Maybe not, according to a group of legal IT professionals who work with lawyers every day. 47 attendees completed C&W's survey at the 2012 International Legal Technology Association conference last week at the Gaylord National resort in Maryland. Respondents were asked 5 simple questions about the security preparedness of their firm and their lawyers.
One of the questions echoed new language from the recent revisions to the ABA’s Model Rules of Professional Conduct addressing technology and client confidentiality. The comments to Rule 1.1 ("Competence") now direct lawyers to keep up with “the benefits and risks associated with relevant technology.”
Respondents at ILTA were asked to choose whether they Agree or Disagree with the following statement:
“Overall, the lawyers you work with have the security knowledge and technical expertise to evaluate the benefits and risks of technologies they encounter.”
Only 9, or 19.5%, of the respondents agreed. 38, or 80.85%, disagreed, indicating that overall lawyers do not have the knowledge or expertise to evaluate the benefits and risks of technologies.
Here is the full breakdown of the questions and answers:
Admissions and Disclaimers
Before any more discussion about these results, I feel it is important to point out that we are not professional statisticians or pollsters. 47 respondents is not a large number and well below the sample size I initially hoped to have. Given such a small sample, it is hard to say whether these results are representative of the industry as a whole. However, these are the responses of 47 IT professionals actively working in the legal industry. In that regard, they are interesting even just from an anecdotal perspective.
To get responses, I simply walked up and asked individuals after sessions if they would be willing to take a brief, anonymous survey. When multiple people from the same firm were present, I would only ask one to take the survey on their firm’s behalf. I was offering Ghirardelli chocolate as an incentive to take the survey but I would also give out chocolate to those who refused. Based on this ad-hoc, unscientific methodology, the following populations may have been oversampled: chocolate lovers, people who looked friendly, people who looked bored, and people who failed to run for the exit as soon as a session ended.
Analysis and Surprises
Ethical Cause for Alarm
Despite the small sample size, there appear to be some interesting patterns. I will admit that I was a bit surprised to see such widespread agreement on some of the questions, especially with solid representation from different sized firms. The most extreme example was the 80.85% of respondents who felt that overall their lawyers did not have the expertise to evaluate the risks and benefits of the technologies they were using.
This sentiment should be cause for concern as it indicates that lawyers may not be in a position to meet their ethical obligations under the ABA Model Rules of Professional Conduct (now adopted by 49 states). We still expect more guidance from the ABA to help lawyers analyze the risks and benefits of technology, but no matter what advice the ABA gives, it was clear that the respondents did not feel their lawyers had the knowledge to perform a meaningful evaluation.
It was good to see that many more firms (about half or 46.8%) had confidence in their lawyers’ ability to identify fake or fraudulent phishing attacks. Phishing attacks are extremely cheap, easy to launch, and on the rise, so it is important for lawyers to be prepared. One respondent noted how “no one” can spot perfectly crafted phishing emails and felt that everyone should have marked “Disagree” on the phishing question. I understand and partially agree with that position, especially when a firm has no technical controls to prevent internal email spoofing. However, I also believe that lawyers must have at least a basic awareness of the threat of phishing attacks and review email with a healthy dose of skepticism. The question might have been better phrased, “Overall, your lawyers have a basic awareness of the dangers of phishing attacks and are unlikely to fall victim to obviously fraudulent emails.”
Some Training Programs Already Are In Place
The fact that 40% of the firms surveyed already have a training program in place was also a bit of a surprise given that we’d heard anecdotally from many firms that are just now considering or implementing security training. Initially we thought that there might be a connection between firms with a training program and the ability of a firm’s lawyers to identify phishing attacks. However, in these responses there did not seem to be a correlation between training and readiness. 47% of firms (9 of 19) with a training program said their lawyers were prepared for phishing and 46% of firms (13 of 28) without a training program also said their lawyers were prepared for phishing attacks. As you can see, the training put in place did not seem to have a big impact on the preparedness of lawyers, which makes me wonder what is preparing lawyers for phishing attacks if not training (in one form or another). It also makes me wonder whether those who provide training are adequately focusing on phishing attacks.
When it came to identifying major limiting factors to the overall security of a law firm, again there was surprisingly strong agreement among the respondents. Almost 81% (38 of 47) cited “End-user security awareness” as a major limiting factor in the overall security of a law firm. “Firm culture” was the second highest choice with about 61% (29 of 47). There was also strong overlap between these factors with 25 people selecting both “Firm culture” and “End-user security awareness” as major limiting factors to their firm’s security. This link is not surprising given that both of these issues relate to human behavior, indicating that the “people problems” are currently the most difficult to solve for this group of IT professionals.
Another surprise: “Budget for Software/Hardware” received the fewest votes (10 of 47), indicating resources are not the biggest problem in law firm security. Law firm management should take note: IT professionals need your support (and not just a budget) to help tackle some of the top security issues law firms face.
Not surprisingly, inadequate time was also frequently cited as a limiting factor. This makes a lot of sense because the security workload of a firm may build slowly over time and simply get added to the existing IT workload without additional staff. At a certain point it makes sense for a firm to add dedicated security resources to consolidate the security work and allow for specialization. Indeed, there were many firms at the ILTA 2012 conference who mentioned having dedicated security personnel on staff, including one firm with four. A firm without dedicated security personnel isn’t a firm without security work to be done. Instead, the security work is either getting done by IT or not getting done at all due to a lack of sufficient time.
Conclusions and Takeaways
These results should give pause to law firm management (and individual lawyers) who have assumed lawyers possess the requisite knowledge to meet their ethical obligations with respect to protecting client confidences. The legal IT staff who provide service and support every day are likely to be in a very good position to assess the expertise of a firm’s lawyers. Based on the responses of this survey, a large majority of legal IT professionals seem concerned that lawyers lack the awareness and expertise to select reasonably secure technology. This should concern firms with BYOD policies or those without strict rules (and strictly compliant lawyers) about the technologies lawyers can use to handle sensitive client matters.
It should not be seen as an insult or slight to say that lawyers lack the security expertise to evaluate technology risks. Evaluating the security of technology can be very difficult, especially when vendors do not provide enough information to do so. However, that difficulty cannot be an excuse for exposing client data to unnecessary and unacceptable risk. Even if many lawyers do not currently possess the skills to evaluate technology, they can certainly be educated to spot potential sources of risk in technology and seek expert guidance to assess that risk.
The issue of “Firm Culture” (another “major limiting factor” in firm security) may also be addressed through an effective education program. It would make sense that people unfamiliar with the nature and severity of a set of risks are more likely to be reckless and/or unwilling to change. This is why it is so important not to treat security as solely a technical issue. Doing so frustrates a firm’s attempts to address the non-technical aspects of security, such as unsafe behavior or training deficiencies.
Law firms must find a way to help lawyers use technology safely and in a manner consistent with the demands of legal ethics. Expecting every lawyer to become a security expert is neither realistic nor desirable. Instead, law firms should provide basic policies and training to help lawyers avoid common risks and appreciate the importance of security. Lawyers can certainly learn to spot potential pitfalls in technology and to seek expert help when in doubt. Law firms would do well to provide that type of training proactively rather than waiting for an incident that could seriously harm both clients and a firm’s reputation.
Carlson & Wolf LLC offers security awareness training designed specifically for the legal industry. In addition to covering security topics in context, we can help lawyers understand the legal and ethical significance of adequate security awareness. For more information about our services, please use our contact form to request details.