A breach of information security is a nightmare for every law firm. How do you make sure it does not happen?
A lawyers.com headline from 2011 paraphrased Benjamin Franklin’s famous quote: ‘Nothing’s certain in life but death, taxes and hacks.’ The context was banking fraud, but to some extent, information security paranoia has spread to the legal sector.
This paranoia does not reflect the attitude of IT directors, who are taking a balanced yet focused approach.
Legal IT systems, particularly document management systems, lend themselves to secure content, including data storage and retention. Ethical walls and client extranets restrict access. However, as soon as information leaves the firewall, it is open to interception, observes Duncan Eadie, IT and facilities director at Foot Anstey. Once data has been shared, the firm has no control over where it goes next.
Legal IT has long been about balancing security and convenience, and last year’s buzzword, BYOD – bring your own device – tipped the balance to convenience. As lawyers access firms’ systems and data from more devices, the focus is shifting. Tim Hyman, IT director, EMEA at Reed Smith, describes information security as ‘the new disruptive technology’ because clients in regulated sectors are dictating firms’ arrangements. Reed Smith is subjected to regular security audits by major clients who also carry out spot checks on physical and technical measures. Banks are ramping up security, and, as a trusted partner, the firm is adopting financial industry standards.
But it is not just financial information that is potentially vulnerable to hackers. Law firms frequently advise on M&A transactions and handle corporate and personal information, and intellectual property. Stuart Whittle, information security and operations director, explains that Weightmans aligns its information security procedures to ISO27001. This strategy is client-driven as the firm handles significant personal injury work: ‘We have a dedicated information security manager and all sensitive data is encrypted and checked by our risk and compliance team.’
Firms are aware that unencrypted information is monitored by government agencies and others, but targeted attacks are seen as a serious threat. ‘Anyone targeting specific information will look for the weakest link in the data lifecycle chain,’ says Paul Caris, CIO at Eversheds. ‘Transactions provide various opportunities for information to be divulged and I make sure that Eversheds is not the weakest link. But it is for the government to tackle the wider risk.’
Lawyers and clients increasingly use public file-sharing sites to share documents. However, Dropbox and similar sites have been linked to spear-phishing and malware attacks, and because their data is held in the US, it can be accessed by US government agencies. As Eadie observes, when you look at the small print, there are often disclaimers around users’ information. Before signing up to any file-sharing site, read the T&Cs.
Whittle, who is also a director of the Legal IT Innovators Group (LITIG), agrees. LITIG conducted detailed research into consumer and commercial file-sharing services. ‘We focused on security, terms and conditions and the implications of sharing confidential advice, personal data and personal sensitive data as defined in the Data Protection Act – for example data pertaining to employees affected by a merger.’ LITIG produced standard wordings for IT directors to inform lawyers about the risks of using consumer file-sharing sites and for lawyers to inform clients.
What happens when a client asks a lawyer to share a document in Dropbox? Eadie observes: ‘Particularly in transactional work, clients are looking for immediate closure and while setting up an extranet might take 30 minutes, sharing via Dropbox takes seconds.’ Caris has responded by developing bespoke encrypted file-sharing solutions for Eversheds’ lawyers and clients.
Reed Smith does not entrust sensitive information to extranets or file-sharing sites. For higher security data, it provides an encrypted FTP solution. ‘The client is sent a link and a password and is given 30 days’ access,’ explains Hyman, adding that all documents can be read-only to stop them being copied or downloaded.
Remote access to firms’ systems can be monitored, but information can also leave a firm on USB sticks. If a stick that is neither password-protected nor encrypted is lost, its data is easily accessed. Reed Smith’s PCs accept only its Ironkey password-protected USB sticks, which remotely register every device they are used on and can be wiped remotely.
People are the weakest link. It is difficult to stop them printing confidential information or writing down their passwords, so education is needed to ensure lawyers do not undermine the systems that protect firm and client information. Reed Smith regularly distributes security awareness videos. User education should also cover social media.
Information security concerns have highlighted an innovation gap in legal IT. Inspired by self-destructing message apps like Snapchat, perhaps legal document management system suppliers should consider creating file-sharing applications with a self-destruct feature – once a password-protected, read-only document had been accessed, it would self-destruct. This would allow confidential documents to be shared securely without being downloaded or forwarded. Or, as Hyman suggests, it might be possible to incorporate digital rights management (DRM) into Word, for example, by setting a particular time before a document would delete itself once it had been read. These ideas do not take into account regulatory and policy issues. But they are food for thought…
Counting the cost
Information security is an increasing overhead for law firms.
Firms may be asking themselves whether their systems and information are sufficiently secure, but Hyman suggests that tomorrow they will be asking: ‘Are we efficiently secure?’ The challenge will be to derive added value from their security investments.
Joanna Goodman MBA is a freelance journalist and editor of Legal IT Today