Legal Data Intrusion – Big Risks from Little Action


As of 2015, there are a little more than 1,300,000 licensed lawyers in the United States.  Also according to this same source, the percentage of lawyers in private practice rose from 68% in 1980 to 75% in 2005.

What this means is that, given that the number of private practice attorneys has remained constant in the last 10 years, and given that the number of licensed lawyers has not increased since 2015 (which it really hasn’t all that much), approximately 975,000 lawyers are in private practice.

I did some research and could not find any definitive resource that could show how much data is kept at a law firm, so I thought I would use my experience in IT to come up with a ball park figure to combine with the population figure above.

Let’s assume that a law firm contains 4 people (according to this government source, law offices of 1-4 people are more common than larger law offices; almost 128,000 of these offices exist in the US).  Now, let’s further assume that each of these lawyers (or other staff) has at least 1 computer (this could be a dockable laptop or pad which can be mobile), a cell phone (smart phone), and at least one other device that can get access to the internet.  That now means that there are 12 devices that, at any time, can contain (even briefly) client data.  That does not count any “hard copy” files that are carried by the attorney in their automobiles or their homes.  Let’s address each of these areas separately.

First, in my experience any device that has access to the internet is vulnerable every time a user activates that connection.  When the computer is part of a network, that vulnerability expands quickly to other users.  To prove my point, let’s take a formula that is used by project managers to determine communication networks for stakeholders.  This formula is also used in probability, but its use in networks is what we are applying today.

The formula is N(N-1)/2 and is easily calculated using a number of “spokes.”  For instance, let’s say that you have 4 computers that are networked, which means they are connected to each other.  By using the formula, you can calculate that there will be 6 lines of communication between these 4 computers.  This does not look intimidating now, but just increase this by 5, to 9 computers, and you have increased the lines of communication from 6 to 39!  A graph at Figure 1 shows how the increase in spokes can increase lines of communication almost geometrically.


We present this to make a point.  If you have 4 people in your office and they all have a computer, cell phone, and pad, then we are talking about 12 devices that are interacting not only with internal computers, but EVERYONE on the internet.  This can be overwhelming to anyone trying to protect these devices from intruders.

Let’s take a moment to differentiate intruders from hackers.  Hackers have a connotation of someone in a darkened room, their face illuminated from the computer screen, laughing (“bwa hahaha”) at having taken control of someone else’s computer.  However, hackers are not all bad.  In fact, inventors are hackers, trying to take known processes and improve those processes (Thomas Edison can be called a hacker, for instance).  Computer intruders, on the other hand, have that connotation of bad actors.  In the cybersecurity world, we consider bad actors “Black Hats.”  These intruders may steal for money, celebrity, or just plain because they wanted to intrude.  In any case, intruders are what I will call the Black Hats, since this is what they do – intrusion techniques for the purpose of achieving one of three things:  Deceive, Deny, or Destroy.  They want you to go somewhere other than where you want to go (on the internet); if they fail at that they will deny you access to the internet (called “Denial of Service” or DoS); or finally they will destroy your data and the machine along with it (by corrupting your hard drive or something similar).

So, let’s review.  You have individuals in law offices that make a living off of social contact with their client.  They bill for services that they do using their mobile devices and make calls and email to their clients.  All this data can be kept on their devices, which puts the data at risk of being stolen, or it can be placed in the “cloud” in order to secure the data.

The cloud is an interesting phenomenon.  The basic concept of the cloud is a place where you can store your data and, in case your machine is stolen, destroyed, or damaged, you can always access and download the data that you may have lost from the cloud.  I use the cloud to store some presentations and papers, but I would never trust it for personal data.  I back up my data on a separate drive that I keep in a secure area.

What does all this mean?  Legal offices can have data intrusions.  There, I said it.  In fact, if a law office insists that they have never had an intrusion, I would have a hard time believing that was true.  Even if the office has the BEST automated intrusion detection system, you can see for yourself that even with just 10 employees, you have over 45 lines of communication.  Any one of these lines can be trying to get information from any of these employees; and that does not include email communications which at any time can result in an incident that can lead to malicious software being installed on the employee’s computer.

So, what can be done to prevent these intrusions?   You can educate the users of the computers to protect their credentials (user id, password, pass phrase, etc.).  This is something that is somewhat useful, especially if you make the “training” (ranging from computer based training to in-class instruction) mandatory for every user.  Of course, written computer security policies (including “screen warnings” for users) are good to accentuate the education of those users.

I use the following two phrases in my cybersecurity classes:  Lock the Door, and Check the Stove.

Everyone walks away from their homes at one time or another thinking that they forgot to lock the door.  That may go unnoticed, but forgetting to turn off the stove can lead to a conflagration.  The same is true if you do not have a password, or you forgot to activate your anti-virus or (worse yet) clicked on that attachment that you THOUGHT was from a colleague about next week’s court case when it was in actuality malicious software.  So I thought I would make it simple:  Two things to do – Lock the Door and Check the Stove.

Lock the Door consists of the following:

  1. Ensure your password has strength. This does not mean that you put down your favorite golf course or sports team.  This means that you think of two words that have nothing to do with one another (like “beamframe”) and use special characters and numbers to make it more complex.  This helps negate dictionary password breakers and makes the intruder move on to a “softer target.”
  2. Use a laptop when you are getting a coffee at a local coffee spot or on an airplane? Get a polarized privacy screen (they cost around 30-40 dollars, which could be considered expensive,  but can you really put a cost on a data breach?).  In addition, sign up for a virtual private network (VPN) if you do not already get one from your office.  One free VPN is Hot Spot Shield, but there are many others out there, so research the topic and talk to your IT folks.
  3. Be aware of your surroundings. People can be listening to you at an airport or in the seat next to you in a waiting room.  Go outside or outside of ear shot when you are taking a phone call or even texting.
  4. Do you have your cell phone on the desk during an interview with a client? Put it in your desk drawer.  Trust me it is best to keep it in a closed container while you are interviewing the client.  Remember that most cell phones contain a microphone and a camera.  Why would you risk those becoming active?
  5. Remember that the probability of an intrusion is relatively high (in 2013 there was an estimate of 20 MILLION attacks PER DAY).  As much as you can prevent such a breach, the intruder just needs you to be complacent just once.  You have to be vigilant all the time.  Ensure that you keep the breach to a minimum by implementing good security practices as mentioned in 1, 2, and 3.
  6. Finally, get some training. An intro to cybersecurity for legal professionals is a good thing and can get some great traction once legal professionals understand the risk of their actions.  Remember that an ounce of prevention is better than millions in reputation cost.

This brings into view a new type of “hat” for cybersecurity.  A few months ago, I introduced “silver hat” to denote individuals over 60 that know cybersecurity and share those cybersecurity concepts with others.

Now I would like to introduce “Purple Hats” (currently pending trademark by the US Government). Purple was chosen since it is the color that is worn by those graduating with a law degree.  These individuals will be practicing law professionals (attorneys, paralegals, etc.) that understand cybersecurity principles and share those with others in their profession (and beyond).  By establishing a cohort of individuals that focus on cybersecurity and use those principles to guide their computer use, it is hoped that the number of breaches that are experienced by legal offices will diminish.

After all this, if you do not believe my take on this (after all, I am NOT a lawyer or legal professional), then maybe you will believe your OWN ABA journal.  According to an article in your journal, less than 17.1% of ALL legal offices have an incident response plan should there be a data breach.  Look at this in relation to the numbers above and tell me it does not give you a moment to think about the consequences of a data breach.  How many billable hours will it take to make up for the reputation costs of just ONE data breach?

More articles on this subject are forthcoming, but suffice it to say that litigation is something that is private and, as such, needs the user to be aware of the possibilities of intrusion at all junctures of computing use.  Just take a look at rule 1.6 in your ABA rules.  If this is not a time to pause and consider cybersecurity, then you may be increasing your risk of a data breach.  Your small prevention will help limit any legal intrusion.


Cyberbullying Information = Protection and Prevention


I think that the discussion about cyberbullying is undergoing a tremendous transformation.  The idea of cyberbullying was originally a campaign to identify the concept, but now it is almost solely focused on the prevention of bullying in any form.

I recently had a discussion with a group of middle school students about cyberbullying and they had some great questions about what it entailed.  They asked questions like: “Can I go to jail for cyberbullying?”  and “What is cyberbullying?”

I found through some research that there is an entire web site dedicated to the discovery and definition of cyberbullying.  The site does not use a secure connection (HTTPS), but it does not ask for any identifying information, so the information is still useful.  The site has so much information that it would be impossible for me to list everything here.  However, some of the main topics include state legislation that has been passed, or scheduled to be reviewed, in each state, which was a great way for me to answer the questions posed to me by these students.  The very nature of cyberbullying makes it a mandatory topic for discussion at school and at home.  I had to explain that calling a fellow student a jerk one time would not necessarily be cyberbullying, but to enlist others to jointly and consistently call this student a jerk (or comment on their looks, their clothing, etc.) would be considered a bullying incident according to their state law.  I recommended that they discuss this topic with a parent and/or trusted adult to ensure that they are not wandering into illegal activity.

I also went into other cybersecurity issues like not sharing passwords, passcodes, or user ids with other students or other people (other than your parents of course).  The idea of protecting the password helps to protect your information, which if in the wrong hands can cause a problem with identity protection causing possible identity theft.  It also leaves you open to cyberbullying since an individual can make it seem as if a message is coming from YOUR account when in actuality it is THEIR message but they have access to your account!

When asked about cyberbullying, I told the students that ANYONE can be a cyberbully.  You do not need to be stronger, bigger, or smarter, just start a campaign to put the other person down.  By showing the other person in a “low light” it makes the bully feel stronger.  Protecting your information and ensuring you are aware of what cyberbullying entails can help to prevent you becoming a victim.  I urged the students not to focus on the punishment, but to be aware of what they were doing online and stop any online action that could be taken as bullying.  I also gave them the web site.  In my opinion, that site is one of the best I have seen.

One thing I did not tell them — if you are being bullied, block or defriend these individuals.  No reaction from you means that their messages are meaningless.

Talk to your children (texting does not count).

Learn, Offer, Value, Educate (LOVE)

What If We Taught People to Drive Like We Teach People to Use A Computer?

I want you to teach a person to drive a car using the following outline:

  1. Teach them where the accelerator is and how to use that
  2. Teach them where the brake is and how to use that
  3. Teach them where the mirrors are and how to use them
  4. Teach them how to turn on the car, how to turn off the car
  5. How to fill the car with gas and where to put it
  6. Where the light switch is and how to turn it on and off
  7. Where the radio switch is and how to operate that
  8. How to read the speedometer

I am sure that I skipped some steps, but you get the drift.  What you want to teach the potential driver is the “buttonology” of the car.  You fail to tell them about the dangers of driving, the rules of the road, how to be courteous and otherwise how to have consideration for others.  What is the probability this “driver” will have an accident the first day they are driving?  I am a statistician and I would take odds on this one!

Let’s segue to computers.  That’s right, computers!

How do we teach computers today? We teach buttonology, how to associate functions with pressing of the buttons.  Want email?  Do this combination of buttons.  Get an app, or get on the internet?  Push this series of buttons.

There are no classes on the rules of the road, the ethics of using a computer or the dangers associated with using a computer.  If that were compared to driving a car, basically what you are saying is that we should all go out to our car and cut the brake lines and then drive the car.  We may make it to our location, but chances are we will crash and burn.  The same is said for operating a computer without the guidance necessary in the area of cybersecurity.

Cybersecurity.  The very name raises images of dark figures hiding in the shadows, plotting the overthrow of a computer network.  Yes, the black hatted individual that spends their days planning to attack a network for a variety of reasons, whether they be money, fame, or maybe rationalization that the attack will right a wrong.  Ah, cybersecurity.  It is meant for people who are the target of the attacker, not for normal people like you and me.

Hmmm.  Then maybe none of us need driver training but the people who operate commercial vehicles, or maybe we can all get pilots’ licenses, after all only commercial airline pilots are meant to REALLY learn about flying a plane!

Maybe this is a little bit of hyperbole, but I have talked to a number of people who believe that computer training is one thing, cybersecurity is another.  Ladies and gentlemen, that is like saying that there are five unrelated fingers on your hand!  Every finger works as part of the whole hand.  The same can be said about computer training and cybersecurity training.  Did you know that your brand new computer comes configured so that ANYONE can have access to that computer from the internet?  A simple configuration change can eliminate that threat.  Did you know that you can be tracked through your cell phone; or that people can access your microphone and video camera from your phone?  Many people realize they can, but fail to correct that situation.  Do you have a passcode on your phone?  Do you have a privacy screen on your phone?  All of this is part of keeping yourself safe while using a device whose buttons you already know.  Without good cybersecurity education, you are putting yourself at risk every time you get online.

The sad part of this whole situation is that our children are using devices at very young ages and do not understand the consequences of their use.  Would you put them in a car without education and let them drive to the store?  Of course not!  Why are we continuing to let our children learn functions without learning consideration of their actions?

I teach senior citizens cybersecurity and I wanted to get the word out so I contacted a local paper.  The editor responded that it sounded okay, but they just did an article on seniors learning computers and that it might take a while before something else was done on this subject.

Can you now see what I am discussing here in this article?  If we fail to protect ourselves, we are just placing more people “on the road” without seat-belts and brakes!  Worse than that, we are giving people the ability to get scammed because they “trust” the network they are on at any time.  We do not implement protections and thereby put our loved ones in harm’s way.  We do it inadvertently, but we do it nonetheless.

How can we start to turn around this spiraling of our computer users?  First, look toward the basic cybersecurity courses (there are plenty that are free).  Yes, there are classes in hacking, but there are plenty that show defensive measures to keep yourself safe while using your computer, cell phone, or other technology.  If we fail to keep pace with safety and security, we are contributing to the increasing cyber crime.  After all, what better way to encourage cyber criminals than to place someone on the computer network that does not understand the protections necessary to be secure and safe.  If that is the case, take your teenager and give them the car before they get their license and let them drive it wherever they want.

If that be the case, one more fact before I let you go on with your internet surfing.  There are approximately 3.6 BILLION internet users and there are “only” approximately 1 BILLION cars on the road.  From these numbers, which of the elements – computers or cars – present the most threat?  If I were a criminal, would I want to steal a car or steal a computer network (without you knowing)?  You decide.

That last part made you anxious – admit it.  Let’s all start to educate our users better and keep cyber crime at bay.  Otherwise, you need to get off the grid, because it is about to get ugly (or uglier)!


Learn, Offer, Value, Educate (LOVE)

“Silver Hats” founder

Using a Game Keypad for Passwords

I wanted to make a strong password without forgetting the password in the process.  I specifically needed something that would not “linger” on the computer where an intruder could find the passwords, and I did not want to have several passwords in the “cloud” under one key that could be broken and then all my passwords exposed (see my previous blog on Ali Baba).


The solution, it seemed, was in the same keypad used by gamers to compile “macros” that would save keystrokes for complicated games (e.g. pressing the CTRL key while holding down the SHIFT and DELETE keys to fire a weapon).  So, when looking for a solution, this looked like a good alternative.  I purchased a GENOVATION keypad from AMAZON, which cost me about 80 dollars at that time, but I noticed that they have gone up in price since that time.  I then plugged it into a computer that I do not put on the internet and programmed the macro generator with passwords that are sometimes 30 characters long with random letters, numbers, and special characters.  Then I go to the site, put in my userid and when I get to the text, I press the appropriate key and the password is inserted and I am into my account.

Because the hardware is not connected past the submission, the file is not placed on the computer I am using for the account.  I then unplug the hardware and put it aside for the next use.

Some disadvantages:

(1) I cannot carry the keyboard with me (it is about the size of a book) so it is not really portable.

(2) I can only use it from home, which actually suits me fine since I have no intention of going into my bank account from some hotel wi-fi.

An advantage I failed to mention was that this keypad can be adapted to an iPhone to put your passwords in at home.  Again, portability is an issue, but I am looking into other Genovation products that are smaller and that you could possibly carry with you.  The main concern is that the smaller the keypad is, the more likely that it may be stolen, which could be a problem if you have the keys plainly labeled with things like “bank” or “credit card.”  I am doing some more research on this and will share that as I go.

Thanks for reading and remember

Learn, Offer, Value, and Educate

Ali Baba and Cloud Security


By Maxfield Parrish – Arabian Nights, Public Domain

So, we are now in the cloud era, where our files are kept on secure servers around the world and we can sleep at night knowing that we can put all of our records in an area that we have never seen, do not know the location, and have NO idea the amount of security that is on those servers.  Wow, this certainly makes me more relaxed, how about you?

This reminds me of the story of Ali Baba and the 40 Thieves.  Although reputedly a part of the 1001 Arabian Nights, it has been challenged that it is not really part of the original stories of that very colorful legend, but nonetheless we will assume it to be for the purposes of this article.

The story goes something like this:  Ali Baba, a poor man, is cutting wood one day and he hears the beating of hooves.  Hiding in a nearby area, he spies a group of riders approach the side of a cliff and then hears what looks like the head of this band say “Open Sesame.”  At those words, the side of the cliff opens and the band enters with the leader saying “Close Sesame,” closing the wall behind him.  Now the story goes on in some detail of how Ali Baba uses the password to go into the cave and steal some treasure only to be found out and then employing an ally to ultimately defeat the thieves’ leader, but the main reason for re-telling this story is the “password of passwords.”

You see, the leader knew that the password had been compromised, but did nothing to change that password, instead trying to “seal the leaks” by disposing of the people who knew that password.  Once a password is compromised, the chances that it will be distributed are high.  What happens when a “password of passwords” is compromised, similar to one that many systems administrators have to do their daily jobs?  Pure chaos.

If I were a stranger and asked you for the key to your home, would you give it to me without gathering some information about my background, or my reputation?  Probably not, but yet we are willing to trust our sensitive data to others that we have not verified.  The cloud security is probably very good, but until that can be affirmed, placing sensitive information in that area is somewhat disconcerting.  After all, all a “black hat” would have to do is to get ONE password or set of credentials that would allow access to all records and then there would be chaos.

So, what is the solution to this for the household computer use?  Get an external drive and software to back up your computer and use THAT to store your important files.  As for the rest of the industries that are using cloud security, such as the health information and bank information industries, it is vital that THEY inform the consumer of their security posture (leaving out the details so that intruders do not gain access).  In the meantime, continue to make your passwords strong by making them longer and more complex.  Don’t know how?  There are many references on passwords, including a children’s book on the subject by yours truly called “Granpappy Turtle Talks About Passwords.”

Learn, Offer, Value, and Educate


Grace HOOPER?! It’s Grace HOPPER! Get it right!!

Well, I have seen some disrespectful news, but I just saw a “ticker” from a major news network (I will not say the name, but the three initials start with “N”), that said a new Center for Cybersecurity was going to be inaugurated at the Naval Academy in Maryland under the name of Grace HOOPER.  The problem is that the name of this giant of computing is Grace HOPPER.  She went from enlisted to “star” officer in the Navy and was responsible for actually making the COBOL computer language (look it up — big stuff here!).

I was so angry when I saw this misspelling of this great lady’s name.  In a world that is priding itself on possibly electing the first woman President, it forgets that there are women that have paved the way for the women now to make an even larger impact on the world.  The sad thing about the injustice that this news agency did to this very important and famous woman is that they forget that there is a SHIP NAMED AFTER HER (specifically a guided missile destroyer)!  That’s right, a US Navy ship bears her last name.  Heaven forbid that we should get it right on some news ticker!

It is astounding to me that there is someone not checking these tickers to make sure that they get this name correct.  Computer scientists and computer enthusiasts should be offended at this, but to tell the truth I do not know how many of them know that Grace Hopper was so important in their career field.  I am hoping I am wrong and plenty of computing enthusiasts will say they knew who she was.  If not, it is time everyone knew!

There are others that people forget.  For instance, who was the first one to popularize a “pie chart?”  You read this right — who was the first person to make the pie chart popular?

Give up? (Or did you look it up to make sure you got it right?)

It is Florence Nightingale, the nurse who took data and visualized it so that she could get soap for the operating and diagnostic area of the hospital where she worked.

Let’s get this stuff correct, folks.  I have no idea who Grace HOOPER is, but Grace HOPPER is a great pioneer in computers and deserves at least a second look at the spelling of her name.

Learn, Offer, Value, Educate


Happy Cybersecurity Month! Hug a Silver Hat!

Did you know that it is cybersecurity month?  I know it does not get the publicity that other “special months” or “special days” do but it is no less important.  Cyber affects every person in the US and the World.  Did you know that there are over 3.4 BILLION people on-line in the world? Or that the continent of Africa has increased their online presence by 8000%?  Cyber currently has reign over our health care, our infrastructure (that’s right – electrical grid, water purification, even our entertainment), and our daily commute.  It is a shame that we only have one month devoted to this very important part of our lives, and even that month is barely mentioned!

So, what are you all doing to celebrate this month?  Are you making any travel plans, or maybe taking a day off of work?   Well, here are some suggestions to help commemorate this important aspect of our daily living:

  • Change your passwords – now!

There have been so many breaches that it does not harm you to change your passwords on the accounts that could disrupt your lives, like your online bank accounts, online insurance accounts, online health care accounts, Social Security online accounts, and any other accounts that you need to use.  Do you have one master password that controls all these accounts?  Then you should be changing this at least once a month, if not more.  People ask me what a good password contains and I have done research on this (as well as written one of the first children’s books on this subject – GRANPAPPY TURTLE TALKS ABOUT PASSWORDS – sorry about the shameless plug) and can tell you that some of the best passwords are long, complex, and memorable.  But the bottom line is to remember this:  LONGER IS STRONGER.  Make your passwords long using random words (like BOIL and FRAME), along with some numbers and special characters and voila you have a pretty strong password.
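To put numbers on LONGER IS STRONGER, here is an added Python example (not part of the original post) that builds a password from random words, digits and special characters as described above, and estimates its strength in bits next to a 30-character fully random password like the ones stored on the game keypad. The word list, the set of special characters and all function names are assumptions made for illustration; 7,776 is the size of a five-dice "diceware" word list.

```python
import math
import secrets
import string

# Constructed sample list for the demo; a real list should hold thousands of words.
SAMPLE_WORDS = ["boil", "frame", "beam", "lantern", "pebble", "harbor",
                "velvet", "cactus", "ribbon", "granite", "otter", "meadow",
                "copper", "thimble", "walnut", "comet"]
SPECIALS = "!@#$%^&*"  # assumed set of 8 special characters
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def make_password(n_words=2, n_digits=2, n_specials=1, words=SAMPLE_WORDS):
    """Random words, then digits, then specials, all drawn from the OS CSPRNG."""
    parts = [secrets.choice(words) for _ in range(n_words)]
    parts += [secrets.choice(string.digits) for _ in range(n_digits)]
    parts += [secrets.choice(SPECIALS) for _ in range(n_specials)]
    return "".join(parts)


def scheme_bits(n_words, n_digits, n_specials, wordlist_size,
                special_set_size=len(SPECIALS)):
    """Strength in bits, assuming the guesser knows the scheme and the word
    list but not the random picks. This is an upper bound: words chosen by a
    person instead of at random are worth far less."""
    return (n_words * math.log2(wordlist_size)
            + n_digits * math.log2(10)
            + n_specials * math.log2(special_set_size))


def random_bits(length, alphabet_size=len(PRINTABLE)):
    """Strength in bits of a password of independent random characters."""
    return length * math.log2(alphabet_size)


def compare():
    """Bits of strength for a few schemes, rounded to one decimal place."""
    return {
        "2 words + 2 digits + 1 special (7,776-word list)":
            round(scheme_bits(2, 2, 1, 7776), 1),
        "4 words + 2 digits + 1 special (7,776-word list)":
            round(scheme_bits(4, 2, 1, 7776), 1),
        "6 words + 2 digits + 1 special (7,776-word list)":
            round(scheme_bits(6, 2, 1, 7776), 1),
        "12 random printable characters": round(random_bits(12), 1),
        "30 random printable characters": round(random_bits(30), 1),
    }


if __name__ == "__main__":
    print("sample:", make_password(n_words=4))
    for label, bits in compare().items():
        print(f"{bits:6.1f} bits  {label}")
```

Every added bit doubles the number of guesses needed, so each extra random word multiplies the work by the size of the word list.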

  • Check your router

Does that sound strange?  Everyone that has access to the internet has a router (you know that box that the cable company or phone company rents to you?).  This router has a default setting for both the USERID and password (especially for those that you buy yourself).  It is usually on the bottom of the router or on a plastic card that can be removed from the case of the router and the USERID is normally ADMIN with the password being 12345 or PASSWORD or (Heavens!) NO PASSWORD!  Change this password and USERID whenever you can, but do so as soon as possible.  Make it a strong password (see above).

  • Know your surroundings!

This is probably the most important suggestion.  When I was in the military I was walking down a hallway and there was a person coming the other way with his head down – he almost ran into me.

“Be careful there,” I warned.

“Oops, sorry about that,” the other service member said, “I know where I have been, and I know where I am going, I just want to know where I am.”

Although somewhat funny, this story has real value today.  We used to walk with our “head in the clouds.”  Now we walk with our “hands on our phones.”  We are oblivious to our surroundings or who is in front or behind us.  We need to lift our heads and become more aware.  In addition, get a “privacy screen” for your laptop and your phone.  These are usually less than 50 dollars for a laptop and prevent people from “shoulder surfing” to get information.  Also, get a virtual private network (VPN) for use on your phone and your laptop or other device when you are out of your home and using local WI-FI.  These WI-FI connections are NOT secure and so present a real threat to those who use them.  I am waiting for someone to get hacked at one of these public sites and litigating because they were not secure.  But that is another story for another day.

Let’s review.

First, change your passwords.  Make them strong and one that you can remember (it can be done).

Second, check your routers at home to ensure they are secure.

Third, ensure you know where you are and what you are doing.

And TRY to enjoy the month.  There are tons of articles out there that research everything from cell phone vulnerabilities to making strong passwords.  Don’t like to read?  Plenty of YouTube videos for you to review.  Want a place to start?  See my SIX MINUTES FOR SILVERHATS series on my YouTube Channel – GRECTECH (the one with the black and gray logo).  If you have any suggestions, please contact me through my web site.  Happy computing!

Learn, Offer, Value, Educate