Comment: Are Law Firms Playing Fast and Loose With Sensitive Client Data?

With cyber crime on the perpetual rise, Mark Edge (pictured), UK Country Manager for Brainloop, examines just how much risk some firms are taking with sensitive information exchange and identifies four key measures to ensure security and ethical compliance. You can meet Brainloop at next week’s Inside Legal IT Expo in London.
As in so many other sectors, the unstoppable rise of the Internet has fundamentally changed the way the legal industry operates. Today’s legal professionals not only need to be fluent in the language of the law, but they also have to be more digitally savvy than ever if communication confidentiality and customer security are to be maintained. However, while electronic communications such as email have become the norm in nearly every business sector around the world, many methods are inherently insecure and ethically suspect, which can have far greater ramifications for law firms than they might realise.
Emails sent through popular office platforms like Outlook are often unencrypted, meaning that once a user hits “send,” the content within the communication crosses a number of servers and can be viewed by several third-party and unintended recipients. While this may not seem like a concern when simply saying hello, confirming meetings or marketing to prospects, it becomes a major vulnerability when exchanging sensitive or confidential legal information, including contracts, invoices, personal records, and advice. Emails can not only put client data and communication at risk, but will also be increasingly viewed in court and by ethical panels as open, and therefore unprotected, communications.
The scale of sensitive data ending up in the wrong hands is a growing issue. Recent figures revealed the Information Commissioner’s Office investigated 173 law firms for potential data breaches in 2014[1]. In total, 187 incidents were recorded: 29 percent related to security and 26 percent to incorrect disclosure of data.
Many legal bodies such as The Bar Council now clearly state in their guidelines that extra security steps should be agreed with clients and put in place before using email to transmit any sensitive information. However, in reality this is often overlooked for the sake of ease and convenience. Email is here to stay, but as the rules governing electronic communications in the legal sector continue to evolve and tighten, the reality is that it must change to become more secure.
So, what can law firms and clients do to ensure digital correspondence containing sensitive information remains secure and adheres to the legal industry’s ethical principles? These guidelines are a good place to start:
Examine firm policy relating to electronic data (and amend it where necessary).
Create new or update existing policies governing the law firm’s electronic data. Ensure the list of policies covers everything from specific rules when sending emails to the inadvertent production of privileged documents. Regularly discuss these policies with employees through training seminars and make sure they are reviewed on an ongoing basis.
Standardise encryption throughout the organisation.
Ensure all employees are sending encrypted emails. At a basic level, this might be as simple as amending “settings” in the company email application. But for additional security and convenience, firms can implement tools that seamlessly integrate with Outlook, ensuring all digital communications (both in the body of emails and attachments) are encrypted as standard, without any additional action required from the user.
Where necessary, consider investing in confidential collaboration platforms.
Sometimes, encryption simply isn’t enough when handling critical client data. Law firms naturally want to benefit from the new online collaboration platforms available today, but they cannot afford security compromises. Clients quite rightly expect full protection of their sensitive information in accordance with national data protection laws. However, it is possible to fulfil all requirements without compromising productivity. By investing in confidential collaboration platforms, such as secure data rooms, efficient collaboration can be achieved, while all digital files – be they emails or documents – remain fully protected at all times. Collaboration platforms also automatically record all actions undertaken by those using them, providing a full audit trail and ensuring industry compliance.
Stay ahead of the curve – anticipate (and accommodate) changes.
With cyber attacks making daily headlines and news of key global figures such as Hillary Clinton turning to personal email to manage work-related tasks, legal professionals must take it upon themselves to stay up to speed on industry news, especially relating to information security. If an IT department or CSO is available within a law firm, regularly check in to ensure the firm is adhering to cyber safety protocols. Staying abreast of ever-changing industry ethics requirements is a key factor in ensuring end-to-end compliance and complete peace of mind.
While each law firm has a unique way of operating, the guidelines above should be implemented throughout the industry as a whole, establishing a new standard for maximum security and ethical compliance. Not only will this prevent firms from becoming victims of headline-grabbing hacker attacks, but it will also help protect against a threat that is far more prevalent for most: human error. Cybersecurity should be a top priority within the legal profession – starting with implementing proper technologies, tools and policies to ensure lawyers and their support staff are being as ethical as possible with how data is handled.
Email doesn’t have to be a risk within an organisation and it doesn’t always have to be unethical, so long as one takes the appropriate steps to remain secure. For more information on secure email exchange within the legal sector, please visit