Advances in information technology have greatly enhanced the ability of corporate counsel to communicate quickly on legal matters, both internally and with outside counsel. E-mail, intranets, extranets and specialty applications such as case management, litigation support and document management allow in-house counsel to collaborate and stay in touch. However, these gains in the ability to communicate and collaborate bring added security threats with them. In testimony before the House Subcommittee on Government Management, Information and Technology, Mark Rasch, senior vice president and legal counsel for Global Integrity Corp., testified to the following:

- External malicious attacks on computer systems increased 43 percent from 1977 to 1999.
- Theft of proprietary information and intellectual property has increased 15 percent since 1998.
- Insider abuse of the Internet (i.e., e-trading, pornography, e-mail abuse) has increased 17 percent since 1998.
- System penetration by external parties has increased 32 percent from 1998.
- The Melissa virus cost U.S. businesses $75 million.
- Virus damage in the first two quarters of 1999 exceeded $7 billion. [FOOTNOTE 1]

In light of these frightening statistics, what kinds of security measures are needed to protect the data of corporate counsel? While all information security should be implemented in relation to the nature of the threat, some of the most common-sense security measures can be the most effective. Maintaining adequate access control and ensuring that all software patches and updates are applied addresses many system vulnerabilities. Two of the most serious mistakes management makes regarding information security are relying solely on technology to solve the problem and failing to properly train users. Developing a risk management plan and implementing security policies and procedures may be more labor-intensive than purchasing the newest security software, but it may be the better value.

MAKE SECURITY NEEDS KNOWN

Risk management is "the process concerned with the identification, measurement, control and minimization of security risks in information systems to a level commensurate with the value of the assets protected." [FOOTNOTE 2] The most important asset in any organization is its data, and the sensitive data used by corporate legal departments and law firms require adequate protection. Lawyers have a fiduciary duty and contractual obligation to protect client legal information. A failure to ensure its confidentiality can result in legal and economic repercussions. Given that the most important asset to a lawyer is the client's information, he or she has an obligation to communicate the gravity of that responsibility to his or her system administrator and IT management and to request that an appropriate course of action be taken.

Ascertaining risk is a complex process that requires a holistic approach. A major part of developing a risk management plan is identifying and understanding what systems and data need protection. By conducting a risk assessment, IT management can assess your system's vulnerabilities and develop risk mitigation solutions. Even if your company has developed a detailed information security plan, it is in your best interest to inquire whether it accounts for the specialized needs of your legal department. Legal departments deal with a company's most sensitive data on a daily basis. Sensitive corporate information is routinely created, accessed, exchanged and distributed to internal and external sources. Management regularly distributes memos to internal staff and exchanges sensitive memoranda with in-house counsel. In-house counsel transmits information to outside counsel.

Determining the criticality and sensitivity of data is one of the first steps in performing a risk assessment. If you're not sure how your data are being protected, you need to find out what is being done to keep them secure. Contact your information security officer and chief information officer and discuss with them the importance of securing your data.

BE AWARE OF SECURITY ISSUES AND TRAIN USERS ACCORDINGLY

Two of the most effective tools for ensuring security are security training and awareness. Users need to be constantly reminded about the threats associated with the use of technology. Posters, flash screens, handouts and other informational tools, distributed to all users, can help keep users aware of security risks. Moreover, information security training classes should be provided for all new employees so that they are aware of organizational policies and procedures, including the system "rules of behavior." Each newly trained user should sign an acknowledgement at the completion of training, indicating acceptance of their responsibility for maintaining the policies and procedures that accompany the use of corporate systems, and of the consequences of failing to use the systems properly and follow the rules of behavior.

Furthermore, when implementing new security technology solutions, be sure users receive proper training. For example, the newest technological solution for maintaining secure communications is encryption software. Many corporate legal departments have begun using encryption software to communicate with co-counsel and outside counsel. However, encryption software is complex and involves using public keys and private keys, which can be confusing. End users who are not properly trained to use such software can easily get frustrated and fail to use it properly, or not use it at all.

COVER THE BASICS

There are a number of high-tech solutions in the marketplace to protect your confidential data. Each one touts that it will provide total security, so where does one start? The implementation of rules of behavior, security policies and procedures is the foundation of a security architecture and the most inexpensive method of securing data. Therefore, consider the following:

- Establish a password policy for your network operating systems that requires an eight-character password consisting of a combination of upper- and lower-case letters, numbers and random characters.
- Develop a policy of changing passwords at least every 90 days.
- Train users to keep their password in a safe, secure place.
- Implement anti-virus software.
- Download software patches and updates routinely on all servers, workstations, laptops and PDAs.
- Develop a clean-desk policy.
- Secure all sensitive hard-copy data in locked file cabinets.
- Set and use authentication in applications such as document management and case management.
- Establish policies and set privileges for system access that are directly relevant to an employee's duties.
- Assign supervisory rights to as few people as possible.
- Make sure your critical applications are backed up regularly and that the application software and backup tapes are stored in a safe location off site.

EXTERNAL CONNECTIONS

Be aware that every external connection can be an invitation to a hacker. In the corporate legal field, a common trend is to use an Internet connection or other public telecommunications link to collaborate with outside counsel via an extranet. An extranet is a Web site accessed with a special URL over public telecommunications lines, like any other site on the Internet. Using an extranet, in-house counsel and their law firms can post documents for review and editing, exchange ideas via "chat" functionality and threaded discussion, post billing information or important calendar dates for a particular matter, and perform other useful functions. Clearly, much sensitive data can be found on an extranet, and it should be adequately protected. Whether the extranet is hosted inside the walls of the law firm or by a commercial third party, you should be sure that:

- The extranet has proper authentication procedures that allow only authorized people access and keep others out.
- Commercially reputable firewalls, properly configured for your environment, are used; look for evidence that the firewall software is updated and patched on a regular basis.
- The Web server software is properly installed to support only your approved functions, and the extranet it resides on is updated regularly to patch any programming "holes" that have been discovered.
- Access to data is limited on a need-to-know basis, both within the corporate environment and at any third-party company operating the extranet.
- Your service providers do not allow access to your client's data.

If you communicate with your outside counsel through an external connection, you must take reasonable measures to ensure that they, too, have implemented appropriate security policies and procedures. Before you allow anyone connectivity to your system, establish your security policies for external connectivity and require their agreement to comply with them prior to establishing the connection. Getting a signed memorandum of understanding regarding security policies and procedures with every outside firm to which you connect puts everyone on notice regarding accepted security practices and gives your organization a little more security.

MAKE IT A PRIORITY

Finally, it's important to remember that protecting your data should become your priority. Corporate counsel must get involved in ensuring their data are secure. The development of security policies should not be a foreign concept. All corporate legal departments should have well-developed policies and procedures for ensuring that their offices are properly secured. Additionally, all legal departments have policies to ensure that legal personnel hired meet certain professional standards. Most attorneys accept that state bars require continuing legal education. The development of security awareness training, policies and procedures for ensuring corporate data are protected should become a priority as well.

Sandra L. Brown is an information assurance analyst with Fairfax, Va.-based SRA International Inc., an information technology firm that provides systems integration and consulting services and solutions. Tim Kenney is a consultant in the Legal Services Consulting Division of SRA International, Inc.

FOOTNOTES

FN1. http://www.house.gov/reform/gmit/hearings/2000hearings/000309.compsec/000309mr.htm

FN2. National Information Systems Security Glossary, NSTISSI No. 4009.


Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.