Attorney Ethical Obligations re Cloud Computing, Computer Security, & Strong Passwords

With all of the sensitive and confidential information entrusted to attorneys, data security is an essential part of doing business.  In Wisconsin, attorneys have an ethical obligation to understand the importance of computer security as outlined by Wisconsin Ethics Opinion EF-15-01: Ethical Obligations of Attorneys Using Cloud Computing.  It states:

  • “A lawyer may use cloud computing as long as the lawyer uses reasonable efforts to adequately address the risks associated with it.”
  • “To determine what efforts are reasonable, lawyers should understand the importance of computer security, such as the use of firewalls, virus and spyware programs, operating systems updates, strong passwords and multifactor authentication, and encryption for information stored both in the cloud and on the ground.”

There’s a lot to unpack there.  Let’s start with what cloud computing is.  “Simply put, cloud computing is the delivery of computing services—including servers, storage, databases, networking, software, analytics, and intelligence—over the Internet (‘the cloud’),” explains Microsoft.  “You’re probably using cloud computing right now, even if you don’t realize it. If you use an online service to send email, edit documents, watch movies or TV, listen to music, play games, or store pictures and other files, it’s likely that cloud computing is making it all possible behind the scenes.”

Ok, you’re probably using cloud computing and you have a duty to use reasonable efforts to address the risks in keeping your data secure.  As the Ethics Opinion states, that could mean a lot of things from the use of firewalls to encryption.  I’m just going to focus on one area: passwords.

So what’s not a secure way to manage your passwords?

  • Writing down your password and keeping it in the vicinity of your computer.  Even if it’s not on a post-it note stuck to your monitor, putting it under your keyboard or mousepad isn’t quite as stealthy as you think.
  • Using the same one or two passwords for everything. Once your password is compromised, often through a bulk data breach, it doesn’t take long for a thief to try it on every account linked to your email.
  • Using a password so easy to guess that it’s laughable.  According to internet security firm SplashData, “12345” and “password” have been at or near the top of the list of the 25 most commonly used passwords every year since 2011.  Come on, people – really?

I get it.  Unique, secure passwords are really hard to create and remember, especially when each one has to be at least x number of characters with some combination of upper and lower case letters, numbers, and special characters and you have to change it every so many days or months.

Enter the password manager, an encrypted digital vault that stores your login information for all of the programs, apps, databases, websites, and other services that you use.  You just remember one master password and the password manager will log you into everything else across multiple devices while keeping your identity, credentials, and sensitive data safe.  It can also generate strong, unique passwords with the click of a button so if a site gets hacked, your stolen password can’t be used on other sites.
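For readers who want to see the idea in working form, here is a small added example (not taken from any password manager's code) that flags the reused and commonly used passwords described above and swaps each one for a randomly generated, unique replacement. The account names, sample passwords, symbol set, and function names are all made up for illustration.

```python
import secrets
import string
from collections import defaultdict

# Only the two passwords this article quotes from SplashData's list;
# a real audit would load a much longer list.
COMMON = {"12345", "password"}
SYMBOLS = "!@#$%^&*-_=+"  # assumed symbol set for this example
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]

def audit(accounts):
    """Return {site: [issues]} for common or reused passwords."""
    sites_by_password = defaultdict(list)
    for site, pw in accounts.items():
        sites_by_password[pw].append(site)
    findings = {}
    for site, pw in accounts.items():
        issues = []
        if pw.lower() in COMMON:
            issues.append("common")
        others = sorted(s for s in sites_by_password[pw] if s != site)
        if others:
            issues.append("reused with " + ", ".join(others))
        if issues:
            findings[site] = issues
    return findings

def generate(length=20):
    """Draw from the OS random source until every character class appears."""
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw

def remediate(accounts):
    """Give every flagged account its own freshly generated password."""
    flagged = audit(accounts)
    return {s: generate() if s in flagged else pw for s, pw in accounts.items()}

# Constructed sample data, not real credentials.
SAMPLE = {
    "email": "Badger2019!",
    "court-efiling": "Badger2019!",
    "bank": "password",
    "practice-mgmt": "t7#Vq9!mLx2@pRz4",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(audit(remediate(SAMPLE)))
```
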

So how secure are password managers?  Can you trust them with your passwords and other private information? According to the security experts at Norton, most password managers do not store or have any access to your master password or the encrypted information in your password database.  But can’t they be hacked, too?  “The quick answer is ‘yes.’” says Norton. “Password managers can be hacked. But while cybercriminals may get ‘in’ it doesn’t mean they will get your master password or other information. The information in your password manager is encrypted. And deciphering that encryption, which is usually industry-standard encryption like Advanced Encryption Standard (AES), is almost impossible.”  Much of the security of your password manager depends on the strength and safety of your one master password, so it’s important that you put some thought and effort into that one.

There are a number of free and fee-based password managers on the market. Check out PC Magazine’s lists of the Best Password Managers for 2020 and the Best Free Password Managers for 2020.  One of the most popular and highly rated password managers is LastPass, which offers both free and fee-based versions.  In addition to the features outlined above that are common to all password managers, LastPass also lets you share access to sites with colleagues or others without revealing your password, and you can revoke that access at any time.

If you want to learn more, check out this quick video tutorial on why and how attorneys can use LastPass for increased password security.  If you recognized yourself in one of the insecure password management practices described above, I highly recommend looking into a password manager.  They are easy, convenient, and can help keep your data more secure.