Bloomberg Law
April 6, 2015, 12:18 PM UTC

The Missing Link: Law Firm Data Security

Editor’s Note: This article is written by Philip Favro, Senior Discovery Counsel for Recommind, Inc.

The perils of inadequate data practices have been on full display in recent months, from the Sony computer network hack late last year to revelations about Hillary Clinton’s email practices, so it’s no surprise that law firms have faced increased scrutiny too.

That law firm data security practices have managed to escape scrutiny largely stems from the lack of disclosure rules on this subject, according to a recent industry report. That report, generated by Citigroup’s cyberintelligence center, also made clear that the banking industry generally views law firm security as needing improvement.

Law firms are at “high risk for cyberintrusions” and would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications,” according to a recent New York Times article on the report. As the report indicates, digital security at many law firms generally remains below the standards for other industries.

The Citigroup report made clear that numerous law firms have experienced security breakdowns, and it discussed the nature of particular hacking methods – network attacks, phishing campaigns, and website attacks – to which firms are vulnerable. It also alluded to the FBI’s and the U.S. Department of Justice’s efforts to convince law firms “to promptly inform clients and law enforcement authorities of attacks that could compromise confidential information.”

Beyond these macro issues are the equally important (though perhaps overlooked) data security problems that exist at the micro level of litigation. One such problem is the production of confidential client information in the discovery phase of a civil lawsuit. Sensitive client data is routinely disclosed during this process, though typically only after the parties have executed a protective order to control its distribution. However, as evidenced by the recently concluded Apple v. Samsung smartphone litigation, protective orders may be ignored or disregarded. Moreover, once client data is turned over to opposing counsel, the security procedures that previously restricted the flow of that information are no longer applicable. This leaves clients at the mercy of litigation adversaries who frequently lack sophisticated security measures to safeguard their data, any of which could result in a data breach and disaster for the client.

Law firms that are looking to improve their protection of client information could adopt an assortment of measures. Securing the firm’s computer network is an obvious priority. Implementing security controls on firm-issued mobile devices to safeguard client information should be another priority. Because lost or stolen devices represent a significant security risk, firms should adopt suitable countermeasures to guard against misappropriation of client data.

On the litigation and discovery front, firms should consider cloud computing providers and other companies with secure Software as a Service offerings for storing, analyzing, and producing client data. Such offerings generally provide a secure framework for hosting client data as well as transmitting it to and from the cloud. Furthermore, they may provide a secure yet neutral environment for hosting data during discovery for opposing counsel, eliminating the problem of turning client data over to a litigation adversary with unknown or non-existent security measures.

Unfortunately, there is another side to this discussion that’s not often mentioned: Even the most effective data security programs may not be sufficient to defeat sophisticated attacks on a firm’s network. Nevertheless, they can mitigate the extent of the damage. Effective data security programs also have the potential to address lesser attacks and remedy other related and collateral issues. Given what has transpired in 2015 on the data security front, the alternative choices – doing nothing or taking nominal remediation measures – are certainly not viable options.
