
Law Firms' Prime Data Security Threat Is Their Own Employees

By Gina Passarella
April 02, 2014

From kill commands and encryption codes to government espionage and foreign hackers, law firm life is beginning to resemble the plot line of a spy thriller.

Law firms' efforts to protect client data from breaches may be less dramatic than a typical Hollywood blockbuster, but they entail complex productions when it comes to ensuring the physical and cyber security of their clients' information.

And while those in IT say the threats from hackers in places such as China or Russia are real, the biggest threat to a law firm's information security comes from its own employees.

“The single biggest threat still is people inadvertently bringing down a virus from outside or through a phishing scheme. … That's where the training gets critical,” Reed Smith Chief Information Officer Gary Becker says. “You can never tell your workforce enough 'don't do this' or 'don't do that.'”

So for Reed Smith and many other firms, the first step in data protection is having a current, active information security policy that is explained clearly and often to every person employed by the law firm.

As many who spoke to e-Commerce Law & Strategy's ALM sibling The Legal Intelligencer noted, firms are in the midst of a balancing act between protecting data on one hand and running an efficient business that doesn't resemble what one person referred to as a “police state.”

John F. Mullen, chair of Lewis Brisbois Bisgaard & Smith's data privacy and network security practice, says law firms' security policies are useless if they aren't being enforced. He says firms are vulnerable to a data breach from three main areas: 1) an employee who downloads a virus or mistakenly leaves an unencrypted laptop in a taxi, for example; 2) the law firm's vendors who have access to client information getting breached; or 3) foreign hackers looking to get information from firms working on major business deals or IP matters.

Mullen says some firms will say they are immune to threats from foreign hackers because they aren't working on deals any hacker would care about. But Mullen says that is a mistake because some viruses don't seek out a certain firm, but rather any company that has a certain type of software.

Scott Vernick, a Fox Rothschild partner whose practice focuses on data security issues, says law firms need to think of themselves as any other business when it comes to security threats.

“To a certain extent, we've always been highly mindful of the confidential nature of client data, but I don't know that that's translated completely to the thinking that we are just like any other business and so we have to think about data security like any other business,” Vernick says.

Blank Rome has been thinking about this issue, and in August hired a Director of Information Security to develop and run a security management program for the firm. The one tapped for that job, Robert Weaver, says most programs that follow a standardized method will hit all of a typical client's needs.

“Having said that, law firms have the very unique challenge of having a variety of clients with a variety of needs,” according to Weaver. “So you can't create a one-size-fits-all program and apply it to an entire firm. That's the challenge of doing what's right for everybody and enabling the firm to operate in an effective and efficient manner.”

Firms Don't Want To Be 'Police State'

One of the latest debates on how law firms protect client data is whether firm employees should be allowed to access personal e-mail accounts that operate on Web-based platforms, such as Gmail or Yahoo. Some firms have banned access to such accounts from firm devices, while other firms have implemented technology to protect what information is sent through those e-mail accounts.

Becker says that issue has become a big point of discussion. Reed Smith hasn't blocked e-mail accounts.

“What we're trying to do is walk that very fine line,” Becker says. “We don't want to be punitive in our approach, but we do have to put technology and protections in place that prohibit use of such Web-based systems for confidential information.”

For all outbound information, Reed Smith tracks the source as far as what client file and matter the document is coming from. Alerts are generated when the information is confidential, Becker says.

“Without becoming a police state, you are trying to review and watch everything going out of your environment,” Becker says.

Weaver says personal e-mail access is an issue that clients raise. Given the ubiquity of personal mobile devices, Weaver questioned whether employees need to use firm computers to access personal e-mail at all.

“I don't know how much longer that debate will last,” Weaver says. “I don't think regulated industries will back down on that. They were regulated to stop that a long time ago.”

Remote Access Increases Risk

The more offices a law firm has, the more spread out its data and the more touch points there are for a breach. The problem is compounded by the growing use of remote access and employees using their own devices to access firm data.

Becker notes that the law firm's business continuity plan, created in 2005 to protect the firm against data loss in the event of a disaster, has helped in the protection of client data from cyberthreats. Becker says storing information in a cloud-based system or on an off-site server has taken data out of local offices.

Another way to secure remote access is by requiring strong passwords that change every 90 days, Becker says. His firm also requires two-factor authentication for remote access, meaning a password is needed and then a code generator is used. That generator, which can be a key fob an attorney carries or an app on a mobile device, generates a new code every 30 seconds.
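The rotating 30-second code Becker describes is time-based one-time password (TOTP) authentication. The following is an added illustration, not code from the article or from any firm it mentions; it implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1, uses the RFCs' published test key as a constructed demo secret, and shows the server-side checks a practitioner wants: a small clock-drift window and a last-used-counter guard so a captured code cannot be replayed within that window.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226/6238 test key, not any real credential.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # the 30-second rotation the article describes
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the key fob or phone app computes every 30 seconds."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                last_counter: int = -1, window: int = 1) -> tuple[bool, int]:
    """Server-side check. Accepts codes within +/- `window` steps of the
    server clock (to tolerate fob/phone drift) but only for a counter newer
    than `last_counter`, so a code seen once is rejected if replayed.
    Returns (accepted, counter_to_store)."""
    now_counter = at_time // STEP_SECONDS
    for drift in range(-window, window + 1):
        counter = now_counter + drift
        if counter < 0 or counter <= last_counter:
            continue    # never reuse a counter already consumed
        # compare_digest avoids leaking the match position through timing
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    t = 59                      # RFC 6238 sample instant -> counter 1
    code = totp(DEMO_SECRET, t)
    ok, last = verify_totp(DEMO_SECRET, code, t)
    replayed, _ = verify_totp(DEMO_SECRET, code, t, last_counter=last)
    print(code, ok, replayed)   # first use accepted, replay rejected
```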

Reed Smith has installed mobile device management software on its mobile devices, allowing the firm to issue a “kill command” when a device is lost. The command wipes the device clean. When employees log on remotely, certain functions are disabled, Becker says. To prevent “data leakage,” remote users can't print certain documents, which could otherwise be printed and thrown in the trash without being shredded. They also can't save documents to local drives.

“Our financial services clients have these standards and that's what they expect of us,” Becker says.

Weaver points to international travel as another area where companies of any type are taking precautions. Travelers need to think about what information and technology they are taking with them overseas and the networks they are connecting to overseas. They also need to consider what they are bringing back from their travels and plugging into their networks in the United States, he says.

Other Security Measures

Managing vendors is a key aspect of data security, Weaver says, noting it was a Target vendor that caused the retail company's data breach late last year. Weaver says it is a “core demand” of clients for the law firms to manage the data security of law firm vendors. “It's definitely a new way of doing business from … [a] due diligence perspective.”

Weaver says most firms are doing the basic blocking and tackling, using antivirus software and firewalls to protect their networks. Vernick notes there was some discussion in recent years about whether videoconferencing opened up firms to a potential breach. He says his firm doesn't use a Web-based system for that, but rather goes through its firewall-protected network.

Physical security can be just as important as cybersecurity. Becker says a badge is needed to get into every access point of every office. Firms need to manage access to their offices because confidential documents could be sitting on attorney desks and on printers. Reed Smith's data centers, though hosted by a third party, have cameras monitoring the sites at all times, as do the firm's data communication closets in Reed Smith offices, Becker says.

To ensure, as best it can, that its security measures are working, Reed Smith hires an outside company to conduct third-party security audits.

“We pay them to try to hack into us and to show us where we have any gaps in our security programs and policies,” Becker says.

From protecting USB devices firm employees use to what websites they can access, the issues for law firm security specialists are varied and growing.

“Our challenge … [is] what are the risks of allowing those things,” Weaver says. “Is there a business value to this function that you are allowing and weigh that against the risk.”


Gina Passarella is a Senior Staff Reporter for The Legal Intelligencer, an ALM sibling of e-Commerce Law & Strategy. She can be reached at [email protected]. Follow her on Twitter @GPassarellaTLI.

