New Rules: Confidentiality and Data Security in The Digital Age
Thursday, July 7, 2016
Posted by: Jason Krause
By Marc Zamsky, CEDS
The Panama Papers leak earlier this year was perhaps the biggest security breach in history, with more than 11.5 million documents, or 2.6 terabytes of data leaked to a German newspaper. The victim of the breach, Panamanian law firm Mossack Fonseca, was just one of the most recent cybersecurity incidents involving a law firm, a list that includes some of the oldest and most respected American law firms. Law firms are obvious targets for hackers seeking sensitive data, so what can a law firm do?
Attorneys traditionally kept client files locked in cabinets and access to such information was limited or restricted. But in today’s ESI-driven environment, and especially in light of recent data breaches, how do attorneys protect their clients’ confidentiality? If client information is now contained in data, then breaches of data security are reasonably considered to be violations of confidentiality and the attorney-client privilege as well.
Unfortunately for those affected, cybersecurity doesn’t always garner the full attention or focus required of those in control of budgets until something has gone terribly wrong—hopefully somewhere else. But the truth is that the issue was, is, and will continue to remain a hot one long after the news settles about the Panama Papers.
So what’s a lawyer to do with critical customer information? What are some steps or considerations that need to be undertaken? It is unclear what form or format the next cyber-attack or data breach is going to take, but it is fairly certain that one will happen. This article is NOT designed to overwhelm legal professionals by imposing on them the duty to also become IT experts and overstating the vigilance they must dedicate to data security. Instead, it is meant to present an understandable and very personal approach to the notion of data security and its impact on the everyday practice of law and life of a lawyer.
Lock Down the Data
Keep in mind the distinction between the approach of an IT professional and that of a legal one. The first consideration that needs to be investigated is that of control over the physical storage of data for eDiscovery (or other legal) purposes. Whether confidential client data is kept on desktops, laptops, flash drives, tablets, smart phones, or other portable devices, it needs to be secured in such a way that the data contained within is locked down. Policies and procedures for maintaining the physical security of these objects are not enough on their own: there must also be plans for handling their loss or theft, and ways to minimize or mitigate the risk, so that the data remains inaccessible even when the device is gone. So, what can you do?
Passwords. Having strong passwords is a critical part of any security plan. They should be complex and changed regularly. Consider implementing a two-factor authentication protocol using a smartphone app, RSA tokens, or SMS messaging.
Impose technology constraints. Only certain information should be available on certain technical devices. Not everyone in a firm or legal department should have access to client information simply because they are using a company tablet or laptop. Each assigned device should have controlled permissions and access to certain files should only be granted to those with a legitimate need to see them.
Training. Many legal professionals assume that if they CAN get online, they should. While this MAY be true, it is not always so. Using a public network raises the risk that information viewed can be visible to others. Teaching legal personnel the safe ways to use their technology is as important as teaching them to use it at all. Ensuring that legal professionals learn to recognize when they should or should not open an email, for example, is a critical step in controlling the flow of information.
Data Return/Destruction. Any information that is not necessary should not be retained. This does not mean the destruction of original records, of course, or of any data that may be relevant in the future. It simply means that data held by counsel on behalf of a client whose case is resolved should be returned to the client (if original) or destroyed (if a copy and no longer necessary).
Dealing with E-Discovery in the Cloud
Moving past the physical representations of data, the larger question becomes what happens with all of the information that is stored somewhere in “the cloud” or accessible via the internet. Lawyers working in different parts of the country or the world can share documents collaboratively through cloud-based services, which is itself a wonderful technological advancement. But cloud-based applications that allow the sharing of information, without proper security protocols attached, can pose a risk to the protection of shared data. So, how can legal professionals manage this risk?
Keep Current. In order to justify the potential exposure presented by use of cloud-based data storage and sharing, firms and corporate environments need to be on the cutting edge when it comes to data protection, even for data stored off-site. If a hacker breaks through the most complex and current safeguards available, the best thing a legal operation can do is show that they were using the best known practices available and treating their clients’ confidential information with the greatest of care.
Choose Wisely. Selecting a third-party technology vendor needs to involve more than a dart game or the flip of a coin. For many firms and in-house legal operations, it may be the biggest decision they make, and the maintenance of confidential customer records demands that vendors be chosen with an eye toward their understanding of and adherence to these concerns. With the proper protections in place, a cloud-based provider can provide as much, if not more, security than a non-cloud environment. It simply bears repeating that you have to vet your vendors and their adherence to security.
Use Multiple Protection Layers. Strong passwords alone are not enough, but combined with the use of data encryption, security provisions, and multi-step logins as well as user education, it begins to look like a security system rather than a simple gateway or step. And that’s what is demanded and deserved. To access confidential client information should require more than simply having the right device, guessing a password, or clicking a link with a stored password (NEVER STORE PASSWORDS for sensitive material).
Dedicate Resources. Obviously, the job of an attorney is to advocate for and represent his or her clients and their interests, not to get a secondary degree in technology management. But when it comes to protecting client data, ignorance is not an acceptable defense. How can a legal operation protect itself? It needs to dedicate resources, both in terms of finances and personnel. The IT division or department cannot be an afterthought, and the person or persons responsible for controlling the security of client data need to be included in the decisions and deals that affect that information.
Have a Plan
This is not a complete road-map for an IT department, but rather a personal and professional overview for those engaged in the practice of law to consider when dealing with confidential client information. A valuable lesson to be learned from past data breaches is that the public will not stand to learn about them later. So a plan needs to be in place to identify any security risks that could lead to a breach, find any breaches that have already occurred or do occur in the future, and then communicate with the affected parties. And, of course, carefully investigating and selecting e-discovery or other vendors who understand the security and confidentiality concerns of client data can only help.
About the author:
Marc Zamsky, CEDS, is currently the COO of Compliance Discovery Solutions, a System One Division, based in Philadelphia, PA. As COO of Compliance, Marc focuses on implementing next generation technology solutions and analytics, coupled with project management and managed review to deliver comprehensive, cutting-edge discovery solutions to corporate legal departments and law firms. Marc practiced law as a Commercial Litigator and has held executive positions in the e-discovery solutions industry since 1996.