Eye on Discovery -Can You Trust Your Law Firms With Your Data?
Your data is only as safe as the data of your least secure link to it. Unfortunately, for many organizations, suppliers that host data have typically proven a much easier bullseye for hackers and other external threats. Consider, for example, the HVAC vendor that was the conduit for the Target breach in November 2013. Attackers used an e-mail phishing campaign to steal the vendor’s login credentials to a Target-hosted web service used for e-billing, contract submission and project management. Once in the system, the hackers uploaded seemingly innocuous files that allowed them to hide in plain sight so they could infiltrate more systems and, ultimately, steal customers’ credit card information.
While many organizations have learned lessons from the Target breach and have shored up their protocols for vetting third-party vendors, they often overlook digital security when shipping their most prized secrets to their outside counsel. But recent breaches at top U.S. law firms and studies showing lax security measures at many others suggest that this blind trust is misplaced. According to an American Bar Association survey, one in four law firms with at least 100 attorneys has experienced a security breach. These statistics should come as little surprise, as outside counsel possess a host of sensitive and invaluable data, such as trade secrets, patent applications, details about proposed business transactions and other valuable confidential information about their clients, that puts them squarely in hackers’ sights.
With threats to law firm networks on the rise, what’s a business to do? Incorporate law firms into their third-party information governance program to manage the risk. Here are four practical steps for getting started.
1. Maintain greater control over data.
Reducing the volume of confidential or sensitive data hosted by outside counsel is one way concerned organizations can stem the risks. Businesses can start by halting the shipment of data to outside law firms. Instead, businesses can share data in a centralized platform that they host, where they can apply heightened security requirements to it and closely monitor all access.
2. Inventory and remediate existing data.
Organizations should survey their law firms to identify where their data is located and how much data each firm houses. They should then identify any outdated data and develop a plan to remediate it with the law firm’s assistance. Outside counsel should not retain data for a moment longer than necessary, particularly when matters close or when lawyers leave the firm.
3. Establish a go-forward policy.
Organizations should include law firms in their policy governing all third-party data use. One way to structure the policy is to create tiered responsibilities for managing the organization’s data. For example, all law firms must have basic security protocols, but firms that receive over a certain threshold of data may be required to implement additional security measures. Some of these measures can include annual reviews or on-site digital security assessments. Regardless of the measures, clients should require all outside lawyers to reaffirm their understanding of their role and obligations involving data security, perhaps coincident with outside counsel guideline updates. Once established, organizations need to communicate the new policy to their law firms as well as to their in-house counsel and law firm relationship managers.
4. Measure compliance.
Many businesses use surveys to evaluate their vendors’ compliance. Unfortunately, these surveys can be highly subjective and time-consuming. They can also make it difficult to compare apples to apples, particularly when it comes to law firms, which occupy a special niche given their nearly carte blanche access to an organization’s most complex and sensitive data. Instead, companies should use a quantitative survey instrument customized to law firms to facilitate a meaningful assessment. A security scorecard is one way to encourage law firms to improve their privacy and security practices, and it ties in with holistic law firm performance management strategies for rates, diversity, responsiveness and the like. The security scorecard can account for the type of information the law firm holds, the type of services it provides and its data security infrastructure. More specifically, it can consider the firm’s security certifications, mobile device management protocols, data loss prevention efforts, encryption measures, information flows, recovery and retention plans, other data-related policies and procedures and training and enforcement mechanisms. With this information, organizations can objectively weigh the level of risk in sharing data with their law firms against other factors, such as their cost, to ensure that the highest-risk matters are protected by firms with the highest security standards.
By taking these four steps, organizations can create the foundation for a sound information governance program that can mitigate the hazards of sharing data with their outside counsel.