Editor’s note: This is the second installment in a series on law firms’ efforts to secure client data. Previous article
From kill commands and encryption codes to government espionage and foreign hackers, law firm life is beginning to resemble the plot line of a spy thriller.
Law firms’ efforts to protect client data from breaches may be less dramatic than a typical Hollywood blockbuster, but they entail complex productions when it comes to ensuring the physical and cyber security of their clients’ information.
And while those in IT say the threats from hackers in places such as China or Russia are real, the biggest threat to a law firm’s information security comes from its own employees.
“The single biggest threat still is people inadvertently bringing down a virus from outside or through a phishing scheme. … That’s where the training gets critical,” Reed Smith Chief Information Officer Gary Becker said. “You can never tell your workforce enough ‘don’t do this’ or ‘don’t do that.’”
So for Reed Smith and many other firms, the first step in data protection is having a current, active information security policy that is explained clearly and often to every person employed by the law firm.
As many who spoke to The Legal noted, firms are in the midst of a balancing act between protecting data on one hand and running an efficient business that doesn’t resemble what one person referred to as a “police state.”
John F. Mullen, chair of Lewis Brisbois Bisgaard & Smith’s data privacy and network security practice, said law firms’ security policies are useless if they aren’t being enforced. He said firms are vulnerable to a data breach from three main areas: an employee who downloads a virus or mistakenly leaves an unencrypted laptop in a taxi, for example; the law firm’s vendors who have access to client information getting breached; or foreign hackers looking to get information from firms working on major business deals or IP matters.
Mullen said some firms will say they are immune to threats from foreign hackers because they aren’t working on deals any hacker would care about. But Mullen said that is a mistake because some viruses don’t seek out a certain firm, but rather any company that has a certain type of software.
Scott Vernick, a Fox Rothschild partner whose practice focuses on data security issues, said law firms need to think of themselves as any other business when it comes to security threats.
“To a certain extent, we’ve always been highly mindful of the confidential nature of client data, but I don’t know that that’s translated completely to the thinking that we are just like any other business and so we have to think about data security like any other business,” Vernick said.
Blank Rome has been thinking about this issue, and hired in August a director of information security to develop and run a security management program for the firm.
Robert Weaver, Blank Rome’s new director of information security, said most programs that follow a standardized method will hit all of a typical client’s needs.
“Having said that, law firms have the very unique challenge of having a variety of clients with a variety of needs,” Weaver said. “So you can’t create a one-size-fits-all program and apply it to an entire firm. That’s the challenge of doing what’s right for everybody and enabling the firm to operate in an effective and efficient manner.”
Firms Don’t Want to Be ‘Police State’
One of the latest debates on how law firms protect client data is whether firm employees should be allowed to access personal email that operate on Web-based platforms, such as Gmail or Yahoo. Some firms have banned access to such accounts from firm devices while other firms have implemented technology to protect what information is sent through those email accounts.
Becker said that issue has become a big point of discussion. Reed Smith hasn’t blocked email accounts.
“What we’re trying to do is walk that very fine line,” Becker said. “We don’t want to be punitive in our approach, but we do have to put technology and protections in place that prohibit use of such Web-based systems for confidential information.”
For all outbound information, Reed Smith tracks the source as far as what client file and matter the document is coming from. Alerts are generated when the information is confidential, he said.
“Without becoming a police state, you are trying to review and watch everything going out of your environment,” Becker said.
Weaver said personal email access is an issue that comes up from clients. With the ubiquitousness of personal mobile devices, Weaver questioned whether employees had to use firm computers to access personal email.
“I don’t know how much longer that debate will last,” Weaver said. “I don’t think regulated industries will back down on that. They were regulated to stop that a long time ago.”
Remote Access Increases Risk
The more offices a law firm has, the more spread out its data and the more touch points there are for a breach. The problem is compounded by the growing use of remote access and employees using their own devices to access firm data.
Becker noted that the law firm’s business continuity plan, created in 2005 to protect the firm against data loss in the event of a disaster, has helped in the protection of client data from cyberthreats. Becker said storing information in a cloud-based system or on an off-site server has taken data out of local offices.
Other ways to secure remote access is by creating strong passwords that change every 90 days, Becker said. His firm also requires a two-factor authentication for remote access, meaning a password is needed and then a code generator is used. That generator, which can be a key fob an attorney carries or an app on a mobile device, generates a new code every 30 seconds.
Reed Smith has installed mobile data management programs on its mobile devices, allowing the firm to issue a “kill command” when a device is lost. The command wipes the device clean. When employees log on remotely, certain functions are disabled, Becker said. In order to prevent “data leakage,” remote users can’t print certain documents that could then be easily printed and thrown in the trash without being shredded. They also can’t save documents to local drives.
“Our financial services clients have these standards and that’s what they expect of us,” Becker said.
Weaver noted international travel as another area where companies of any type are taking precautions. Travelers need to think about what information and technology they are taking with them overseas and the networks they are connecting to overseas. They also need to consider what they are bringing back from their travels and plugging into their networks in the United States, he said.
Other Security Measures
Managing vendors is a key aspect of data security, Weaver said, noting it was a Target vendor that caused the retail company’s data breach late last year. Weaver said it is a “core demand” of clients for the law firms to manage the data security of law firm vendors.
“It’s definitely a new way of doing business from … [a] due diligence perspective,” Weaver said.
Weaver said most firms are doing the basic blocking and tackling, using antivirus software and firewalls to protect their networks. Vernick noted there was some discussion in recent years about whether videoconferencing opened up firms to a potential breach. He said his firm doesn’t use a Web-based system for that, but rather goes through its firewall-protected network.
Physical security can be just as important as cybersecurity. Becker said a badge is needed to get into every access point of every office. Firms need to manage access to their offices because confidential documents could be sitting on attorney desks and on printers. Reed Smith’s data centers, though hosted by a third party, have cameras monitoring the sites at all times, as do the firm’s data communication closets in Reed Smith offices, Becker said.
To ensure as best it can the security measures are working, Reed Smith hires a company to conduct third-party security audits.
“We pay them to try to hack into us and to show us where we have any gaps in our security programs and policies,” Becker said.
From protecting USB devices firm employees use to what websites they can access, the issues for law firm security specialists are varied and growing.
“Our challenge … [is] what are the risks of allowing those things,” Weaver said. “Is there a business value to this function that you are allowing and weigh that against the risk.”
The next part of the series will examine whether firms should have cyberinsurance.