Ten Tips for Law Firms Safeguarding Client Data

May 21, 2014, 8:56 PM UTC

I recently attended an eDiscovery conference for lawyers, and one of the discussion panels was “Mitigating Risk and Security Concerns–Selecting the Right Vendor to Protect Your Data.” The discussion began as it usually does, with all the panelists agreeing that security is a huge concern and that vendors must be vetted to ensure they’re safeguarding your data. The audience, consisting of attorneys, paralegals, legal assistants, IT managers and data specialists, all seemed to agree as well.

Everything was going great until a paralegal in the audience asked the panel, “What about law firms? What should we do to make sure they’re safeguarding our data?”

The panel was taken aback. I don’t think any one of them had ever heard that question before that day. In response, one of the panelists, the in-house counsel from an insurance company, asked the paralegal, “What do you mean? You can’t get more secure than a law firm—it’s their business to protect our data.”

I am, of course, paraphrasing what he said. The audience nodded their heads in agreement with the in-house counsel—and took notes: “No need to vet your law firm. Protecting our data is their business.”

I don’t know what surprised me more, that in-house counsel at a major insurance company thought law firms were great at securing data simply because they were a law firm, or that the audience didn’t audibly gasp in disagreement with the in-house counsel. Did all the recent press about security leaks and breaches at major law firms across the U.S. and U.K. really go unnoticed? Have people not been reading the papers or checking their Twitter feeds? People are hacking and cracking 24 hours a day and law firms are one of the most visible targets.

I’m not saying all law firms are bad at securing data, just as I would never say all vendors are great at protecting it. But I am certainly saying that it is not a law firm’s core business to secure data. Not many J.D.s have a B.S. in Information Technology as well.

Their business is to protect your information, trade secrets, privilege and confidential content, and they are very good at that. But law firms are clearly not in the business of actively safeguarding data from hackers and cyber-terrorists, or from network and server intrusions and penetrations.

The Players.

Cyber terrorism is fairly mainstream now. There are hackers, crackers, black hats, gray hats, script kiddies, hacktivists and code gangs doing all sorts of things to mess with corporations or individuals for all sorts of reasons: profit, chaos, activism, spite, fun, etc. Going forward, I will refer to the entire group as “hackers” or “cyber-terrorists,” meaning the ones whose main purpose is to steal or corrupt data.

Hackers break into systems, but they are also adept at luring employees into downloading files of their own volition. It is common to hear about big companies being hacked: Target, Facebook, Microsoft, NBC, Michaels, and Twitter were among the largest corporations hacked last year.

The Plays.

What did these hackers do? Facebook had passwords stolen and malware implanted on their systems. Microsoft had malware implanted that allowed hackers to log on to computers without the user knowing. Michaels and Target had their customers’ credit card information stolen and used by the hackers.

As corporations ramp up their security protocols in an effort to ward off threats, hackers are increasingly targeting the law firms that represent those same corporations. Law firms handle large volumes of data and documents from their clients, and as it turns out, hackers have a much easier time of stealing data from a law firm than from a corporation. Why jump through the hoops of corporate security when you can slip through the unsecured doors of a law firm? Hackers have tested, and proven, that many law firms lack the same resources or safeguards as corporations, yet they hold the exact same data.

Why Solutions Are Difficult.

Law firms are starting to realize the need for improved security measures, but security is hard. It’s hard to design a good plan, it’s hard to implement the technology and processes that make up that plan, and it’s hard to maintain adequate safeguards as threats continue to morph and multiply, while software and hardware updates are always one step behind.

Add to this the complexity of securing a whole new world of technology, including mobile technologies, cloud storage, BYOD (bring your own device), and an increasingly mobile workforce, all of which create additional layers of security concerns and risk management issues.

Security is hard on employee morale too. Nobody likes having to change that ‘strong’ password as soon as they’ve finally memorized it; having to encrypt every file they send and decrypt every file they receive; getting locked out of ‘downtime’ websites like CNN, Amazon, Trulia and ESPN; not being able to access personal e-mail from work; or being told they can’t access company data on iPads or Surfaces.

Why Solutions Are Essential.

But despite security enforcement being tough and unpleasant, law firms do have an ethical responsibility to take every reasonable measure to safeguard their clients’ information and data. In today’s email/IM/text-heavy workplace, this responsibility extends to implementing adequate security measures to protect against cyber-attacks. Every law firm, and its employees managing client data stores, has a duty to understand the risks associated with storing data and implement processes and technology to sufficiently defend that data. Hackers may still attack, but they shouldn’t always succeed.

When I think back to the in-house counsel’s response at the panel, I can’t help but think, “Shame on you.” While I understand where he’s coming from, his cavalier attitude is unconscionable. He would never send data to a vendor without asking, at minimum, some very basic security questions. As a data controller, the law firm should be held to the same standards.

What can law firms do to safeguard their clients’ data? Here’s my top ten:

1. Hire or designate a full-time Information Security officer (or multiple officers if you have the budget for this). An Information Security officer is someone whose sole job is to maintain security on client and company data. Ideally this person should have a background in IT and a good working knowledge of law firm and corporate infrastructure.
2. Consider your employees’ morale, but not at the expense of the security of your clients’ data. Making your employees happy in the workplace should always be a concern, but data leakage and security breaches pose a bigger threat. Your employees can and will get used to data security protocols, no matter how inconvenient they may be.
3. Create a security policy and train employees on that policy. Employees often don’t know what the policies are or why they were created. Policies should include:
   a. Password policies—Passwords should be complex, never re-used and changed often. They should not be shared, and that includes being written on a Post-it Note and stuck to the computer monitor.
   b. Download guidelines—Stranger Danger! Don’t open files that are out of the ordinary or are from unknown addresses.
   c. Installation restrictions—Safeguard who can install software. Malware is often hidden in executables and fake updates.
   d. BYOD policies—You can say no, but you don’t have to anymore. There are a lot of tools out there that will allow you to monitor and safeguard data on personal and/or mobile devices (data partitioning, wipe switches, access controls, apps that you control, etc.).
   e. Encryption policies—Make sure data is always encrypted when being sent anywhere and that logins/passwords are sent through different mediums. I can’t tell you how many times I get a login in one e-mail immediately followed by a second e-mail with the password. How is that safe? If someone broke into my e-mail, they could read both e-mails.
4. Update your policy quarterly. Technology changes fast (especially apps and iOS updates), and you need to update your policy frequently to keep up.
5. Think outside the box; hackers do. Find where you are most vulnerable and add more security to that area. One creative way to determine weaknesses is to hire hackers yourself to do intrusion testing.
6. Understand that even if data isn’t interesting to you, that doesn’t mean hackers don’t want it. Protect everything, even if your client manufactures screws.
7. Consider outsourcing your data storage. As I said before, security is tough and it’s not your core business. There are dozens of companies out there who do only data storage. Rely on their expertise, and your data will likely be safer and your IT costs lower.
8. Have backup, retention, and deletion plans. Depending on legal holds and industry mandates, data should be managed and purged on a regular basis. Storing data past the date when you are reasonably required to have it means that data is unnecessarily vulnerable.
9. Keep yourself up to date. Stay knowledgeable on trends, data security breaches, new security safeguards and new mobile workforce tools.
10. Educate everyone. Educate your clients on potential threats and how you are safeguarding against them. Educate your staff on why security is paramount and why client data protection is as important as privilege protocols. Educate yourself and your peers. Data is serious business. And did I mention that it’s hard too?

IT Experts of the World—Unite!

Cyber criminals are growing in number, expertise and intent to hijack data. Plus, the notoriety, street credibility and lucrative nature of stealing data are adding to the growth of the cyber-terrorist community.

Each week new viruses, worms, Trojans, sniffers, and key logging programs are unleashed on unknowing companies, law firms and individuals. The recent Heartbleed bug is a perfect example of our vulnerability to hackers.

Corporations, their outside law firms and their third party vendors all need to be equally vigilant in maintaining adequate security protocols and measures in order to prevent embarrassing and possibly damaging corporate data leaks and to safeguard data against corruption and damage. That vigilance begins with the corporations themselves holding all data managers, law firms and vendors alike, to the same high standards of data protection.
