An Often Overlooked Risk Management Tip – Read Your Policy

I have an easy and surprisingly somewhat overlooked risk management tip for you. Read your policy. When was the last time you read yours?

I’m always a little bit surprised, when I speak to prospects and clients alike, by how many of them tell me they never or very rarely read their policy. Look, I know that we are all busy because our reading stack is very high. And after going through the application and quoting, no one is thinking about finishing the process by reading the policy.

Reading your policy is essential to the process and should supplement any risk management technique you utilize in your offices. The policy tells you who’s insured, what’s insured, what you’re supposed to do when and if you do get sued, your coverage limits, your deductible, and how much it actually costs. These are just to name a few.

The policy is also going to tell you what’s not covered, referred to as exclusions in the policy. And perhaps this is even more important than knowing what is covered.

So, don’t ignore my comments and do nothing. Take a moment and read it. You don’t need to become an expert in legal malpractice insurance. Just an informed consumer. A little knowledge in this matter will go a long way in your risk management efforts to avoid legal malpractice.

Why Do You Need a Dual Calendaring System?

The importance of dual calendaring.

According to the most recent ABA studies, calendaring errors continue to be a common source of malpractice claims against law firms. One of the ways to reduce calendaring errors is to make sure that your firm or office has a dual calendaring system in place.

Dual calendars can include calendars on your computer, laptop, desktop, or other electronic devices, as well as paper calendars, wall calendars, desk calendars, diaries, and phones; there’s a slew of them. My point is that there are several ways to implement a dual calendar system, and you should choose the one that works best for you and your firm.

The risk management benefit of having a dual program in place is the backup benefit. If a calendar entry is missed on one system, it should be picked up by the other system. Hence the chance of a missed deadline by the office is reduced with a dual calendar system. Consistency in entering the information, weekly cross-checking of the system, and having two people maintain the system are key elements of a successful program.

So if you want to reduce your risk of a legal malpractice claim, and lower your malpractice insurance premiums, make sure you have a dual calendaring system in place. 

‘Tis the Season for Cyber Security

As the holiday season draws near, so do cyber criminals.  With more and more people shopping online, the number of potential cyber breach victims increases every day.  In fact, Adobe is predicting that Black Friday 2017 will see the highest sales ever on record.

So, without completely withdrawing from the online world, how can you protect yourself and your business online?  Try applying the following tips:

Make sure that you are on the website that you think that you are on

One of the most common ways to scam your username and password or credit card information from you is to send you to a fake website that looks very similar to the website that you are expecting.  An example of this is paypal.com versus paypa1.com.  Note that the only difference is the last character of the name: the first ends in the letter “L” and the second ends in the number “1”.

To get you to these fake sites, scammers will send you an email that directs you there with a bogus link.  One way to see where the link is taking you is to hover over it with your mouse.  The website address will pop up.  If the link is bad, block the email sender and move the email to your “SPAM” folder to prevent receiving emails from that person in the future.

One way to confirm that you are visiting the website that you want is for you to type the website into the address bar.  This way, you know that you are not following any false links and you arrive at the correct website.

Don’t fall for holiday phishing schemes

On Black Friday 2017, retailers sent over 3 BILLION emails to consumers, advertising their best deals and sales.  This day was also filled with scammers sending out tons of emails, pretending to be a retailer.  They were taking advantage of the fact that consumers were expecting to receive these emails and may not have questioned them as much.  This is known as phishing and its main purpose is to collect as much personal information about you as possible.

Commonly, phishing emails will try to direct you to a login page or a payment page.  They want to get your information as quickly as possible without you questioning the validity of the site.

A few ways to identify phishing schemes:

  • The “From” field display name is a store or bank.  However, when you click into it to reveal the full email address, it’s an address not related to that entity.
  • The email has graphics that look “off” or “fuzzy”.  Sometimes, to make the fake email look more legitimate, a scammer will copy the graphics of a store or bank from its website, and those graphics are not high resolution.  As a result, when they are placed into an email, they look wrong.
  • When you hover over the link that the email wants you to visit, it is not pointing to the website that it claims to be sending you to.
  • Check for spelling mistakes and bad grammar.  Legitimate companies are sticklers when it comes to spelling and grammar.  If the email sounds poorly written, there is a good chance that the email is not legitimate.
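
The sender and link checks from the list above, together with the paypal.com versus paypa1.com comparison from the previous section, can be automated. This is an added example, not part of the original post; the sample message, the `TRUSTED` table and the digit-swap map are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email). All names and domains are made
# up except the paypal.com / paypa1.com pair quoted in the article.
SAMPLE_EMAIL = """\
From: "PayPal Holiday Deals" <offers@mail-deals.example>
To: shopper@example.org
Subject: Black Friday savings
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Sign in to claim your offer:</p>
<a href="http://paypa1.com/signin">https://www.paypal.com/signin</a>
<a href="https://www.paypal.com/help">Help center</a>
</body></html>
"""

# Assumption: you keep a table of brands and the domains they really use.
TRUSTED = {"paypal": {"paypal.com"}}

# Assumption: a small map of digits commonly swapped in for look-alike letters.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def base_domain(host):
    """Naive registrable domain: the last two labels (fine for .com-style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_lookalike(domain):
    """True if an untrusted domain becomes a trusted one once digit swaps are undone."""
    all_trusted = set().union(*TRUSTED.values())
    return domain not in all_trusted and domain.translate(LOOKALIKES) in all_trusted


def triage(raw):
    """Return a list of human-readable warnings for one raw email."""
    msg = message_from_string(raw)
    findings = []

    # Check 1: "From" display name claims a brand the sending domain does not match.
    display, addr = parseaddr(msg["From"])
    sender = base_domain(addr.rpartition("@")[2])
    for brand, domains in TRUSTED.items():
        if brand in display.lower() and sender not in domains:
            findings.append(f"display name mentions {brand!r} but sender domain is {sender}")

    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        target = base_domain(urlparse(href).hostname or "")
        # Check 2: link goes to a look-alike of a trusted domain (paypa1.com).
        if is_lookalike(target):
            findings.append(f"link target {target} imitates a trusted domain")
        # Check 3: the visible link text names one site, the href points to another.
        shown = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and base_domain(shown.group(1)) != target:
            findings.append(f"link text shows {base_domain(shown.group(1))} but points to {target}")
    return findings


if __name__ == "__main__":
    for warning in triage(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

The digit-swap map only covers a handful of substitutions, so treat a clean result as "nothing obvious found" rather than proof that a message is genuine.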

Check for an SSL certificate upon checkout

When you check out online, you want to make sure that the site is using an SSL certificate.  You should see that the web address in the address bar starts with “https://”.  Normally, there will be a lock image next to the address or the whole bar will turn green.

An SSL certificate is important any time that you are entering financial information or passwords.  It encrypts that information and keeps it private from anyone that may be watching your transaction.  Keep in mind that the lock only tells you the connection is encrypted, not that the site is the one you meant to visit, so still check the address as described above.

Create a strong password (and don’t use the same one) for your customer (and business) accounts

Your customer accounts for stores and banks should be protected by a strong password.  The company can have the best security measures and encryption in place, but if your account has an easily guessed password, none of that matters.

A strong password is 12 characters or more and contains at least one of each of the following:

  • Uppercase letter
  • Lowercase letter
  • Number
  • Symbol

You also do not want to use the same password for all of your accounts.  This is because if one of the accounts is hacked, the hacker now has the login information for all of your other accounts and they WILL check this immediately.

The average American has over 60 online accounts that they have to remember, so look into a good password manager to help you maintain the information.  Not only will the password manager help you remember all of your login information, but it will help you create secure passwords.

Some highly rated password managers include KeePass, Dashlane and LastPass.  Check out this article from PCMag for more information on the top password managers of 2017: https://www.pcmag.com/article2/0,2817,2407168,00.asp

BONUS: Turn on two factor authentication where possible

Two factor authentication (TFA) is becoming more prevalent as hackers become more savvy and have access to greater computing power.  TFA uses not only your username/password, but one other means of verification before you have access to your account.

This is now commonly available with banking and credit card websites.  When you turn this on, after you sign in with your username and password, they will ask if you want to receive a text or email for secondary verification of the account.  Once you make your selection, they will send a one-time only code to the phone number or email associated with that account, which you then have to enter to gain access.

This is helpful because even if someone had your password, they would still need access to your email or phone to be able to access your account.  If TFA is available to you, INF recommends turning it on to better protect yourself.

Have a safe and secure holiday season from INF!

Smart Risk Management for Law Firms: Be Prepared – not just for boy scouts anymore

I don’t know any attorneys that want to get sued by their client.  However, not all law firms are taking the proper steps to prevent this situation from happening.  In order to protect both your firm AND your client, you should employ multiple risk management techniques.

What is risk management?

Risk management is a set of policies and procedures that a law firm should have in place to reduce or eliminate risk issues.  Not only will you be protecting yourself and your clients, but you should receive a credit from your lawyers professional liability insurance carrier for employing these techniques.

How should risk management be taught?

Frequently, firms hold seminars for their employees to review office procedures and information specific to the firm.  Outside training can also be implemented in the form of webinars or guest speakers.

Your staff may interact with your clients as much or more than you do.  Don’t forget to train everyone!  According to the latest Verizon security report, 51% of data breaches are caused by the people within a company.  Make sure that they are familiar with your policies and procedures that you have in place.

Important risk management policies for law firms #1 – Take the right cases

A common cause of malpractice is taking a case that your law firm is not qualified for or does not have the resources to handle.  You have to look past the dollar signs of a case and ask yourself, “Is this the best case for me and the firm?”  Create a policy that helps you walk through the details of a case to ensure that you are well-versed in the area of law it concerns as well as having the resources that it may require.

Important risk management policies for law firms #2 – Dealing with Departing Attorneys

If an attorney is departing your firm, make sure that an exit interview is conducted and that the proper steps are taken to remove them from your firm.  Make sure that you are aware of all cases that he/she was working on and any open issues.  Create a policy that outlines the following:

  • What are the important questions to ask in the exit interview for my firm?
  • Who should be assigned any work that is not completed?
  • What materials can the departing attorney take if they are allowed to take clients with them?
  • How can they be removed from your letterhead?
  • How can their access to your computer system be eliminated?
  • How does your firm contact your professional liability insurance carrier to let them know the date of attorney departure?

 

Important risk management policies for law firms #3 – Hiring a New Attorney

When you hire a new attorney, make sure that they go through your complete hiring process.  Make sure that they are everything that they claim to be.  Create a policy that outlines the following:

  • Ensure the new attorney is proficient in your firm’s areas of practice.
  • Why are they leaving their current firm? Was there a performance issue, were they a product of downsizing or are they looking for more opportunity?
  • Complete a conflict of interest check with the new attorney and all of the firm’s existing clients. The last thing that you want to do is to bring on a new lawyer and find out a few months later that they have a conflict with one of your biggest clients!
  • Make sure that they are comfortable with your firm’s risk management procedures.

 

Important risk management policies for law firms #4 – Dealing with Unhappy Clients

Clients are the lifeblood of any business.  An unhappy client can leave bad reviews online, refuse to pay their bill, sue you for malpractice and do many other things that can negatively impact your business.

One telltale sign that a client is unhappy is if they ask for a complete copy of their file after services have been rendered.  Another is if they tell you that they are unhappy with you or with the result of their case.

If you notice signs that your client seems to be dissatisfied, sit down and have a conversation with them to try to resolve the issue.  Sometimes, it is just a matter of explaining a legal process that they may not be familiar with.  Once they know why you chose to handle a situation in a certain way, it tends to alleviate their fears.

A common source of client dissatisfaction is lack of communication from the attorney to the client.  This can be solved by the attorney and the client setting up a communication timetable and sticking with it.  If you, as the attorney, cannot meet the timetable during the representation, have your assistant or paralegal contact the client with an update.

Another source of client unhappiness may stem from billing issues.  You are much better off billing frequently instead of sending one large bill at the end of a case.  Smaller bills with detail help explain to the client what you did and act as an update to the case.  If you wait and send one “final bill”, a client may forget how much work you performed and feel the bill is unreasonable.  Additionally, sending incremental invoices will help you get paid quicker.

Important risk management policies for law firms #5 – Docket Systems are CRITICAL

If you look at claims that arise against lawyers, one of the most common alleged mistakes is a blown statute.  This results from your calendaring system not being used on a regular basis or not being used correctly.  Generally, LPL insurance carriers require that a firm have at least two docket systems with one of them being computerized.  This system should be backed up on a daily basis.  Create a policy for your firm that details what type of docket systems your firm will use, how often they should be updated, how often they should be backed up, and who in the firm is responsible for maintaining the systems.

For more information on risk management or help creating/implementing these policies and procedures in your law firm, contact Donald Ivol at INtegrity First Corporation today!

Keeping Your Information Safe In the Digital Age – Part 3

With the onslaught of data breaches that happened in 2015 (about 65,000 according to the Verizon Data Breach Investigations Report), INF presents this multi-part blog series about keeping your data safe in the digital age.

Accessing Your Password Database on Different Devices

The last blog post of this series covered setting up a password database in KeePass and accessing it on your personal computer.  This blog post will cover accessing your passwords on multiple devices.

Storing your Password Database in an Accessible Place

If you only want access to your passwords on your laptop or desktop, storing the database file (*.kdbx file) locally is fine.  However, if you want to be able to retrieve your passwords from your phone, tablet, etc., the file needs to be stored in a cloud.  If you already have a cloud account, you can store it there.  If you do not have a cloud account and you won’t be using it for large files, Dropbox is a great free option to consider (https://www.dropbox.com/).  It takes about 3 minutes to sign up and you get 2GB of space for free.  Your *.kdbx file won’t even use 1% of that amount.

Once you have your Cloud account set up, move your password database file to the cloud.  This benefits you in multiple ways.  First of all, you can access your passwords from all of your devices.  Secondly, your password database will now be backed up on a regular basis.  In fact, Dropbox keeps all deleted and updated versions of your files from the last thirty days.  So, if you accidentally delete your file from anywhere, you can restore it from dropbox.com.

Retrieving Passwords on your iPhone or iPad

If you want to access passwords on your iPhone, you need to download the app for the cloud that you are using onto your device. In the case of Dropbox, you will download the Dropbox app from the app store and use your account information to sign in.  You will then need to download the app “MiniKeePass”.

To load your password database into MiniKeePass, open the Dropbox app (or your Cloud app) and click on your *.kdbx file.  The cloud app will not be able to show a preview of the file, which is expected.  Click on the icon of the square with an arrow pointing up, which should give you a menu with multiple options.  Click the “Open in…” option and select “Copy to MiniKeePass”.  This has now stored a copy of the password database in your MiniKeePass app.  This is important to note as it is just a copy.  If you make changes to the file on another device, you will have to go through the process of loading your password database again.

The actions above will open MiniKeePass and display the database file. To open it, click on the filename.  The app will ask for the database password.  Enter your password and your database will display.  You can browse by folder or you can use the “Search” box.  To use the passwords, click on an entry and click on the username or password.  This copies that text to the clipboard.  You can then paste it wherever you would like.

Retrieving Passwords on your Android 

If you want to access passwords on your Android, you need to download the app for the cloud that you are using. In the case of Dropbox, you will download the Dropbox app from the app store and use your account information to sign in.  You will then need to download the app KeePass2Android from the app store.  Launch the newly downloaded app and click the “Open File” button.  You can browse to your password database file in your cloud and open it with your password.  You will then be able to search for the password that you want and copy/paste it into any location.

Retrieving Passwords on your Chromebook

If you are using a Chromebook, there is a strong possibility that the cloud that you are utilizing is Google Drive.  Place your *.kdbx file in your Google Drive cloud and install the KeePass Chrome app.  Open your new app and select “Open File”.  Browse to your KeePass Database and enter the password.  KeePass Chrome will open the file and you can use the passwords as needed.

Should you use free Wifi…the answer is resoundingly “No!”

It all starts out innocently enough.  You decide to stop into your favorite coffee place.  You order a drink, sit down, and pull out your laptop or other mobile device.  You don’t want to use your precious data from your wireless plan, so you think “No worries, they offer free wifi here.”  You connect to the free wifi and start browsing.  You check your email, your bank account and then online shop while you finish your drink.  A perfectly innocuous afternoon…or so you thought.  Little did you know that the person sitting across from you, seemingly having a day similar to yours, was capturing all of your online movements and information.  They were then able to check your email, access your bank account and shop online using your PayPal and Amazon accounts.

They were able to gather all of your information using a fairly simple program called a packet sniffer (or packet analyzer).  These programs are easy to install and use, but best of all, some of them are free, or so a hacker would say.  Because it is so simple, this exploit is used all of the time with free wifi.

When you go online using a wireless connection, you communicate via packets with the router.  Packets contain all of the information for the web page that you are using, including any text that you may type, such as your credit card information or passwords.  One web page can consist of multiple packets.  A packet sniffer can connect to the same wireless network and collect copies of these packets.  It then will put the packets together like you would piece together a puzzle.  Once the sniffer has put the pieces back together, the person implementing the sniffer has the information of everyone on the network for the entire time that they were there.

The reason that packet sniffers work with free wifi is because there is no encryption algorithm in place.  If the wireless router employs an encryption technique, the packets become encrypted, and thus, unreadable to the sniffer.  They can still collect your packets, but they can’t do anything with them.  It would be like someone having a puzzle where none of the pieces fit together.  With encryption, the router knows how to decrypt your packets, but no one else can.

If you are required to enter a password for the wireless network, that normally means that it is encrypted.  However, if the password is known to everyone, then the packet sniffer knows as well, and you are back where you started.  Therefore, you want to connect to a network that has a protected key.

Before connecting to a network, look to see the encryption type.  You want to make sure that it is WPA2.  Two types of networks that you want to stay away from are WPA and WEP.  These are easily hacked and thus, should never be used.  If you are on a Windows machine, to see the encryption type, click on the wireless indicator and select your network.  The encryption type will be displayed under “Security Type”.

But wait, I still want to be able to use free wifi…is that even possible?

It is possible to save your data plan and still make use of the free wifi when you employ a virtual private network, or a VPN.  When you use a VPN, it encrypts the packets for you only, thus making your packet puzzle impossible for a packet sniffer to solve.  Using a VPN is easy, as you just sign up for a VPN account with one of the many VPN providers.  The cost is normally less than $50 per year.

You can use your VPN account with all of your devices.  Generally, tablets come with the functionality for a VPN connection built into the settings.  You will need to consult the VPN service that you signed up with for specifics.  If you want to use the VPN on a laptop or desktop, you will generally need to download an executable program from the VPN service and install it.  Then, every time you want to connect to a free wifi network, you will launch the VPN program first, sign in, and then feel free to safely browse the internet in obscurity.

I don’t want to sign up for a VPN and I don’t mind using my data.

If you don’t mind using your data in your phone plan, then connecting to your phone or tablet’s personal hotspot is the most secure option.  Simply turn on your hotspot and connect your device.  You may be using your data plan, but you can do so knowing that your data is safe.

June Attorney Pro Risk Tip of the Month

Be careful online.

Unfair or not, lawyers have to be more careful than the average person when posting online. Don’t be casual. Don’t post anything about a specific legal matter or client. Include disclaimers. Remember that the Model Rules of Professional Conduct apply to your actions online.

Tip courtesy of  www.attorneyprotective.com

Keeping Your Information Safe In the Digital Age – Part 2

With the onslaught of data breaches that happened in 2015 (about 65,000 according to the Verizon Data Breach Investigations Report), INF presents this multi-part blog series about keeping your data safe in the digital age.

Password Management Programs

As promised in Part 1 of this series, this blog entry will cover setting up and using a password management program.  There are many good password management programs available, such as LastPass, KeePass and 1Password, and the cost of the program varies anywhere from free to around $100.  If you are like most users, you need a password management program to:

  • Create unique, strong passwords for all accounts, new and old
  • Be an easily searchable repository for all passwords
  • Remind you when to change your password
  • Keep track of the security question answers that you created

Fortunately, there are multiple free programs that fit the above criteria.  KeePass does all of the above and more.  It is free and open source, which means that there is no chance of a security issue, because there are thousands of developers that have reviewed the code.  In this article, we will cover the installation, setup and a few highlights of this program.

How to Set Up KeePass 

To download the latest version of KeePass, go to: http://keepass.info/download.html.  We recommend downloading the most recent version of the “Professional Edition”.  The download link will take you to Sourceforge, which is where the download is stored.  Save the setup file and then run it.  Select your language and accept the agreement.  Most people allow the program to be installed on the C drive.  Install the program, keep “Launch KeePass” checked and click “Finish”.

KeePass will launch, as shown below:

Image1KeePassBlank

The first thing to be done is to create a new database file that will store all of your passwords.  Go to File > New.  This will bring up a dialog box, asking you the location to save your password file.  We recommend saving it in a cloud, such as Dropbox or Microsoft OneDrive.  This way, you will be able to access your database from any device that has access to your cloud account.  Take note, the file extension will be “.kdbx”.  Name your file, then click “Save”.

This will bring up the dialog box to create the master key:

Image2MasterPassword

The master key is simply the password that you need to open the database file.  This will be the only password that you need to remember from now on, so you need to make it secure.  See Part 1 of this blog series for tips on creating a secure password.  Enter your master password twice and click “OK”.

This brings up the next dialog box, which specifies the settings for the password database:

Image3DatabaseSettings

The default settings are adequate, so no need to change them.  Press “OK” and you are done with the setup.  KeePass will be opened to your new database.

Image4EntriesInKeePass

Creating a New Entry in KeePass

To create an entry in KeePass, click the “Add Entry” button (the yellow key) or press Ctrl + I.  The “Add New Entry” dialog box will appear:

Image5AddEntry

The title field should be a description of the username and password that you are going to enter, such as “Susan’s PNC Bank Account” or “Andrew’s Chase Visa Credit Card”.  The username field should be your username, which is normally an email address.  By default, KeePass provides a 20-character alphanumeric password.  To display this password, click on the button with three dots to the right of the password field.  If you would like to change the character set or length, click on the “Generate a Password” button (it looks like a key with an orange burst) and select “Open Password Generator”.

This will open the Password Generator window:

Image6PasswordGenerator

Select the character set checkboxes that you would like the password generator to use.  You can also change the length of the password.  Once you have the settings to your liking, select “OK”.  The password will now use the settings that you selected.

The other option is to enter your own password.  You can delete the one that is generated and enter your own.  Fill in the URL field with the web address of the sign-in page that corresponds to the username and password.  You may choose to put in an expiration date for the password as well as set a reminder alarm.  Finally, if you have any notes that go with this entry, such as a security question/answer combo, you can enter it in the “Notes” section.  Once the password entry is to your liking, select “OK”.  You will now see your entry in the main right-hand window pane.

Image7TestEntries

To edit the entry, double-click on the title and the “Edit Entry” dialog box will pop up:

Image8EditEntry

Make any necessary changes and press “OK”.  To save your database, click on the “Save” button, which looks like a blue disk.  You will want to create an entry for every password that you have.

To help you organize your passwords, KeePass provides categories on the left-hand side of the main window.  Simply drag and drop your entries into the categories that they belong to.  You can also add categories, if the existing ones do not fit your needs.

Image9LefthandWindow

Using your KeePass Database

Now that you have populated your database, the next step is using it!  To open your browser to the sign in page of an entry, double-click on the “URL” field in the right-hand window pane or highlight the entry that you want to use and press Ctrl+U.

Image10URL

Your browser window should automatically open to the sign-in page corresponding to that username and password.  If the page has both the username and password fields on it, put your cursor in the username field and then go back to KeePass.  Make sure that entry is highlighted and press Ctrl+V.  This will automatically fill in the username and password in the browser.

Alternatively, if you want to enter the username and password yourself or if they are on separate pages, you may do the following:

  • Double click on the “URL” field in KeePass to open a browser to the sign-in page
  • Go back to KeePass and double click on the “Username”
  • Go back to the browser, put your cursor in the “Username” field and press Ctrl+V to paste the username
  • Go back to KeePass and double click on the “Password” field
  • Go back to the browser, put your cursor in the “Password” field and press Ctrl+V to paste the password

Please keep in mind that KeePass only keeps the fields copied for 12 seconds, so you must do the steps above fairly quickly.

Part 3 of this series will cover accessing your password database on different devices.