Posted by Dan Bindman, associate editor, Legal Futures
When in-house IT experts bang on about data security and the ingenious strategies hackers are deploying to hack into law firm computer systems, most partners groan inwardly and wait for the inevitable request for funds.
The question of where to draw the line on IT security spending is a tricky one and there are no easy answers. As a general rule of thumb, a pinch of scepticism seems prudent about whatever spend the IT department deems essential – let us not forget the prolonged hysteria over the Millennium software bug, which was far from the existential threat to law firms the IT geeks claimed it would be.
But, and of course there is a ‘but’, data security is something that no conscientious managing partner can afford to drop the ball on, however suspicious they are of empire-building techies. There are clearly well-organised criminals and even – it is alleged – foreign governments looking to obtain advantage from stealing corporate data. While corporations nowadays focus resources on ensuring data security, if their lawyers are less diligent they could inadvertently allow access to the same digital treasure by the back door, the argument goes.
Of course, there are lots of reasons why firms might already be taking data security seriously, not least because corporate clients demand it. There is the duty of care owed to any client, plus legislative requirements, both European and domestic, and the Solicitors Regulation Authority’s (SRA) code of conduct. Lurking behind each decision on software and firm-wide data strategy is the fear of reputational damage.
This last constraint on data security carelessness – fear of negative publicity – is also said to be the culprit for widespread under-reporting of ‘cyber incidents’ by its victims. So much so that the European Commission has just finished consulting on whether to make security breach reporting mandatory.
Protecting your data is much like safeguarding any other kind of property, IT consultant Seth Berman told a session on emerging trends at the SRA’s recent international conference of legal regulators. If you have a security guard in your firm’s lobby, less “bad stuff” happens to you than, for instance, a neighbouring firm without a guard.
Mr Berman, who is executive managing director of digital risk management consultants Stroz Friedberg LLC, is no doomsayer peddling cyber fear to boost his profits. He is a former US federal prosecutor specialising in computer crimes and was also a partner at 1,000-lawyer US-based global law firm McDermott Will & Emery. So when he says law firms spend too little on IT security, it is worth hearing him out.
Law firms are particular targets of hackers and fraudsters, he says. Partnerships are reluctant to pay for IT infrastructure because the money comes from partners’ pockets and partners have a tendency to ignore rules set down by their colleagues – such as the firm’s IT security policies.
Another vulnerability comes from the large amount of biographical and contact information lawyers publish openly, leaving them open to data “phishing” attacks by hackers – including so-called “spear phishing” which is a sophisticated attack targeted at specific groups of people. An example of this scam is an e-mail purporting to be from an old friend, with an attachment containing a virus which, if opened, will allow hackers access to the firm’s internal systems. Tests to find out how susceptible law firm employees are to this sort of approach reveal an alarming level of gullibility, Mr Berman says.
Further law firm weaknesses, or attractions from a hacker’s perspective, are that a lawyer’s working lifestyle involves long hours and a lot of remote working, meaning more opportunity for confidential materials to suffer a data breach. Also, it is often widely known who a firm’s clients are; in the case of litigation it is often a matter of public record.
From a regulator’s point of view the speed of technology development makes it difficult to prescribe standards for data security on anything other than an outcomes-focused basis. But the problem of defining a minimum industry standard for law firms is not insurmountable, Mr Berman says. He further argues for regulators requiring periodic external audits of data security, looking at things such as firewalls, the firm’s ‘bring your own device’ policy (smartphones etc), and whether the data on lawyers’ laptops are encrypted.
Surprisingly, perhaps, he says cloud computing doesn’t present a particular security risk. Where data is stored is not so much the issue; most breaches occur at the point where data is accessed. This might come as relief to some regulators, for whom the presence of law firm data ‘in the cloud’ seems to symbolise the way virtual law firms present risks that terrestrial firms do not – even those whose confidential data is stored offshore.
In the absence of having to comply with a regulatory directive, keeping on top of cyber-threats remains down to the law firms themselves for now. Which brings us back to the funding question. The dilemma of how to determine the correct spend was encapsulated at the SRA conference, when the authority’s chairman, former Herbert Smith partner Charles Plant, questioned the premise that law firms’ investment in IT security was inadequate and suggested the opposite was often true.
Mr Berman responded: “I have no doubt they think they spend a lot of money on IT. I don’t think they spend enough money on IT and I think one of the reasons they don’t spend enough money is that they think they spend too much”.