ACC Survey Finds Data Security is Fastest-Growing Area of Concern for CLOs and Law Firms

22
Mar
2018

Matthew Gillis & Laurie Fischer

A new survey of nearly 1,300 Chief Legal Officers (CLOs) in 48 countries, conducted by the Association of Corporate Counsel (ACC), found that data breaches and the protection of corporate data is the fastest-growing area of concern among CLOs. Thirty-six percent of CLOs rated this issue as “extremely important” in the year ahead, compared with just 19 percent as recently as 2014.

These results from the ACC Chief Legal Officers 2018 Survey are a stark reminder of the reality that corporate data networks, websites and e-commerce platforms are under attack daily. The survey found that 27 percent of CLOs had experienced a data breach at their organizations within the past two years, an increase of four points since the 2017 survey.

Moreover, CLOs are coping with cyberattacks on larger scales. One study found that five “mega-breaches” last year were responsible for more than 72 percent of all data records exposed in 2017. This came during a year that smashed previous records for most data breaches worldwide, with a total of 5,207 publicly reported breaches and 7.89 billion information records compromised.

Data security is on the mind of every corporate executive — especially the CLO or GC — but unfortunately the risk exposure to the company does not stop within the boundaries of the enterprise networks and systems. In fact, some of their most sensitive data resides at any given time on their law firms’ networks as well. That data is a cyber-criminal’s dream target.

One of the most recent examples of how this exposure came back to haunt companies, executives and foreign governments was the 2017 “Paradise Papers” data security breach, a hack of a law firm network that revealed extremely damaging information about the firm’s clients and led to the initiation of government inquiries in multiple countries. This breach illustrated how cyber thieves will go to extraordinary lengths to hack law firm networks, compromise their security systems and access the treasure trove of confidential client information being stored.

In light of these risks and how high these stakes are for both CLOs and their law firms, it’s time to take stock. Although storing data outside of the law firm or corporate firewall used to be considered less secure than storing that data on-site, the truth today is that cloud providers and third party service providers often do a much better job of securing law firm and corporate data than the law firms and corporate IT shops themselves. Unlike four or five years ago, it is now far more secure to migrate your data to the cloud, where it can be hosted by skilled managed technology professionals in secure world-class data centers.

Instead of being stored directly on your firm’s network – or one of your employees’ personal devices – cloud-based data is stored on high-capacity servers operated by a cloud services provider and made accessible to your team members via the internet. If one server fails, the operation moves to another server maintained in the provider’s secure data centers, without downtime or business interruption. In addition to mitigating risk related to data security, cloud migration also allows legal professionals to more easily access their software applications, enables firms to reduce capital investment requirements for hardware, and eliminates concerns about network capacity, back-up and performance.

For firms that have the staff and expertise to manage the cloud migration on their own, one option is to move their systems into a “Colocation” data center facility. With colocation, the firm owns, uses and maintains its own equipment – they simply rent space from a data center and share the cost of physical security, power, cooling and network connectivity with other tenants.

For firms that want to avoid the capital outlay required to deploy their own IT infrastructure in a colocation facility, there are four primary options for cloud migration:

1. Vendor Cloud — The Software as a Service (SaaS) licensing and delivery model in which software is licensed to the law firm, and the software applications and related services are accessed via the internet and a web browser. There is no need for the firm to install and maintain the software, the applications run on the SaaS provider’s servers and the vendor is responsible for the security, performance and maintenance of the applications.
2. Private Cloud — The dedicated hosting of the law firm’s data and software applications at a specific data center operated by a cloud services provider. The firm’s IT is hosted on someone else's infrastructure in their data center, the service provider has few clients with strictly controlled access and deploys the logical security designed for the firm’s private environment.
3. Public Cloud — The law firm’s electronic information is hosted with a service that is available to the general public securely over the internet (e.g., Azure, AWS, Xi, etc.). Best-suited for firms with a high degree of technical expertise because it is a “Do it Yourself” (DIY) solution, the firm’s IT is hosted on someone else's infrastructure, but there are many clients with access to the cloud hosting environment and lots of “multi-tenancy” use.
4. Hybrid Cloud — The law firm has some data and applications stored in a private cloud and some in a public cloud. The service provider has orchestration and automation tools that allow them to control both environments, and firms can keep certain critical software applications and data folders on dedicated servers, while applications and data folders with fewer security concerns are available on a shared platform.

The bottom line is that it’s now time for law firms to trust the cloud more than they trust their own networks. The risks of data breach are simply too high and the consequences of a large-scale breach are too severe to roll the dice on your own firm IT infrastructure.