criminals specifically target law firms as law firms regularly have funds in their trust accounts and client data that is often very valuable. LAWPRO encourages all law firms to make dedicated and ongoing efforts to identify and understand their potential cybercrime vulnerabilities, and to take steps to reduce their exposure to cyber-related dangers. This article, from the December 2013 issue of LAWPRO Magazine, reviews the specific cybercrime dangers law firms need to be concerned about, and how they can mitigate their risks.

Lost or stolen laptops, smartphones and USB sticks are frequently involved in major data breaches. This is because they often contain large amounts of confidential or sensitive information (e.g., client data, firm and personal information, usernames and passwords, etc.) and they are also easily lost or stolen as they are small and very portable. You can significantly reduce your exposure to a breach involving a mobile device by doing the following things:

  • Take steps to prevent mobile device theft or loss;
  • Make it harder to access information on the device; and
  • Configure remote “find and wipe.”

Preventing theft or loss
Here are some very easy ways to prevent the loss or theft of your mobile devices:

  • Never leave your portable devices unattended in a public place.
  • In particular, don’t leave them in your vehicle – even locked in the trunk is not safe;
  • To be a less obvious target, use a briefcase or bag that does not look like a standard laptop bag;
  • Inexpensive cable locks from Targus (targus.com) and others can help deter a casual thief, but are no obstacle for a determined thief with cable cutters; and
  • If you are staying at a hotel, put the device in a safe in your room or at the front desk.

Making it harder to access data on the device

If a device is lost or stolen, you want to make it as difficult as possible for someone to access the information on it. This is very easy to do. As a first line of defence, you can enable the startup password. After enabling this feature, anyone turning the device on will be challenged for a password and they won’t be able to see any information on the device. Most laptops and smartphones have this feature. However, while this should protect the data on the device from the average thief or person that might find a lost device, someone with specialized knowledge can bypass these built-in password-protection features.

For an extra level of security you can use encryption, which scrambles the data on a device, making it very difficult for someone to access it. Some devices have an encryption feature in the device operating system, and, if not, you can use a third party encryption program or app. TrueCrypt is a widely used encryption tool that works on many different platforms.

One other option to consider: if you allow remote access, have people travel with a device that has no client data or other sensitive information on it. They can use it to access client data in the office via remote access and if the device is lost or stolen there is no lost information to be concerned about.

You may want to keep in mind that current case law provides that law enforcement does not need the permission of a device owner to access information on a device that is not password protected.

Device locators and remote wipe
To prepare for the eventuality that one of your smartphones, tablets or laptops gets lost or stolen, you should enable or install device locator and remote wipe functionalities. These features are built in on some devices, and there are many third party programs and apps that do the same things. Using GPS technology or the tracing of IP addresses, you can potentially view the location of your device on a web-based map, sometimes along with where and when it was last used. Just in case the device is lost in your residence, you can also trigger a high volume ring to help you locate it, even if the device is on silent or vibrate. If the worst has happened and it appears that the device is permanently lost or was stolen, you can usually lock the device so no one can use it or access the data, and you can also remotely tell the device to do a factory reset, which will delete all data on it.

Beware of data theft with USB sticks
Tiny, high-capacity USB sticks are commonly used for moving data around. A combination of three things makes them a major security concern: (1) they are very easy to use, (2) they are compact, lightweight and ultra-portable, and (3) they can store huge amounts of information. They are, in other words, the perfect tool for a disgruntled or soon-to-be ex-employee who plans to easily and quickly steal firm data.

How do you protect yourself? Make sure you have appropriate security and access rights to confidential client and firm information on your firm’s computers and servers. Auditing file access may help you spot someone who is accessing information they should not. Consider disabling USB ports on firm computers used by people that have no reason to use USB sticks.

LAWPRO Magazine practice tip: Steer clear of real estate claims by asking these five questions on every deal

April 22, 2014 By: TimLemieux Category: Real estate

The real estate lawyer’s job is more than just conveying title, and not every matter will be straightforward. Communication errors and inadequate investigation are the biggest causes of real estate claims at LAWPRO, respectively 41 per cent and 26 per cent of claims reported between 2001 and 2011. Busy, high-volume practices often lead to situations where the lawyer is not taking the time to communicate with the clients properly.

Lawyers need to take the time to speak to clients to ensure they’ve gathered all the relevant information.

Here are five questions lawyers should be asking their clients or themselves on a real estate matter:

  1. Is there a spousal interest in the property? Although only one person may be registered on title, there could be a spousal interest in a matrimonial home. LAWPRO has seen a number of claims where the lawyer did not get the consent of the spouse to change the ownership status or encumber the property with a mortgage. Take the time to discuss the client’s marital status to determine whether the consent of a spouse – or any other person with an unregistered interest.
  2. Even with title insurance, are there more inquiries I should be making? Even if a title insurer waives certain searches or a survey requirement, lawyers still need to ask clients if they want the searches or survey done, and explain what the consequences could be of not doing so. The title insurance policy may rectify a problem to some extent or indemnify the client, but going through the process of dealing with the problem may still not be a situation the client welcomes. Think of a boundary dispute which leads to a hostile relationship with the neighbours, a deck needing to be torn down without the possibility of replacement or grow-op damage that could be harmful to the family’s health: All things that searches might have uncovered depending on the circumstances. The lawyer should also look beyond the searches that are required by the title insurer and apply his or her own knowledge of the particulars of the transaction to determine which searches ought to be considered. For example, is it a property on a ravine that may be under the jurisdiction of a Conservation Authority?
  3. What is the future use of the property? Often the lawyer fails to ask clients about possible future uses of the property that the client might have in mind, and as a result fails to get a title insurance endorsement that would protect the clients (e.g., they planned to build a pool, but later discovered an easement prevents it). In the alternative, the lawyer must personally investigate the feasibility of the plans (and presumably bill accordingly) or document with the clients that they did not wish to undertake the expense of investigating their options at this time and therefore no assurances are being provided beyond the existing legal state of the property.
  4. Is the person obtaining the mortgage actually the person who will be living in the house? Shelter fraud, unlike other mortgage fraud, involves real people who want real places to live. In this scenario, people who don’t qualify for a mortgage enlist the help of a “friend” or family member. For a payment, the “friend” becomes the borrower and takes title to the property and presents himself to the lawyer as the purchaser of the home. In effect he’s selling his good credit. Of course he has no intention of living there, and the person(s) who hired him will move in and promise to make the mortgage payments. If the person(s) behind the scheme default on the mortgage, the “friend” is on the hook, pursued by the bank and facing financial ruin. The friend may sue the lawyer claiming that he was not aware of what he was getting himself into, and that the lawyer knew (or should have known) that he was buying on behalf of others and should have made him aware of the consequences of defaulting on the mortgage. While there is only so much lawyers can do to ensure the borrower is in fact the person planning to live in the house, a good intake process can ensure that the client’s answers to relevant questions are documented. After all, most real estate lawyers will also wish to know if there will be a tenant in the house instead of the owner, as residential rental investment properties bring many other legal issues of their own.
  5. What information should I pass on to the lender? Lawyers need to remember that lending institutions are also their clients in many real estate transactions. We’ve seen claims in which lawyers have failed to communicate material information to the lender client so the lender can make an informed decision on whether to advance mortgage funds. Throughout the course of the transaction, lawyers should always consider whether information received from any party, a title search, or other due diligence may be considered information material to the lender’s decision to advance funds under the mortgage or is expressly requested in the lender’s instructions. This includes, for example, information that may suggest that the property is being purchased at an inflated price. As well, information that suggests that the purchaser is misrepresenting the true circumstances of the purchase (as in the shelter fraud described above) should be reported to the lender before the lawyer proceeds to close the transaction and advance funds under the mortgage. In such circumstances lawyers must be careful to fulfill their duties to each client, as required by the Rules of Professional Conduct, and in particular Rules 2.02(5) and 2.04(6.1)

This article originally appeared in the September 2013 issue of LAWPRO Magazine. All past issues of LAWPRO Magazine can be found at www.lawpro.ca/magazinearchives

Separation agreement scam using the name Mariam Jacob

April 22, 2014 By: FraudInfo Category: Confirmed frauds

Two Ontario lawyers notified us that they received an email from the purported Mariam Jacob looking to retain them with regard to collecting overdue payments resulting from a separation agreement.

This is a classic bad cheque scam that presents as a legal matter requiring the assistance of a lawyer. In this scam, lawyers will be duped into wiring real funds from their trust accounts after depositing a fake cheque received as payment from the debtor (who is part of the fraud). See our Confirmed Fraud Page for more of an explanation of how these frauds work and to see other names associated with it. Our Fraud Fact Sheet lists the red flags of a bogus legal matter that is really a fraud.

Here is the initial email sent by the fraudster to the lawyer:

From: mj81021@gmail.com [mailto:mj81021@gmail.com]
Sent: April 19, 2014 8:02 PM
To:
Subject: I need your legal advise

Dear Counsel,

I am seeking legal representation from your law firm regarding a breach of divorce settlement agreement I had with my ex husband who now reside in your jurisdiction. We had an out of court agreement for him to pay me $641,000.00 plus legal fees. He has only paid me $71,000 ever since this agreement was reached.

He has agreed already to pay me the balance yet he kept turning me around with numerous excuses. So it is my belief that a Law firm like yours is needed to help me collect my due settlement from my ex-husband or litigate this matter if need be.

I need proper legal advice and assistance to know the best way to handle this issue. If this is your area of practice, please contact me to provide you with further Information.

Regards,

Mariam Jacob

Please kindly reply me at my email (mariamjacob156@gmail.com)

Protecting Yourself from Cybercrime Dangers: Be Safer When Using Remote Access and Public Computers

April 21, 2014 By: TimLemieux Category: Fraud prevention

Cybercrime dangers are many, complex and ever-changing. Hardly a day goes by without another news report of a data breach or other cyber-related scam or theft. Cyber criminals have considerable resources and expertise, and can cause significant damage to their targets. Cyber criminals specifically target law firms as law firms regularly have funds in their trust accounts and client data that is often very valuable. LAWPRO encourages all law firms to make dedicated and ongoing efforts to identify and understand their potential cybercrime vulnerabilities, and to take steps to reduce their exposure to cyber-related dangers. This article, from the December 2013 issue of LAWPRO Magazine, reviews the specific cybercrime dangers law firms need to be concerned about, and how they can mitigate their risks.

Being able to access your work network while you are out of the office can provide increased productivity and flexibility. However, opening your systems to remote access creates a number of security risks as external network connections are a ripe target for cyber criminals. And you should think twice about using public computers for firm work.

Setting up safe remote access

There are many tools that allow you to easily set up remote access (e.g., PCAnywhere, GoToMyPC, LogMeIn, TeamViewer, SplashTop). If properly configured, these are suitable for a smaller law office or home setting. Virtual private networks or VPNs may make remote access more secure. A VPN is a network connection constructed by connecting computers together over the Internet on an encrypted communications channel. VPNs are secure and fast, but may be expensive and harder to configure.

Securing remote access may require a degree of technical knowledge and advice from a computer expert. To make your remote access safe, you must secure your network and your remote access devices.

Do the following to secure your network:

  • Use a firewall and security software to keep out unwanted connections.
  • Only give remote access to people who really need it.
  • In order to protect sensitive information, restrict the type of data that can be accessed remotely.
  • Make sure all computers connecting to your network, including personal home computers, have up-to-date security software installed.
  • Review firewall and other server logs to monitor remote access and watch for unusual activity.

Do the following to secure remote access:

  • Ensure installation of remote access clients is done properly.
  • Restrict access to the minimum services and functions necessary for staff to carry out their roles.
  • Ensure that all staff use strong passwords on devices accessing your network remotely.
  • Change remote access passwords regularly.
  • Make sure that staff do not set their devices to login automatically and that they never store their passwords on them.
  • Use strong authentication that requires both a password and token-based authentication.
  • Have a formal remote access policy that clearly describes what staff are to do or not do with remote access.
  • Delete staff remote access privileges if they are no longer needed, and immediately when a person leaves or is terminated.

The extreme dangers of using public computers

Public computers in libraries, Internet cafes, airports, and copy shops are an extreme security risk. While you can take steps to reduce these risks, it is still very dangerous to access sensitive client information on them. Start with the assumption that most public computers will have malware on them and let this govern your activities accordingly.

The following steps can reduce some of the risks associated with public computers:

  • Try to turn on the “private browsing” feature.
  • Watch for over-the-shoulder thieves who may be peeking as you enter sensitive passwords to collect your information.
  • Uncheck or disable the “remember me” or “log in automatically next time” option.
  • Always log out of websites by clicking “log out” on the site. It’s not enough to simply close the browser window or type in another address.
  • Delete your temporary Internet files, cookies and your history.
  • Never leave the computer unattended with sensitive information on the screen, even for a moment.
  • Never save documents on a public computer.

These measures will provide some protection against a casual hacker who searches a public computer you have used for any information that may remain on it. But keep in mind, a more sophisticated hacker may have installed a keylogger to capture passwords and other personal information entered on a public computer. In this scenario the above steps won’t prevent your information from falling into the hands of the hacker. This is why it is not a good idea to access sensitive client information or enter credit card numbers or other banking information on a public computer.

Separation agreement scam using the name Angela Azuma

April 21, 2014 By: FraudInfo Category: Confirmed frauds

Two Ontario lawyers notified us that they received an email from the purported Angela Azuma looking to retain them with regard to collecting overdue payments resulting from a separation agreement.

This is a classic bad cheque scam that presents as a legal matter requiring the assistance of a lawyer. In this scam, lawyers will be duped into wiring real funds from their trust accounts after depositing a fake cheque received as payment from the debtor (who is part of the fraud). See our Confirmed Fraud Page for more of an explanation of how these frauds work and to see other names associated with it. Our Fraud Fact Sheet lists the red flags of a bogus legal matter that is really a fraud.

Here is the initial email sent by the fraudster to the lawyer:

—- Message from Angela Azuma harmonyyoung11@gmail.com on Thu, 17 Apr 2014 11:08:32 +0100 —–
To:
Subject: Assistance for failure to complete court ordered payments

Dear Counsel ,

I wish to file a case against my ex-husband ( Michael Azuma ) for
failure to complete court ordered payments of Child Support, Spousal
Support, Equitable distribution and Medical support in our separation
agreement. Kindly respond to confirm your readiness to assist.

I am earnestly waiting for your reply.

Warmest Regards,

Angela Azuma .


Protecting Yourself from Cybercrime Dangers: Scrub Confidential Client Information on Discarded Equipment

April 18, 2014 By: TimLemieux Category: Fraud prevention


Cybercrime dangers are many, complex and ever-changing. Hardly a day goes by without another news report of a data breach or other cyber-related scam or theft. Cyber criminals have considerable resources and expertise, and can cause significant damage to their targets. Cyber criminals specifically target law firms as law firms regularly have funds in their trust accounts and client data that is often very valuable. LAWPRO encourages all law firms to make dedicated and ongoing efforts to identify and understand their potential cybercrime vulnerabilities, and to take steps to reduce their exposure to cyber-related dangers. This article, from the December 2013 issue of LAWPRO Magazine, reviews the specific cybercrime dangers law firms need to be concerned about, and how they can mitigate their risks.

Many of the technology devices used today are essentially disposable. When they get old or break down, they are simply discarded as it is too expensive to upgrade or repair them. As a result, law offices will frequently find themselves discarding older computers and other devices. This is problematic as these devices often have confidential client information on them.

There are risks in donating your old computers to charity or a local school where a classroom of technology-savvy students will be itching to recover your data. Be sure to remove the hard drive from any computer you donate, or make sure the data on the drive has been thoroughly removed (see below).

Third party access to confidential client or firm information can also be an issue if you are sending your electronic equipment outside the office for repair or maintenance. Client information can be in unexpected places. Most modern photocopiers and printers actually have hard drives on board that store copies of the images that go through them. This data can easily be found on, or recovered from, the hard drives on these devices.

Deleted doesn’t mean deleted

It’s a common misconception that deleted files are gone for good. In fact, the deleted files on most devices (e.g., computers, tablets, smartphones) are easy to recover using widely available forensic recovery tools. Even reformatting or repartitioning a hard drive will not completely destroy all the data on it.

Keep in mind that forensic technology can also be used to restore deleted files on portable media (e.g., CDs, DVDs, USB sticks, SD cards), so you should always use new media when sending data outside your firm.

Physically destroying a hard drive or other device with a hammer is the free and low-tech option. You can also use specialized software that will “scrub” all data from a hard drive so that it is not recoverable. Widely used free tools for this task include CCleaner, Darik’s Boot And Nuke (DBAN), and File Shredder.


Protecting Yourself from Cybercrime Dangers: Lock Down and Protect Your Data Wherever it Is

April 16, 2014 By: TimLemieux Category: Fraud prevention


Long gone are the days when you had to worry about a single file folder that held all the documents for a particular matter, which you could easily secure by keeping it locked in a file cabinet. Today, client data can exist in electronic form in many different places inside and outside your office. You need to know where that data exists, who can access it, and what steps should be taken to secure and protect it from cyber criminals.

Physical access to servers, routers and phone switches

Protecting your server(s) and other key telecommunications equipment such as phone switches and routers starts with physical security. Intruders who have physical access to a server can get direct access to files and data on the server’s hard drives, enabling them to extract the usernames and passwords of every user on the system, destroy data, or give themselves a backdoor for accessing the server remotely. Even curious employees who want to change settings can unintentionally cause serious problems. Put your servers and other key telecommunications equipment in a locked room to protect them from unauthorized access. Be cautious about any wall jacks for your network in unsecured areas of your office.

Access to devices on startup

To protect the information on them, and the information on any network they connect to, every computer, tablet and smartphone should be configured to require a password at startup. Devices without a startup password allow free and unfettered access to anyone who turns them on.

Better yet, in addition to a startup password, consider encrypting the data on devices. Passwords will prevent the average person from accessing your device, but can be bypassed by people with greater expertise. Encryption will make information on devices far more secure. The operating systems on some devices have built-in encryption capabilities, or you can install third-party encryption programs or apps.

Put a password on your screensaver

Activating a password-protected screensaver is a simple and very effective way to prevent an unauthorized person from rifling through the data on a computer or other device that’s been inadvertently left on. All versions of Windows and Apple operating systems allow you to add a password to a screensaver. Remember to log out of any applications containing sensitive data and lock your screen when you leave your desk, or set a fairly short wait time on your screensaver so that it locks automatically if you step away. BlackBerry, Android, iOS and Windows mobile devices also have an automatic screen-locking feature.

Access across a network

Almost every law office has a computer network with one or more central servers. Client and firm information can be stored on these servers, making it accessible to everyone in the office. To better protect information from unauthorized access, take time to understand what information is stored on your network servers, and who has access to that information.

“Network shares” make folders available and visible across a network. “Permissions” control what people can do with the data in a folder. Someone with “full access” can create, change or delete a file, whereas someone with “read only” access can open and copy a file, but not delete it. Segment your data and set appropriate access levels (e.g., public, sensitive, very private) so that access to sensitive information is limited or prevented. Remember that privacy legislation requires that you limit access to some types of personal information (e.g., financial and health-related data) on a need-to-know basis.

Restricting access to more sensitive data can help protect it in the event your network is hacked or an unhappy employee with bad intentions goes looking for data. Your desktop or laptop computer can act like a server in some cases, and content on your hard drive could be shared and accessible to someone across a network or through the Internet. To prevent this from happening, you need to make sure that file and printer sharing is turned off on your computer.
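One way to carry out the share review and the file-and-printer-sharing check described above on a Windows computer or server, as an added example that is not part of the original article. It assumes Windows 8 / Server 2012 or later with the built-in SmbShare and NetSecurity cmdlets, an elevated PowerShell session, and an English-language system (the firewall group name is localized); the list of "broad" accounts is this example's own choice.

```powershell
# Added example: read-only audit of network shares and file/printer sharing.
# Nothing here changes any setting; it only reports what is exposed.

# Accounts treated as "too broad" are an assumption of this example; adjust for your office.
$broadAccounts = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

# 1. Every user-created share, who can reach it, and with what level of access.
$shareReport = foreach ($share in Get-SmbShare) {
    # Skip the built-in administrative shares (C$, ADMIN$, IPC$).
    if ($share.Special) { continue }

    foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
        # Flag entries that let a broad group change or delete files.
        $needsReview = ($entry.AccessControlType -eq 'Allow') -and
                       ($entry.AccessRight -ne 'Read') -and
                       ($broadAccounts -contains $entry.AccountName)

        [pscustomobject]@{
            Share   = $share.Name
            Folder  = $share.Path
            Account = $entry.AccountName
            Type    = $entry.AccessControlType   # Allow or Deny
            Access  = $entry.AccessRight         # Full, Change, Read or Custom
            Review  = $needsReview
        }
    }
}

if ($shareReport) {
    $shareReport | Sort-Object Share, Account | Format-Table -AutoSize
} else {
    'No user-created shares on this computer.'
}

# 2. Is inbound file and printer sharing allowed through the Windows firewall?
$openRules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

if ($openRules) {
    'File and printer sharing is ENABLED for these inbound firewall rules:'
    $openRules | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    'No inbound file and printer sharing firewall rules are enabled.'
}
```

Rows with `Review` set to `True` are shares where a broad group can modify or delete files. Share permissions are only one layer: the folder's own NTFS permissions also apply and should be reviewed separately.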
