Regardless of their size, law firms are becoming more reliant on technology to manage their day-to-day business activities, interact with clients, or find critical information hiding in massive private data repositories and on the Internet. Many lawyers use smart phones and other mobile devices to share information with clients and communicate with their teams when they are out of the office. These new and accessible technologies raise many security and privacy concerns, and clients need to start demanding that their law firms pay attention to these issues.
A lawyer’s improper or careless use of mobile technology, court systems, and the firm’s systems can result in loss of clients’ data and legal liability for the firm. This post discusses some common data breach risks firms and their clients should be aware of. In future posts, I’ll cover practices that can reduce these risks.
The Nature of the Risk
One important risk that law firms must anticipate and prepare a rapid response plan for involves security breaches. Law firms are an attractive data theft target, as they often hold a high concentration of clients’ most sensitive information in their files.
That information may be easily obtainable because of the simple Account-Matter structure that many firms use to keep client files organized. Client systems, in contrast, may be difficult to understand, and it’s often hard for outsiders to identify the subset of information they seek. Lawyers who have pulled a complicated client database or shared team folder can likely commiserate.
Data security is not a new issue for firms. State-sponsored hackers have been blamed for several high-profile law firm data breaches motivated by an interest in merger and acquisition information, intellectual property assets, and other sensitive strategic or competitive information. For example, China-based hackers targeted several Canadian law firms while the firms were involved in a $40 billion company takeover deal.
In 2009, the FBI issued an advisory warning to law firms that hackers were specifically targeting them, and in 2011, the FBI began organizing meetings with top law firms in the U.S. to highlight the cybersecurity and corporate espionage risks, particularly for firms with offices in countries like Russia and China. In 2012, security company Mandiant reported that an estimated 80% of the 100 largest American law firms had some malicious computer breach in 2011. That same year, the FBI found one New York law firm’s client files (all of them) on a server in another country as they were being transferred to China. Since then, the data breach risks have only increased.
Data Breaches in the Modern Firm
There are three major categories of reported data loss issues involving lawyers and law firms: improper or incomplete disposal of client records, mobile device theft or loss, and misuse of firm systems and security protocols. Other losses occur because of lax policies, inadequate training, or the inattention of system users.
One particularly popular method of hacking into law firm networks involves phishing emails. These so-called “spear phishing” attacks may involve emails sent to people in the firm that seem to come from a colleague. If an email recipient clicks on a link or attachment to these emails, they may unknowingly download malware onto their computer. That malware may sit dormant for a while or it may immediately activate. It can infect the network and any cloud computing systems accessed on an infected device. It might also track keystrokes and obtain usernames and passwords for any site accessed after the infection occurs.
Additionally, law firms must be vigilant about the security measures put in place on client portals and document sharing systems. Enterprising parties can insert malware and spyware in website code (even the firm’s own website) that monitor a user’s activity and collect all kinds of information the user does not intend to share. This software can disrupt the operation of a system, gain unauthorized access to system resources, and engage in other types of intrusive and abusive behavior involving firm systems.
One area of extreme vulnerability involves a lawyer’s use of mobile devices. Many mobile apps collect lots of user data, and the device can transmit information regarding the user’s location, purchases, Internet activities, and communications without the user’s knowledge or approval. Any confidential information accessed on the device may be stored in locations that are difficult for the user to access and hard to delete. Finally, if a lawyer uses an unsecured WiFi to connect to the Internet and fails to encrypt all of their data, the data packets can be intercepted and sensitive client communications may be compromised.
Clients Should Focus on Data Security
Firms of all sizes lose their clients’ files, and many never learn of the loss or notify the client. Unfortunately, most law firms start to improve their protection of client data after their security systems are breached.
If clients think that they cannot give private or sensitive information to their firm because it might be leaked, this becomes a huge confidence problem for the profession.
But clients can make a difference—they should demand that their firms have made client data security a high priority. Law firms should show that they are taking concrete steps to stop hacking attacks. If they don’t, a client should take their business to another firm.
This blog post relates to a paper prepared for the Journal of Law and Technology (JOLT) Symposium, which will be held on February 27, 2015, at the University of Richmond School of Law. This year, the symposium will focus on mobile technologies and explore the legal, practical, and technical issues relating to the important role they play in our lives.