Summer is a popular time for taking a vacation. Or you may be traveling for work. Even when taking a vacation, many attorneys unfortunately can never truly leave work behind. That usually means traveling with a laptop or other device to be used for completing work. Yet your ethical duty to maintain client confidentiality pursuant to ORPC 1.6 remains the same when working outside the office.
In addition to security risks such as lost or stolen devices, you may be subject to searches or detainment of your devices when going through airport security. For example, pursuant to the Fourth Amendment the United States Department of Homeland Security has authority to search anyone crossing the border without probable cause. This includes searching “[a]ny device that may contain information in an electronic or digital form, such as computers, tablets, disks, drives, tapes, mobile phones and other communication devices, cameras, music and media players.” See the directive issued on January 4, 2018 for more information. As part of this authority, the department takes the position that this allows for searching of incoming and outgoing travelers’ electronic devices for data, including the ability to demand passwords and decryption of confidential information. They may even detain the device or information taken from the device if deemed necessary for security purposes. The directive clarifies that only material stored on the device itself may be searched, and nothing stored in the cloud should be accessed. Yet the department can still request passcodes to a cloud storage program.
Below are helpful tips to decrease your vulnerability to security risks if you intend to work while traveling:
1. Consider traveling with "clean" devices
A good option for protecting client information while traveling is to use a “clean” laptop or device, otherwise known as a “burner” device, containing no client information. Remember that “delete” does not completely remove information from a device. So either purchase a clean device or use a program that scrubs the device of all client information. See Hong Dao’s InPractice blog post for more information about permanent data erasure. As discussed below, then use the clean device to securely connect to the Internet and access client information stored in the cloud or connect directly to your firm’s office network. See Hong Dao’s InPractice blog post for more information about security when using cloud storage. Also do not keep any visible link to a cloud storage program or your firm’s network on your device. The same approach should apply to your phone since many of us use our personal phones for work purposes, such as checking email or accessing client information and documents through a mobile application
2. Use a secure Internet connectionDo not conduct work activity using public WiFi or a public computer. Hackers can easily gain access to the network and redirect Internet traffic to their device or broadcast their own network that appears similar to the public WiFi network, and proceed to steal information. Be sure you always have a secure Internet connection if working remotely to ensure all activity is encrypted. Many devices contain a feature that automatically connects you to known wireless networks. Turn off the feature so that you are required to connect manually to be sure you are connecting to the intended network. Obtain guidance from your IT support person to assist you with setting up secure remote access. Rather than using public WiFi or a public computer, options include:
Using a virtual private network
A virtual private network (VPN) creates a secure private Internet connection that requires your computer to communicate using only encrypted information while connected through a public network. It essentially creates a secure tunnel within a public network. There are many options for VPNs on the market, including Encrypt.me, TunnelBear, PrivateInternetAccess, and NordVPN.
Setting up your own WiFi hotspot
This can be done using your smartphone or a standalone device that taps into a cellular network, also known as MiFi, to create your own secure wireless connection. Keep in mind that use of your smartphone as a hotspot may drain your phone’s battery and use up your data plan quickly depending on the type of work you’re doing. Check with your cellphone provider to determine your options. Options for MiFi devices include the Verizon Jetpack MiFi 7730L, and the AT&T Nighthawk LTE Mobile Hotspot. If not using a cellular network, other hotspot devices may require a physical hard-wired connection to the Internet. Know your needs before making any purchase, including accessibility to wired networks. Ensure that any hotspot you use provides a secure encrypted connection.
3. Make sure all devices are protected from unauthorized access
Lost or stolen devices is a common occurrence when traveling. Be sure all devices are protected from unauthorized access. Use two-factor authentication or biometric authentication, such as fingerprints or retina scans. See Sheila Blackford's InPractice blog post for more information about two-factor authentication. Also encrypt and lock or turn off all devices when not in use.
4. Update all operating systems and software programsBefore you leave, update your operating system and software programs on all devices you will be taking with you when traveling.
5. Be aware of your surroundingsIf you perform work while in a public place, use a privacy screen so that those nearby cannot see the information being accessed. And remember to be cognizant of phone calls or discussions with others regarding a client matter in case it could be overheard.
ConclusionThe main takeaway is to know where your client data is stored and how secure the network is before you use it to do work, and take special precautions when working while traveling to protect client confidentiality.
- PLF Practice Aids
- Protecting Yourself and Your Law Firm from Data Breach Checklist (www.osbplf.org > Practice Management > Forms > Category > Cybersecurity and Data Breach)
- Online Data Storage Providers (www.osbplf.org > Practice Management > Forms > Category > Paperless Office and Cloud Computing)
- Floating in the Cloud (www.osbplf.org > Practice Management > Forms > Category > Paperless Office and Cloud Computing)
- Oregon State Bar
- United States Department of Homeland Security