Client confidentiality is a cornerstone of the law, but does an era of digital leaks and data breaches threaten privacy?
Schillings is a law firm that made its name with aggressive actions in defence of its clients’ reputations. Today the 31-year-old business has expanded into offering advice on the wider subject of risk and data security. And the firm has a very clear sense that protecting the client information it holds is critical for its own reputation.
David Prince, IT security director, believes lawyers have a real incentive to take threats of data breaches seriously. Of course clients need to trust them with sensitive information. But the nature of their relationships with corporate clients may prompt hostile interests to seek out law firms in search of key files relating to mergers or joint ventures. “Law firms can be seen as a weak link between different corporate targets – they hold a wealth of commercially valuable information,” he says.
Mr Prince regards the loss of information that is covered by regulations as a potential risk neglected by many lawyers. Hence his concern about fraudulent e-mails posing as legitimate requests for information, known as phishing attacks. He says it is simply not enough for a law firm to have rules about data-handling. These principles must be evaluated by regular exercises in which the firm’s own IT security specialists attempt to hack systems and lure staff into data breaches via phishing.
Law firms can be seen as a weak link – they hold a wealth of commercially valuable information
The Solicitors Regulation Authority (SRA) is the obvious source of rules governing how a law firm should protect data. But the Information Commissioner’s Office (ICO) also has an interest in investigating allegations of improper use of personal material through the Data Protection Act.
As Mr Prince sees it: “If regulated data gets leaked, the law firm involved is under the spotlight and may face penalties and audits from the SRA or the ICO. But the impact on reputation is the biggest threat here. People will remember that this is a firm that cannot ensure client confidentiality.”
DEFEND YOUR GOOD NAME
He argues that, while it is impossible to guarantee a defence against every cyber threat, a law firm has to be able to demonstrate it has taken the possibility of a breach seriously. “You don’t want the media to say that a breach could have been prevented,” he says. With a strong presence in media law, Schillings is very aware of the cost of bad publicity.
Kevin Poulter, legal director at Westminster-based law firm Bircham Dyson Bell, views mobile working and cloud storage with suspicion. “Employees of law firms have to think about the consequences of checking devices in a crowded public place. And clients use cloud services like Dropbox to send over files that are too big for e-mail.”
At Bircham Dyson Bell employees avoid Dropbox in favour of a more secure service that can only be accessed by approved e-mail addresses. But Mr Poulter concedes that a balance has to be reached between security and what is practical for both clients and lawyers.
Different cases call for different approaches. QualitySolicitors Jackson Canter is a 60-year-old law firm with offices in Liverpool and Manchester. The ongoing inquests into deaths at the Hillsborough football stadium disaster involves Jackson Canter, which is representing bereaved families.
SECURE DATA SYSTEMS
Given the high profile of this inquest a secure data system has been set up for the participating law firms. This embodies a level of security above Jackson Canter’s procedure for sensitive documents, whereby staff can only access files from locations beyond their office via the firm’s own firewall. “When you deal with sensitive cases you must ensure the best protection with encryption as an added layer of security,” says chief executive Andrew Holroyd.
The firm offers all clients the option of e-mail encryption software in much the same way as online banks attach optional extra levels of security to their accounts. Like Schillings, Jackson Canter has embraced the concept of penetration testing and is hiring what the IT world calls an ethical hacker to try out its cyber defences.
Encryption is not a magic solution, however. Debbie Mactaggart, senior employment solicitor at Yorkshire law firm Bhayani Bracewell, recalls that when encryption was first adopted for communication between lawyers it created a problem.
“My last firm recommended encryption of all e-mail correspondence. That became impossible to manage because the clients, our opponents and many of the courts could not make the encryption work for their systems so often the e-mails did not get to the recipients, which created real difficulties,” she says.
This has led Ms Mactaggart and her colleagues to revert to faxing or posting documents. Whether or not she encrypts e-mailed files depends on the client and the nature of the job. Not all her clients want to deal with encryption so on occasions she bows to their taste and rejects digital technology in favour of the old-fashioned fax machine or the postman.
CALL IN THE LEGAL SWAT TEAM
It’s an unusual service to be offered by a law firm, but the creation of a Data Breach Swat Team is a sign of the times. The term “Swat”, taken from US police Special Weapons and Tactics teams, is perhaps beloved of white-collar outfits trying on a macho image.
But in the case of law firm Schillings, the team emerged when it expanded its remit into risk and IT consulting under the alternative business structures (ABS) regime. ABS firms can employ non-lawyers. So this team has niche expertise in the form of experts in digital forensics and acts to minimise the fallout from a data breach.
David Prince, IT security director at the law firm, explains that hitting back after a breach calls for cross-disciplinary action. “It’s about minimising the damage. We can deal with the technology side, but a client will also need help in making a public statement.”
This team has niche expertise in digital forensics and acts to minimise the fallout from a data breach
Mr Prince insists that any breach of client information must be disclosed as soon as possible. Trying to hide such an incident from clients or regulators makes things far worse.
And don’t even think about shifting the responsibility on to some hapless geek in the IT department. ” One of the common errors a company makes in this situation is to try and pass the blame on to someone else. Doing that just amplifies your incompetence,” he says.
Schillings makes a big play out of the value of reputation. Its website talks of building reputation resilience and promises to deliver a “robust response” when a client finds their reputation under attack. Call for the Swat squad.