Mobile device security for lawyers

By Audrey Herrington

In the last five years, many law firms and companies have adopted a bring-your-own-device (“BYOD”) policy where employees use their own smartphones, tablets and laptops for work. A BYOD policy allows a business to shift the cost of providing equipment to the employee while increasing morale and productivity.

In the era of the iPhone, this is incredibly convenient for employers and employees alike. However, mixing personal and business on one device can be tricky, and not just because you wouldn’t want to send pictures of your weekend lake trip to your work wife. The issues related to BYOD policies can be more than just awkward: BYOD policies can create major cybersecurity headaches for firms and companies.

One of the biggest causes of these headaches? Apps. The greatest threat to mobile device security is hitting “I Accept” on the Terms & Conditions for mobile apps. Ironic, isn’t it? We lawyers are getting a taste of our own medicine. Some personal apps for social media and mobile games request access to your camera roll, photos, location, contacts, speech recognition, microphone and first-born child.

This data can be mined by cybercriminals, which puts a law firm or company at huge risk of a major data breach. Businesses should have policies in place to keep employees from downloading apps that request broad and unnecessary permissions on devices where work information is stored. The cost of a data breach, on average, is now in the millions. Apps to keep you entertained while you wait for your lunch order just aren’t worth that risk.

Bad news if you’re a lawyer who likes to work out of your local coffee shop: The network you’re using may be unsecured. Hackers like free Wi-Fi networks for the same reason consumers do: they’re convenient and easily accessed. If you’re a lawyer working on an unsecured network, a hacker can obtain your emails, log-in credentials, credit card information and those weekend lake pictures. Companies should make sure employees know to avoid Wi-Fi networks without a password. Employees should also use a virtual private network (VPN), which provides encryption and allows users to use a public network as if it were private.

All firms and companies can use strong passwords and multi-factor authentication to protect a mobile device if an attorney misplaces a phone or laptop. Encryption can also protect mobile devices and comes standard on iPhones once a PIN or passcode is set up. Attorneys working with information that requires a higher degree of security, such as protected health information, may be required to use extra security precautions.

For guidance on this matter, attorneys should refer to the ABA Formal Opinions. Formal Opinions 477R, Securing Communication of Protected Client Information, and 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, are particularly relevant. BYOD policies can work successfully in large firms and small companies alike, so long as attorneys are adequately informed of the risks and have the software in place to thwart attacks on client and personal information.

Audrey Herrington is a 2018 graduate of Saint Louis University School of Law. She provides insight for newly minted lawyers in the fast-changing legal field.