Sunday, August 26, 2012

Legal Security: It Takes A Village



In our previous post, we gave legal professionals three questions to ask their vendors or potential vendors about security.  Those questions were meant to help lawyers meet their ethical duty to keep client confidences and reasonably protect client information.  While the ethical duty exclusively obligates the lawyer, lawyers rely heavily on the technologists and vendors (many of whom will be attending ILTA 2012) to provide good information and good direction.  It is a mistake to believe that lawyers, working in isolation, will have the time and necessary knowledge to drive security forward in this industry. Rather, legal security must be seen as a community effort where all parties (lawyers, technologists, clients, and vendors) are actively involved in specifying and designing protections appropriate for confidential client data.



Clients to Law Firms: Security Isn’t Optional Anymore


Given the large number of data breaches and the growing threats of cyber espionage, it is no surprise that security is the number one concern for general counsels and directors in public companies.  Nor is it surprising that those concerns now surface in their dealings with law firms, especially in light of the FBI’s public statement that law firms have been targeted for their valuable client data and comparatively weak security.  We heard anecdotal evidence of this growing client concern at LegalTech West 2012 back in May, where panelists mentioned an increase in the number of RFPs and outside counsel guidelines (OCG) specifying security requirements.

Pat Archbold, Head of IntApp’s Risk Practice Group, has worked with a number of law firms looking to improve their data protections. He predicts that industry attention will stay focused on security in the coming days and summarizes the current state of security as follows:

“Most law firms still leave their information internally open and accessible by default, particularly in their document management system. Clients, insurers and regulators are increasingly asking firms for tighter controls on the information their law firms hold for them.”  

Easier Said Than Done


At a time when law firms are being asked to tighten data security, more data than ever is being shared with vendors and stored in cloud services.  Outsourcing can actually increase risk when vendors don’t implement the appropriate level of security.  As a result, concerns about security will apply regardless of whether data is stored locally or in a cloud service.  Archbold explains that “[a]s firms move to the cloud, information governance controls still have to be applied.” The importance of such controls cannot be overstated in light of the numerous cyber threats that law firms now face.

In fact, law firms may treat security controls as non-negotiables when evaluating cloud service vendors. That attitude has been borne out by Archbold’s experiences with customers using his company’s Wall Builder product. He explains, “IntApp Wall Builder has been widely adopted because law firms see the value in automating the enforcement of information security generally and ethical walls specifically. Law firms increasingly regard this as essential functionality. If they can’t use Wall Builder in a given cloud-based DMS or other application, they may not be willing to adopt that service.”

Fortunately, companies like IntApp understand the value cloud services can deliver to law firms, and Archbold reports the company “has already successfully integrated Wall Builder with cloud services from several vendors.”  However, such integration will require the cooperation of security-minded cloud vendors who understand the needs of their clients and are willing to employ teamwork to deliver value and security.


An Industry Shift Underway


ILTA as an organization has enjoyed success because it has been built by the tremendous IT talent that the legal industry attracts.  It is no surprise that ILTA recognized the growing security needs of the community and took action to address them by forming the LegalSEC working group.  The group aims to provide law firms with tools and templates to help address the emerging and increasing security requirements facing law firms.

Because the group is still taking shape, few details have been released about its short-term plans, but it’s clear that education will be one of the group’s primary objectives. Education is key as it will get law firms focused on security risks and ignite conversations about how best to address them, both internally within firms and more broadly within the industry.  As a result, even if legal vendors have not been subjected to careful scrutiny in the past, vendors should be prepared for a better informed and more skeptical customer base in the days to come.  In many ways this is a blessing for vendors, as it is actually easier to design security for a law firm that comes to vendors knowing its needs.



No ONE Can Solve This Problem


The challenge of law firm security is a shared one and working together will reduce costs for everyone.  After all, it’s really not just about one law firm dealing with one vendor.  Law firms are outsourcing and adopting diverse technologies to improve efficiency and maximize value for clients.  A single law firm may deal with many vendors, each of whom needs to implement the appropriate level of security.  Vendors may also be dealing with many law firms, each bringing its own set of security questions or requirements.  


If we approach this problem the traditional way--each isolated from the other--with every law firm trying to validate the security of every vendor, there could be an enormous amount of duplicative effort and unnecessary cycles on both sides.  As Pat Archbold’s observations demonstrate, in some cases vendors may need to cooperate in order to provide a law firm the required level of security (so vendors, talk to each other!).

There is no one group that can solve these problems alone.  While the ethical obligation lies with each individual lawyer to implement and maintain a high level of client confidentiality protection, lawyers will rely on the community here at ILTA 2012 to provide them good guidance and good information.  By working together to provide legal practitioners with useful and more secure technologies, we can help lawyers better the profession as a whole and more effectively serve the clients they represent.

If you’re attending the ILTA conference next week, be sure to check out Pat Archbold’s session on Best Practices for Managing Document and Data Confidentiality Rules.  Also make sure to check out the LegalSEC sessions.  We’ll definitely be there.
