An Internet search for the phrase “data breach” will certainly yield no shortage of headlines. In 2016 alone, the Panama Papers exposure, the Democratic National Committee leak, Yahoo’s reported breaches, and many other incidents have shown that no one company, law firm, government agency, or even individual is immune from the consequences of a data breach.
According to a report by the Identity Theft Resource Center and CyberScout, 2016 was a record year for data breaches. U.S. companies and government agencies suffered nearly 1,100 data breaches, which represents a staggering 40% increase from the prior year.1
What can be done to prevent data breaches? What safeguards actually make a difference? Equally important, whose responsibility is it to protect company data?
In most organizations this duty falls squarely on the shoulders of the information technology (IT) department. IT is responsible for data security measures such as securing the organization’s network perimeter, implementing centralized threat-detection software, enforcing two-factor authentication, and deploying mobile device management programs.
But IT cannot do it alone. The reality is that it takes a collective effort from every department and every employee to properly secure and defend a company’s most important asset – its data.
This holds especially true for legal professionals, including attorneys, paralegals, administrative staff, litigation support, collection specialists, and operations resources. Legal professionals have an even greater responsibility due to the fact that they 1) have access to sensitive/proprietary information, 2) preserve copies of information in locations, and for periods of time, outside of standard business operations, and 3) routinely use external providers to support legal matters.
Here are five practical recommendations to help legal professionals better protect the data they manage and strengthen their position with IT to safeguard company data.
In the April 2016 filing of Shore v. Johnson & Bell, Ltd., the plaintiffs accused the law firm of using multiple Internet-accessible systems with known critical vulnerabilities. As a result, they claimed that this promoted a practice of “systematically exposing confidential client information and storing client data without adequate security.”2
While aspects of this case are still ongoing, it highlights why it is vital to ensure that law firms and vendors (collectively “providers”) have proper data security policies and procedures in place.
We recommend starting this process by first defining a standard set of minimum data security requirements against which a provider’s policies and procedures can be evaluated. This activity is best executed when IT and/or information security (InfoSec) are involved to help create a robust and well-defined list of requirements.
An organization’s requirements should take into account such factors as the sensitivity or proprietary nature of data being shared, regulatory requirements, and the organization’s internal security controls. A great resource to consult during this process is the Association of Corporate Counsel’s Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information.
Once defined, the requirements can be leveraged to drive a comprehensive review of each provider that is currently in custody of company data. An approach commonly employed to manage this process is to create a Data Security Questionnaire that requests each provider to supply 1) written responses that detail the tools, processes, and resources used to meet each requirement, 2) an inventory of company data currently in possession by matter, and 3) copies of formal data security policies.
Collaboration with external providers on legal matters has become the rule as opposed to the exception. Law firms, eDiscovery vendors, experts, and legal process outsourcing (commonly known as LPO) firms all play a vital role in the management of legal disputes, transactions, and other special projects. As a result of this, information is unavoidably passed back and forth between parties.
Many IT departments have secure electronic file-transfer solutions that should be leveraged over sending physical media. However, when physical media must be used, encryption should be applied to minimize the risk of data theft or loss while in transit. Encryption is better than password protecting files, as encryption converts the data into an unreadable format that can only be viewed if the decryption key is applied.
There are many encryption options available. Freeware programs such as VeraCrypt provide industry-standard encryption capabilities and are very easy to use. Paid programs such as AxCrypt, Folder Locker, and PGP are also available and provide additional encryption options. Some manufacturers now even make USB thumb drives with encryption pre-enabled.
Alternatively, organizations are increasingly adopting collaboration tools to invite authorized providers into company-controlled data repositories instead of sending copies of data outward.
For example, Logikcull, a cloud-based eDiscovery software provider, offers ShareSafe, which enables organizations to grant outside counsel access to a secure portal to view, download, and share production materials. Similarly, iManage, a market-leading document management (DM) solution, has introduced iManage Share, an integrated file-sharing portal that allows organizations to perform the usual functions of a DM system and also share files/folders with external providers, all from a single interface.
IBM’s X-Force Threat Intelligence Index 2017 reported that 58% of attacks in the financial services industry and 71% of attacks in the healthcare industry in 2016 were carried out by “insiders,” or individuals with physical or remote access to company assets.3 This includes attacks carried out by employees with malicious intent (e.g., stealing contact lists), as well as attacks enabled by inadvertent, nonmalicious employee activities (e.g., falling victim to a phishing scam or opening an email with a virus attached).
These attacks present a unique challenge from a defense standpoint because the attacker has credentialed access to the data. This is why legal teams should enforce the “principle of least privilege” on file repositories, physical assets, and technology solutions (e.g., document management, legal hold, contract management, document review systems).
The principle of least privilege limits an employee’s access and privileges to the bare-minimum level required to fulfill his or her job responsibilities. This approach reduces the amount of data each employee has access to (or can transfer), thus minimizing the amount of data he or she can steal or expose.
Below are examples of how this principle can be applied in practice:
As a general rule of thumb, the longer company data is left with a provider, the greater the potential risk of it being exposed to unauthorized parties. Unauthorized exposure takes many forms and does not necessarily mean that the data will be subject to a cyberattack or large-scale data breach. For example, the accidental loss of an attorney’s briefcase/computer or the poor enforcement of “need to know” network security controls could lead to damaging unauthorized exposures.
To minimize this risk, swift action should be taken to regain custody of, or initiate data disposition processes for, data stored with providers following the close of a matter.
While this may seem like a simple concept, in practice it is routinely overshadowed by the desire to release the legal hold, file key case documents, pay final invoices, and then move on to the next high-priority matter.
To help keep this task top-of-mind, consider implementing a standard Matter Close Checklist that outlines each action that must be taken to properly close a matter. Furthermore, determine whether opportunities exist to automate the matter close or data retrieval process by leveraging functionality within knowledge, matter, or legal process workflow management tools (e.g., trigger a data return request to outside counsel from the matter management system once the matter status is changed to “closed”).
Proactive measures should also be taken to facilitate the timely return of data from providers. Incorporating language into master service agreements, engagement letters, and outside counsel guidelines that define how data should be returned or disposed of is a great way to ensure a standard process is followed. Specific items to include are servicelevel agreements (commonly known as SLAs), rates/costs, request forms, approval workflows, data transfer and encryption protocols, and authorized providers to use in the event physical media destruction is required.
Also, consider whether a milestonebased payment agreement can be established that links the final invoice payment to the return or disposition of matter data. This is a creative approach to promote the proactive return of data from providers.
Over 70% of all insider attacks across the financial services, information and communications, manufacturing, retail, and healthcare industries were caused by inadvertent, nonmalicious employee activities (e.g., providing a password in response to a phishing scam).4 As cliché as it sounds, this statistic gives credence to the age-old saying: “You are only as strong as your weakest link.”
Even with the best central defenses in place, all it takes is one employee mishap to expose the organization to a data breach. This is why educational programs on data security dos and don’ts should be a pillar of all data security programs.
Educational programs should focus on not only data security requirements, such as HIPAA compliance, but also best practices to protect company data and the risks every employee should be aware of, such as how phishing scams work.
Furthermore, these programs should be a continual effort throughout the year – not just a one-time mandatory new-hire training. To be most effective, educational programs should include a combination of different learning approaches and communication channels, such as annual compliance trainings, informational webinars on known risks, recurring communications to highlight new collaboration/data security tools available, rotating posts on intranet sites with best practices reminders, and even staged phishing tests conducted in partnership with IT.
Setting up a well-defined and executed data security education program takes time, as well as close collaboration with compliance, IT, and other areas of the business. However, it is a worthy investment that should be made to keep employees prepared as the first line of defense, a concept upon which legal and IT teams can certainly agree.
Senior Analyst - Management Consulting