Before you hand over your most critical data to your legal representatives, make sure their security is at least as good as yours.
More years ago than I like to remember -- in days when not everyone had a computer on his or her desk -- I worked in the litigation department of a law firm representing a major multi-national. The client was highly concerned about the confidentiality of the huge volume of documents it was obliged to hand over to attorneys for review.
This client cared about its data. Its head of security was the former chief of staff intelligence and security for the British armed forces. He was an impressive man. I know. I was vetted by him.
What electronic data there was back then was on computer disks. We protected the client's information using locked doors and alarms (and we did have one break-in, but the thieves were looking for tangible valuables, not intellectual property). When we eventually started scanning documents, access to the database required an RSA-style token as well as passwords.
Times change, and with the advent of e-discovery, enterprises are increasingly handing over data in electronic form to their legal counsel. Of course, there are many efficiencies in handling data digitally. There are also many new risks. For example, law firm databases may be easier to hack than law firm offices. Indeed, the security vendor Mandiant estimated that 80 major US law firms were hacked in 2011.
A familiar combination of social engineering and hacking resulted in a major theft from a Canadian law firm's trust account just last month.
If it's the case that law firms are less stringent about data security than enterprises, the reasons are partly psychological and partly cultural. That's what Alon Israely, manager of strategic partnerships at BIA, told me when I spoke with him last week. Law firms are steeped in the tradition that much of what they do is protected by attorney-client privilege. They're also slow to bring new technology on board.
Indeed, he said, "law firms are notorious for not having the same standards and protocol for data security" as private enterprise. When he spoke about law firms handing out key card access to supposedly trusted vendors, uploading critical data to laptops (which then get lost), and leaving hard drives on desks and documents in printers, it was all very familiar to me from my time in law offices.
"Information security, for law firms," he said, "is not an easy thing, although the basic, foundational rules and guidelines are the same everywhere."
It's not uncommon for businesses to find themselves trusting their data "crown jewels" (intellectual property, for example) to the custody of counsel. Thieves and hackers know this. What do you need to do to ensure that your law firm is up to protecting your information?
Here's Israely's checklist of best-practices:
- Make sure the law firm has data security policies in place; for example, whether it holds client data on the corporate network or elsewhere. (Does it upload the data to laptops, for example, or allow it to be attached to emails?)
- Security policies don't necessarily go hand-in-hand with training. Ask if there's a security awareness program, for non-legal staff as well as attorneys.
- Find out if someone at the firm has overall responsibility for security -- not a CISO necessarily, but someone with an understanding of the challenges.
- Make sure the firm is prepared to work alongside you and shares a similar culture when it comes to security and data privacy.
- Investigate whether your attorneys make use of external vendors, for example for discovery purposes. External vendors sometimes have superior security.
The bottom line is simple. Your information shouldn't be more vulnerable to theft just because it's in the custody of your attorneys. For your counsel, it should be a matter of due diligence, but at the end of the day, it's up to you to make sure its security culture meets your expectations.
— Kim Davis , Community Editor, Internet Evolution