The age of the pocket computer is upon us. Smartphones are no more than small computers that happen to make phone calls. According to a Nielsen report, more than 50 percent of mobile phone subscribers in the United States now own a smartphone. Lawyers are at the forefront of this technology wave, with 89 percent of them owning smartphones. Smartphones are extremely powerful devices, capable of storing contacts, calendar entries, email communications, electronic files, voice messages, and a host of additional confidential client information. As an attorney, you have an ethical obligation to protect the client data that is stored on your smartphone. Here are some security tips for protecting the data and some easy measures to take to avoid compromising data.
Such a simple word, but many attorneys are petrified at the prospect of having to encrypt anything. Encryption is simple to accomplish on many types of smartphones. BlackBerry devices are built with encryption as part of the base design. Enabling "content protection" on the BlackBerry will encrypt the device. If you use BES (BlackBerry Enterprise Server), you enforce encryption as part of the security policy. Just setting a personal identification number (PIN) on an iPhone enables encryption, and many Android devices have encryption capabilities as part of the operating system installation. Bottom line: enable encryption and you’ll go a long way toward protecting the data on the phone.
2. Encrypt Memory Expansion
Be sure to also encrypt any memory expansion cards you might use. This is not an issue for iPhone users, because iPhone memory cannot be expanded, but users of other types of phones need to protect any data that they save to expansion cards.
3. Set a Lock Code
Set a lock code for your smartphone. This will help prevent other people from getting access to the information on the phone. Set a code that is longer than the typical 4-digit PIN to make it more difficult to crack the number. iPhone users should turn off “simple passcode” and then enter a passcode that contains more than four digits. Why? Because there is software available that can figure out an iOS four-digit PIN in only a few minutes.
4. Set the Inactivity Timer
Set the inactivity timer on your smartphone for a very short interval. The inactivity timer will automatically lock the phone if the phone has not been used for the time set. Don’t be tempted to set the timer at five minutes or longer. Instead, the time should be no more than two minutes. Longer times leave you exposed if you accidentally leave your phone behind (for example, in a cab, as one of us has done).
5. Enable the Location Service
Turn on your smartphone’s location-service function to make it easier to find the phone if you lose it or it is stolen. iPhone users should enable the “Find My iPhone” feature through iCloud. Many users are not aware that the location-service function must be turned on while the phone is in their possession. Android users can install the free “Lookout” application, which has device-location capabilities. Another advantage of the location service is that you can send a message to the device or have the smartphone emit an alert sound, even if the sound is turned off or the phone is in vibrate mode.
6. Get a Remote-Wipe Function
Make sure you have the ability to remotely wipe the phone should you lose it. This is different than being able to locate the phone. Remote wipe means you can remotely send a command to wipe the information from the phone. This feature is built in on BlackBerry devices, is part of the “Find My iPhone” feature for iPhones, and is included with “Lookout” on Android phones.
7. Install Security Software
Security software for mobile devices is no longer optional; it is a necessity. Malware writers are now targeting smartphones. All major security-software vendors have products for smartphones. “Lookout” is a free product for Android devices. iPhone users must trust Apple, which does not allow any third-party access to the core of the operating system. There are security products for the iPhone, but they are not real-time scanners, such as those available for the other smartphone operating systems.
8. Avoid Unfamiliar URLs and QR Codes
Do not click on any URL that you receive in a message (email or text) that you are not familiar with. Also, there are hazards to clicking on shortened URLs (for example, ones from tiny URL or bitly), because you don’t know where they will take you. The same is true for QR codes. A QR code is a picture-type barcode, and it provides no clues as to where it will take you. Think of it as the Wild, Wild West of the Internet.
9. Do Not Use Unsecured Wireless Networks
Many smartphone users connect to wireless networks to avoid the data charges associated with accessing the 3G/4G data network of their cellphone service provider. Using wireless networks is not inherently a problem, but make sure you are connecting to a secure wireless network. Many of the free wireless networks available at businesses (for example, McDonald’s or Starbucks) are open networks with no encryption, so someone could be monitoring the network traffic and capturing data transmissions. Thus, you should only use secure wireless networks. WPA2-encrypted wireless networks are the only ones we recommend. WPA encryption was cracked long ago, and WEP encryption can be broken in a matter of minutes.
10. Update Your Device
Always run the most up-to-date version of the operating system for your smartphone. Just as is done with computers, smartphone vendors provide updates for phones’ operating systems to patch security vulnerabilities and add additional features. iPhone users can get the latest updates through iTunes. Users of other types of smartphones typically get the updates directly from the cellphone provider. You might not have a choice when it comes to updates; the carrier might force it to your phone.
Security software for mobile devices is no longer optional; it is a necessity.
There is little consistency among operating system updates. Our Windows Mobile phones required us to manually download updates from the carrier’s website. We updated our BlackBerry smartphone by checking for updates from the phone, which would download them directly from RIM. And our Android phone has updates pushed to it automatically from the cellphone services provider.
11. Don’t Jailbreak or Root
Do not attempt to bypass the security or normal operation of the smartphone by jailbreaking or rooting the phone. Bypassing the security systems makes you vulnerable to security breaches, and may void your warranty. (Jailbreaking in the context of smartphones is to allow the phone to install and run third-party applications that have not been approved by Apple. Phones that are not jailbroken can only run applications obtained through Apple’s App Store. Rooting is a term used in reference to the Android operating system to describe a similar process.) In both jailbreaking and rooting, you take administrative control over the operating system.
12. Choose Applications with Care
Be wary of applications from unknown sources. The applications available through iTunes generally are safe, but there have been several instances when malware slipped past Apple’s review process. Google has been criticized for letting malware-laden applications “camp out” in their store. Google’s Bouncer program has improved the policing of applications, although Bouncer is not bullet proof and some malware is still slipping into Google Play. RIM seems to be pretty clear of malware apps, but that may be because there is so little interest in third-party apps for the BlackBerry. Before loading any application, look at user reviews; doing so should help you avoid problematic apps.
13. Read the Terms of Service
It still amazes us that lawyers tend not to read terms of service. Lawyers read contracts for their clients, but many do not read ones that accompany products they own or use. A product’s terms of service will explain what you are agreeing to, which in turn tells you what the application wants to do. The app may be designed to record your phone number and location, or it may have the ability to make a phone call without your involvement. Some apps even state that they can access your contacts. Reading the terms of service could protect you if you decide to not use an app that would allow unwarranted access to information on your phone.
14. Turn Off Unneeded Interfaces
Turn off anything you do not need or you are not using at the moment. This will make your phone more secure and help extend the life of the battery. For example, shut off the Bluetooth if you are not using it, and shut off the WiFi radio if you are not connected to the Internet.
15. Install a Mobile Device Manager
You might not need a mobile device manager (MDM) to enforce policies on the smartphone. (MDM software secures, monitors, manages, and supports mobile devices deployed across mobile operators, service providers, and enterprises.) Many law firms use the free BES Express, for BlackBerry devices. There are other MDMs, but they tend to be implemented in larger environments. Whether you purchase a MDM or not, something should be in place to enforce and control certain aspects of the smartphone. Items such as enforcement of a password, password complexity and length, encryption, inactivity timeout, and so on should all be required items, and the user should have no option to bypass them. The ActiveSync policies available with a Microsoft Exchange server should be sufficient for most small firms.
16. Back Up Frequently
Back up your data and applications. iTunes (not iCloud) should be used to back up iPhones, because iTunes provides a local backup and because the iCloud’s terms of service are not security-friendly. BlackBerries can be backed up using the BlackBerry Desktop Manager. Typically, a smartphone’s manufacturer provides software to be used for backup. If possible, you should also encrypt the backup. There are also third-party applications that can be used for backup. Backing up your phone regularly will preserve information that might be lost if you misplace your smartphone and have to remotely wipe it.
Some lawyers say that they don’t store client data on their smartphones, but in many cases, data is written to your phone without your knowledge. Merely opening and reviewing a document may result in the document being written to the phone. This is particularly true of iPhones.
No matter what type of smartphone you use, be conscious of the changes to the ABA Model Rules of Professional Conduct. You are now required, under those rules, to use technology competently and to assess the risk of using any particular technology and the sensitivity of the data you are handling against the expense and trouble of measures to secure the data. If you follow our 16 tips, you’ll be far more secure than the average lawyer and you will have adopted reasonable precautions for protecting client data – without breaking the bank.