The latest Snowden revelations should make law firms think seriously about data protection.
The Snowden affair continues to send shockwaves through the law (for instance, the Miranda decision a few days ago), and also through the legal profession itself, as follows.
This week, The New York Times ran a lead story from the Snowden documents, showing for the first time that a law firm had apparently been spied on. The facts are interesting. A large American law firm, not identified but believed to be Mayer Brown, was acting for the Indonesian government in a trade dispute case with the US. The Australian government was spying on the Indonesian government, and had as a result access to the communications between the American law firm and its government client.
The Australian government offered the information to the US spying agency, the National Security Agency, specifically mentioning that ‘information covered by attorney-client privilege may be included’. The NSA gave advice and reported that the Australian spy agency ‘has been able to continue to cover the talks, providing highly useful intelligence for interested US customers’.
I am trying to act surprised. Seriously, there are a few easy lessons to draw. The first is that, contrary to assurances about mass governmental surveillance being about the fight against terrorism, this was not a terrorism case and not about keeping American citizens safe from violence. It was a straightforward trade espionage case.
Second, although we do not know what either the Australians or the Americans did with the ‘information covered by attorney-client privilege’, it would take a medieval saint to believe that they destroyed it without looking at it.
In other words, the concerns raised by the Council of Bars and Law Societies of Europe, and others, about the consequences of the Snowden revelations on professional secrecy appear to be justified. Third, we now have a classic example of the kind of behaviour which should (in my view) not be subject to government surveillance, a precedent to point to in the continuing debate about where the line should be drawn between security and liberty.
There are deeper lessons to learn, about the kind of cybersecurity that law firms should seek to provide for their clients. On the one hand, there is presumably nothing that law firms can do about the powerful surveillance methods of large government security agencies, at any rate for the time being. (The market being what it is, there will doubtless be solutions, maybe only partial, in due course.) On the other hand, this is not a signal for doing nothing.
The Law Society has recently joined with other bodies (such as the London Stock Exchange, the CBI, the Cabinet Office and the Takeover Panel) in launching the Cyber Security in Corporate Finance Guide last month. This is aimed at all players in a niche sector, and lawyers’ concerns are (unsurprisingly) not the main focus. However, the Solicitors Regulation Authority will be publishing a booklet on cybercrime next month as part of its spring update to the Risk Outlook. This booklet outlines some of the risks firms should consider when determining their cybersecurity arrangements.
The American Bar Association (ABA) has been concerned for some time about the effects of lax cybersecurity in law firms. Last year, it published The ABA Cybersecurity Handbook ($59.95), which makes clear - among other things - that cluelessness about cybersecurity in most law firms is leading to anxiety that they have become a one-stop ‘treasure-trove’ of data which hackers might have difficulty in obtaining from their clients.
The handbook reports that already ‘[i]n late 2011, the FBI met with representatives from major law firms to discuss the rising number of cyber attacks on the firms and to warn the firms that hackers perceive them as a relatively unprotected backdoor into the data of corporate America’.
I am sure that the FBI did not warn them that one of the major spies on their data was the US’s own NSA, but regardless of that, it is clear that foreign spy agencies - the Chinese government is usually mentioned - have a strong interest in obtaining easy access to information lying about in law firms’ computers, such as trade secrets, intellectual property, financial data, corporate strategies and internal research. The ABA’s handbook gives advice on how law firms can protect themselves, which is just as applicable on this side of the pond.
In other words, there are measures that individuals and law firms can take, at least to make it more difficult for hackers, and to ensure that they are not being negligent with their clients’ data. The New York Times (again) has published a guide to some of the measures available.
I have avoided the question of whether Snowden is a hero or a villain. I don’t care, and too much energy can be absorbed by that debate. From our point of view, we just need to reflect on the consequences of what his stolen documents, and the responses of the various players, have told us.
For law firms, as finally proved this week by the article mentioned at the start, cybersecurity is now one of the most significant - and challenging - items on the agenda.
Jonathan Goldsmith is secretary general of the Council of Bars and Law Societies of Europe, which represents around a million European lawyers through its member bars and law societies. He blogs weekly for the Gazette on European affairs.