On Security: Law Firms Must Advocate for Themselves
Lawyers are stereotypically paranoid people (I’m a former attorney myself). It’s what makes attorneys so valuable to their clients – we dig to the bottom of things, leave no stone unturned in due diligence, and prepare for the unexpected. In any client matter, lawyers are privy to highly sensitive information, and to borrow a phrase from American Lawyer, “law firms have a unique role in data protection.” Legal firms – unlike other organizations – are called to discover and collect as much information as they need to better serve clients, which makes them treasure troves of confidential data.
And yet, while attorneys work tirelessly to mitigate risk for their clients, their firms have been slow to mitigate security risk for themselves. When 47% of firms don’t have a response plan in the event of a data breach, how then do we secure client information, and why do we care?
Current security investments aren’t working. Security at law firms continues to focus on two things: securing the locations where sensitive data is stored (laptops, smartphones, and network drives) and preventing malware-based attacks. However, the problem with this conventional approach is that it’s like building a massive safe with an easy-to-guess PIN. Once you’re in, you have access to everything of value, and there’s nothing stopping you from removing the contents and using them freely. There’s no secure shell – no encryption at the data level – to protect the files themselves.
While some would argue law firms aren’t spending enough on security (firms spend 1.9% of gross revenue on cybersecurity), we know more spending doesn’t solve the problem if you’re not protecting what matters: the information itself. Encryption, which secures individual files and makes sure only the right people can access the information, is surprisingly the least used form of security in law firms. Firms need to rethink their security investments, and take a data-centric approach that secures the files themselves, not the container where they’re stored.
Security risk translates to reputation risk. Unlike other notable breaches – AT&T, Charles Schwab and the National Guard – where an insider leaked data, law firms are most frequently targeted from the outside by foreign hackers looking to access and resell highly confidential information. Since 2011, 80% of the top law firms have been hacked, and the FBI has singled out legal firms as some of the most vulnerable entities.
Trust is not only at the core of attorney-client privilege, it’s a firm’s differentiator in a highly competitive legal market and the glue that keeps institutional clients engaged. Compromised client data means compromised trust. But when you protect client information at the data level, you not only prevent data loss, you also preserve and reinforce trust.
Clients demand control. A recent Citigroup report alerted banks that law firms are at “high risk for cyberintrusions” and demanded greater transparency on the legal community’s security practices. More and more, financial firms are asking their legal partners to complete cyber-audits and make sure attorneys are upholding their side of the bargain. Your firm can expect more requirements to tighten control over the non-public information you create, store, and share.
As part of these audits, firms need to demonstrate the right type of controls and proactively show they can secure, track, and revoke access to confidential information that’s leaked. Clients expect control because control over information is possible.
Vera works closely with our legal customers to help them secure, track, and revoke access to information, even after it’s left their control. And we’re doing it in a way that doesn’t change the way they work, or threaten the way they do business.