
When Strong Passwords Don’t Matter Part II

There is something compulsive about a telephone. The gadget-ridden man of our age loves it, loathes it, and is afraid of it. But he always treats it with respect, even when he is drunk. The telephone is a fetish.

-Raymond Chandler, The Long Goodbye (1953)

Now more than ever, telephones are black holes of information. Smartphones (iOS, Android, etc.) store gigabytes of data not just about their owners, but about their friends, family, customers, and clients as well. Email, documents, pictures, video, etc. all move back and forth from phones to the user’s computer or, increasingly, “the Cloud.” Convenient? Yes. Secure? It depends. Privileged and confidential? Perhaps.

This is a serious issue for lawyers and clients. Lawyers have an ethical duty to keep attorney-client communications privileged and confidential. Lawyers are often given access to the most private and intimate details of their clients’ lives or businesses. If a lawyer uses a cloud-based service, client data is going to be zipping around the internet. But it’s secure! Password protected and encrypted! While this might be true, cloud services are not a closed loop.

Curiosity, Cats, etc

Lieberman Software recently released their 2011 Password Security Survey, taking a look at the “state of password security in large enterprises, and the lack of oversight for this critical security issue amongst senior IT management.” Some highlights:

Nearly 50% of respondents said their systems have been breached. But this is really out of the lawyer’s control. Is a computer set up in your back office really more secure than data storage provided by Microsoft or Google? I’d be willing to bet that most cloud-based services provide better security, updates, and support than 99% of law offices. Hackers can attack any machine hooked up to the Net. It doesn’t matter where it is. More pertinent was the following statistic:

1 in 4 of the most gadget-ridden men of our age, IT professionals, can’t help themselves when it comes to other people’s data. Sure, your password is secure and the data encrypted – but these people have über-passwords. Theoretically, these people should not abuse their positions and should only access data for work-related reasons. Yet it’s all at their fingertips. Accounting, payroll, emails, documents. It’s just too tempting. There’s a thread on /. right now discussing the report with dozens and dozens of IT pros all saying the same thing: “Oh yeah, I’ve done that, 26% seems a bit low.”

Outsource Your _________, Outsource Your Ethics

New York lawyer Eric Turkewitz coined the phrase, “Outsource your marketing, Outsource Your Ethics.” When lawyers relinquish control of their marketing, they are also releasing ethical control of said marketing. A marketer is more than likely not going to appreciate the nuances of an attorney’s ethical duty regarding marketing. See this follow-up post by Turkewitz for more details.

If you store client data on the cloud, it is explicitly moving out of your control. While it is likely more technologically secure than on a computer in your office, it will never, ever be as ethically secure as it is in your office. If you outsource your storage and IT, you also outsource your ethics.

It’s not that it can’t be done. Just as there are marketing firms that cater to law firms with an explicit understanding of the ethical concerns of lawyers, there are likely to be cloud-based system providers that understand the ethical duties of lawyers.

But due diligence needs to be done. Convenience, functionality, gee-whiz techno cool, all take a distant back seat to ethics.


About Keith Lee

I'm the founder and editor of Associate's Mind. I like to write, talk, and think about law, professional development, technology, and whatever else floats my boat. I practice law in Birmingham, AL.

One comment

  1. If your information is not secure technologically, it is not secure ethically. If a hacker can breach a solo attorney’s personally-administered email server, then it doesn’t matter if it is “ethically” secure because the information isn’t confidential as a matter of fact. Furthermore, the risk of loss has to be considered. Most small firm attorneys are better off maintaining their confidential information in a manner that will provide better confidentiality as a matter of fact and has a lower risk of loss.
