Tuesday, November 26, 2013

Effective Security Starts at the Top: The S.C. Supreme Court Mandates Strong Passwords

Earlier this month the South Carolina Supreme Court ordered all members of the South Carolina Bar and all foreign legal consultants to log-in to the Attorney Information System (AIS) and 1) adopt a stronger password; 2) choose and answer updated security questions; and 3) update and verify their contact information in AIS.  Pursuant to the terms of the Order, those who fail to do so by December 15, 2013 may face suspension.

The Court's Order offers good lessons for all attorneys (and others) attempting to secure their firms and businesses.

Security is a Process, Not A Product

The Court recognizes that the security of the AIS relies in no small part on strong passwords created by attorneys, and mandates a process to attain that end.  As discussed here, human mistakes (as opposed to software or hardware inadequacies) account for most security breaches.  Using a  "weak" password (one that a computer can guess by means of generating many characters) or a "common" password (one that a person can guess or read) is like leaving a door open or a safe unlocked.

Although various technology products offer essential parts of an effective security program, (as discussed here and in  Locked Down: Information Security for Lawyers) no product will save you from yourself if you decide to use "password" as your password, use the same password on multiple sites, click on bad links, or voluntarily share your bank account number in response to an email message.

Consider how to make security a priority in your firm, through the use of policies, training, and/or other methods.  And understand that the combination of people, processes, and technology is necessary for appropriate security.  

Any Effective Security Process Has Support From The Top and Appropriate Teeth

A Supreme Court mandate with Chief Justice Toal's signature and the threat of losing the ability to practice law is an effective way to get an attorney's attention and ensure compliance.  Moreover, the fact that attorneys will not be allowed to pay their license fees until they have complied with the Order all but ensures 100% participation.

By contrast, how many attorneys would have updated their information in response to an email memo from a systems administrator for the AIS suggesting the use of stronger passwords?  How many of you consider the recommendations of your IT staff, implement same, and follow through to make sure they are followed?

Protecting the client file as required by Rule 1.6 (“Confidentiality of Information”) and Rule 1.15 (“Safekeeping Property”) of the South Carolina Rules of Professional Conduct ("RPC") includes securing electronic information.  A security breach caused by a weak password or indiscriminate browsing may cause the same unauthorized disclosure of a client's confidential information as the theft of a paper file.


Although strong passwords may be a hassle and create yet another thing for attorneys to remember (and for some assistance with "password fatigue" click here), clearly their use is one part of an effective information security program.  Just as incentives and discipline are used in connection with other corporate purposes and obligations (e.g. to "encourage" lawyers to get their time in), so too should lawyers consider how to best encourage and enforce the development of a culture of security in their firms.