Your firm, their data: protecting your client’s confidential information
This article outlines some of the key issues, questions and take-home messages as they relate to keeping your data and the data of your client secure and confidential.
Lawyers' obligations to protect information
Regardless of size, security vulnerabilities in technology can make or break a legal practice. The ability to ensure that all critical data is secure and available is rapidly becoming a valuable commodity, because traditional methods of data management are becoming ineffective and insecure. Lawyers have an ethical and commercial obligation to keep their data and the data of their clients safe, secure and confidential.
Law firms failing in cyber-security
To illustrate the issue, the New York Times reported that a 2015 internal Citigroup cyber-intelligence report discussed how law firms were at “high risk for cyber-intrusions” and that it “warned bank employees of the threat of attacks on the networks and websites of big law firms.”
The Citigroup report allegedly went on to note that it was “reasonable to expect law firms to be targets of attacks by foreign governments and hackers because they are repositories for confidential data on corporate deals and business strategies”. It warned that “bank employees should be mindful that digital security at many law firms, despite improvements, generally remains below the standards for other industries”. The report further noted that firms would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.”
Key concepts in protecting your client’s information
Client data management is integral to the continuity of any practice. When you think of client data management, there are a range of considerations that must be undertaken. A few key concepts that can help you navigate through these matters are listed below and while this is by no means an exhaustive list, it is a good illustration of the thinking that law practices should be employing when considering the integrity of their data security.
Data Retention:
Information is the lifeblood of your practice, whether it be physical, digital or conversation based. To lose control of it is to lose control of your business. For example, ransomware (a type of malicious software that installs covertly on a victim's computer and blocks access to files pending payment of a ransom) is becoming a major problem for businesses. Being able to rely on data back-ups is essential for business continuity. Even if your client’s data has been kept confidential, having it lost or ‘locked up’ and held to ransom could be a breach of your professional responsibility.
Some critical questions that you should be asking include:
- Is your company and client data located in a secure environment that contains robust mechanisms to prevent unauthorised access and to ensure that data is disseminated securely?
- Do you have a robust back-up and data retention policy that is strictly enforced?
- Are the terms and conditions of your use of cloud technology (for example: Dropbox, one-cloud, Azure) compatible with your professional responsibility in regard to information handling?
- When a crisis arises what steps can be taken to retrieve data and how long will it take?
The take home message:
- If a client’s data is lost, it’s your fault. Ensure adequate and appropriate back-ups are made.
- You need to make sure your information management and storage systems will help you comply with both your professional and general legal obligations.
- You need to have a crisis management plan in place so that if disaster strikes, you can be up and running again quickly with minimal loss of data.
Securing of Infrastructure and Online Services:
More legal practices are offering services to clients that allow the client to access stored information or to collaborate with lawyers. It is important to remember that any access into your network or data could potentially allow for exploitation.
Key considerations in this area are:
- Does your online presence (for example your email service, website, and client portals) have adequate security measures in place? Is the level of security sufficient to allow you to comply with your professional and general legal obligations?
- Does your platform provide simple avenues for attackers to invade it and affect other parties? And have you had your platform tested for vulnerabilities (known as "penetration testing")?
- Is the infrastructure or online services regularly patched (updated) and in line with best practices?
- Are all devices within your control up to date with the latest software versions and anti-virus protection? (Many software patches are designed to fix known security flaws and are usually critical in nature. Don’t delay in installing patches.)
Take home message:
- Cyber criminals are at the forefront of technology. Your cyber security needs to be sufficiently robust to sustain cyber-attack. If you aren't certain that your systems are up to par, consider seeking the advice of a cyber security specialist to help you, while you stick to the lawyering.
- There is a lot of good material online that can help you understand the risks to which you may be exposed and what you can do to minimise those risks. The Australian Government's Australian Signals Directorate produces a lot of handy guidance material on the issue. The Australian Institute of Company Directors also has a lot of material available on its website.
Mobility and Bring-Your-Own-Devices:
With lawyers being able to operate outside the confines of a physical practice, a part of your sensitive data may be placed within harm's reach due to insecure devices or badly implemented security. Cyber security company RSA has recorded a 173% rise in cyber-fraud occurring on the mobile platform between 2013 and 2015.
Questions that should be asked about whether your mobile devices are leaving you open to data leakage include:
- Have you adequately secured your mobile device in case of loss or theft? Do you use a password? Does your device auto-lock if left unattended, requiring you to re-type your password to gain access? How long does it take before auto-lock engages?
- Who has access to the data you carry around on your phone or portable device?
- Can that equipment or the mechanisms that allow it to work be used to transmit sensitive data or create security breaches? Information transmitted over public Wi-Fi networks can be accessed by others, for example.
- Should it be required, can you remotely find or control the device to enforce security policies? That is, can you erase the data remotely?
Take home message:
- While it is convenient to use your personal devices to hold client information, be sure that you have the right authorisation (and security measures) to do so. If in doubt, keep work (including client information) on a separate device.
- Client information such as telephone numbers and addresses can inadvertently make their way onto your devices. Again, get the right authorisation! Ask yourself, do I really need to store this information here? If you don't, delete the information.
- Don’t let your personal device be the weak link. Be sure to keep your device up-to-date and secure. Install software patches promptly.
The human element:
People are usually the weakest link in cyber security, even if you operate as a sole practitioner. Attacks via social engineering (that is, attacks reliant on the human tendency to want to engage with others) are usually the simplest and most effective methods. More than 70% of almost 500 IT security experts polled by European security technology firm Balabit said they considered insider threats riskier than outside attacks. The survey also found that the most prevalent method of social engineering is the phishing email.
Questions you should be asking include:
- Are your staff aware of current scamming techniques, and do they know to be overly suspicious of offers or free technology that come into their possession?
- Is access to your data on a need-to-know basis, and is an "audit trail" of access available to you? Do your staff members understand the need to ensure that data, especially client information, is held securely?
- Is a policy firmly established internally to disseminate information about current threats and potential breaches?
Take home message:
- While all information is a potential target for cyber criminals, staff should understand the special category that client information falls within and therefore treat client information accordingly.
- Only through effective education and training can the issue of staff vulnerability be overcome.
Their data, your responsibility
Regardless of how you see it, data is rapidly becoming the most important commodity in the information age and its integrity is entrusted to us all. It is important to your and your clients’ success that all data can be verified as untampered and secured from any outside element.
It is part of every lawyer’s professional responsibility to keep their client’s data safe. If you feel that you don't or your practice doesn’t have an adequate understanding of how your data should be secured, or if you are not familiar with the technology or the types of questions you should be asking to gauge whether the data you hold is adequately secured, consider obtaining independent expert help as soon as possible.