Quick Tips

Legal Ethics of Email for Paralegals: Securing Email Accessed on Personal Phones and Computers
guest author: James D. Blume

Don't Lose the Phone!

The first and most obvious point is to protect the device. Your smart phone or iPad is of no use if it is lost or stolen. Despite the obviousness of this point, these devices are routinely lost or stolen. Smart phones are reportedly the most stolen item in the world. Although handcuffing it to your wrist is not practical, there are some clear actions that can be taken to reduce the risk:

  • Do not leave these devices in cars, at least where they can be seen. Also they need to be protected from heat.
  • Secure these devices when traveling, particularly through airports. Traveling with a laptop is always a risk. In one famous case, the TSA seized an attorney's laptop with all sorts of confidential information on it. In my case, I always carry a roller bag which has pockets for my phone and iPad. I make sure they are always there (particularly through security) or in my hand.
  • Carry the device in the same place. If a carrier is not used, have a pocket that is deep enough that the device will not fall out. Do not hand carry it. When it is put down, it will be forgotten. I am tired of getting calls from clients that they left their phone in my car.
  • Password protect the phone. Note that on iPhones the Mail function is not password protected.
  • Enable "Find iPhone."
  • Enable remote data wipe.
  • Do not use the phone for attorney-client privileged communications such as texting or email.

Encrypt the data.

"Internet email is not at all secure. The underlying protocols such as SMTP and IMAP are plain text and thus have no security." Information Security Stack Exchange (website for security professionals).

The first thing to know is that the mail program on an iPhone is not encrypted. Therefore it should not be used for secure communications. Gmail and some other providers use either SSL (Secure Socket Layer) or TLS (Transport Layer Security) to protect email from a user to their server. For commercial users, Microsoft Exchange encrypts between its users and their servers. BUT email may go through many servers and may not be encrypted after it leaves your provider's server.
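One way to see which server-to-server hops were actually encrypted is to read the "Received" headers of a delivered message, where each server records the protocol it used. The following is an added example, not part of the original article; it assumes servers record RFC 3848 keywords (a trailing "S", as in ESMTPS, means TLS was used on that hop), and the sample message and host names are constructed.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords that indicate the hop was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample message; all hosts are placeholders on example domains.
SAMPLE = """\
Received: from mx.client.example (mx.client.example [203.0.113.9])
\tby mailstore.client.example with ESMTP id C3; Tue, 7 Mar 2017 10:00:05 -0600
Received: from out.provider.example (out.provider.example [198.51.100.7])
\tby mx.client.example with ESMTP id B2; Tue, 7 Mar 2017 10:00:03 -0600
Received: from laptop.lawfirm.example ([192.0.2.10])
\tby out.provider.example with ESMTPSA id A1; Tue, 7 Mar 2017 10:00:01 -0600
From: paralegal@lawfirm.example
To: contact@client.example
Subject: Draft agreement

See attached.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I | re.S)

def audit_hops(raw_message):
    """Return hops in delivery order as (sender, receiver, protocol, used_tls)."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so the newest hop comes first; reverse.
    for header in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(header)
        if not m:
            continue  # header does not follow the from/by/with layout
        sender, receiver, proto = m.group(1), m.group(2), m.group(3).upper()
        hops.append((sender, receiver, proto, proto in TLS_PROTOCOLS))
    return hops

def unencrypted_hops(raw_message):
    """Return (sender, receiver) pairs for hops that did not report TLS."""
    return [(s, r) for s, r, _, tls in audit_hops(raw_message) if not tls]

if __name__ == "__main__":
    for sender, receiver, proto, tls in audit_hops(SAMPLE):
        print(f"{sender} -> {receiver}: {proto} ({'TLS' if tls else 'NO TLS'})")
```

In the sample, only the first hop (sender to provider) reports TLS. Received headers are written by each server along the way, so they show what a server claimed, not proof of what happened on the wire.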

Use S/MIME (Secure Multipurpose Internet Mail Extensions) or third party apps to encrypt your attachment before attaching it to an email. However, using a complex third party app may require giving it to recipients so they can decode the email they receive. The difference between encrypted and plain text email has been described as similar to the difference between a postcard and sealed letters.

BUT is the recipient secure? Whatever security measures the sender takes do not guard against a lack of security on the part of the recipient. This suggests a necessity to discuss internet security with any client to whom sensitive information will be sent. I particularly advise this in the case of any major corporate client.

The best of both worlds has been described as: use TLS/SSL to protect the email "pipeline" and complex third party encryption programs (e.g. S/MIME) requiring the recipient to decrypt.

In the case of a client having sensitive information on their smart phone, we have clients bring us their telephones and download confidential data by wire. This circumvents the use of email completely.

Avoid insecure WiFi.

The most important measure a user can take is to protect their home network. That means that any home router must be encrypted to prevent unauthorized use (such as neighbors). I use ATT U-Verse and it has encryption security. That replaced a local provider which did not have router security built in.

Do not use public WiFi for confidential communications. If in a public place with WiFi, a smart phone can be switched to ignore the WiFi and use the cellular system. That is much more secure than a public WiFi.

On a smart phone, a user should disable WiFi networks not commonly used, e.g., hotels, restaurants. Under "WiFi" on the phone, a user can tell the phone to "forget" WiFi networks that were perhaps used once. The only networks it should routinely access are a home and office network.

Conclusion.

In summary, the use of simple security will avoid the most egregious errors and keep clients' data secure.

 

James D. Blume is the managing member for the firm Blume, Faulkner & Skeen, PLLC, located in Richardson, Texas. He has held various positions with the State Comptroller's Department, including Director of Claims and Associate Deputy Comptroller. As Associate Deputy Comptroller, he supervised the legal services and hearings divisions and established the Administrative Law Judge program. Mr. Blume was asked to serve on the Unauthorized Practice of Law Committee for the Texas Supreme Court after acting as an investigator and Chairman to the Dallas Subcommittee. Mr. Blume holds appointment by the State Bar of Texas as a Special Assistant Disciplinary Counsel and has prosecuted a number of cases against attorneys for misconduct. He is a certified mediator and has published articles on state taxation issues, legal ethics, non-profit corporations, and trial preparation for paralegals.

Institute for Paralegal Education • 1218 McCann Drive • Altoona, WI 54720 • © 2017, Institute for Paralegal Education, a division of NBI, Inc. All Rights Reserved.