Law firms have often been described as the “soft underbelly” of cyber security or the “path of least resistance to steal sensitive client information,” as one Canadian forensic expert put it. Down south, the U.S. Federal Bureau of Investigation went so far as to warn law firms that they are not doing enough to guard against cybercrime.
Here, the situation is more of the same. “A lot of people in the legal community are coming around to cyber risk but there definitely needs to be increased awareness regarding cyber threats that law offices face,” says Kevvie Fowler, a partner and one of Canada’s leading forensic experts with KPMG LLP (Canada).
Data breaches have become expensive. American companies hit by data breaches spent an average of $5.5 million last year to cope with the after-effects, up 9 per cent from the year before, according to a study published by Ponemon Institute, a U.S.-based research centre dedicated to privacy, data protection and information security policy. On average, it cost $201 per record lost, up from $188 the year before, mainly because of “the loss of customers following the data breach due to additional expenses required to preserve the organization’s brand and reputation,” according to the “2014 Cost of Data Breach Study: United States.”
Keeping data safe is increasingly becoming an ongoing business priority for law firms. Data security is a combination of four elements: people, policies, practices and technology, points out Kelly Friedman, an expert in electronic information issues with Davis LLP. Here are some tips from the experts.
- It’s a management issue, not just an Information Technology (IT) issue. Technology is important: a good anti-malware program is a must, as is continuously updating software programs and having technological mechanisms to monitor and detect unusual network behavior. But management has to be on top of things. “This has to come from the top-level of the organization,” says Fowler. “Ultimately, they are accountable.” Indeed, executives are now beginning to pay the price for data breaches. Take Gregg Steinhafel. Earlier this year, Target’s CEO resigned after the widespread data breach that saw hackers steal personal data and credit card information from millions of customers.
- Create a culture of security. Astonishingly, passwords written on sticky notes posted by the computer can still be found within law firms. That’s why awareness and training are key. “Make sure that everyone understands that what we do at a law firm is confidential in the same way we train people not to talk in elevators about client matters,” says Ryan Black, IT co-chair at McMillan LLP.
- Establish a good security team. It is a misconception that the IT department can deal with security issues all on its own. “It’s simply not fair to them because that was not what they were trained to do or hired to do,” notes Friedman. Consider hiring security professionals.
- Conduct a security assessment. In order to protect sensitive data, you need to have an understanding of what is considered to be sensitive data and where it resides. What’s more, a growing number of clients are demanding that law firms be up to snuff in terms of security. “Clients are asking us to commit to certain things when we submit a proposal to work for them or when they retain us as clients,” says Black.
- Implement solid security policies. Finding the balance between ease of use and security is a struggle and can be daunting. There are many industry, national, and international IT security standards that have been developed to give guidance on information systems management and security. The Payment Card Industry Data Security Standard is worth considering, as are the standards of the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC).
- Test, test, and test. The technological landscape is in a continuous state of flux. Test policies and procedures. If a solid culture of security has been implemented, then “as the new technologies arise, you can quickly adapt to it,” says Black.
This story was originally published in the magazine Canadian Lawyer.