A spotlight on Law Firm Security
As the rest of the world and industries tighten their security, law firms are placed in the unenviable position of being viewed as the weakest link. So prevalent is this view that the FBI convened a meeting of the top 200 law firms in New York City to deal with the increase in cyber attacks on law firms. Clients who read the early February Bloomberg Businessweek article saw Mary Galligan, head of the cyber division in the New York City office of the U.S. Federal Bureau of Investigation, quoted as referring to law firms as “much, much easier quarry” for hackers. Alan Paller, director of research for the SANS Institute, had a four-part guest post on Forbes.com describing the hack of “a large law firm in New York.”
According to Paller, the British Security Service (MI-5) has an equally low opinion of law firm security: “Most law firms have very weak security, attorneys are often arrogant so they don’t pay attention to security notices and guidelines, and the important files relating to clients’ international activities are usually much easier to find in the law firms’ files than in the corporate files.” That same Bloomberg article quotes Mandiant, an information security company, as saying “it estimates that 80 major U.S. law firms were hacked last year.” As the General Counsel of a major corporation, all this just gives you those warm fuzzy feelings, doesn’t it?
Unfortunately, for far too many law firms, security *is* an afterthought. Law firm culture and attorney convenience undercut and compromise security. Some firms don’t truly understand what needs to be done. They make half-hearted attempts, get some “good enough” policies and such in place, and cross security off their to-do list. It seems at times that lawyers and law firm managers have to be dragged kicking and screaming into the world of electronic security. Why are law firms considered the weak link? Because even something as simple as stronger network passwords requires intense partner debate and discussion rather than simple acceptance. Remember the brouhaha over adding passwords to BlackBerrys back when they first came out? Few attorneys wanted to be burdened with the delay and inconvenience of entering a password to protect firm and client data. Here we are a decade or so later and, while we have made some progress, the last International Legal Technology Association (ILTA) survey I saw said that 26% of law firms still didn’t require simple passwords on wireless email devices. It is shocking to me, when I think of the proliferation of mobile email (now 92% of attorneys), all the advanced and varied connections, and the increased storage today’s smartphones have, and therefore how much additional client information is directly accessible from or physically stored on them, that more than a quarter of the law firms surveyed aren’t providing the most minimal of protection.
In fact, one could argue that the entire ILTA Technology Survey, which is by far the best and most comprehensive survey of its type available, reflects what the industry historically and currently thinks of security through the paucity of its security questions. Looking through the ILTA question concerning what security measures respondents have in place, the numbers paint an abysmal picture for law firms:
Email is the default tool for many firms. In the spirit of the adage of the “law of the instrument,” email is Maslow’s Hammer. While large-file transfer is briefly mentioned (under a cloud computing question), nowhere does the survey directly ask how much confidential information is inappropriately communicated through email. Reading between the lines, I would guess that between 20% and 24% of law firms have addressed that issue. But as prolific as email is, some of these solutions can get lost. A few months back I was involved in a sensitive large-file transfer from a top US law firm, and I was horrified at how it was handled. Multiple emails later, with duplicative attachments, some attachments zipped, some not (and some both), I wasn’t sure what I had been sent. I finally had to write the sender back with my own file inventory to make sure I had all the documents and images I was supposed to have. How was this data that exited the firm recorded or logged? Honestly, I doubt it was. Was there no tool in place for this person to use? Had it been addressed by a tool that they had forgotten about? It was clear the firm didn’t have a tool like Biscom in place that would automatically take over, enforce the firm’s policies, and provide detailed logs for them.
The survey doesn’t address firms that relaxed their security standards in the face of attorney desire to use consumer technology. I won’t argue the point that IT needs to be more flexible and responsive to users’ needs, but IT is still responsible for electronic business controls. Some seem to have forgotten this fact. As a colleague recently said to me, “And the first time there is a breach or loss of data caused by these mobile/consumer devices, what will you say to your client? To your insurance broker? To the NY Times?” I personally have issues with the idea of using Dropbox for confidential client information. I don’t have issues with Dropbox per se (I have a personal account), but I think they make an excellent poster child for today’s consumer technology. The fact that so many legal software tools have chosen to integrate with Dropbox amazes me. I’ve been told that “it’s no worse than unencrypted email.” That it is “simple, understandable, and it just works.” Well, those are great examples of “good enough” thinking that just isn’t. I’m thinking I need to write a follow-up post entitled “What’s Your Dropbox Policy?” that goes into this particular aspect more closely.
Not one to be totally negative, I can turn all those statistics upside down and say there is a small percentage of law firms that do seem to get the importance of security, that have the right attitude, and that are truly doing enough. So how do you get your firm into this minority?
Lastly, let me leave you with three of my favorite security maxims:
Who was it that said, “Just because you’re paranoid doesn’t mean they aren’t out to get you”? Could be they were right.
Copyright © 2019 Legal IT Professionals. All Rights Reserved.