PRO Partners

When Good Enough - Isn’t

Jeffrey BrandtA spotlight on Law Firm Security

As the rest of the world and industries tighten their security, it places law firms in the unenviable position of being viewed as the weakest link.  So prevalent is the view, that the FBI convened a meeting of the top 200 law firms in New York City to deal with the increase in law firm cyber attacks.  Clients, who read the early February Bloomsberg Businessweek article, saw Mary Galligan, head of the cyber division in the New York City office of the U.S. Federal Bureau of Investigation quoted as referring to law firms as “much, much easier quarry,” for hackers.  Alan Paller, director of research for the SANS Institute, had a four-part guest post on describing the hack of “a large law firm in New York.”

According to Paller the British Security Service (MI-5) has an equally low opinion of law firm security, “Most law firms have very weak security, attorneys are often arrogant so they don’t pay attention to security notices and guidelines, and the important files relating to clients’ international activities are usually much easier to find in the law firms’ files than in the corporate files.”  That same Bloomsberg article quotes Mandiant, an information security company, as saying, “it estimates that 80 major U.S. law firms were hacked last year.”  As the General Counsel of a major corporation, all this just gives you those warm fuzzy feelings doesn’t it?

Unfortunately, for far too many law firms, security *is* an afterthought.  Law firm culture and attorney convenience undercut and compromise security.  Some firms don’t truly understand what needs to be done.  They make half hearted attempts; get some good enough policies and such in place and cross security off their ToDo list. It seems at times that lawyers and law firm managers have to be dragged kicking and screaming into the world of electronic security.  Why are law firms considered the weak link?  Because even something as simple as enhanced network passwords requires intense partner debate and discussion rather than simple acceptance.  Remember the brouhaha over adding passwords to BlackBerrys back when they first came out?  Few attorneys wanted to be burdened with the delay and inconvenience of entering a password to protect firm and client data.  Here we are a decade or so later and, while we have made some progress, the last International Legal Technology Association (ILTA) survey I saw said that 26% of law firms still didn’t require simple passwords on wireless email devices.  It is shocking to me when I think of the proliferation of mobile email (now 92% of attorneys), all the advanced and varied connections, and the increased storage today’s smart phones have, and therefore how much additional client information is directly accessible or physically stored on them, that more than a quarter of the law firms surveyed aren’t providing the most minimum of protection.

Hacked!In fact one could argue the entire ILTA Technology Survey, which is by far the best and most comprehensive survey of its type available, reflects what the industry historically and currently thinks of security by the paucity of survey questions.  Looking through the ILTA question concerning what security measures respondents have in place, the numbers paint an abysmal picture for law firms:

  • 86% do not use or require two factor identification
  • 78% do not issue encrypted USB drives
  • 76% do not automatically encrypt content-based emails
  • 58% do not encrypt laptops
  • 87% do not employ any laptop tracking technology
  • 61% have no intrusion detection tools
  • 64% have no intrusion prevention tools
  • All those new iPhones and Android smart phones that have been added to law firm technology arsenals?  94% don’t bother to track them.

Email is the default tool for many firms.  In the adage of the “law of the instrument,” email is Maslow’s Hammer.  While large-file transfer is briefly mentioned (under a cloud computing question) nowhere does it directly question how much confidential information is inappropriately communicated through email.  Reading between the lines, I would guess that between 20% and 24% of law firms have addressed that issue.  But as prolific as email is, some of these solutions can get lost.   A few months back I was involved in a sensitive large file transfer from a top US law firm, and I was horrified at how it was handled.  Multiple emails later with duplicative attachments, some attachments ZIPed, some not (and some both) I wasn’t sure what I had been sent.  I finally had to write the sender back with my own file inventory to make sure I had all the documents and images I was supposed to have.  How was this data that exited the firm recorded or logged?  Honestly, I doubt it was.  Was there no tool in place for this person to use?  Had it been addressed by a tool that they had forgotten about?  It was clear the firm didn’t have a tool like Biscom in place that would automatically take over, enforce the firm’s policies and provide detailed logs for them.

The survey doesn’t address firms who relaxed their security standards in the face of attorney desire to use consumer technology.  I won’t argue the point that IT needs to be more flexible and responsive to users’ needs, but IT is still responsible for the electronic business control.  Some seem to have forgotten this fact.  As a colleague recently said to me, “And the first time there is a breach or loss of data caused by these mobile/consumer devices, what will you say to your client? To your insurance broker? To the NY Times?”  I personally have issues with the idea of using DropBox for confidential client information.  I don’t have issues with DropBox per say (I have a personal account), but I think they make an excellent poster child for today’s consumer technology.  The fact that so many legal software tools have chosen to integrate with DropBox amazes me.  I’ve been told that “it’s no worse than unencrypted email.” That it is “simple, understandable, and it just works.”   Well those are great examples of “good enough” thinking that just isn’t.  I’m thinking I need to write a follow up post entitled “What’s Your DropBox Policy?” that goes into this particular aspect more closely.

Not one to be totally negative, I can turn all those statistics upside down and say there is  a small percentage of law firms who do seem to get the importance of security, who have the right attitude and who are truly doing enough.  So how do you get your firm into this minority?

  • As with any significant and potentially unpopular initiative, you need support and sponsorship from the very top of your organization.  The managing partner, the technology committee, the department chairs, key rainmakers, whoever they might be in your firm culture, they need to be fully invested in the importance of security.
  • Establish a dialog with the ethics czar, compliance officer, or general counsel for your firm.  Take the time to educate them on the advances in technology: the good the bad and the ugly.  In turn get them to educate you on the American Bar Association’s Model Rules of Professional Conduct (or the Law Society, or whatever jurisdictional agency is applicable).  Keep current on the rulings and such that are impacted by the use (or non-use) of technology.
  • Create an appropriate set of governance and security policies and establish the mechanisms to monitor and enforce them.
  • Invest heavily in user education, training and cultural shift.  I know what an uphill battle training lawyers can be.  But it must be done.  Not only do they need to be trained in the mechanics of the tools but in the social media approaches used by hackers to obtain access information.
  • Hire a chief security officer.  A few firms now have a CSO.  Other firms have dedicated security resources inside the IT team.  If your organizational structure can’t handle internal resources, use outside resources to accomplish this goal.
  • Conduct annual security audits.  Security is not a Ronco Rotisserie where you can “Set it and forget it.”  Have your review conducted by a reputable, external group, so that you can double check your own processes and policies and further your security education.

Lastly let me leave you with three of my favorite security maxims:

  • The Infinity Maxim - There are an unlimited number of security vulnerabilities for a given security device, system, or program, most of which will never be discovered (by the good guys or bad guys).
  • The Be Afraid, Be Very Afraid Maxim - If you’re not running scared, you have bad security or a bad security product.
  • The Blind-Sided Maxim - Organizations will usually be totally unprepared for the security implications of new technology, and the first impulse will be to try to mindlessly ban it.

Who was it that said, “Just because you’re paranoid doesn’t mean they aren’t out to get you?”  Could be they were right.



Copyright © 2023 Legal IT Professionals. All Rights Reserved.

Our Newsletter
All the legaltech headlines in your mailbox once a week? Sign-up now! 

Media Partnerships

We offer organizers of legal IT seminars, events and conferences a unique marketing and promotion opportunity. Legal IT Professionals has been selected official media partner for many events.

development by