As explored in last week’s posts, the bad news for law firms is their challenging data security threat environment. On the other hand, law firms that meaningfully elevate their security posture, thereby outrunning less-secure firms, can enjoy good news, including increased revenue, better-controlled expenses, and stronger client relationships.
Security risks flow from threats coupled with vulnerabilities – and when it comes to data security, law firms are uniquely vulnerable. Understanding and countering these vulnerabilities is the key to transforming data security bad news into good news.
Why are law firms so vulnerable?
Law firms have highly valuable information.
Like any other business, firms have employee personal data, including SSNs, payroll data, and health plan data, along with financial and tax information for the firm itself and its owners. Yet law firms also have something far more attractive than other businesses – a concentrated trove of client data, such as nonpublic issuer information; client trade secrets; confidential information on client business strategies, controversial matters and transactions, and litigation; sensitive information with reputational impact for public and private individuals and institutions; and on and on. In addition, law firms have information and credentials that can serve as gateways to clients’ systems, through hacking or social engineering.
Many firms are behind the curve on data security safeguards.
Despite their valuable information, many law firms are demonstrably lax in their data security posture. Consider results of the 2017 ABA Legal Technology Survey regarding law firm data security controls:
- Fewer than half of the responding firms have the following policies or plans, each an important facet of a firm’s security posture: computer acceptable use policy (48%); remote access policy (45%); personal technology use/BYOD policy (24%); incident response plan (26%); disaster recovery / business continuity plan (42%).
- Only 60% of the firms have a formal policy or process to manage retention of data held by the firm, and only 40% have an official records retention schedule.
- 28% of the firms allow personal mobile devices (tablets, laptops, smartphones) to access the firm’s network without any restrictions.
- Only 45% of the firms have file encryption tools, only 36% have email encryption capabilities, and only 21% have full disk encryption.
Why are so many firms behind the curve in their data security safeguards? Here are ten factors to consider (warning – some of the below is not sugar-coated):
- Our profession is largely self-regulated. Unlike the granular security requirements for health care entities under HIPAA and for financial institutions under the Gramm-Leach-Bliley Act, lawyers are guided by their licensure states’ rules of professional conduct regarding safeguards for client information. Rules 1.6, 5.1, and 5.3, taken together, merely require lawyers and law firms to make reasonable efforts to give reasonable assurance that there are reasonable precautions to avoid unauthorized disclosures of client information. Yes, some law firms are HIPAA business associates, and firms are subject to applicable states’ PII breach notification statutes (plus statutes in several states requiring reasonable security safeguards for the PII of state residents). But generally, the security of the most valuable client-related data is only regulated through adherence to lawyers’ professional rules of conduct.
- The traditional law firm financial model – cash basis, with residual profits fully distributed to equity partners each year-end – tends to discourage long-term investment in security infrastructure.
- Many firms are understaffed (internally) and under-resourced (externally) for IT security functions.
- Many firms continue to use old, legacy IT systems and technology. This becomes a problem if patching falls behind, or if the hardware or software simply cannot accommodate up-to-date security features.
- The lack of a controlled, defensible destruction discipline causes many firms to unnecessarily retain sensitive and confidential information for far too long, which multiplies security exposures.
- A law firm’s “faster faster, bill bill!” work tempo can encourage security mistakes and exacerbate social engineering vulnerabilities. When lawyers and staff are operating at full speed in a constant time-crunch, it’s hard to take the time to reflect on whether your outgoing email is going to the right recipients (or with the right attachment), or to consider whether something about the email that you’ve just received (with links, attachments, or instructions) is maybe a bit off, just not right.
- Law firms tend to make lots of information publicly available about the firm’s lawyers and client-facing staff, such as extensive website professional bios and loquacious out-of-office messages. Such information is tailor-made for phishing and other social engineering exploits.
- Some firms continue to tolerate an “old school” culture in which many partners (a) are comfortably uncomfortable with technology; (b) assume data security is purely IT’s (or someone else’s) responsibility; (c) resist change; (d) devalue the input of non-partners and non-lawyer professionals; and (e) evade compliance with firm-wide policies/protocols that constrain how the individual partner practices law.
- For lack of a gentle euphemism, there is also lawyer hubris – the attitude that we’re too smart to be exploited, too small/local to be targeted, too set in our ways to adapt, too busy to be bothered….
- And, because of our professional stature and reputation, our culture of secrecy, and our trusted adviser brand, law firms are particularly susceptible to ransom extortion.
Law firms that understand and overcome these vulnerability factors to achieve a better data security posture will reach a far better place for themselves and the clients they serve. Though there is of course no perfect protection against data breaches, significantly reducing the likelihood of breaches is both valuable and attainable. And in a highly competitive market for legal services, outrunning the other law firms running from the “bear” of data security threats is a smart, strategic move.
So, where to begin? With security risk assessment, the focus of our next post.