Security is taken seriously at GeyerGorey LLP. We take pride in our ability to safeguard sensitive client information. Let’s face it, a law firm’s adeptness at preserving and protecting attorney-client privilege through creative, but appropriate, means is a high-value service that a client can only get from a top-flight law firm. But as powerful as this privilege can be when properly interpreted and administered, its protections can be mooted by poor computer security that results in data loss. For this reason, operating effectively within a contained system protected by appropriate safeguards is crucial. As with all practices that rely on one or more online applications, data protection and reliability are things we think long and hard about in choosing our systems and software, our service providers, and our procedures and methods for protecting client data.
Perhaps the best way to protect client information would be to keep it under lock and key in a safe stored in an underground bunker and to review it or talk about it only within the confines of a Sensitive Compartmented Information Facility (SCIF) — the soundproof rooms used by law enforcement agencies, intelligence agencies and government contractors when working with highly classified information. As former prosecutors, we have operated under these ground rules when required to do so, but such safeguards would impose completely unacceptable burdens in a world where success is often a function of speed, adaptability and collaboration in real time. At GeyerGorey, therefore, we have identified the systems, vendors, equipment, software and procedures that reasonably protect client information while still allowing the sort of access to it that is necessary to operate in a modern world.
1) Proprietary Password System and Computer Use Policy
To ensure adaptability, flexibility and interoperability, GeyerGorey uses three types of systems: personal computers (Windows 7, soon to be upgraded to Windows 8), laptops (Windows 7, soon to be upgraded to Windows 8, or Apple Mac OS X) and cell phones (BlackBerry, Android or iPhone). All of these devices are used in accordance with a strict set of “Rules of Behavior” (ROB) governing their use. We also monitor innovations to the various platforms and review the capabilities of the available remote data-wiping services. GeyerGorey updates its ROB as warranted, without notice to clients.
2) Unparalleled Physical Security
Less sophisticated security breaches, such as data being physically removed from a premises, occur much more frequently than high-tech breaches. Many companies and firms do not actually know the full range of people who have access to their systems, such as night staff and landlords. Unlike those organizations, we do know who has that sort of access: our attorneys, all of whom were thoroughly vetted by the federal government as a condition of their employment. Each of them has (or had) an active security clearance and has worked in confidential or highly classified security environments for years. A market-leading company that houses a portion of the data we receive from clients at its data centers (logically separated from other customers’ data) restricts access to its machines via biometric scanning, constant security camera monitoring and independent security auditors. A 24/7 security staff provides continuous protection against unauthorized entry.
3) Encrypted Communications
SSL (Secure Sockets Layer, now succeeded by TLS, Transport Layer Security) is a protocol that provides encrypted and authenticated communications on the Internet for applications such as Web browsers, email, instant messaging and other data transfers. GeyerGorey LLP attorneys are required by the ROB to download and install Google Chrome, which forces HTTPS (Hypertext Transfer Protocol Secure) when users access most services in Google Apps. SSL support varies by service and is available for Email, Chat, Calendar, Google Groups for Business, Docs and Sites. (Note that SSL access is not available for Google Video for Business or the Google Talk desktop client, applications that we do not use.)
Another advantage of SSL is added security for our users. If our users access Google Apps over a non-secure Internet connection, such as a public wireless or otherwise unencrypted network, their accounts are more vulnerable to hijacking. A secure connection prevents hijacking by protecting the session cookie: the cookie travels only inside the encrypted channel, so an eavesdropper on the network cannot read it. Session hijacking refers to a situation where an impostor obtains a user’s session cookie and uses it to seize control of a legitimate session while it is still in progress.
Our practice management provider also runs in a Web browser over SSL, which protects all traffic between our browsers and its servers from eavesdropping and tampering in transit. It uses 128-bit encryption, a key length generally regarded as adequate for protecting sensitive data. Because encryption and decryption take place only in the browser on our computers and on the provider’s servers, nothing in between (home network, office network or public WiFi) ever sees the plaintext, so we can safely access this provider from any Internet connection. Our email provider (proprietary) likewise provides an encrypted communication channel and is configured so that a user cannot deactivate it and access email through a non-secure channel.
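The session-hijacking defence described above, as an added example that is not code from GeyerGorey LLP, Google or Chrome: a server issues a session cookie with or without the Secure and HttpOnly attributes, and a minimal client cookie store applies the browser rule that a Secure cookie is never sent over http://, so a sniffer on an open wireless network never sees it. The host names, session id and the HSTS host list standing in for the browser’s own store are constructed for illustration.

```python
"""Session cookies over HTTP vs HTTPS.

Added example, not code from GeyerGorey LLP, Google or Chrome. Models the
browser-side rule that defends against session hijacking: a cookie flagged
Secure is only ever sent over https://, so a passive sniffer on an open Wi-Fi
network never sees it in plaintext. Host names, the session id and the HSTS
list are constructed for illustration.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit


def build_session_cookie(session_id, secure=True, http_only=True):
    """Return the Set-Cookie value a server emits after login.

    secure=False, http_only=False reproduces the weak configuration that
    leaves the session open to hijacking on an unencrypted network.
    """
    jar = SimpleCookie()
    jar["SID"] = session_id
    jar["SID"]["path"] = "/"
    if secure:
        jar["SID"]["secure"] = True      # browser sends it over https:// only
    if http_only:
        jar["SID"]["httponly"] = True    # page script (e.g. injected XSS) cannot read it
    return jar["SID"].OutputString()


def parse_set_cookie(header):
    """Split 'SID=abc; Path=/; Secure' into (name, value, {attr: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, value, attrs


class CookieJar:
    """Minimal client cookie store applying the Secure rule of RFC 6265 section 4.1.2.5."""

    def __init__(self):
        self.cookies = []

    def store(self, set_cookie_header):
        self.cookies.append(parse_set_cookie(set_cookie_header))

    def cookie_header_for(self, url):
        """Build the Cookie request header the client would attach to `url`."""
        scheme = urlsplit(url).scheme.lower()
        sent = []
        for name, value, attrs in self.cookies:
            if attrs.get("secure") and scheme != "https":
                continue  # Secure cookies are withheld from plaintext requests
            sent.append(f"{name}={value}")
        return "; ".join(sent)


def exposed_to_sniffer(set_cookie_header, request_url):
    """True if the session id would cross the network in plaintext.

    An eavesdropper on an open wireless network reads every http:// request;
    https:// traffic is encrypted end to end, so a cookie sent there is safe
    from a passive sniffer even though the client does transmit it.
    """
    jar = CookieJar()
    jar.store(set_cookie_header)
    plaintext = urlsplit(request_url).scheme.lower() == "http"
    return plaintext and "SID=" in jar.cookie_header_for(request_url)


def apply_hsts(url, hsts_hosts):
    """Upgrade http:// to https:// for hosts the client knows to be HSTS.

    This is the "forces HTTPS" behaviour the text attributes to Chrome: the
    client rewrites the URL before any request leaves the machine, so even a
    typed-in http:// link never produces a plaintext request. `hsts_hosts` is
    a constructed stand-in for the browser's HSTS store.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() == "http" and parts.hostname in hsts_hosts:
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url


if __name__ == "__main__":
    weak = build_session_cookie("s3ss10n", secure=False, http_only=False)
    hard = build_session_cookie("s3ss10n")
    for label, hdr in (("weak", weak), ("hardened", hard)):
        print(label, "|", hdr, "| exposed over open Wi-Fi:",
              exposed_to_sniffer(hdr, "http://mail.example.com/inbox"))
    print(apply_hsts("http://mail.example.com/inbox", {"mail.example.com"}))
```

The weak cookie is exposed the moment any http:// request is made to the same host; the hardened cookie is withheld from that request entirely, and with HSTS the plaintext request is never made at all. HttpOnly addresses a different theft path (script access after an XSS), which is why a hardened deployment sets both.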
4) Threat Modeling
We chose our providers based on their competence in threat modeling, the practice of systematically identifying the ways a system could be attacked and designing countermeasures before the system is built, rather than after an attack has occurred. Our providers don’t add safeguards as an afterthought. Rather, they have built their systems from the ground up using engineering techniques that mitigate SQL injection, cross-site scripting (XSS) and other Web threats.
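The two Web threats named above, as an added example that is not code from GeyerGorey LLP or any of its providers: each appears in its vulnerable form beside the engineering technique that removes it, bound parameters for SQL injection and output encoding for cross-site scripting. The in-memory SQLite table of matter records is constructed sample data.

```python
"""SQL injection and XSS: vulnerable and hardened forms side by side.

Added example, not code from GeyerGorey LLP or any of its providers. Uses an
in-memory SQLite table of constructed matter records to show the two Web
threats named in the text and the technique that removes each.
"""
import html
import sqlite3


def make_db():
    """Constructed sample data: a matters table as a practice-management app might hold."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE matters (id INTEGER PRIMARY KEY, client TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO matters (client, title) VALUES (?, ?)",
        [("Acme Corp", "Antitrust review"), ("Beta LLC", "Merger filing")],
    )
    conn.commit()
    return conn


def find_titles_vulnerable(conn, client):
    """Builds the query by string concatenation: the caller's text becomes SQL."""
    sql = f"SELECT title FROM matters WHERE client = '{client}'"
    return [row[0] for row in conn.execute(sql)]


def find_titles_safe(conn, client):
    """Bound parameter: the driver sends `client` as data, never as SQL syntax."""
    rows = conn.execute("SELECT title FROM matters WHERE client = ?", (client,))
    return [row[0] for row in rows]


def render_cell_vulnerable(text):
    """Interpolates untrusted text straight into HTML, so markup in it is executed."""
    return f"<td>{text}</td>"


def render_cell_safe(text):
    """Encodes <, >, &, and quotes so the browser displays the text instead of running it."""
    return f"<td>{html.escape(text, quote=True)}</td>"


if __name__ == "__main__":
    conn = make_db()
    # Classic tautology payload: the quote closes the literal, OR '1'='1' matches every row.
    payload = "Acme Corp' OR '1'='1"
    print("vulnerable:", find_titles_vulnerable(conn, payload))  # leaks Beta LLC's matter too
    print("safe:      ", find_titles_safe(conn, payload))        # no client has that literal name
    xss = "<script>alert(document.cookie)</script>"
    print(render_cell_vulnerable(xss))
    print(render_cell_safe(xss))
```

The injection payload turns a lookup for one client into a query that returns every client’s matters, which in a law firm context is a privilege breach across clients; the parameterised version treats the whole string as a client name that matches nothing. The XSS payload, once rendered unescaped, would run in a logged-in user’s browser and could read that user’s session cookie unless the cookie is HttpOnly.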
5) Continuous Monitoring
Our providers are continuously audited by the independent security specialist firm McAfee. On a nightly basis, our provider’s externally facing systems are scanned for known vulnerabilities, and we understand that they have passed every scan to date. Because the scans are repeated after each release, a weakness introduced when our provider rolls out new functionality would be flagged by the next scan rather than going unnoticed.
6) Backups and Disaster Recovery
Our provider has a multi-point backup system:
- its databases are backed up continuously throughout the day to standby machines;
- its backups are copied to a remote, geo-redundant facility on a daily basis; and
- in addition, its data center specialists maintain independent backups of our data.
7) System Security
One of the biggest security challenges a firm faces is keeping its computers’ security patches current. Our systems are protected by vendor-installed security software and are configured to download and install operating system security patches and antivirus signature updates as soon as they are released. We also run firewalls on each system and a proprietary password system that meets or exceeds what is required by federal law enforcement agencies.
8) High Availability
Our provider’s production servers are duplicated, with hot standby machines ready to take over if a production server fails. It leverages RAID technology, adding redundancy at the hard-drive level. Its data center, a SAS 70 Type II audited facility, is served by nine different Internet providers, each entering the facility through a different access point. The data center is served by three independent power sources and features a battery of backup generators.
9) Hand-Held Devices
Our handheld devices are each protected by a multi-level proprietary password system. We have implemented a 24-hour hotline so that our attorneys can call within minutes of a phone being misplaced or lost. Our staff can then coordinate the remote wiping of any data with the telecommunications and/or data provider. The non-proprietary aspects of these procedures may be found in our ROB agreement, which is updated on an as-needed basis.