Closing the Breach: Law Firm Data Security
Data breaches come in all shapes and sizes. Breaches that arrive in the form of a sophisticated cybercrime attack, such as malware, may gather the most publicity, but something as simple as an attorney leaving a laptop in the back of a taxicab can be just as damaging. While most law firms understand the ethical and regulatory requirements to protect and secure both client and firm-owned information, securing data is not a simple process. Too many firms fall short in considering all the factors.
For example, stringent technical controls and established policy and procedural documentation give firms leverage in their negotiations with liability insurance providers, which can result in lower premiums. However, if we take a holistic approach to law firm data security from the standpoint of efficient access to information, we must consider the single most important asset and liability: people.
There seem to be a million blogs and articles touting the importance of focusing on the technological side of security, but the weakest link is the behavior of people. Failure to sufficiently educate attorneys and administrative staff on how to approach privacy and security continues to be the biggest risk to law firms, and no one seems to talk about it.
Challenges to Law Firm Data Security
Anti-virus and intrusion detection programs help protect against attacks, and they are important components of a well-rounded information security plan that should not be diminished. However, the major threat to a firm's information security is its people. Some examples of how people can impact information security:
- An attorney forwards client-related documents to his/her personal email account for ease of access while working from home.
- A law firm issues a preservation hold authorization, placing a hold on the destruction of all documents related to a case, but information gets deleted inappropriately because it was left unfiled in an attorney’s inbox.
- A client transfers representation to a new law firm. The original firm believes it has appropriately transferred all authorized material to the new firm, but does not realize that client material remained siloed on a file share drive.
- Established HIPAA-HITECH regulatory requirements for protecting sensitive employee or client information are not applied, and Social Security or bank account numbers aren’t redacted before distribution to firm recipients.
These are the daily sorts of pitfalls law firms should consider when developing and implementing their information security and management procedures.
So, what are the implications? Even though law firms vary by size, practice areas, culture, and available technology, they have a professional responsibility to act in the best interest of firm clients. This includes identifying and mitigating risks such as:
- Fines from non-compliance with laws or regulations
- Litigation arising from improper information handling
- Reputational damage
Assuming you’ve recognized this as a gap between where you are and where you need to be, what do you do?
Conduct an Information Governance Assessment
An information governance (IG) assessment is a business-first activity, focused on the most important asset a firm has aside from its people – information. The goal of the assessment should be to orient the Firm toward addressing any information handling threats and opportunities. Stakeholders involved in the assessment normally include representatives responsible for the business function, privacy and security, IT, records management, and legal representation to get a well-rounded perspective from those involved in protecting the best interests of the Firm and its clients. A common finding from IG assessments is that employees fail to grasp and practice information security, revealing gaps between policy and adoption.
Policies and Training
Information security starts with a strong policy foundation. Policy statements should be simple and straightforward, clearly stating the Firm’s intention regardless of software, culture, and other operational variables. Social engineering training and awareness shouldn’t stop after a one-time education session or a phishing exercise/penetration test. Security may require hours of personal contact and follow-up to ensure end-users become comfortable handling information in ways aligned with policy expectations.
Continue with Procedures
Because the purpose of written procedures is to fulfill policy objectives, documenting specific guidelines, controls, and practices within a standard operating procedure (SOP) manual is essential. Developing and adopting such procedures forces a firm to properly assign responsibility and accountability for the execution of operational tasks. A firm’s risk exposure goes up as administrative resources go down, so it’s important to ensure the administrative resources are in place to support the business needs. As an example, a law firm shouldn’t expect a partner to spend significant time filing email. Utilizing a legal process outsourcing company like Epiq can identify resources that will allow timekeepers to focus on what they’re supposed to be doing: practicing law.
Training and Awareness
To reiterate, the most important component of ensuring information management and security is the people supporting the business’ core function. Dedicated resources, skilled in technology and in executing the processes in place, are essential to training and raising awareness of information security principles. The benefits of a fully functioning information management and security program include:
- Assured protection of client data
- Demonstrated adherence to compliance requirements
- Avoidance of potential fines and reputational damage
- Possible saving on liability insurance
Once risk is identified, law firms are obligated to take action. Any risk you are aware of and do nothing about, you accept.
DLA Piper, one of the biggest law firms in the world, was recently hit with a data breach. DLA has stringent and compulsory technical controls and supporting information security policy documentation in place. If they’re vulnerable, everyone is.
Consider working with consultants like Epiq, who specialize in data security and governance at law firms.