Encryption is business-critical for law firms as well as their clients – and it is under threat.
Information security underpins client confidentiality and legal professional privilege, but litigation and legislation whereby law enforcement and other government agencies are seeking access to encrypted data and devices threaten to muddy the waters.
The Apple v FBI case, whereby the FBI is using the US courts to force Apple to provide software to unlock a terrorist’s iPhone, raises moral, political, legal and technical issues for law firms. As Jonathan Goldsmith discussed in a Gazette article, the main arguments summarise the liberty versus security debate, with the tone reflected on this side of the Atlantic in the revised draft Investigatory Powers Bill, which includes provisions for mass surveillance by government authorities.
‘For many law firms, the IP bill is seen as a significant threat to legal professional privilege,’ says David Prince, delivery director, IT security, at London-based Schillings. ‘History has told us, time and again, that deliberately weakening encryption or implementing a backdoor results in exploitable weaknesses accessible not only to the authorities, but to any malicious actor.’
The Apple case is not just about privacy and technology; encryption is business-critical. If organisations lost confidence in the iPhone as a secure device for business, Apple could face serious repercussions as the device accounts for around two-thirds of its revenue. BlackBerry, whose devices are known for their end-to-end encryption, is seeking to reposition itself as a provider of security software that can run on multiple devices. BlackBerry recently acquired UK cybersecurity firm Encription to strengthen its cybersecurity consultancy business.
IT security expert Graham Cluley highlights the extent to which business relies on strong encryption: ‘Anything that waters down the encryption systems that protect online transactions and business communications represents a gold mine for online criminals. We need to stop thinking of encryption as something that is used by criminals and terrorists; every time we log into our online banking we are protected by encryption. It is almost sacrosanct and we need to defend it.’
Encryption – and information security generally – is also business-critical for law firms that handle sensitive personal and company information, including upcoming deals and acquisitions. The reasoning behind this is clear: to ensure client confidentiality and maintain their reputation as trusted advisers and business partners.
Backdoor access to a law firm’s data via mobile devices or internet browsing would contravene lawyers’ professional obligations to their clients. ‘The commercial impact could also be significant if clients lose trust in their law firm to ensure information is protected and seek advice elsewhere,’ Prince adds.
As Richard Hodkinson, chief technology officer at DWF, explains, if a law enforcement agency required access to a law firm’s data, this would be a strategic board-level issue.
Firms and legal IT vendors are concerned about scope creep: if a precedent is established, authorities might then require access to devices and intercept data for investigations that did not involve national security. Unsurprisingly, this was discussed at the RSA Conference in San Francisco. As Orlando Scott-Cowley, cybersecurity strategist at email management company Mimecast observes, IT vendors that are known to allow backdoors to their products tend not to last long because this is not acceptable to their customers.
High-profile breaches have focused businesses and law firms on cybersecurity, and TalkTalk chief executive Dido Harding’s uncomfortable television interviews helped to engage the C-suite.
This has drawn client attention to law firms’ data security measures. DWF works with banks and large insurance companies, and business pitches commonly include detailed questions around data management and procedures – including dealing with a potential data breach. ‘We need to have a robust and mature approach to information security management in order to win and retain business, as well as to defend the firm against cybercrime,’ Hodkinson says.
DWF has ISO 27001 certification supported by a suite of software tools. These include a mobile device management platform, whereby if a device is compromised it can be remotely wiped. Hodkinson’s team also includes an information security officer. However, the firm’s agile workforce and multiple locations add complexity to the information security equation. ‘Everyone wants maximum accessibility, but regulation and risk require strong protocols, procedures and responsibilities, as well as effective technology,’ Hodkinson says. ‘As more people use mobile data, the boundaries of the enterprise become unclear and its data becomes more difficult to manage.’
David Aird, IT director at DAC Beachcroft, observes that firms are investing more time, effort and resource in IT security. ‘The barrier is continually raised,’ he says. ‘Something that is extra this year will be standard practice by next year. Therefore, firms have to take a risk-based approach – we handle data differently depending on the risk. Certain clients also increase the risk factor as their information is more interesting [or] valuable to enforcement agencies and hackers.’
Aird has introduced information security measures including intrusion detection, internal network monitoring and threat analysis. The firm deploys Good Technology mobile device management and all devices are encrypted. It has ISO 27001 certification and carries out external penetration testing of web-facing services and information security assessments. There is also work on the people side, including raising awareness of ‘phishing’ and ‘whaling’ (whereby hackers send spoof emails that seem relevant to a genuine transaction).
Emails are an obvious target. However, cloud-based email means that messages and data reside in the cloud and not on the device. Mimecast Secure Messaging is an email service through which messages are accessed via a password-protected web portal, so the information never leaves Mimecast’s private cloud. Mimecast’s Targeted Threat Protection was recently extended to cover security threats from spear-phishing (emails that seem to come from a known business or person) and whaling.
Egress Switch provides a secure way of sending sensitive information to non-secure email addresses (for example, Hotmail and Gmail). It is used by central and local government organisations that handle personal and financial information, because it allows users to control who receives and reads messages which cannot be forwarded without the sender’s permission.
These services are cloud-based, which means information is held centrally and is not on the user’s device. As Scott-Cowley explains: ‘Mimecast does not own or have access to users’ data. Authorities and others would have to go to the owner of the server or device, and that’s generally the customer or firm who has purchased the service.’ The only way a third party could access data that had been encrypted with enterprise-grade encryption as used by Mimecast would be to obtain the user’s encryption key or password.
Schillings’ Prince notes that the latest revision of the IP bill will not impact end-to-end encryption technologies, such as iMessage, due to the fact that organisations do not hold the encryption keys. ‘We are already seeing more firms adopt end-to-end encryption to enhance the cybersecurity of client communications,’ he says. ‘In this sense, the IP bill presents a significant opportunity for end-to-end encryption technologies to become more user-friendly and accessible.’
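The point Scott-Cowley and Prince are both making is about key custody: if the customer, not the service, holds the key, the service (and anyone who compels it) holds only an opaque blob. The following is an added illustration in Python, not code from the Gazette article, Mimecast, Egress or any other vendor named above. The function names, the record layout and the construction itself (a PBKDF2-derived key, an HMAC-SHA256 keystream and an HMAC tag) are my own assumptions chosen so the example runs with only the standard library; a production system would use a vetted authenticated cipher such as AES-GCM from a maintained cryptography library instead.

```python
import hashlib
import hmac
import secrets

# Added illustration of "the customer holds the key": the storage service only
# ever sees the record returned by encrypt_for_cloud(). The construction below
# (PBKDF2-derived key, HMAC-SHA256 keystream, HMAC tag over nonce+ciphertext)
# is an assumed, stdlib-only stand-in for a real AEAD such as AES-GCM.

PBKDF2_ROUNDS = 200_000   # assumed work factor for the example
BLOCK = 32                # HMAC-SHA256 output size: bytes of keystream per block


def _derive_keys(password, salt):
    """Stretch the user's password into separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ROUNDS, dklen=32)
    enc_key = hmac.new(master, b"enc", "sha256").digest()
    mac_key = hmac.new(master, b"mac", "sha256").digest()
    return enc_key, mac_key


def _keystream_xor(enc_key, nonce, data):
    """XOR data with HMAC-SHA256(enc_key, nonce || counter) blocks (counter mode)."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        block = hmac.new(enc_key, nonce + offset.to_bytes(8, "big"), "sha256").digest()
        chunk = data[offset:offset + BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def encrypt_for_cloud(password, plaintext):
    """Produce the opaque record the service stores. No key material is included."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def decrypt_from_cloud(password, record):
    """Recover the plaintext; raises ValueError on a wrong password or a modified record."""
    enc_key, mac_key = _derive_keys(password, record["salt"])
    expected = hmac.new(mac_key, record["nonce"] + record["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("authentication failed: wrong key or modified record")
    return _keystream_xor(enc_key, record["nonce"], record["ciphertext"])


def service_view(record):
    """The fields the storage provider (or a party who compels it) can hand over."""
    return sorted(record)


if __name__ == "__main__":
    # Constructed sample data, not a real client document.
    rec = encrypt_for_cloud("client-held passphrase", b"constructed sample: draft deal memo")
    print("service holds only:", service_view(rec))
    print("with the key:", decrypt_from_cloud("client-held passphrase", rec))
    try:
        decrypt_from_cloud("guessed passphrase", rec)
    except ValueError as exc:
        print("without the key:", exc)
```

The record the "cloud" keeps contains the salt, nonce, ciphertext and tag, none of which lets the provider recover the content; the only route to the plaintext is the user's passphrase, which is exactly the situation the quotes above describe. The tag check also means a record altered in storage is rejected rather than silently decrypted to garbage.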
Encryption is a broad term. The guidance provided by the American Bar Association in the US and the SRA and others in the UK is open to interpretation and does not address the current dilemma, which is why many firms are turning to industry standards such as ISO 27001 certification. Because there is not enough clear guidance specifically for law firms, they are having to make their own decisions. This works well for larger firms such as DWF and DAC Beachcroft, but, as Aird explains, smaller firms face similar challenges without the budget for a comprehensive information security programme.
Here, as with other technology issues, law firms can learn from other sectors. But as Cluley observes, smaller law firms, which may not have a dedicated IT function, might still advise clients whose data may well be of interest to governments and hackers. He recommends that firms without the in-house resources to deal with information security work with a consultant or technology partner to secure their data.
Aird emphasises that a pragmatic approach that includes raising awareness around phishing and changing passwords regularly is one of the most cost-effective ways a firm can reduce its risk profile. As Hodkinson says: ‘Information security is like a living organism. It needs feeding and watering regularly because it keeps growing and changing.’
Robots and autonomous vehicles: a new legal argument?
Following up my January feature on digital assistants, I attended a seminar at the Japanese embassy in London that promoted collaboration between Japan and the UK as leaders in artificial intelligence (AI) and robotics. I was privileged to have the opportunity to interview Professor Hiroshi Ishiguro, whose Geminoid project, which includes the Geminoid HI-1 android that exactly resembles him, has made him world-famous.
Professor Ishiguro creates robots and androids that interact with humans. He demonstrated CommU, a small humanoid robot (currently on the market) that translates conversations in real time (like a robotic interpreter), and Sota, a conversational helper/companion robot. As part of the Geminoid project, Professor Ishiguro created Erica, the world’s most advanced robot, who is programmed to have intentions and desires. What does she want? To do her job well and to be recognised. I asked Professor Ishiguro why he was making intelligent, self-aware robots. By replicating ourselves, we learn more about ourselves, he responded.
The seminar also featured AI in practice. Oxfordshire County Council’s transportation plan uses big data and machine learning to address traffic congestion. This is not about AI taking a job, but doing a job – real-time analysis of floating data sources keeps motorists informed and predicts potential traffic problems. Oxford is trialling the use of self-driving vehicles to carry passengers into and around pedestrianised areas. This will reduce traffic and pollution as the autonomous ‘pods’ will enable pedestrianised areas to be extended.
Bringing these ideas together might raise new legal issues, however. In California, Google’s autonomous (self-driving) car recently collided with a bus – showing that even though self-driving cars are programmed to avoid collisions (as Toyota demonstrated at CES), this cannot always be avoided.
Much has been written about where the legal responsibility lies if an autonomous car has an accident (Google’s cars are self-insured). But if the autonomous vehicle also had intentions and desires (to do its job well and be recognised, perhaps) this might create new legal arguments.