The Australian Nation began and was established on 26 January 1788 – in defence of Aldi

I have often postulated that the biggest problem with mobs is that the intelligence of the mob is often lower than the individual intelligence of the people who form it. The mob problem is often typified in social media, particularly in forums like Twitter, where any debate is limited to 140 characters. The most recent example is the report today in The Australian, Aldi pulls ‘racist’ garments from stores. The purported racist garments were T-shirts that were “emblazoned with the words ‘Australia – established in 1788’”.

I am not a racist; I am not very patriotic, but I am not ashamed that I am Australian. I am pleased I live in a country with a strong legal constitution and a stable government. The Australian Nation I am proud to be part of is not the continent itself, but all of its citizens, who comprise many ethnic backgrounds and different religious beliefs, but who for the most part appreciate cultural diversity and respect different beliefs.

The Commonwealth of Australia was inaugurated by an Act of the Parliament of the United Kingdom on 1 January 1901. The inauguration of the Commonwealth followed the earlier establishment of the States. 1 January 1901 is not when Australia as a nation was established. England wisely, but over a rather long period of time, gradually ceded all power to the Australian people. There is no defining “independence day” as there is in the US. The power of the UK Parliament to legislate over Australia was not finally terminated until the enactment of the Australia Act 1986. However, the seed of our nation began on 26 January 1788 when Captain Arthur Phillip arrived in Australia with 11 convict ships at Sydney Cove and became the first Governor of the Colony. It may not have been the most auspicious beginning, but it begins our constitutional history as a Nation. That is the day that Australia as a Nation began to form; that is the day Australia as a Nation was first established. That is why it is celebrated.

The National Australia Day Council recognises the unique status of our indigenous people. They recognise that “Aboriginal and Torres Strait Islander people and some non-Aboriginal and Torres Strait Islander Australians may have mixed feelings about celebrating this day. January 26 has multiple meanings: it is Australia Day and it is also, for some, Survival Day or Invasion Day. We can honour all that is great about Australia and being Australian, remember the sufferings and our shortcomings and commit to build a more cohesive and inclusive nation. We do so with an underlying spirit of optimism.”

All Australians, including Aboriginal and Torres Strait Islander peoples, should celebrate Australia Day as the day on which Australia as a Nation, of which we are all lucky to be a part, was first established.

The Twitter furore against Aldi was wrong. It only demonstrates the mob problem: a mob that does not fully understand what the Australian Nation is about.

Aldi should not have apologised; Aldi should not have withdrawn the products.

Happy Australia Day

JDC 8 January 2014

Passwords reconsidered again following Adobe Security Breach

I received yesterday (22.11.13) an email from Evernote. It begins:

There were published reports recently of a security breach at Adobe that may have exposed private information, including Adobe passwords, email addresses and password hints of millions of users. The list of compromised Adobe accounts has been uploaded to the web. We compared this list to our user email addresses and found that the email address you used to register for an Evernote account is on the list of exposed Adobe accounts.

I was previously aware of the security breach. Adobe had sent me an email on 9 October 2013 to the following effect:

Important Password Reset Information

We recently discovered that an attacker illegally entered our network and may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account.

Adobe did not, however, reveal the full extent of the security breach. Recent reports suggest 150 million logons were compromised. See:

Over 150 million breached records from Adobe hack have surfaced online

Adobe’s colossal password leak becomes a playable crossword puzzle

Adobe’s file is over 10GB. It is freely available to download on the internet. Evernote (quite correctly) has analysed the file to improve its own security. Adobe, in its email to me, assured me that my password was encrypted. It neglected to tell me:

  1. My password hint was not encrypted; and
  2. All identical passwords were encrypted to the same hash code.

The following record is an extract from the database for one of my logons.

—UID—|–|———email address———–|—password—|—-hint–|–

80553053-|–|-jeffchard@optusnet.com.au-|-kzUVdObPaVk=-|-son|–

Because all identical passwords have the same hash code, it is easy to filter the 150 million records to see all the hints for that password. Some of the hints do not need much guessing. For example, my (old) password is easily guessed from these entries:

—UID—|–|———email address———–|—password—|—-hint–|–

77027752-|–|-j########.denham@#########.com-|-kzUVdObPaVk=-|-last name|–

142176909-|–|-######@denham#########.com-|-kzUVdObPaVk=-|-boss’s name|–

It is not hard to work out that I have a son named “Denham”.

My logon was fully compromised.
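The two defects listed above can be shown in a few lines of code. The following Python is an added example, not code from this post or from Adobe: it models the stored password field as the output of a deterministic, unsalted transformation (SHA-256 here stands in for whatever primitive was actually used, since the post only says identical passwords share one stored value), groups the plaintext hints of a constructed, anonymised set of records by that stored value, and then shows how a per-user random salt with a slow key derivation function (PBKDF2) removes the collision. The record layout follows the post's extract; the email addresses, the fourth record's stored value and the sample password are placeholders I made up.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Optional

# Constructed records in the layout of the post's extract:
# (uid, email, stored password field, hint). Emails are placeholders.
# Three users chose the same password, so a deterministic, unsalted
# scheme stored the same value for all of them; the fourth user differs.
LEAKED_RECORDS = [
    ("80553053", "user1@example.invalid", "kzUVdObPaVk=", "son"),
    ("77027752", "user2@example.invalid", "kzUVdObPaVk=", "last name"),
    ("142176909", "user3@example.invalid", "kzUVdObPaVk=", "boss's name"),
    ("900000001", "user4@example.invalid", "placeholder-value-2", "pet"),
]


def hints_by_stored_value(records):
    """Group the plaintext hints by the stored password value.

    This is the exposure a defender assessing the dump sees: everyone who
    chose the same password contributes a hint for it, so one weak hint
    reveals the password for all of them."""
    groups = defaultdict(list)
    for _uid, _email, stored, hint in records:
        groups[stored].append(hint)
    return dict(groups)


def exposure_report(records):
    """How many accounts share each stored value (1 means no collision)."""
    return {value: len(hints) for value, hints in hints_by_stored_value(records).items()}


# --- The defect, and how the stored value should have been derived ---------

def store_deterministic(password: str) -> str:
    """Stand-in for any unsalted, deterministic transformation of a password.
    Equal inputs always give equal outputs, which is exactly the defect."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> tuple:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    Equal passwords now produce different stored values, and each guess
    has to be recomputed for every user rather than once for the table."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Check a login attempt against a stored (salt, digest) pair in constant time."""
    _, candidate = store_salted(password, salt)
    return hmac.compare_digest(candidate, digest)


def distinct_stored_values(passwords, scheme) -> int:
    """Count distinct stored values produced by `scheme` for a list of passwords."""
    return len({scheme(p) for p in passwords})


if __name__ == "__main__":
    for value, hints in hints_by_stored_value(LEAKED_RECORDS).items():
        print(f"{value}: {len(hints)} account(s), hints = {hints}")
    same = ["sample-password"] * 3   # constructed: three users, one password
    print("deterministic:", distinct_stored_values(same, store_deterministic), "distinct value(s)")
    print("salted:       ", distinct_stored_values(same, lambda p: store_salted(p)[1]), "distinct value(s)")
```

Run as a script, the first loop prints the three hints collected under the one shared value, which is the situation the extract above shows; the last two lines print 1 and 3 respectively, the whole difference a salt makes. The salt does nothing to stop a guess against one account, which is why the slow KDF is paired with it; what it removes is the ability to crack one stored value and unlock every account that shares it.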

Yes, I admit my password was a dumb password; it was a Claytons password. Logging on to Adobe was not important to me.

I have not used that logon or that password for a long time.

That logon was not the logon that Evernote was emailing me about. The other logon name is important to me. Unfortunately, the password was just as transparent and dumb.

As previously reported in Practice Guidelines for the use of Cloud Computing by Lawyers, many similar security breaches have occurred in the past. Those breaches fortunately did not impact me personally. I definitely do not want to experience what happened to poor Mat Honan: How Apple and Amazon Security Flaws Led to My Epic Hacking.

As a result of the breach I have now changed all my passwords on all my accounts. I do not use the same password on any site. My passwords are much more secure.

The seriousness of the breach is not that someone with nefarious intentions could log on to Adobe using my credentials. It is serious because it exposed my logon and my password to people who may wish to log on to another website that is important to me.

JDC 23 November 2013

Microsoft Wedge Touch Mouse and the Surface Pro, and reflections on the Surface RT

The Surface Pro
I have written several posts in the past about my Surface RT. I am still a strong advocate of that device, but I recently relented and bought a 128GB Surface Pro (taking advantage of Microsoft’s price reduction that eventually came to Australia). Many will comment that my timing was lousy. I bought it just before Microsoft announced the 23 September 2013 launch date. I had the belief (whether it is right or wrong, time will tell) that upgraded Surface devices would not be available until the New Year. Notwithstanding the upcoming launch date, I am not disappointed I bought it. I needed a new laptop at the time.

My last laptop was a Sony Vaio, which I paid almost $4000 for several years ago. It unfortunately got slower over time, to the extent that it was frustrating to use (i.e. unusable). I have often wondered how computers appear to slow down as they age. I am not sure whether my expectations change, or whether Intel is just evil.

The only programs that I have installed on the Pro are:

  • Microsoft Home Premium 365 Subscription: This gives the full suite of the Office 2013 Products including OneNote, Publisher and Access. This is excellent value.
  • Reckon Accounts (which I believe to be expensive compared to Quicken in the US)
  • Adobe X1 Reader; and
  • Autodesk Sketch Pro 6.

Obviously I have available to me all the Metro Apps that I have on the RT. I have installed on the Pro those Apps that I actually use.

It is when you have more than one Windows 8 device that the full convenience of the Windows 8 operating system becomes apparent. Once the Pro was configured correctly, all my settings on the RT (contacts, most passwords, Explorer favourites) synced and are continually updated between the RT and Pro. I have the 8.1 Preview installed on the RT. I suspect syncing will further improve once both machines have the final version of 8.1 on 18 October 2013. I do not propose to install the 8.1 Preview on the Pro; I will wait until the full version is released. The syncing of data also works to a lesser extent with my Windows Phone. My subscriptions in The Fifth app (which I discuss below) sync between all devices.

I use the Pro as a small workstation. It has access to the workplace domain resources without being a domain computer. I did not want to give up my Microsoft Account login to change to a domain (local) login. I understand that Windows 8.1 has new abilities to connect to the workplace, but I understand that you may also need Server 2012 R2 to use those new abilities. I am using Word 2013 on the Pro to compose this post because the Type Cover is attached to it. The RT has only the Touch Cover.

I also bought a Microsoft Wedge Touch Mouse to use with the Pro. I do not really need the Wedge Mouse when using the Office programs; it was needed when using Reckon Accounts. Reckon Accounts is the Australian version of Quicken and was known as Quicken until the beginning of this year. Fingers, or even the Pro stylus, on a small screen were just not convenient.

The Microsoft Wedge Touch Mouse

The Wedge Touch Mouse Surface Edition is surprisingly small, particularly when it is compared to the box that it is packed in. The small size is a convenience; you would not get any increased functionality if it were larger (other than possibly making it easier to find on a cluttered desk).

What I found particularly surprising about the touch mouse is how well I believe it would work with Windows 8 on a non-touch-screen workstation. It allows you to use most of the touch gestures without the touch screen. I am not sure that I can explain this accurately. The Windows 8 Metro touch gestures, once you get to learn them (which is not hard), become second nature (so much so that when I use an iPad I have difficulty). When using the touch mouse, most of those gestures just seem to flow through subconsciously without having to touch the screen. I had to check when composing this: you cannot use pinch and expand on the mouse touch surface to expand or contract what is displayed.

Reflections on the Surface RT
I still use the RT for consuming information, particularly when reading in bed or on a train. It is lighter and more convenient to hold. I cannot imagine using the Pro for reading when I am in bed; the RT is heavy enough. It is always on and updating in standby mode.

The improved Snap views in Windows 8.1 work marvellously with my favourite news reader app (The Fifth), which I use to do most of my news consumption.

When opening an article in the browser, it automatically goes into snap view and opens the article in Explorer with a large window to the right.

I am still an advocate of the RT architecture. I expect that, as technology advances and both ARM and Intel architectures become more powerful but less power hungry, the ARM architecture will always permit thinner and lighter products.

Jeffrey Chard
14 September 2013

Microsoft Reader App 8.1 Preview – the Hidden Gem

I have in several previous blogs complained that Windows RT and the Windows Surface RT did not have a Metro PDF reader that matched the capabilities of Goodreader on the iPad.

One of the main reasons I was looking forward to the release of the Windows 8.1 Preview was the hope that it would include an improved Reader app. I was disappointed that, in reading all the reviews of the 8.1 Preview, there was no mention in the media of any improvements to the Reader app. I was therefore very surprised to discover that Microsoft’s Metro Reader app does contain most of the improved capabilities I was hoping for. It can now:

  1. open a maximum of 5 PDFs at the same time; and
  2. display those PDFs either in separate windows or switched by selecting tabs.

The Reader App will not automatically close a PDF document if you open another.

Two sample PDFs shown open in separate windows.

The Metro App retains all its existing annotation and commenting capabilities. It is now a very powerful PDF reader.

The Reader app only recognises internal hyperlinks. It cannot open an externally hyperlinked PDF document; neither can Goodreader. Nor does it recognise embedded PDF documents that may be in a PDF Portfolio; neither does Goodreader.

Given the inherent advantage of Windows RT in recognising USB drives, the Metro app by default has become a much more capable PDF (and XPS) reader than Goodreader can ever achieve.

Some functionality (opening multiple instances of itself) could result from the additional capabilities of Windows 8.1. If so, we can look forward to similar functional improvements (and more) in Adobe Reader Touch and other PDF readers in the Store once 8.1 is officially released.

JDC 17 July 2013

Mr Nokia, Are your Lumia 920 Gorilla Glass Screens Defective?

In the last 6 weeks, my wife, my office (2 phones), my son, my step daughter and my step grandchildren (2) upgraded their iPhones to Lumia 920s. We could have stayed with iPhones, or we could have chosen the Lumia 820, but we selected the 920 because the screen was made of Gorilla Glass. Whilst I did not believe Gorilla Glass to be unbreakable, I believed that it would better withstand an accidental drop. I was wrong! Within the course of last week, my son’s phone fell out of his pocket, my wife’s phone slid off the bonnet of her car, and my business partner’s fell off a lounge (from a height of only 30 cm from the ground). In each case, much to their amazement, the screen cracked.

My Wife’s Phone

My Son’s Phone

My Business Partner’s Phone

It appears that these are not isolated incidents:

nokia Lumia 920 cracked gorilla glass , poor desig…

http://forums.whirlpool.net.au/archive/2043450

I accept that had my wife or my son been using an iPhone, those screens may also have cracked if dropped the same way. An iPhone screen most likely would not have cracked falling 30 cm; I have dropped them from much higher.

Your phones are advertised as being tough. You represent that they can hammer nails:

Nokia uses Lumia 900 as a hammer in a torture test, makes us wince

Nokia Lumia 900 is tough as nails — literally

Whilst Gorilla Glass is not unbreakable, you represent it as being able to withstand accidental drops.

In each of the above situations, and those described in the above hyperlinks, the screens should not have cracked. I can only conclude there was a defect in the Gorilla Glass on those phones, or there is a design defect in the sculptured glass causing the screens to crack so easily. I note that there have been other reports of defective glass in the Nokia 900:

Nokia Lumia 900 screen potentially weak from the inside, cracks from slight fall [Updated] – Gadget Review

How many Lumia 920 owners have suffered cracked screens in the same circumstances?

JDC 8 July 2013

Updated 9 July 2013

Mr Microsoft why did you ignore most of the English Speaking World when releasing Windows 8.1 RT Preview on 26 June? UPDATE 4 July 2013

Important Update 4 July 2013

On 27 June 2013 I wrote the blog below, bitterly complaining about Microsoft’s apparent decision to ignore most of the English-speaking world (i.e. all those who did not live in the US). At the time of that post, whilst Microsoft promised a fix for those who had language packs installed, it was not immediately clear to me whether that would also apply to those like me who did not have a language pack installed but merely the wrong OS base language.

My unhappiness may have been unwarranted.

I am pleased to report that Microsoft has made the Windows 8.1 RT Preview available for other languages. The Australian version can be downloaded from

http://windows.microsoft.com/en-au/windows-8/preview-download

I am guessing the Great Britain English version can be downloaded from

http://windows.microsoft.com/en-gb/windows-8/preview-download

By clicking the “Get Update” link, you download an application/upgrade that has to be installed from the desktop (you just need to follow the instructions). Upon installation of that application/upgrade the Surface reboots, and you are then taken to the Store and asked if you want to install the Preview. The Preview then installs like any normal application. As I write this, my RT is still downloading the 2.1G update files. It is doing it slowly (10:48 am 4 July), so I cannot confirm final installation.

JDC 4 July 2013 10:50 pm, One Possibly Happy Customer.

Further Important Update 4 July 2013

My installation of Windows 8.1 RT Preview completed its download at 1:10 pm (having commenced at, say, 10:10 am). The installation process, involving various restarts, took a further 40 minutes. I was able to log in at about 10:50 pm.

One trick for the unwary is that the default keyboard was the UK keyboard after the install. You will need to log in to your Microsoft Account. If your password contains characters that appear in a different location on a UK keyboard, you may first need to change the input method to select the correct keyboard layout.

The other surprise is that Microsoft has by default implemented two factor authentication to log in to your Microsoft Office Account. In addition to your password, it also requires that you enter a PIN that is sent to you (to your previously notified mobile telephone) by SMS.

I have not yet tried any of the new features of 8.1.

JDC 4 July 2013 3:31 pm, A Happy Customer.

My Original Blog, 27 June 2013

I am writing this on my un-upgraded Windows Surface RT because I do not live in the US and I speak English.

I could not upgrade to the 8.1 Preview because my original OS base language is Australian English. I quote from your download site:

Notes before you download: If you’re using an English version of Windows, you can only install Windows 8.1 Preview from the Windows Store if your OS base language is English (US).

If you’ve installed a language pack, please don’t install Windows RT 8.1 Preview at this time. A fix will be available soon, so please check back.

ISO files (.iso) are not available for the Windows RT operating system. You can only update to Windows RT 8.1 Preview through Windows Store.

Windows RT 8.1 Preview is only available in the following languages: Arabic, English (US), Chinese (Simplified), Chinese (Traditional), French, German, Japanese, Korean, Portuguese (Brazil), Russian, Spanish, Swedish, and Turkish. You can find system requirements, support options, and other additional information in the FAQ and in the links on this page.

I do not have additional language packs installed. It is not immediately clear whether the fix referred to in the second paragraph will permit me to install the Preview when it arrives. If it is only intended to apply where additional language packs are installed:

  • I am very angry as it would appear you propose to totally ignore every English speaking person living outside of the United States.
  • I have shown loyalty to Microsoft in purchasing the Surface RT when it was first released in Australia, even though I recognised then that improvements and developments had to be made.
  • I wrongly believed that in supporting you, you would not let me down.
  • I was wrong and my patience has ended.
  • Unless the position is corrected quickly you have lost my support.

If the fix is also proposed to permit me to install the Preview, I hope that it will be released very soon.

JDC 27 June 2013 One Very Unhappy Customer

A commenter on Reddit asked why I could not just change to English (US). That is a good question, and I in fact tried to change my Language and Regional Settings, but it did not work. On investigating further, Microsoft in fact says:

Windows RT users

Please do not change your base language just to install the Preview.  If you do this and then update to the preview version, you will permanently change your base language on these devices.  This happens because we create a new restore image based on your selected 8.1 base language during install.

Also, as we noted on the download page, if you’ve installed a language pack on Windows RT, we ask you not to install Windows RT 8.1 Preview at this time. A fix will be available soon for updating through the store with a language pack installed, so please check back.

Charles [MSFT]

In either report there is no suggestion that Microsoft will make the Preview available to other English-speaking RT owners outside of the US. It also appears that for RT owners the only way to upgrade is to wait for the correct OS base language to become available. Microsoft is not even suggesting that this will occur.

JDC 27 June 2013, Still One Very Unhappy Customer

Some other commenters on Reddit question my concern because it is only a pre-release preview version. Most of those commenters either live in the US or do not have an RT version; others do not understand that even the US English version of the Preview is not available for us to even download. Previously I would not have considered installing preview versions of an operating system on a production computer. However, as I discussed in previous blogs, Windows 8 RT does not have Outlook, and that is a great big missing hole in the operating system. It is not possible to send any document by email from the Desktop. You cannot send a Word document by email from inside Word RT.

I was also looking forward to the 8.1 Preview because I hoped it would provide a more capable PDF reader. Microsoft’s Reader, and all other available readers, are limited. You cannot open more than one PDF in them. None of them cope with PDF packages (they open the first document but do not recognise the links to other PDFs in the package). While I could not check myself, it would appear my wishes in that regard have not been answered.

JDC 28 June 2013, Remaining One Very Unhappy Customer

   

Information Security for Lawyers – Passwords reconsidered

On 26 February 2013 I wrote about Information Security for Lawyers. In that blog I suggested a password protocol recommended by StaySmartOnline.gov.au. Two readers were kind enough to post comments criticising that recommendation. David referred me to two cartoons from xkcd.com, one of which I reproduce below.

Alex Muentz more directly said:

“Good advice, except for the passwords. Passwords like these end up on stickynotes.

Why not multi-word passwords? Easier for language oriented folks like lawyers to remember and a large enough password-space to make brute-forcing inefficient. Tools like hashcat permit 2 dictionaries, but doing 3 or 4 word passphrases is a lot of entropy”.

While I am not sure how the thermodynamic concept of entropy has become a measure of password strength, multiword password protocols are a viable alternative and should be considered.

Any password policy is a compromise between complexity and ease of use:

  • A 24 character multiword password can be difficult to type correctly, particularly as the password is often hidden and your typing skills could be less than perfect.
  • Whilst it may be easy to remember one multiword password, it may not be that easy to remember the many multiword passwords you will need for different websites.
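The entropy Alex refers to is Shannon's information entropy, not the thermodynamic quantity: for a secret chosen uniformly at random it is log2 of the number of equally likely candidates, so a passphrase of k words drawn from a list of N words carries k·log2(N) bits, and a combinator attack has N^k candidates to cover. The following Python is an added example, not code from this post or from any of the tools named in the comment; the word list is a constructed eight-word stand-in, 7776 is the size of a Diceware-style list, and the guess rate is an assumed figure used only to turn bits into a time estimate. It generalises the two-versus-four-word comparison to any list size and word count.

```python
import math
import secrets

# Constructed eight-word stand-in for a real list of several thousand words.
# The calculations take the list size as a parameter, so the small list only
# matters for the generated sample passphrase.
SAMPLE_WORDS = ["brief", "clause", "witness", "statute",
                "ledger", "verdict", "counsel", "deed"]

PRINTABLE_ASCII = 95            # characters available to a "complex" password
SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(choices: int, positions: int) -> float:
    """Shannon entropy of a secret built from `positions` independent,
    uniformly random picks out of `choices` options: positions * log2(choices)."""
    if choices < 1 or positions < 0:
        raise ValueError("need at least one choice and a non-negative length")
    return positions * math.log2(choices)


def passphrase_entropy(words_in_list: int, word_count: int) -> float:
    """Entropy of a random multiword passphrase (words drawn with replacement)."""
    return entropy_bits(words_in_list, word_count)


def character_password_entropy(alphabet_size: int, length: int) -> float:
    """Entropy of a random character password; a human-chosen one is lower."""
    return entropy_bits(alphabet_size, length)


def candidate_count(words_in_list: int, word_count: int) -> int:
    """Size of the space a dictionary/combinator attack must cover: N ** k.
    Two words from a small list is cheap to cover; four words is not."""
    return words_in_list ** word_count


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a given guess rate.
    The expected time to reach the real secret is half of this."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(word_list, word_count: int, separator: str = "-") -> str:
    """Random passphrase drawn with the OS CSPRNG (secrets), not random.choice."""
    return separator.join(secrets.choice(word_list) for _ in range(word_count))


def compare(words_in_list: int = 7776, word_count: int = 4,
            alphabet_size: int = PRINTABLE_ASCII, length: int = 8,
            guesses_per_second: float = 1e10) -> dict:
    """Side by side: k-word passphrase vs L-character random password.
    1e10 guesses/s is an assumed offline rate against a fast unsalted hash."""
    p_bits = passphrase_entropy(words_in_list, word_count)
    c_bits = character_password_entropy(alphabet_size, length)
    return {
        "passphrase_bits": round(p_bits, 1),
        "password_bits": round(c_bits, 1),
        "passphrase_years": years_to_exhaust(p_bits, guesses_per_second),
        "password_years": years_to_exhaust(c_bits, guesses_per_second),
    }


if __name__ == "__main__":
    for k in (2, 3, 4):
        print(f"{k} words from 7776: {passphrase_entropy(7776, k):.1f} bits, "
              f"{candidate_count(7776, k):,} candidates")
    print(compare())
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

Run as a script, the loop shows why the comment distinguishes two words from three or four: two words from a 7776-word list is about 26 bits (around 60 million candidates, seconds of work at the assumed rate), while four words is about 52 bits, comparable to eight fully random printable characters and far easier to remember. The figures assume the words are chosen at random; a passphrase assembled from a favourite quotation has much less entropy than the formula suggests.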

Cartoons can be very informative. My son Alex referred me to another very relevant XKCD cartoon on “Password Reuse”. I reproduce it below.


Even if a website is not evil, not all websites, even highly respected ones, store passwords and other private information securely. See Sean Buckley’s article Microsoft Store hacked in India, passwords stored in plain text, and Michael Lee’s article Qld govt department stores credit card recordings unencrypted.

The same password should not be reused to log on to different websites. Unless you are a lot smarter than I, you should use a password manager to record and store passwords. I use eWallet from Ilium Software, Inc. Versions are available for Windows PC, iPhone, iPad, Windows 8 Metro, Android and Blackberry. It is not available on Windows Phone 8 (Ilium Software, please fix: eWallet to Go just does not get there). The data file is encrypted and can be synced between devices. The file can also be stored in Dropbox or SkyDrive, which makes syncing between devices unnecessary.

Internet Facing Devices

Password strength is more important for internet-facing devices and websites. Most law firms may not be as concerned to securely protect network access from locally connected workstations. Microsoft’s Windows 8 operating system recognises this and provides the option of a 4 digit PIN code as an alternative to password logons. Whilst some may consider this could reduce security, I do not believe that to be the case. PIN code logons can provide convenient network access for devices known to be secure while simultaneously requiring complicated passwords when external access is required.

Another alternative could be to use Two Factor Authentication. This has become very popular for a lot of websites. It can be introduced very inexpensively. PhoneFactor, a company which has been purchased by Microsoft, offers free (if you are small) or relatively inexpensive solutions (if you are larger). You can learn more about them here. I will talk more about Two Factor Authentication in a future post.

JDC 10 June 2013.

My First Six Months with a Windows Surface RT, from a Lawyer’s Perspective

I have previously written about my experience using the RT in the following posts:

My First Three Months with a Windows Surface RT from a Lawyer’s Perspective | Jeffrey Chard (my last post) and

My First 10 days with the Surface RT | Jeffrey Chard

I have had my RT now for about 6 months.

General Use

I donated my iPad to my beloved wife about 2 months ago.

I primarily use the RT as a tablet. When using it as a tablet I prefer to use the Metro OneNote and IE10 Apps to the desktop programs.

I no longer have any problems with website compatibility with IE10. The Metro IE10 is extremely easy to use. The Swipe action UI is truly excellent.

There are a lot more apps now available for Windows 8. Since my first post, Dropbox has become available. I wrote about it in my first above-mentioned post. I prefer to use SkyDrive because it is more integrated.

Zite and a decent replacement for Goodreader are still not available. Adobe Reader (Touch) is available, but it has similar functionality to the Microsoft Reader. There are other apps that allow you to annotate PDFs, but nothing with the same capabilities as Goodreader.

Whilst Zite has come to Windows Phone 8, it is still not available on Windows 8 (nor is it available as a website, a fact that I find curious). I use the following news reader apps instead.

The Fifth.
This has very recently become available in the Windows Store. I have been using it, and beta testing it, for several months. Even though I may be biased, it is my favourite news reader app. Whilst it relies on RSS feeds, it is very easy to search for RSS feeds and to subscribe to them. There are a host of built-in RSS feeds to browse. All your subscriptions and reading history are synced to the cloud so that your history follows you between devices. The app can be downloaded here.

The Fifth app for Windows in the Windows Store

http://apps.microsoft.com/webpdp/app/e741b66c-cb4c-4e64-9ed0-5e35267a377a

Learn more about The Fifth by Ardent Technology and download it from the Windows Store

The only difference between the Trial Version (which is really the Free Version) and the Paid Version is the absence of advertisements in the Paid Version. As the ads are not very intrusive in the trial version, I am not sure there is much incentive to buy the Paid Version, unless you want to support the poor author. As he is my son, I would encourage you to do so :)

Appy Geek

Pulse News

From the Lawyer’s Perspective

As I mentioned in my last post, as a lawyer I primarily used my iPad to reduce the paper I had to carry. I could load into Goodreader 20,000 page briefs which were fully hyperlinked. On the RT I have similar functionality, but with the added convenience of being able to access those documents from a USB drive with no need to import.

Office RT is by far much easier to use than the iPad equivalents when it is necessary to do work. Now that I have the Typecover, it is very convenient to take into the meeting room to take statements. I find it convenient to prepare witness statements, which I save to SkyDrive. I eventually acquired a Typecover, and I use that when I have to do any creative work. The Typecover is much better than the Touchcover for doing work. I find that I can type more accurately on it than I was able to do on most of my earlier laptops when it is on a stable surface. I still use the Touchcover as a cover and, interestingly, it is more accurate when it is on my leather briefcase on my lap when I am on a train. The Touchcover works better on an uneven surface.

If I need to use a desktop application I just use the Remote Desktop app.

Why did I buy the RT instead of waiting for the Pro?

The RT has one main advantage over the Pro: battery life. It is inherent in its design. For the tasks that I needed to do on the RT, I was willing to sacrifice all the benefits of the Pro to obtain longer battery life in a slightly thinner package. The Surface Pro has only been available in Australia since 30 May 2013. I have seen one in the shop and briefly played with it. It works very well. I particularly like the stylus.

As I mentioned in my first-mentioned post, the main thing missing from the RT is Outlook.

Microsoft has announced that Outlook will be available with RT 8.1, which is being released for Preview on 26 June 2013. This will be a great improvement. While I believe that I will continue to use the Metro Mail app, Outlook RT will fill the very big hole that existed when using the Desktop. The sooner Outlook RT is released the better. I am hoping that Microsoft will release it to RT 8.0 for download at the same time as the 8.1 Preview is released.

Back in the Office

In my last post I said:

I am an advocate of the Metro UI, but in the office I am firmly a Desktop user. I am still using the Windows 7 Professional, and I did not take advantage of the reduced price to upgrade. I am a firm believer of Windows 8 and like its split personality, but there is really little point to upgrade until you have touch screens. The only advantage to upgrade (which is real) is the convenience of having access to all your metro apps on the Desktop.

I am hoping that Microsoft has a lot of success with the Surface RT. For a lawyer, the advantages of an RT over an iPad are clear. I am still looking forward to many great things from Microsoft this year.

Not much has changed, but I expect it will very soon. I have read a lot about Windows Blue/8.1. Microsoft has done a lot to address some of the concerns that I had with Windows 8 on the Desktop. Whilst I believe that the split personality is inevitable, there are a lot of changes in 8.1 that will encourage it to be used in the enterprise. One of the main advantages of 8.1 will be that each Desktop user will be able to use his/her Microsoft Account and still be able to connect to the enterprise domain.

I am still looking forward to many great things from Microsoft this year.

JDC 10 June 2013

Practice Guidelines for the use of Cloud Computing by Lawyers – revisited

On 22 January 2013 I published a post on the guidelines that lawyers should at least consider when using cloud services. In that post I reviewed, as an example, the Microsoft Service Agreement. I reproduced Microsoft’s Clause 5 on Privacy, which for convenience I set out again below:

5. Privacy

5.1. Does Microsoft collect my personal information? Your privacy is important to us. We use certain information that we collect from you to operate and provide the services. Additionally, as part of the services, we may also automatically upload information about your machine, your use of the services, and services performance. We may use technologies, such as placing cookies on your machine, to help us gather such information. Please read the Microsoft Online Privacy Statement (http://go.microsoft.com/fwlink/p/?LinkId=253457) to learn how we use and protect your information.

5.2. Does Microsoft disclose my personal information outside of Microsoft?
You consent and agree that Microsoft may access, disclose, or preserve information associated with your use of the services, including (without limitation) your personal information and content, or information that Microsoft acquires about you through your use of the services (such as Internet Protocol address or other third-party information) when Microsoft forms a good faith belief that doing so is necessary (a) to comply with applicable law or to respond to legal process from competent authorities; (b) to enforce this agreement or protect the rights or property of Microsoft or our customers; or (c) to help prevent a loss of life or serious physical injury to anyone.

5.3. How does Microsoft respond to legal process? Similar to other providers of Internet services, Microsoft is served with legal demands and requests from law enforcement, government entities, and private litigants for content stored on our network. This information may relate to an alleged crime or civil matter and is usually requested pursuant to the normal legal process of the country or locality where the activity occurred. Microsoft may be obligated to comply with requests for your information or your content as part of such investigations or legal proceedings.

Last Monday week (5 March 2013), my son Tim referred me to Google’s Terms of Service and its fifth clause. He then posed this question: “is it fair to say that they could take photos randomly from Google Drive and put them as the background for Google (users’ photos which happen to be stored on Google Drive)?” The clause that Tim was referring to reads:

Your Content in our Services

Some of our Services allow you to submit content. You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours.

When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps). Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services. Make sure you have the necessary rights to grant us this license for any content that you submit to our Services.

You can find more information about how Google uses and stores content in the privacy policy or additional terms for particular

Those terms on their face do not comfort me as to the confidentiality of any information I may store in Google Drive, contained in a Gmail email or in any other Google Apps document. I then looked at Google’s Privacy Policy. On review of that policy I did not get the assurance I was wanting. Google went to great lengths to explain that they will preserve the privacy of the information which they collect (“Information We Collect”). Information We Collect, however, seemed restricted to a user’s metadata, log-on information, location information, device information etc., and not information stored in their services. Coincidentally, the following day I received an email newsletter from Blawgworld that included a link to a post by William Peacock titled “Does Google Privacy Policy Compromise Attorney-Client Privilege?” In that post, William refers to the same Google provisions and raises a similar question to my son’s, even though he was referring to information in Gmail emails as opposed to photographs stored in Google Drive. William correctly raises the question:

Does a client’s use of Gmail constitute a waiver, since the terms of service allow Google to access and use that information? Doesn’t voluntary disclosure to a third party destroy the privilege? While Google only scans emails via robot, and not via human, the consent and disclosure of the information is what seems to matter – not what the third party does with it.

The answer to that question can be found in Google’s Apps agreements rather than in its general Terms of Service: first, in clause 6 of the Google Apps for Business Agreement, which provides:

6. Confidential Information.

6.1 Obligations.

Each party will: (a) protect the other party’s Confidential Information with the same standard of care it uses to protect its own Confidential Information; and (b) not disclose the Confidential Information, except to Affiliates, employees and agents who need to know it and who have agreed in writing to keep it confidential. Each party (and any Affiliates’ employees and agents to whom it has disclosed Confidential Information) may use Confidential Information only to exercise rights and fulfill its obligations under this Agreement, while using reasonable care to protect it. Each party is responsible for any actions of its Affiliates’ employees and agents in violation of this Section.

6.2 Exceptions.

Confidential Information does not include information that: (a) the recipient of the Confidential Information already knew; (b) becomes public through no fault of the recipient; (c) was independently developed by the recipient; or (d) was rightfully given to the recipient by another party.

6.3 Required Disclosure.

Each party may disclose the other party’s Confidential Information when required by law but only after it, if legally permissible: (a) uses commercially reasonable efforts to notify the other party; and (b) gives the other party the chance to challenge the disclosure.

  • at least in relation to education customers, by clause 5 of the Google Apps for Education Agreement, which provides:

    Confidential Information.

    5.1 Obligations. Each party will: (a) protect the other party’s Confidential Information with the same standard of care it uses to protect its own Confidential Information; and (b) not disclose the Confidential Information, except to Affiliates, employees and agents who need to know it and who have agreed in writing to keep it confidential. Each party (and any Affiliates, employees and agents to whom it has disclosed Confidential Information) may use Confidential Information only to exercise rights and fulfill its obligations under this Agreement, while using reasonable care to protect it. Each party is responsible for any actions of its Affiliates, employees and agents in violation of this Section.

    5.2 Exceptions. Confidential Information does not include information that: (a) the recipient of the Confidential Information already knew; (b) becomes public through no fault of the recipient; (c) was independently developed by the recipient; or (d) was rightfully given to the recipient by another party.

    5.3 Required Disclosure. Each party may disclose the other party’s Confidential Information when required by law but only after it, if legally permissible: (a) uses commercially reasonable efforts to notify the other party; and (b) gives the other party the chance to challenge the disclosure.

    5.4 FERPA The parties acknowledge that (a) Customer Data may include personally identifiable information from education records that are subject to FERPA (“FERPA Records”); and (b) to the extent that Customer Data includes FERPA Records, Google will be considered a “School Official” (as that term is used in FERPA and its implementing regulations) and will comply with FERPA.

    and

  • possibly for all other customers, by clause 6 of the Google Apps (Free) Agreement (although the links to this agreement only appear on the Google Apps for Government page). That clause appears to be identical to Clause 6 of the Business Agreement.

All of the Agreements define “Confidential Information” as meaning “information disclosed by a party to the other party under this Agreement that is marked as confidential or would normally be considered confidential under the circumstances. Customer Data is Customer’s Confidential Information”. Whilst it may be very difficult to find, Google’s “fine print” does contain provisions at least addressing, and trying to preserve, the confidentiality of customer data stored in Google’s Apps. Those provisions should have effect notwithstanding the contradictory provisions in the more general Terms of Service.

To answer Tim’s question: Google could not use a person’s photograph stored on Google Drive in that way.

To answer William’s question: William’s question goes further than just asking whether privilege is lost by disclosing to a third party in circumstances where that third party did not agree to keep the information confidential. The answer to that question is a simple NO; privilege is not lost, because the third party has agreed to maintain the confidentiality of that information. The second part of William’s question is whether privilege is lost because Google has scanned the email to identify its subject matter for the purpose of matching advertisements (what Microsoft calls “Scroogled”). The answer to that question is also NO because:

  1. To waive privilege, there has to be intentional disclosure of confidential information by the client. Privilege is not lost because confidential information has been inadvertently disclosed.
  2. Google, in transmitting the information, would be considered to be the agent of either the client or the lawyer, and has no authority to disclose that information; and
  3. No confidential information would be disclosed by the scroogling. Any resultant information that is disclosed would in any case only be displayed to the email recipient in the form of advertising.

JDC published 16 March 2013.

Amended 17 March 2013 and 21 March 2013

Information Security for Lawyers

On 22 January 2013 I wrote about Practice Guidelines for the use of Cloud Computing by Lawyers. In preparing that post I became concerned about security in my own office. I recorded in that post many instances of security breaches at highly prominent organisations (Apple and Amazon Security Flaws; Blizzard suffers security breach, encrypted passwords and authenticator data compromised; Yahoo confirms server breach, over 400k accounts compromised; Dropbox confirms user info was stolen; Microsoft Store hacked in India, passwords stored in plain text; LinkedIn confirms security breach, ‘some passwords’ affected; and Chinese hackers target U.S. Chamber of Commerce, sensitive data stolen). Just last week: Microsoft says it was also attacked by hackers, small number of PCs infected with malware (The Verge). Today the Asian Lawyer reports that the China Hacking Report Raises Alarm at Firms. In Australia, cases of cyber breaches may be less widely reported. Michael Lee reported on 18 February that Australian law enforcement laid charges in only 8% of reported cases, referring to the report issued by CERT Australia, The Cyber Crime and Security Survey Report. That report also noted:

255 of 450 organisations invited to complete the Survey responded (page 8).

The key findings for this survey include (page 5):

  • over 90% of respondents deployed firewalls, anti-spam filters and anti-virus software
  • two-thirds of respondents had documented incident management plans, however only 12% had a forensic plan
  • nearly two-thirds of organisations used IT security related standards
  • over two-thirds of respondents had staff with tertiary level IT security qualifications. Over half had vendor IT security certifications, whilst just under half had non-vendor IT security certifications
  • over 20% of organisations know they experienced a cyber incident in the previous 12 months, with 20% of these organisations experiencing more than 10 incidents.

Of the organisations which know they experienced cyber incidents:

  • 17% suffered from loss of confidential or proprietary information, 16% encountered a denial-of-service attack, and 10% financial fraud
  • 44% reported the incident to a law enforcement agency, whereas only 13% sought a civil remedy through action from legal counsel
  • 20% chose not to report the matter to a law enforcement agency because of the fear of negative publicity
  • the most common responses as to why incidents were successful, were that they used powerful automated attack tools, or exploited unpatched or unprotected software vulnerabilities or misconfigured operating systems, applications or network devices
  • over half of all organisations have increased their expenditure on IT security in the previous 12 months.

Number of incidents experienced (page 17)

When asked if their organisation had experienced a cyber security incident in the previous 12 months:

  • 69% of respondents reported ‘no’
  • 22% of respondents reported ‘yes’, and
  • 9% of respondents reported they ‘did not know’.

While these results indicate the majority of organisations did not experience a cyber incident in the previous 12 months, this may more accurately reflect that a number of cyber intrusions have gone undetected by some organisations. Anecdotal evidence available to the CERT suggests that some businesses are unaware of the full scope of unauthorised activity on their networks.

The CERT is also aware of hesitation from organisations to report a cyber security incident. This may be for a variety of reasons – some are concerned that the information they report may lead to negative publicity and/or regulatory scrutiny, others don’t consider reporting to be worthwhile.

Of the respondents who reported their organisation had experienced an incident in the previous 12 months:

  • 65% reported experiencing one to five incidents
  • 21% reported experiencing more than 10 incidents
  • 9% reported experiencing six to 10 incidents, and
  • 5% did not know how many incidents had been experienced.

Types of incidents experienced (page 18)

Of the respondents who reported their organisation had experienced a cyber incident in the previous 12 months, the main types reported were:

  • theft of a notebook, tablet or mobile devices – 32%
  • virus or worm infection – 28%
  • trojan or rootkit malware – 21%
  • unauthorised access – 18%
  • theft or breach of confidential information – 17%, and
  • denial-of-service attack – 16%.

Contributing factors to the attacks (page 24)

Respondents were asked what factors they thought may have contributed to the incidents. The highest rated reason was the use of powerful automated attack tools (14%), followed by exploitation of unpatched or unprotected software vulnerabilities (11%), and exploitation of misconfigured operating systems, applications or network devices (10%).

These findings highlight the need for organisations to stay vigilant to vulnerabilities and apply appropriate mitigations – specifically where misconfigured systems are the reason an attack was successful.

Further, the Australian Defence Signals Directorate (“the DSD”) noted in the Executive Companion to the Australian Government Information Systems Manual:

  • In 2010, 88% of Fortune 500 companies had botnet activity connected to their Internet domains, and 60% had business email addresses compromised by malware (page 3)
  • After Wikileaks released a large amount of classified US State Department cables in November 2010, online payment service provider PayPal terminated WikiLeaks’ account, thereby closing its principal method for receiving financial donations from supporters. Claiming to support transparency and counter-censorship, Anonymous organised a Distributed Denial of Service attack that shut down PayPal’s website, as well as those for Mastercard and Visa (page 4).
  • The Australian Competition and Consumer Commission reported a loss of around $63 million from cyber crime and scams in 2010 (page 5).
  • 41% of Employees use the same password for multiple accounts (page 12).

The DSD further noted in the Principles Manual to the Australian Government Information Systems Manual:

  • A new piece of malware is created every 1.5 seconds (page 2)
  • Over 2010-2011, the number of mass, indiscriminate email-based attacks declined by more than half, but highly-personalised targeted attacks tripled. Cost-benefit decision-making is driving this trend, as although targeted attacks are estimated to cost five times more than mass attacks, the average value per victim can be forty times higher (page 2).
  • There was a 46% surge in malicious software targeting mobile devices between late 2009 and late 2010 (page 5)
  • In 2011, 41% of data breaches were caused by a third party, namely outsourcers, cloud providers or business partners that handled or accessed the organisation’s information (page 15)
  • Three out of four companies across ten countries – including Australia – have security policies in place. However, 40% of employees and 20% of IT professionals did not know that the security policies existed (page 16)
  • During a 2011 information systems audit, 14 out of 15 Western Australian government agencies failed to detect, prevent or respond to suspicious scans of their Internet sites seeking to identify security weaknesses (page 21)
  • 19 Australian companies in a 2010 study lost between 3,200 and 65,000 individual records from data breach incidents, with an average organisation cost per breach of $2 million (page 23)
  • 85% of data breaches in 2011 took weeks or more to discover. In fact, over half of the breaches took months to discover (page 23)
  • 32% of Australian data breaches in 2010 were caused by employee negligence, representing a 3% increase since 2009 (page 24).
  • In early 2011, the City of York Council in the United Kingdom was penalised by the Information Commissioner’s Office after papers containing sensitive personal data were mistakenly collected from a shared printer and posted to the wrong person (page 30).
  • In a research experiment, the Sophos Australia office discovered that 66% of the 50 USB drives they purchased from a public transport provider were infected with malicious software. They were able to uncover information about many of the former owners of the devices, as well as their family, friends and colleagues (page 34).
  • Web applications are the third most common intrusion vector and are associated with over a third of total data loss. (page 36)
  • An 8 character password with mixed case letters, numbers and symbols takes approximately 5 days to crack using a graphics processing unit in a standard home computer; however if the password was extended to 9 characters or more it would take over 18 months to crack (page 40)
  • 18% of Employees share their workstation passwords with co-workers (page 40).
  • 44% of data breaches were a result of exploitation of default or guessable credentials (page 41).
  • Mobile devices and laptops are the most likely endpoint from which serious cyber attacks are unleashed against an organisation. Over 2010-2011, 63% of attacks had an employee laptop or mobile device as their endpoint (page 45) and
  • More than 200,000 mobile phones are reported lost or stolen each year in Australia. This equates to 4,000 each week, or one mobile phone every 3 minutes (page 48).

WHAT SHOULD A LAW FIRM DO TO ENSURE ITS INFORMATION SECURITY?

Information Security does not just mean Cyber Security. It must address security for all information media, including hard copy, USB sticks and the inadvertent posting or faxing of material. It also needs to address the preservation of that information, not merely protecting it from outside intrusion. I went to a seminar just last week where it was suggested that any law firm that catastrophically lost the data stored on its server, without adequate backup, would most likely cease to exist within 18 months. That speaker also told of a situation where a company’s servers and primary backup media were both destroyed by water damage arising from a floor above. That company fortunately had external backup and was up and running within 8 hours.

On 6 February 2013, Joe Patrice at Above the Law wrote an article, When Luddites Handle Cyber Security, You End Up With American Law Firms. I am a lawyer and, when it comes to cyber security technology, a luddite, so the purpose of this blog is not to explain to you how to handle Cyber Security. That is far too specialist an area. However, it is important for law firms to treat Information Security systematically. Fortunately, there is a lot of information available to lawyers to assist them in developing those systems. International Standards for Information Security Management Systems have been available since about 1995. Most information security guides appear to adopt the ISO/IEC 27000 family of standards, which includes ISO/IEC/AS 27001, last published in 2005. A new draft is in preparation. Easier to understand are various guidelines, including the following, freely available to review:

Simpler guidelines, not adopting the rigour of ISO/IEC/AS 27001 but more closely related to the legal profession can be found in the following guidelines:

although those guidelines are more concerned with receipt of handling of information by barristers/counsel and predominantly to ensure the confidentiality of client information.

A further and very practical resource, but restricted to online security, is the Australian Government StaySmartOnline site.

That useful site provides very practical information and makes very useful recommendations. Some of the important principles expressed in the 27001 standard are recommended but explained with less rigour, and are easily put into practice. Whether a legal practice must adopt the 27001 Standard will depend upon its size, client base and sometimes client requirements. I expect it is more likely in future that some clients, particularly government departments, will require legal practices to have an accredited Information Security Management System in place. Whether formal accreditation is required, or whether a formal or informal information security policy is needed, the law practice needs to at least consider the following matters:

  1. Identify all information assets, for example:
    1. Electronically stored information and data
    2. Paper documents.
    3. Physical equipment, computers, facsimile machines, telephone communications;
    4. On line services, cloud services, etc.
  2. Identify the value of all information assets and assess the potential impact of loss or breach:
    1. For a legal practice the most economically valuable information asset will not be client information, but the information stored on its practice management and trust accounting system. Second would be the knowledge stored in precedents and in other information systems.
    2. The preservation of the confidentiality of client information is similarly very important, particularly if it has high commercial value, or may be socially or media sensitive. As I have mentioned in my earlier post referred to above, the NSW Revised Professional Conduct and Practice Rules 1995 (“the Solicitor Rules”) mandate both the retention of, and the preservation of the confidentiality of, client information (rules 2 and 8).
  3. Ascertain the Threat to the Information Assets. Identify possible sources of threats.
    1. Hackers and Activists
    2. Inadvertent release of information by incorrect addressing of email, facsimile or post
    3. Employee sabotage
    4. Thieves
    5. Fraudsters
    6. Environment
    7. Fire and force majeure
    8. Employee negligence
    9. Inadvertent loss o
  4. Assess Vulnerabilities
    1. Password Weakness
    2. Remote Access
    3. Firewalls
    4. Shared Offices
    5. Social Engineering (staff inadvertently releasing information upon telephone enquiry)
    6. Office and building security
    7. Back up procedures
  5. Determine safeguards and policies, and monitoring and reporting procedures.

Information security requires genuine commitment from all staff members. A documented and enforced policy is almost essential for all but the smallest practice. Staff must understand the need to report data breaches, even those for which they were responsible, so that the breach can be mitigated or otherwise responded to. The Australian Government StaySmartOnline site for businesses referred to above provides very useful guidance on how to address the vulnerabilities and could become the basis of a legal practice’s security policy.

A sample Information Security Policy, prepared primarily from the above site, could be:

Information Security Policy

  1. Awareness by all Staff and Enforcement
    1. Information Security is a basic obligation of all employees and practitioners. This policy specifies procedures and rules that must be followed to ensure that the information retained by the firm is secure from loss, intrusion or disclosure.
      1. This firm holds information whose loss could be catastrophic for the firm, and also sensitive and commercially valuable information belonging to clients, whose loss or disclosure could cause substantial loss and damage.
    2. A wilful breach of these policies will lead to disciplinary action.
  2. Social Engineering challenges
    1. Staff must be aware of social engineering: attempts by external parties to obtain the disclosure of information. It is the practice of misleading and misdirecting a person in such a way as to obtain information through social interaction. The hallmark of a successful social engineer is that they receive the information they request without raising any suspicion.
    2. Employees should not give information over the phone or by email without identifying the requestor.
    3. All requests for information should be funnelled through a partner or solicitor who can verify the authenticity of the caller.
  3. Office Security
    1. The Office should not remain unattended during office hours.
  4. Surveillance
    1. Closed Circuit Television Cameras should be installed in the reception area and in areas where sensitive information is stored.
  5. Pass Cards
    1. Pass Cards are issued to each employee individually. They provide a record of when that employee enters premises out of hours.
    2. Pass Cards should not be shared with other employees except for special circumstances and for limited periods.
    3. Pass cards should not be copied or duplicated.
    4. If a Pass Card is lost or stolen, the employee must immediately notify a partner.
    5. Pass Cards must be returned on the employee leaving the practice.
  6. Keys
    1. Keys must be kept safe at all times.
    2. No address or other information identifying the firm or the employee should be attached to the key.
    3. A lost key service identification tag may be attached to the key.
    4. Employees must not have keys issued to them copied.
    5. If a key is lost, its loss must be reported immediately to office management.
    6. Keys must be returned on the employee leaving the practice.
  7. Alarm Pins (Personal Identification Numbers)
    1. Individual and distinct Alarm PINs are issued to employees who need access out of hours.
    2. Those employees should keep their PIN confidential and not share it with other employees.
    3. Once an employee leaves, that employee’s PIN should not be recycled, but removed from the pool of available PIN numbers.
  8. Computer Equipment, Printers and Facsimile Machines
    1. Computers, Printers and Facsimile Machines may contain confidential information. All confidential information must be scrubbed before disposing of a machine, including the removal of any hard disk in printers or facsimile machines.
  9. Mobile Device Security
    1. Mobile devices may contain confidential information. All phones should be registered so that they can be located by GPS or, in the worst case, remotely wiped.
    2. All remote devices must only be accessible with a PIN code.
    3. Any loss should be immediately reported.
  10. Employee Errors
    1. It is recognised that staff may make mistakes resulting in the loss or disclosure of information. Those mistakes may result from mistakenly sending an email or facsimile to the wrong recipient, misaddressing a letter, or inadvertently including in correspondence material that should not have been sent.
    2. If a mistake is recognised immediately after it has occurred, attempts should be made to retrieve the material immediately. Where the incorrect recipient is another legal practitioner, this may only require a telephone call requesting that the recipient permanently delete the incorrectly addressed email or destroy the incorrectly addressed facsimile. In other cases a formal letter may be required, and a report made to a partner.
    3. With incorrectly addressed mail attempts should be made to have the material returned.
  11. Email
    1. In the case of email, practitioners should be wary of using Blind Carbon Copy (BCC). It is often very convenient to send a client a blind copy of communications between the legal practitioner and the opposing party. Problems can arise when the client mistakenly sends a “Reply to All” with confidential instructions.
  12. Firewalls, Antivirus and Spam Filters
    1. The legal practice, with advice from its Information Technology advisers, must:
      1. install appropriate firewalls, antivirus and spam filters;
      2. install monitoring and reporting software to ensure the adequacy of the cyber security software.
  13. Monitoring
    1. The Legal Practice, with the assistance of its IT advisors, must ensure that all firewalls and other security measures are continually monitored for effectiveness and to identify attempted attacks and data breaches.
  14. Passwords
    1. All employees should maintain strong passwords.
    2. Employees must not use the same password to access other websites or cloud services.
    3. StaySmartOnline.gov.au makes the following recommendations:
      • A strong password has the following attributes:
        • a minimum length of eight (8) characters; and
        • a mix of upper and lower case letters; and
        • at least one numeral; and
        • at least one non-alphanumeric character; and
        • does not include a dictionary word in any language.
      • The password does not literally have to be a single word. To make a password easy to remember, think of a pass phrase and then change some of the characters to make it a strong password:
        • June School Holidays can be modified to: 7un3Schoo1Ho!id@ys
        • Somewhere over the rainbow, blue birds fly can be modified to: 5w0tR,Bbf}
        • I like Australian red wine can be modified to: IL077ieR3dw!ne*
        • Be good, be wise can be modified to: B3g00db3wi5e$
      • Please don’t use these examples.
  15. Remote Access
    1. Employees who have remote access to the legal practice’s computer system should have very strong passwords of at least 9 characters.
    2. The Practice should give consideration, when appropriate, to two-factor, token-based authentication for remote access. Whilst this may previously have been considered too inconvenient, the Microsoft Windows 8 operating system with appropriate hardware (such as the Surface RT and Surface Pro) allows for virtual token-based authentication.
  16. Cloud Services
    1. The practice must confirm that the information security policies of any cloud based services exceed this policy.
  17. Website Access
    1. The legal practice should prevent access to inappropriate web sites.
  18. Portable Media
    1. Employees may only copy material to portable media (USB drives, CD-ROMs) for limited purposes.
    2. The Legal Practice, with the assistance of its IT advisors, should maintain monitoring and reporting systems to report unusual copying of files.
  19. Operating System Updates
    1. The Legal Practice, with the assistance of its IT advisors, must ensure that all operating system and security software updates are routinely installed.
  20. Backup
    1. The Legal Practice, with the assistance of its IT advisors, must ensure that adequate backup procedures are in place, including off-site backup that is securely stored.
    2. The Legal Practice should consider multiple backups of essential information, including online remote backup of practice management information.
  21. Response Plans
    1. The legal practice shall have in place plans for the recovery of data if a loss has occurred.
    2. If confidential information has been lost, affected clients and authorities must be notified immediately.
  22. Revise
    1. The Legal practice must review this policy annually.
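As an added illustration of the Passwords section of the policy above (my own example, not code from the original post or from StaySmartOnline), the following Python checker applies the five StaySmartOnline attributes to the post’s own example passwords. It also carries the caveat a practitioner would want: the letter-for-symbol substitutions used to build those examples are the first thing a password audit undoes, so the checker can optionally map them back before the dictionary test, which is stricter than the literal rule. The word list and the substitution map are constructed for this example, standing in for a real dictionary.

```python
import string

# Constructed for this example: a tiny word list standing in for a real
# dictionary (a deployment would load a full list, in more than one language).
DICTIONARY = {
    "june", "school", "holidays", "rainbow", "blue", "birds", "australian",
    "red", "wine", "good", "wise", "password", "welcome", "summer",
}

# Constructed substitution map: the letter-for-symbol swaps used to build the
# example passwords in the policy. Applied only when normalise_leet=True.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 8       # StaySmartOnline: a minimum of eight characters
MIN_WORD_LENGTH = 4  # ignore very short words such as "red" to limit false positives


def contains_dictionary_word(password, dictionary=DICTIONARY, normalise_leet=False):
    """True if a dictionary word appears as a substring of the password.

    With normalise_leet=True the password is first mapped back to plain
    letters, so "Schoo1" is recognised as "school".
    """
    text = password.lower()
    if normalise_leet:
        text = text.translate(LEET_MAP)
    return any(word in text for word in dictionary if len(word) >= MIN_WORD_LENGTH)


def check_password(password, normalise_leet=False):
    """Return the list of StaySmartOnline attributes the password fails.

    An empty list means the password satisfies all five attributes.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no numeral")
    if not any(c in string.punctuation for c in password):
        failures.append("no non-alphanumeric character")
    if contains_dictionary_word(password, normalise_leet=normalise_leet):
        failures.append("contains a dictionary word")
    return failures


def is_strong(password, normalise_leet=False):
    """True when the password passes every attribute in the policy."""
    return not check_password(password, normalise_leet)


if __name__ == "__main__":
    # The four examples from the policy text, plus two obviously weak ones.
    samples = ["7un3Schoo1Ho!id@ys", "5w0tR,Bbf}", "IL077ieR3dw!ne*",
               "B3g00db3wi5e$", "Welcome1!", "password"]
    for pw in samples:
        literal = check_password(pw)
        strict = check_password(pw, normalise_leet=True)
        print(f"{pw:20} literal: {literal or 'OK'}  strict: {strict or 'OK'}")
```

All four of the post’s examples pass the literal five attributes; with substitution normalisation on, three of them are flagged because the pass phrase words reappear, which is why the policy’s separate advice to use at least 9 characters for remote access matters more than the symbol swaps.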

JDC 26 February 2013

Updated 21 March 2013 and 31 March 2013