Updated: Feb 3, 2020
Today’s lawyers have an ethical and legal responsibility to think critically about the measures their firms are taking to protect client data.
Melinda Levitt, partner at Foley and Lardner, explained how it’s a lawyer’s responsibility to protect client data as well as any confidential documents received during litigation: “You have an ethical duty. If you’re receiving discovery responses in the form of documents, and there’s a protective order, you have an obligation on both sides to secure it and ensure the information will not become publicly available.”
While lawyers have an obligation to protect their clients’ data, many think of cybersecurity as an IT responsibility. “Lawyers, just like people in other industries, rely tremendously on their IT departments, as well as litigation technology specialists and outside vendors, to implement steps that will protect against cyber hacking and promote cybersecurity,” said Levitt. “I would venture to guess many lawyers don’t know what these steps are.”
So, what should lawyers know about cybersecurity? Here are a few things to keep in mind in the context of today’s threat landscape.
Law Firms are an Emerging Cyber Target
Law firms store their clients’ most critical and sensitive records, including documents and communications that are vital to their businesses. This prompts consideration into data classification and destruction measures when cases come to an end.
“In a paper world, attorneys could put documents in a shred box and never worry about them again. That’s not true with electronic data,” Levitt said. “Once documents are collected and processed for review, the data is in the firm’s database. Unless the entire database is taken down, the documents remain there.”
Because of the data law firms hold, they become a target when someone is on the hunt for sensitive information about one of their clients. In 2016, the Federal Bureau of Investigation (FBI) issued a warning to law firms about cyber crime. The notification stated that, “a financially motivated cyber crime insider trading scheme targets international law firm information used to facilitate business ventures.”
Just like other organisations that house sensitive information—such as healthcare providers and financial services firms—law firms should be on alert for possible cyber attacks.
Compliance Is Important, But It’s Not Security
Many firms and organisations use various compliance standards to determine if their vendors introduce an inappropriate amount of risk into their environment. These certifications are a way for vendors and organizations to verify that their information and security practices follow a set of standards and assure customers that their data is safe. They lay out security procedures that have been widely agreed upon in the information security community.
A global standard for information security is ISO 27001. With stringent requirements to obtain the certification, the standard provides a baseline to ensure security best practices are being followed.
While compliance is important—and these certifications certainly aren’t easy to obtain—it’s not the end-all or be-all of security. Instead of focusing on checking off boxes to pass a compliance standard, think security first and make sure you’re doing what’s needed to keep your data safe. If organizations are doing security right, they’ll be able to check off boxes along the way and compliance will fall into place.
Rely on Technology Providers to Do the Heavy Lifting
While attorneys should understand their firm’s security posture and keep security in mind, you can look to technology providers to create a secure base for your data. Cloud providers can provide a solid foundation for security, but it’s important to note that unstable implementation within the cloud environment can create vulnerabilities.
Here at Relativity, security is our way of life. Sure, we have certifications, but we also have the practices, platform, and people to back them up. Our security team—Calder7—is a group of product and cybersecurity specialists delivering a uniquely holistic solution to defend data. RelativityOne’s security program, utilising Microsoft Azure as a foundation, lightens your organisation’s security burden, so you can focus on your clients.
Cybersecurity is no longer only an IT problem. While it’s not up to attorneys to build their firm’s security programs, you must be cognizant of the measures being taken to protect your clients’ data.
Jerry Finley is the director of cybersecurity and deputy CSO for Relativity. Previously serving in a consulting role for Fortune 50 organisations and foreign governments, he has developed expertise in threat intelligence, security strategy, and AI-based hunting analytics.