In matters of data security, a firm’s lawyers are often the weakest link.
Illustration by Sandy Nicholls/Threeinabox.com
Keeping clients’ data safe has always been essential for lawyers and their law firms. And the challenge isn’t about to get any easier as they face a vast and growing underground community of hackers who can readily adapt to evolving security technologies and tactics.
“It’s a mammoth problem that’s being underestimated and firms have to be proactive in identifying threats and implementing technologies to mitigate the risks,” says Barry Sookman, senior partner and former chair of the Technology Law Group with McCarthy Tétrault LLP in Toronto. “Gone are the days when the biggest concern was the staff that came to pick up documents for shredding. Law firms need to realize that in the 21st century, the old idea of, ‘We have locks, keys and pass cards’ just doesn’t cut it anymore.”
For law firms, keeping electronic information safe has become an ongoing business priority. “When using any type of technology, the onus is on lawyers and their firms to keep abreast of new technology and put the necessary safeguards in place to protect and preserve client confidentiality,” says Diana Miles, director of professional development and competence at the Law Society of Upper Canada.
It’s up to law firm leadership to take the lead and set the agenda by devoting significant efforts toward cyber security. It has to be on their governance agenda, says Duncan Card, a partner at Bennett Jones LLP in Toronto. “We’ve got to be asking the right questions, we’ve got to stay up to date on the latest innovations, we’ve got to have the [chief investment officers] reporting to us, and we should have regular security audits and assessments.”
But a security system is only as strong as its weakest link, and in a law firm that link is the lawyers themselves. “Lawyers are not the most technically savvy people and they will tend to do things like click on links in emails if it looks half legitimate, or go to a website and not be too concerned about which one they’re visiting,” says Shane McGee, general counsel and vice president of legal affairs with cyber-security firm Mandiant Corp. “The vast majority of these attacks, the way they get entry into the network is by sending phishing email from someone you trust. You click on a link and not only do you compromise your whole system once you do, but once they get in, it’s not hard to get across to other systems and to access the data on the file server.”
A five-point plan for rock-solid data protection:
1. Establish a security team
Having a strong IT team in place is the solution to dealing with many of the emerging data-protection threats, right? Well, that’s only half the battle, says Shane McGee, GC at Mandiant Corp.: “Good IT guys don’t have nearly the level of expertise on security as security professionals. Many law firms lack the understanding, don’t spend the money or don’t put the right people into those roles.”
2. Conduct a security assessment
Law firms should get external security experts to conduct an assessment on their servers and security protocols. These are the people who know how and where to look for a system’s vulnerabilities.
“We do reverse-engineering exercises for our [law firm] clients where we try to break into their [networks] and steal data. You’d be surprised at how easy it is,” says Daniel Tobok, national managing director, forensics, with Telus Security Solutions in Toronto. “So, law firms should be getting external security assessments on a regular basis.”
3. Put security policies in place
Having a good security policy in place will help tremendously because such policies usually include “techniques that detect for fraud, surreptitious activity and unauthorized access,” says Barry Sookman, senior partner at McCarthy Tétrault in Toronto.
What’s more, if your firm happens to experience a security breach or a complaint to the privacy commissioner, “they’ll look at whether the company has adopted policies to protect clients’ and employees’ information,” says Éloïse Gratton, partner and co-chair, privacy, McMillan LLP in Montreal.
4. Govern and test those policies regularly
Once you have a good security policy in place, it needs to be “vetted, continually updated and tested,” says Sookman.
“Test the controls regularly,” adds Tobok. “The technology landscapes change frequently. The operating system, application and network environment is in a state of flux, constantly. Patches, upgrades and fixes may result in a more stable and, seemingly, secure environment; however, some of those small changes can make for a large vulnerability without you knowing.”
5. Educate your staff — including lawyers
Training everyone in a law firm on its security protocols is critical for creating a culture of security and ensuring everyone stays onside. “Statistics show that a high proportion of data that gets shared [with the wrong people] does so because of mistakes,” Sookman says. “Training creates awareness about security.”
Gratton, who conducts such training with her corporate clients, says this is in greater demand than ever because it’s now a legal requirement. She notes that if there’s been a breach of some sort, “the privacy commissioner usually asks if there was a security policy in place, if the employees were aware of the policy and if there was training in place.”
Trends in data protection in Canada
Protecting a law firm’s confidential data from hackers is a cat-and-mouse game, as the attackers are getting smarter and craftier by the minute. Here is a look at some trends to keep in mind:
• It’s still common for a law firm to house everything within the boundary of its own environment. But when considering advances in general bandwidth, the decreasing costs for storage and the general ease and flexibility and cost-effectiveness of cloud-based services, we’re likely to see a continuing trend of outsourcing or using software-as-a-service solutions.
• Mandatory breach notification will become more common under the various privacy laws. It has already been the case in Alberta since 2010. It will soon extend to the federal PIPEDA, and Quebec and British Columbia are also expected to follow suit.
• A growing number of privacy-related class-action lawsuits are being initiated — and they’re passing the certification stage. Over the next few years, we’ll have a better idea of the damages firms face if they fail to keep their clients’ data secure.
Advice from the experts
Éloïse Gratton, partner and co-chair, privacy at McMillan LLP in Montreal
“There were two massive security breaches in 2013 in Canada and both involved an employee losing an unencrypted laptop containing a ton of personal information. In many situations, a security breach will be triggered by an employee not being aware of the law or the policy … [and] training at least provides the necessary information to staff.”
Daniel Tobok, national managing director, forensics, with Telus Security Solutions in Toronto
“Have everyone sign an acceptable privacy user policy — with the key word here being sign, not just acknowledge — and everyone needs to be fully aware of the consequences. This needs to be revisited annually. You should also have an incident response plan and team in place to deal with external and internal breaches as well as privacy and data leaks.”
Barry Sookman, senior partner and former chair of the Technology Law Group with McCarthy Tétrault LLP in Toronto
“Where law firms have a third-party provider that is hosting some of the data, there should definitely be very specific agreements that cover the access and use of information. So, this would include the security that has to be in place … and the agreements should spell out who can have access, for what purposes, the level of security that will be taken and the obligations to disclose if there’s a data breach.”
Duncan Card, partner and co-head of information technology, Bennett Jones in Toronto
“We routinely seek the help of outside security and information technology experts, both in the public sector and the private sector, whether those are public safety officers, police officers or other agencies like the RCMP and CSIS, they will help, if asked. I recommend law firms consider very broad and comprehensive strategies to ensure IT security.”
Shane McGee, general counsel and vice president of legal affairs with Mandiant Corp. in Arlington, Va.
“It’s important to have information sharing [with security teams at other law firms] because hackers are using the same attacks over and over again. We’re now seeing this in the financial services industry, where they’ll share the nature of the attacks and the indicators so colleagues can stop it before it happens.”
Pablo Fuchs is a journalist based in Toronto.