Protecting Yourself and Your Firm's Information
by Kimberly Pease
(County Bar Update, November 2005, Vol. 25, No. 10)




Submitted by Kimberly Pease at the request of the Law Practice Management Section Executive Committee. Kimberly Pease, along with Dr. Stan Stahl, is cofounder of Citadel Information Group, an information security management consultancy providing clients with discreet and confidential counsel on information security matters as well as information security assessments and security incident management, including computer forensics. She can be reached at (323) 397-5752. The opinions expressed are her own.


If there is one question that gets asked most often of information security specialists, it is "We have a firewall, so we're protected, right?" Some attorneys mistakenly believe that their firm's information and infrastructure are secure because a firewall has been installed. The realities surrounding information security, however, involve creative, devious, and amazingly simple ways the bad guys get information.


One way, called phishing, is a type of social engineering that exploits the vulnerability of people by using fraudulent scenarios to lure them into providing private financial information, such as credit card numbers, account user names, passwords, and social security numbers. These schemes often use spoofed e-mails that trick recipients into going to counterfeit Web sites and divulging confidential information. Phishers often convince recipients to respond by hijacking well-known brand names such as Citibank, Washington Mutual, Morgan Stanley, eBay, and PayPal.


The Anti-Phishing Working Group, an industry association focused on eliminating identity theft and fraud that result from the growing problem of phishing and e-mail spoofing of all types, has compiled a list of more than 200 different e-mail messages created in the past 24 months that use fraudulent scenarios. For more information, see


Phishing attacks most often target financial data, and a security-conscious person can defeat these attacks by simply deleting the e-mail message and, when appropriate, reporting it to the company whose brand is being abused.


Another way of obtaining information is exploiting the vulnerabilities of Bluetooth technology. Bluetooth allows devices such as mobile phones, computers, and personal digital assistants (PDAs) to communicate with each other without cables or wires. It relies on short-range radio frequency, and any device that incorporates the technology can communicate as long as it is within the required distance.


If someone can "discover" your Bluetooth device, that person may be able to send you unsolicited messages or abuse your Bluetooth service, which could cause you to be charged extra fees. Worse yet, an attacker may be able to find a way to access or corrupt your data. One example of this type of activity is bluesnarfing, which refers to attackers using a Bluetooth connection to steal information from your Bluetooth device.


Bluetooth attacks most often target information typically found in phones and PDAs; simple steps can be taken to secure these devices. See the US-CERT National Cyber Alert System Web site. (US-CERT, the U.S. Computer Emergency Readiness Team, is a partnership between the Department of Homeland Security and the public and private sectors. CERT protects the nation's Internet infrastructure and coordinates defense against and responses to cyber attacks across the nation.)


Information security goes well beyond thwarting phishing and bluesnarfing attempts. It is critical that a law firm protect its proprietary information such as financial statements, hourly billing rates, tax information, and partner compensation percentages. Client documents such as litigation pleadings, M&A proposals, and e-mail messages containing client correspondence are undoubtedly just as important. It is essential that a firm take the time and expense to determine how it is going to protect its vital information as well as the confidential information of its clients. Furthermore, it is important to decide who is responsible for protecting this critical information and who is liable in the event of a security breach.


State and federal laws that mandate the protection of information are quickly evolving. Recent large-scale information thefts involving ChoicePoint and LexisNexis have highlighted these laws in the media. California Senate Bill 1386, which became effective July 1, 2003, requires any business that discovers its computers have been breached, and that personal information of a California resident might have been acquired by an unauthorized person, to disclose the breach to all affected California residents. Noncompliance can result in civil penalties.


We live in the Information Age. A staggering amount of information is stored electronically, and there are many, many ways to access all of it. In spite of this enormous challenge, there are also many, many ways to protect it. By becoming aware and acknowledging that everyone and every system is a target, you have taken the first and most important step toward protecting critical information. Information security is not confined to computer systems or technology; it applies to all aspects of safeguarding information. So the next time you think, "We have a firewall installed, so we must be protected," think again.
