Security risks flow from threats coupled with vulnerabilities – and when it comes to data security, law firms are uniquely vulnerable.
Law firms have highly valuable information.
Like any other business, firms have employee personal data, including SSNs, payroll data, and health plan data, along with financial and tax information for the firm itself and its owners. Yet law firms also have something far more attractive than other businesses – a concentrated trove of client data, such as nonpublic issuer information; client trade secrets; confidential information on client business strategies, controversial matters and transactions, and litigation; sensitive information with reputational impact for public and private individuals and institutions; and more. Law firms also hold credentials and relationship knowledge (who at the client works with whom, on what, and through which portals) that an attacker can use as a gateway into clients’ own systems, whether through direct intrusion or social engineering.
Many firms are behind the curve on data security safeguards.
Despite their valuable information, many law firms are demonstrably lax in their data security posture. Results of the 2018 ABA Legal Technology Survey reveal a bleak picture for law firm data security controls:
- Fewer than half of the responding firms have the following policies or plans that are important facets of a law firm’s security posture: computer acceptable use policy (41%); remote access policy (37%); personal technology use/BYOD policy (21%); incident response plan (25%); disaster recovery / business continuity plan (40%).
- Only 53% of the firms have a formal policy or process to manage retention of data held by the firm, and as of 2017, only 40% have an official records retention schedule.
- 31% of the firms allow personal mobile devices (tablets, laptops, smartphones) to access the firm’s network without any restrictions.
- Only 46% of the firms have file encryption tools, only 38% have email encryption capabilities, and only 24% have full disk encryption.
In the midst of a troubling threat environment, why are so many firms still behind the curve in their data security safeguards? Here are ten factors to consider:
- Our profession is largely self-regulated. Unlike the granular security requirements for health care entities under HIPAA and for financial institutions under the Gramm-Leach-Bliley Act, lawyers are guided by their licensing states’ rules of professional conduct regarding safeguards for client information. Model Rules 1.6 (confidentiality of information), 5.1 (responsibilities of partners and supervisory lawyers), and 5.3 (responsibilities regarding nonlawyer assistance), taken together, merely require lawyers and law firms to make reasonable efforts to give reasonable assurance that there are reasonable precautions to avoid unauthorized disclosures of client information. Yes, some law firms are HIPAA business associates, and firms are subject to applicable states’ PII breach notification statutes (plus statutes in several states requiring reasonable security safeguards for the PII of state residents). But generally, the security of the most valuable client-related data is only regulated through adherence to lawyers’ professional rules of conduct.
- The traditional law firm financial model – cash basis, with residual profits fully distributed to equity partners each year-end – tends to discourage long-term investment in security infrastructure.
- Many firms are understaffed (internally) and under-resourced (externally) for IT security functions.
- Many firms continue to run legacy IT systems and software. This becomes a problem when patching falls behind, when the vendor has stopped issuing security patches altogether, or when the hardware or software simply cannot accommodate up-to-date security features such as encryption or multi-factor authentication.
- The lack of a controlled, defensible destruction discipline causes many firms to unnecessarily retain sensitive and confidential information for far too long; every document kept past its useful life is one more thing that can be exposed in a breach.
- A law firm’s “faster faster, bill bill!” work tempo can encourage security mistakes and exacerbate social engineering vulnerabilities. When lawyers and staff are operating at full speed in a constant time-crunch, it’s hard to take the time to reflect on whether your outgoing email is going to the right recipients (or with the right attachment), or to consider whether something about the email that you’ve just received (with links, attachments, or instructions) is maybe a bit off, just not right.
- Law firms tend to make lots of information publicly available about the firm’s lawyers and client-facing staff, such as extensive website professional bios and loquacious out-of-office messages. Such information is tailor-made for phishing and other social engineering exploits.
- Some firms continue to tolerate an “old school” culture in which many partners (a) are comfortably uncomfortable with technology; (b) assume data security is purely IT’s (or someone else’s) responsibility; (c) resist change; (d) devalue the input of non-partners and non-lawyer professionals; and (e) evade compliance with firm-wide policies/protocols that constrain how the individual partner practices law.
- For lack of a gentle euphemism, there is also lawyer hubris – the attitude that we’re too smart to be exploited, too small/local to be targeted, too set in our ways to adapt, too busy to be bothered….
- And, because of our professional stature and reputation, our culture of secrecy, and our trusted adviser brand, lawyers and their firms are particularly susceptible to ransom extortion – both the ransomware threat of losing access to matter files and the threat of having client confidences published.
Law firms that understand and overcome these vulnerability factors and achieve better data security will reach a far better place for themselves and the clients they serve. There is of course no perfect protection against data breaches, but significantly reducing the likelihood of breaches is both valuable and attainable. And in a highly competitive market for legal services, elevating the firm’s data security posture is a smart, strategic move.