Most attorneys read emails, review documents, and access case information from their phones on a daily basis. Mobile browsers have become an extension of the firm’s network. They are fast. They are easy to use. But they are also collecting more data than most firms realize.
A recent study examined the data collection practices of major mobile browsers and found significant variations in the data collection and tracking processes. Some mobile browsers collect substantial identifiers associated with users and devices, while others collect minimal identifiers for basic functionality. This is of significant concern for a law firm dealing with confidential information.
How mobile browsers handle user data
Mobile browsers collect user data in a variety of ways.
First, mobile browsers collect technical data necessary for their functioning. This includes IP address, device type, operating system, language settings, and activity within the mobile browser.
Some of this data is necessary for proper functioning.
Second, mobile browsers collect user data in the form of analytics. This includes search history, website URLs, user interactions, crashes, and in some cases, user IDs connected to advertising systems.
This data could potentially be connected to a user profile.
Third, mobile browsers collect user data in the form of cookies and tracking. Even when the browser itself does not collect user data, cookies and tracking scripts from websites may still collect it.
On mobile devices, user IDs are often connected to advertising IDs.
This means a lawyer researching a case, viewing a client portal, or reviewing documents through a website could potentially leave a trail of user data.
This could include search history, time stamps, location indicators, and device IDs.
While this does not mean that client documents are automatically exposed, it does mean that behavioral data exists and may be stored by browser vendors or related services.
The risk to a local law firm
Browser usage should not be taken lightly. A browser that tracks identifiers and usage patterns amplifies the digital trail of attorneys' activity, such as logging into case management tools and accessing legal filings and client information. There are several potential consequences.
In the case of a compromised device, saved session information and cookies offer a potential entry point to the firm’s systems. If advertising identifiers are tied to browser usage patterns, legal research topics will be part of a larger data profile. If the browser’s syncing features store history and login information in personal accounts, firm data will leave the controlled environment.
There is also the issue of compliance. Law firms are governed by ethical requirements of confidentiality and, in California, by regulations on the handling of consumer data. A breach could start with a mobile device that has inadequate security or a browser configuration that has inadequate controls.
Many managing partners will assume the risk with mobile devices is related to email. But the browser is the primary entry point to cloud services such as Microsoft 365, document management systems, and billing systems. If the browser has too much information, it could be a problem. If it doesn’t have enough information, it could be a problem.
The solution: control, configuration, and policy
Obviously, you can’t ban mobile browsing, but you can manage it thoughtfully.
Start with the choice of browser. Some browsers are more private in their default settings and collect less data. Spoiler: Edge and Chrome are some of the larger collectors. Review independent research on privacy and vendor documentation before selecting a browser to deploy across the enterprise.
Consider the configuration. Disable unneeded sync options. Restrict password storage to approved password managers. Disable advertising IDs on firm-managed devices. Mandate multi-factor authentication for all web-based systems.
Assess your mobile device management. Firm-managed devices and bring-your-own devices should be enrolled in a mobile device management system. This system should have the ability to enforce encryption, screen lock requirements, remote wipe capabilities, and application controls. Browser updates should be enabled to reduce vulnerability.
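An added example, not part of the original article or any vendor's tooling: one way to check a device inventory export against the configuration and device-management controls above. The field names, the 30-day update window, and the sample records are assumptions made for illustration.

```python
from datetime import date

# Baseline from the controls listed above. Keys are hypothetical inventory
# field names, not the schema of any real MDM product.
BASELINE = {
    "mdm_enrolled": True,
    "storage_encrypted": True,
    "screen_lock": True,
    "remote_wipe": True,
    "browser_sync": False,
    "browser_password_saving": False,  # passwords belong in the approved manager
    "advertising_id": False,
    "mfa_enforced": True,
}
MAX_BROWSER_AGE_DAYS = 30  # assumption: the firm's tolerance for stale browsers


def audit_device(record, today):
    """Return findings for one device; an unreported field fails closed."""
    findings = []
    for field, required in BASELINE.items():
        actual = record.get(field)
        if actual is None:
            findings.append(f"{field}: not reported")
        elif actual is not required:
            findings.append(f"{field}: is {actual}, must be {required}")
    updated = record.get("browser_updated")
    if updated is None:
        findings.append("browser_updated: not reported")
    else:
        age = (today - date.fromisoformat(updated)).days
        if age > MAX_BROWSER_AGE_DAYS:
            findings.append(f"browser_updated: {age} days old")
    return findings


def audit_fleet(records, today):
    """Map device name to findings, listing only non-compliant devices."""
    return {r["device"]: f for r in records if (f := audit_device(r, today))}


# Constructed sample inventory: one compliant phone, one BYOD device with gaps.
TODAY = date(2024, 6, 1)
_ok = dict(BASELINE, browser_updated="2024-05-20")
SAMPLE = [
    dict(_ok, device="partner-phone"),
    dict({k: v for k, v in _ok.items() if k != "remote_wipe"},
         device="associate-byod", mdm_enrolled=False, browser_sync=True,
         browser_updated="2024-03-01"),
]

if __name__ == "__main__":
    for device, findings in audit_fleet(SAMPLE, TODAY).items():
        print(device, findings)
```

Treating an unreported setting as a failure matters here: a device that never checks in would otherwise pass the audit by saying nothing.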
Policy is just as important as technology. Attorneys and staff must be aware of what browsers are supported, how to access client portals safely, and what is and is not allowed on firm-provided devices. Personal browsing on a firm-managed phone is not necessary and is a risk.
Lastly, you must have an IT partner that understands your needs as a law firm. A generic IT checklist is a good start, but it needs to be customized for the nature of your firm and workflow.
Mobile browsers are part of your firm’s infrastructure whether you design for them or not. They can provide you with better security and better control of your firm’s data. It’s less about preference and more about responsibility.