As explored in last week’s posts, the bad news for law firms is their challenging data security threat environment. On the other hand, law firms that meaningfully elevate their security posture, thereby outrunning less-secure firms, can enjoy good news, including increased revenue, better-controlled expenses, and stronger client relationships.
Security risks flow from threats coupled with vulnerabilities – and when it comes to data security, law firms are uniquely vulnerable. Understanding and countering these vulnerabilities is the key to transforming data security bad news into good news.
Why are law firms so vulnerable?
Law firms have highly valuable information.
Like any other business, firms have employee personal data, including SSNs, payroll data, and health plan data, along with financial and tax information for the firm itself and its owners. Yet law firms also have something far more attractive than other businesses – a concentrated trove of client data, such as nonpublic issuer information; client trade secrets; confidential information on client business strategies, controversial matters and transactions, and litigation; sensitive information with reputational impact for public and private individuals and institutions; and on and on. In addition, law firms have information and credentials that can serve as gateways to clients’ systems, through hacking or social engineering.
Many firms are behind the curve on data security safeguards.
Despite their valuable information, many law firms are demonstrably lax in their data security posture. Consider the results of the 2017 ABA Legal Technology Survey regarding law firm data security controls:
- Fewer than half of the responding firms have the following policies or plans, each an important facet of a firm's security posture: computer acceptable use policy (48%); remote access policy (45%); personal technology use/BYOD policy (24%); incident response plan (26%); disaster recovery / business continuity plan (42%).
- Only 60% of the firms have a formal policy or process to manage retention of data held by the firm, and only 40% have an official records retention schedule.
- 28% of the firms allow personal mobile devices (tablets, laptops, smartphones) to access the firm’s network without any restrictions.
- Only 45% of the firms have file encryption tools, only 36% have email encryption capabilities, and only 21% have full disk encryption.
Why are so many firms behind the curve in their data security safeguards? Here are ten factors to consider (warning – some of the below is not sugar-coated):