Cybersecurity: Solo and Small Firm Perspective on Protecting Client Data

By:
Stephen S. Wu, Shareholder, Silicon Valley Law
Drew Simshaw, Assistant Professor, Gonzaga University School of Law

July 2, 2019

Sweeping advances in technology are not only changing the law that attorneys practice, they are also causing profound changes to the way attorneys practice law. For instance, the combination of consumer-friendly mobile devices and cloud computing means that attorneys now have the technology to access all their work data with any device, at any time, and anywhere in the world, as long as they have an Internet connection. Nonetheless, new technologies create new threats to the confidentiality of client data.

Ethics rules impose duties on attorneys to protect client confidences. They also require attorneys to practice competently and to supervise office staff and third parties with access to client data. The operation of these rules will require attorneys and law firms to implement reasonable information security practices to protect the confidentiality, integrity, and availability of client data. The failure to protect client data may lead to attorney discipline or malpractice liability. Solo lawyers and small firms are subject to the same rules as large firms. Consequently, they cannot ignore information security requirements.

Moreover, information security is not just a “technology issue” that can be delegated without supervision to information technology support staff. Attorneys themselves have an obligation to manage and oversee the security function in their firms. Lessons learned from other industries and industry standard security frameworks can help law firms implement effective security programs. We present a set of sample security safeguards that solos and small firms can use to implement administrative, physical, and technical safeguards to protect client data.

With advancing computing technology, we live in an era of unprecedented computing power and connectivity. Modern computing devices have as much power as mainframe computers running entire government agencies in the 1960s. Desktop and laptop computers are standard equipment for modern knowledge workers. Workers frequently telecommute by using their laptops or home computers.

Moreover, mobile device usage is now a way of life. Walking around our cities and towns, it seems that everyone has a smart phone in hand. In the office, at home, and in planes, trains, and automobiles, people are communicating, writing, and doing their work using smart phones, tablets, and laptops. Besides offering us voice, email, and text communications on the go, our mobile devices are giving us access to the world’s information via the Mobile Internet more or less anytime and anywhere. If a law firm’s systems are connected to the Internet, technology enables today’s lawyer to obtain access to client data at any time from any device from any place in the world with Internet or cellular connectivity.

With these advances in technology, information security threats have increased. Data breaches continue to be an everyday occurrence. We see them in the news all the time. Competitors, former employees, and state-sponsored groups seek companies’ trade secrets in order to bolster competing businesses. Hacktivist groups seek to damage the reputation of companies by publicizing sensitive information. Organized crime rings seek sensitive information for profit.

Law firms are not immune from attacks. ^[2] For instance, in 2011, a Chinese hacker group gained unauthorized access to the systems and data of Wiley Rein LLP in Washington D.C. Wiley had pursued unfair trade claims against exporters in China and, in just one case, obtained tariffs on more than $3 billion in exports of solar cells. The Chinese hacking group not only penetrated the firm’s networks, it stole large amounts of data from a various entities, including the president of the European Union Council, Haliburton Co., and a Canadian magistrate. ^[3]

One FBI agent put it succinctly: “Computer attacks on law firms happen every day . . . .” ^[4] Many of these attacks fail, but some succeed. The bottom line is, “Many large law firms have been hacked; the FBI has warned that law firms are being targeted.” ^[5] We, as attorneys, are on notice of the threat.

More recently, “Petya” malicious software, a kind of “ransomware,” attacked international firm DLA Piper in June 2017 and brought the firm’s information technology infrastructure to its knees. ^[6] Ransomware is a kind of malicious software that attacks systems by encrypting a user’s or network’s files and displaying a screen demanding a payment of ransom to obtain a key to decrypt and recover the user’s or firm’s data. For DLA Piper, old emails and files were unavailable more than two weeks after the attack, and the lost business and recovery costs were probably in the millions of dollars. ^[7]

Moreover, ransomware and other malicious software attacks are not limited to large law firms. Although the most publicized breaches involve large law firms, and we do not have large, comprehensive surveys about exact numbers, our discussions with security professionals lead us to believe countless numbers of small firms have been victims of attacks as well. The loss of an entire practice’s worth of data may be more devastating to that small firm than a similar attack against a large firm. A large firm may have in-house and retained expert technical support, the resources to fund data recovery operations, and the ability to recover data after perhaps weeks in the case of DLA Piper. For some solos and small firms, the attorneys may never be able to recover their client data and may have to start their electronic recordkeeping from scratch.

In addition to anecdotal evidence, one survey of 200 small and medium sized firms found a general lack of risk management mechanisms and procedures. ^[8] Among the key findings were:

• Most firms in the survey are not implementing key security controls
• Almost half of the respondents don’t have formal security policies and procedures or a documented training program.
• Most firms don’t have response plans or backup procedures in place. ^[9]

The ABA, recognizing increasing cyber threats, adopted a House of Delegates resolution calling for “all private and public sector organizations to develop, implement, and maintain an appropriate security program.” ^[10] The report accompanying the resolution made it clear that the resolution covers law firms and legal services organizations. ^[11] This resolution followed an earlier 2012 House of Delegates resolution proposed by the Commission on Ethics 20/20 approving changes to the ABA Model Rules of Professional Conduct. The resolution amended the Model Rules to impose a duty on lawyers to use reasonable efforts to prevent unauthorized access to client data and made related changes to address the advances of technology. ^[12] The ABA has also created a number of publications to help lawyers and law firms improve their information security programs.

In 2012, the ABA created a Cybersecurity Legal Task Force. The Task Force’s mission is to “identify and compile resources within the ABA that pertain to cybersecurity, and will focus and coordinate the ABA’s legal and policy analyses and assessments of proposals relating to cybersecurity.” ^[13] The most important output of the Task Force was its comprehensive cybersecurity guidance book for lawyers and law firms in 2013; the ABA issued a second edition of the book in 2018. ^[14]

Law firms are recognized targets for attack for a number of reasons. First, law firms have large amounts of information that would be valuable to state or non-state actor attackers. “They collect and store large amounts of critical, highly valuable corporate records, including intellectual property, strategic business data, and litigation-related theories and records collected through e-discovery.” ^[15] For instance, attackers might want to steal trade secrets about a firm client in order to gain an advantage in the marketplace. Moreover, attackers may be interested in the identity of potential acquisition targets in order to profit by the information via stock trades. ^[16] Also, some firms hold personal information about individuals, whether clients or opponents, that could be used for identity theft purposes, such as names, birthdates, and social security numbers.

Second, law firms are perceived as easy targets for attacks. Attackers seeking information about a particular company may find it easier to find out the identity of the law firms representing it, and to try to attack the law firms’ systems, than to attack the company’s systems directly. Law firms are “perceived to have fewer security resources than their clients, with less understanding of and appreciation for cyber risk.” ^[17] Finally, a hack against a law firm may be more efficient and save time, compared to an attack against a firm client. “[L]lawyers are usually involved in only their client’s most important business matters, meaning hackers may not need to sift through extraneous data to find the more valuable information.” ^[18]

Threats to law firms may arise from a number of sources. For instance, some law firms may fall victim to malicious insiders. Malicious insiders may be motivated by job dissatisfaction or may seek to compromise client data for financial gain. For instance, in 2001, a paralegal at a large firm in New York downloaded a copy of a trial plan from his firm’s computer system and tried to sell the plan to opposing counsel for $2 million. Fortunately for the firm, the scheme was exposed and the paralegal made the sale to an undercover FBI agent. He eventually pleaded guilty to Computer Fraud and Abuse Act violations, wire fraud, and related charges. ^[19] Some insiders may also have political or social activism motives.

State-sponsored attacks are another source of information security threats. State actors may be motivated by economic espionage, terrorism, or politics. ^[20] Foreign or domestic criminal enterprises may seek information to sell or use in order to make money. Non-state “hacktivists” may hope to achieve a political objective through attacks. Terrorists may make hacking attacks both for profit and to terrorize their victims. Finally, business competitors sometimes seek information about other companies in their markets using extra-legal techniques.

Given these increasing threats, our clients are now asking law firms about their security programs and are seeking written assurances of security as a condition of giving business to their outside counsel. For instance, “Wall Street banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets either for their own use or sale to others . . . .” ^[21]

A law firm’s failure to protect client data may cause considerable damage. “Clients and third parties may find themselves victims of fraud, identity theft, and bankruptcy, not to mention negative publicity and tarnished business reputation.” ^[22] Following a breach, a law firm’s clients or third parties could incur liability in civil actions, administrative proceedings, or even criminal charges. ^[23] Attorneys or law firms that fail to protect data may face discipline from their state bars, government investigations, fines, private law suits, and malpractice claims by clients. In fact, in 2016, a putative class of clients filed a malpractice suit against a law firm alleging that the firm’s time tracking web-based application used out of date supporting server software, the application was thus insecure, and the firm thereby put client data at risk. ^[24] Although the case ended in an order compelling arbitration, ^[25] we expect that the firm filing this action, Edelson PC, is continuing to look for other opportunities to assert claims against law firms with vulnerable or hacked systems. Most importantly, a data breach may cause considerable harm to the reputation of a hacked law firm and its lawyers. Clients, judges, the legal community, and members of the public may lose trust in the firm. ^[26] If sufficiently serious, a data breach could be a threat to the very survival of a law firm.

Lawyers and law firms have ethical obligations under the rules of professional conduct in their jurisdictions. The ABA published and regularly updates the ABA Model Rules of Professional Conduct. ^[27] States have their individual ethical rules, although most are based on the ABA’s Model Rules. As mentioned above, the ABA Commission on Ethics 20/20 proposed changes to the Model Rules based on their evolving views about the impact of technology on the practice of law. The House of Delegates passed a resolution approving these changes. ^[28] Various ABA opinions provide additional guidance on security issues.

State ethics opinions provide an additional source of guidance for understanding attorneys’ ethical obligations under their rules. In addition, secondary sources of information are available for guidance. In 2006, the ABA Section of Science & Technology Law published a book on law office security. [29] In 2013, moreover, the ABA published The ABA Cybersecurity Handbook. which the ABA updated with a second edition in 2018. ^[30]

The following sections discuss the core duties under the ethics rules bearing on information security: the duty of confidentiality, the duty of competence, and the duty to supervise.

The most important ethical rule relating to lawyer and law firm information security is the duty to protect the confidentiality of client confidences. In general, under ethical rules, “[a] lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.” ^[31] The ABA Cybersecurity Handbook.xplains that “[t]his obligation to maintain confidentiality of all information concerning a client’s representation, no matter the source, is paramount,” and “is no less applicable to electronically stored information than to information contained in paper documents or not reduced to any written or stored form.” ^[32] Confidentiality is a “core” obligation of a lawyer in the conduct of the lawyer’s practice. ^[33]

Following the ABA resolution in the wake of the work of the ABA Commission on Ethics 20/20, ABA Model Rule 1.6 Part (c) now says that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” ^[34] In addition, and perhaps most significantly, Comment 18 now elaborates that “[f]actors to be considered in determining the reasonableness of the lawyer’s efforts include” “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).” ^[35]

The Ethics 20/20 Commission’s work was intended to address a lawyer’s obligations in the face of changing technologies. Although not specifically calling out the concept of information security, the Commission’s language is similar to the language in information security legislation. The requirement to protect client data is, in essence, an information security obligation. Commentators have noted the significance of this change, and the new affirmative duty of care for securing client data. ^[36]

The rules do not specify requirements for the exact security measures necessary in any given situation, such as an attorney-client communication. Indeed, the rules contemplate that the lawyer and client will discuss and then decide what security is necessary. “A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.” ^[37]

Model Rule 1.4 also requires attorney-client communications, specifically “about the means by which the client’s objectives are to be accomplished.” ^[38] In other words, attorneys should keep their clients reasonably informed about their work together. By implication, this rule requires communication about the law firm’s technology for communicating with clients. ^[39] Likewise, these rules require a notification in the event of a data breach that compromises client data. ^[40] ABA Formal Opinion 483 cited Rule 1.4 to state that when a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have an ethical duty to notify current clients of the breach. [41] Lawyers may also have statutory duties to inform clients of data breaches, depending on the type of information compromised and applicable laws.

In order to maintain client confidences, lawyers must be competent and must keep abreast of changes in information technology they are using in their practices. They cannot protect client confidences unless they know of the nature of the technology they are using, the threats to that technology, and the use of safeguards to mitigate risks. “A lawyer shall provide competent representation to a client.” [42]

“Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” ^[43] “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology. . . .” ^[44] Competence includes the knowledge of substantive law and specific skills, such as knowledge of applicable law, advocacy, writing, and negotiation, but it also includes competence in using the technologies commonly used for law practice.

A lawyer does not need to personally have all the needed technology competencies. The lawyer can, and indeed must, turn to the expertise of staff or outside experts when needed. ^[45] According to The ABA Cybersecurity Handbook. “If an attorney is not competent to decide whether use of a particular technology (e.g., e-discovery, cloud storage, public Wi-Fi) allows reasonable measures to protect client confidentiality, the ethics rules require that the lawyer must get help, even if that means hiring an expert information technology consultant to advise the lawyer.” ^[46]

Nonetheless, a duty of competence means that the lawyer cannot simply turn over all aspects of the security function to others. All workers at the firm have control over certain aspects of their client work and must maintain secure work practices. For instance, attorneys have control over what they talk about in public. They have a duty not to discuss confidential client matters in public places. This is a concern of the attorney, and not just the staff.

Similarly, attorneys must protect paper records. They should not read sensitive paper documents in places where others can view them, such as on the plane or in coffee shops. Again, this is an attorney responsibility.

In addition, lawyers can control their use of technology. For instance, the careless use of social media can lead to compromises of client data. Preventing careless social media usage by lawyers is not a “tech issue” to be handled only by staff.

Lawyers in a law firm must supervise junior attorneys, support staff, and third parties with access to client data. Under the ABA Model Rules, lawyers “shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that,” first, “all lawyers in the firm conform to the Rules of Professional Conduct,” ^[47] and second, that the conduct of a non-lawyer employed by, retained by, or associated with the lawyer, “is compatible with the professional obligations of the lawyer.” ^[48] Moreover, in the future, as lawyers and law firms delegate some lawyering tasks to autonomous automated data processing, machine learning, and artificial intelligence systems, these rules will, in our opinion, need guidance from state bar authorities, or even amendments, to clarify that lawyers’ responsibility for the firm includes a duty to supervise these non-human systems as well.

Again, the ethical obligation of the lawyer is to maintain ultimate responsibility for the security function in his or her practice. This is not a duty that can be delegated to others. To the contrary, the lawyer must oversee subordinate attorneys, support staff, third parties, and automated systems.

One specific issue that has come up in the context of supervision is whether a law firm may ethically use cloud computing services to store, share, use, and communicate client data. While a thorough discussion of choosing and supervising cloud service providers is beyond the scope of this paper, ethics opinions have stated generally that cloud computing is permissible, as long as lawyers take proper steps when selecting and using services. ^[49] For example, in 2013, an Ohio opinion acknowledged that lawyers may use cloud services as long as they competently select an appropriate vendor, preserve confidentiality and safeguard client property, provide reasonable supervision of cloud vendors, and communicate with the client as appropriate. ^[50]

Ethics opinions recognize the limitations of lawyers’ competencies. As the New Hampshire Bar has stated, “a lawyer’s duty is to take reasonable steps to protect client data, not to become an expert in information technology,” and “[w]hen it comes to the use of cloud computing, the Rules of Professional Conduct do not impose a strict liability standard.” ^[51] The ABA Cybersecurity Handbook.otes that “rapidly evolving technology means that these factors cannot provide a ‘safe harbor.’” ^[52] Instead, “[l]awyers should monitor and reassess the protections of the cloud provider as the technology evolves.” ^[53]

The upshot of the ethics rules is that a lawyer must make “reasonable efforts” to prevent inadvertent or unauthorized disclosure of client data, and to prevent unauthorized access to client data. [54] Nonetheless, the rules don’t say what “reasonable efforts” are or what specific safeguards are necessary. How much security is enough under this standard? What is “reasonable”? The factors listed in Section III.A above (such as the level of sensitivity of the client data, risks to data, cost of safeguards, etc.) provide guidance, but they don’t provide ideas to develop specific security safeguards for a security program.

The issue of what is reasonable is especially acute for solos and small law firms. On one hand, the ethical rules apply equally to small and large practices. On the other hand, compared to larger firms, solo and small firm practices have fewer resources to manage a security program. They don’t have large budgets to spend on information technology and security. Further, small practices won’t usually have a knowledgeable security professional on staff. Larger firms can afford to hire an information security director and may have an in-house team to oversee security. Lawyers and staff in smaller practices may not have the expertise to manage a security program effectively.

For small practices, the good news is that the rules are flexible enough to accommodate the differing circumstances of small practices. As mentioned above, in considering measures to protect the confidentiality of client data, the practice can consider “the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).” ^[55] Thus, the rules allow small practices to account for the cost and difficulty of implementation in deciding what safeguards are reasonable. They do not require small practices to spend all their income on security safeguards; that would not be “reasonable.” The expectations for security safeguards in a solo practice are much different from those for the largest megafirms. Some expensive, difficult-to-implement security measures appropriate for a megafirm are not reasonable for small practices and therefore not required.

In essence, there is a sliding scale of “reasonableness” for small versus large practices. Small law firms can and should implement security safeguards that are reasonable and appropriate to the context of their small size. A full listing of all the security safeguards a law firm could implement is beyond the scope of this paper. The other Cybersecurity panel speakers will be presenting ideas for specific safeguards that a law firm could implement. The secondary sources, such as The ABA Cybersecurity Handbook. also present safeguards a law firm can implement. Nonetheless, this section provides what we believe are practical, concrete, and reasonable examples of security safeguards a small practice can realistically implement. The list is not meant to be exhaustive.

The list breaks down security safeguards into three categories: administrative, physical, and technical safeguards.

• Administrative safeguards create procedures for operating the security function in the firm, focusing on the steps the firm takes to secure client data and how the firm manages the people working at the firm.
• Physical safeguards protect the office setting and tangible items comprising or storing client data, including paper records, workstations, mobile devices, portable electronic media, and any servers.
• Technical safeguards are the computer- and network-related security mechanisms implemented using software, hardware, and networks, and how people and devices interact with them. [56]

Small practices should conduct their own security assessment and review the safeguards in this section. If they don’t have the knowledge to conduct an assessment themselves, they should obtain qualified help. They should consider which safeguards are reasonable and appropriate in light of their individual practices. Following this assessment, they should implement the safeguards they consider reasonable and appropriate.

Different small practices will come to different conclusions about what is reasonable and the details of how to implement different safeguards. For instance, solo practitioners with no support staff will be different from a ten-lawyer firm with support staff. The solo in this example needs no separate responsible person for managing the security function. The solo does everything. Moreover, the solo will be focusing on software for a single individual’s set of devices and can use consumer versions of security software suites and ”endpoint” security packages. The term “endpoints” in data security jargon refers to the computers and mobile devices an individual user would use. By contrast, the ten-lawyer firm with support staff is large enough to have centralized management of some computer and network functions and may make use of “enterprise” (company-wide) versions of endpoint security software.

Small firms with a handful of lawyers with enough sophistication to manage their own devices may be able to operate like the solo in our example. But small firms with more lawyers and staff, or those without professionals having the expertise to manage their own devices, will likely find it useful to have a lawyer or staff member to centrally manage some of the technology functions of the firm.

With these caveats in mind, here are examples of administrative, physical, and technical safeguards of typical small practices to protect client data.

1. Examples of administrative safeguards:
   1. The practice has written policies, procedures, guidelines, and training materials to govern the security function. The practice communicates these policies to individual users.
   2. The practice undertakes a risk assessment and updates it at least annually to determine the threats to its client data in light of the sensitivity of the information.
   3. The practice follows up with its risk assessment by implementing safeguards that manage its risk to a reasonable level. It should start with the easy, inexpensive controls with the most protective benefits and continue from there to implement more expensive safeguards. Eventually, the practice will reach a point where it has implemented the reasonable safeguards and additional safeguards would not be worth the added expense.
   4. The practice has designated a person or team to be in charge of information security. ^[57] The practice obtains the help of outside consultants as needed to provide additional security management expertise.
   5. The practice investigates the background of new hires with access to client data to provide assurances that they are trustworthy and competent.
   6. The practice manages which lawyers and staff have access to which kinds of information and change such access when job duties change.
   7. The practice has a program of security and privacy awareness and training, including periodic reminders and updates. Topics include the protection of electronic information, controlling access to computer systems, preventing ransomware and other malicious software, phishing risks, social media practices, ^[58] the protection of paper records, and not discussing client matters in public places.
   8. The practice has employment procedures by which lawyers and staff are evaluated in part based on their compliance with security policies and procedures. Lawyers and staff face discipline if they violate those policies and procedures.
   9. The practice has procedures for when a lawyer or staff member leaves the practice to stop the departing user’s access to client data.
   10. The practice has procedures for security incident reporting and handling. It should have a person or team to take the lead on responding to security incidents.
   11. The practice should have procedures for backing up client data. In case something happens to an individual computer or entire server, the practice can recover the data to make sure lawyers and staff members can continue having access to their emails, texts, and files after their loss.
   12. The practice has a disaster recovery and business continuity plan involving procedures and technology to provide assurances of continued operation in the event of a natural or man-made disaster. Capabilities for continued resilience of practice operations are important especially for firms in areas prone to natural disasters such as hurricanes, floods, tornados, and earthquakes. ^[59]
   13. The practice has procedures for assessing the effectiveness of its security safeguards.
   14. The practice supervises third parties, such as service providers and temporary workers, with access to client data.
   15. The practice has certain approved online applications, such as online storage and file transfer services, and does not permit users to store client data in online accounts controlled by individual users outside the practice’s control.
   16. The practice has cyber risk insurance coverage with appropriate limits of liability and with appropriate types of coverages.
   17. The practice has procedures to minimize the creation of “metadata” (such as comments and tracked changes) that could reveal attorney-client communication or other sensitive information to opponents when exchanging word processing programs, perhaps with the assistance of a metadata scrubbing program. ^[60]
2. Examples of Physical Safeguards
   1. The law office has walls, doors, and windows that reasonably prevent physical intrusion. Any servers are kept in a separate, locked area away from places where visitors may access.
   2. People in waiting areas cannot see the screens of computers in the reception areas.
   3. Workers are trained to prevent the loss or theft of mobile devices or media, e.g., while out of the office. For instance, workers are trained not to leave electronic devices in visible areas of parked cars.
   4. The practice maintains an inventory of computing devices used by lawyers and staff.
   5. Paper records are locked and desks are cleared of paper documents when they are not needed.
   6. The practice wipes electronic data off of computers, mobile devices, and portable electronic media before they are transferred, sold, or reused. The practice shreds discarded work papers.
3. Examples of Technical Safeguards
   1. The practice controls access to systems with client data using strong passwords or other authentication mechanisms.
      1. We believe that small practices should now use (or now start the transition to) more than one “factor” of security access to critical applications, such as webmail.
      2. A “factor” can be something you know (e.g., a password), something you have (e.g., a security hardware device), or something you are (a biometric identifier, such as fingerprint).
      3. In one common scenario, for example, to log into the application, a user would have to input a user name and password (something to user knows) as well as a text message sent to the user’s cell phone. [61] A remote attacker with the password but without access to the user’s cell phone could not log in.
      4. The practice uses strong passwords and/or biometric mechanisms to control access to smart phones.
      5. The practice password protects its wireless networks with strong passwords.
   2. Individual workers have their own accounts on the practice’s network and computers.
   3. Workstations log off users after a period of inactivity or otherwise require the user to reauthenticate him or herself to the system.
   4. The practice encrypts client data while stored on computers, mobile devices, and any servers.
   5. The practice promptly patches operating system and application software. When solos and individual users manage their systems, it is usually best to establish settings for automatic software updates. Larger practices may want central management of software updates.
   6. The practice has procedures to remotely wipe lost or stolen mobile devices containing client data.
   7. When exchanging sensitive information with clients, the practice uses industry-standard methods and software for encryption. [62]
   8. Remote users logging into office computers use remote access software or a virtual private network to encrypt communications between the user’s device and the office computer.
   9. Networks and computer systems log user activity. Common operating systems maintain useful system logs by default.
   10. The practice uses industry-standard endpoint security software, including firewalls for individual computers and antivirus components to prevent and detect malicious software.
   11. The practice’s networks are protected by technologies to control access, such as firewalls. Larger practices should consider implementing specific network protection technologies for intrusion detection, data loss prevention, and continuous monitoring.
   12. The guest wireless network should be segregated from the practice’s internal network.
   13. Larger practices should consider products and services that filter emails, for example to prevent spam and malicious software, and products and services for filtering web traffic, which can, for instance, prevent access to malicious sites hosting malicious software or block access to certain kinds of sites.