Telephone calling cards and computer accessories

By Douglas S. Malan
Harold Cort knows a thing or two about security breaches. He received a letter from the state of Connecticut informing him that he was among the more than 100,000 taxpayers whose Social Security numbers were on a Department of Revenue Services laptop stolen from a car on Long Island this summer.

As executive director of New Haven, Conn.-based Tyler Cooper, he also works closely with information technology staff to ensure that the firm's and its clients' sensitive information is protected.

Tyler Cooper, Cort said, constantly reviews security software on laptops and handheld personal digital assistants, such as BlackBerry devices. The firm chooses its network with a keen eye toward security, meaning it avoids high-profile companies that may be easier to breach, Cort said.

"Some software houses have a target on their backs because people want to do damage to them," he said. "We don't use Microsoft Outlook because it's such a big target. We've never had problems with people trying to hack in" to our network.

Other law firms employ various security measures and policies in place to combat hackers, thieves or the simple carelessness of lawyers.

The issue of data security was put in the spotlight this summer by thefts of Connecticut state-owned laptops that compromised taxpayer and state information involving Social Security numbers, state payroll, accounting, purchasing and additional classified data.

According to one report, state employees have had 29 laptops lost or stolen since July 2006. Three of those were purchased by the Judicial Branch and stolen in July 2006 following a break-in at the Alternative Incarceration Center in Bridgeport. Also taken were telephone calling cards and computer accessories.

The Judicial Branch did not deem the theft serious enough to terminate its contract with Community Solutions Inc., the nonprofit contractor that runs the AIC, branch spokeswoman Rhonda Stearley-Hebert said.

The AIC location in Bridgeport was not yet in operation when the theft occurred, and the laptops "probably didn't have anything them because we were just opening," said Sherry Albert of Community Solutions Inc.

Laptop thefts from a law office are not uncommon, either, said Dennis McCarthy, chief operating officer and IT guru of Pepe & Hazard in Hartford. Before the firm's offices were secured in the Goodwin Building 18 months ago, people came off the street and stole six laptops, which never resurfaced, McCarthy said. Pepe & Hazard has since implemented a key card system to secure its office space.

With passwords and other levels of encryption, Pepe & Hazard never suffered any loss of confidential information from the stolen computers, McCarthy said. The firm also takes security measures by creating strict user policies for the computers.

"We ask that no one store information on the laptop itself," he said. "We want [lawyers] to take a memory stick with them in the event that the laptop is stolen.

The Judicial Branch's policy regarding remote use of computers is similar.

"These computers should not contain any restricted, sensitive or confidential material unless the information is stored in encrypted form or is password protected," it states.

Smaller information storage devices, made by BlackBerry, Treo and other companies, present problems based on their compact size. They are more likely to be accidentally left behind at dinner or in transit. But many firms have a remedy for such instances.

If a lawyer were to lose one, "we can wipe it clean [of information] remotely," said William M. Rubenstein, a partner in Axinn, Veltrop & Harkrider's Hartford office. Once a call is placed to the IT department about the loss, a software program allows the law firm to automatically erase the device the next time it is turned on.

Reloading a new PDA is "actually really simple and very quick," Rubenstein said.

CARELESS E-MAILS

Some breaches come down to carelessness, such as when a lawyer uses the automatic e-mail address function and sends confidential files to an incorrect recipient that happens to have a similar address as the intended recipient.

"Officially," no one at Pepe & Hazard has ever made such a mistake, McCarthy said. But, he said, "I would have to believe that happens, but I'd be the last person they'd notify, unless they want to get the information back."

He added that he has received some "what if ..." questions about retrieving information from misfired e-mails, and sometimes the inquisitor "turns white and walks away" after hearing his answer. Thus far, McCarthy said such e-mails have caused no crises.

The current efforts to control remote devices will stop most unauthorized parties from viewing any sensitive information, said McCarthy. But with technology developing rapidly, even the most prudent firms can be at risk if they're in the crosshairs of a dedicated code-cracker. "The bottom line is, if someone wants to get the information, they can get it," McCarthy said.
Link