How Can Lawyers and Law Firms Protect Sensitive Client Information?

The practice of protecting digital information from unauthorized access, corruption, or theft throughout its entire lifecycle is a simple but effective definition of data security.  Data security matters – especially for lawyers and law firms.

As the use of technology continues to expand across industries, the importance of proper cybersecurity practices also continues to grow.  Law firms and legal organizations should put strong practices in place to protect sensitive digital information from unauthorized access.  This includes everything from internal firm documents to employee information to client records.  You and your firm must have well-considered practices and policies in place to protect sensitive digital information from unauthorized access, corruption, or outright theft.

Lawyers Must Protect Client Information

Whenever users or systems create, access, or transfer sensitive information, organizations have a responsibility to protect it using effective data security strategies.  It is important to emphasize that lawyers and law firms are subject to some additional data security regulations.  Attorneys have a professional duty to protect the sensitive information of their clients.  It is a professional rule of conduct cited by the American Bar Association (ABA) (Rule 1.6, Confidentiality of Information) and state bar associations.

As stated clearly by the ABA’s Rule 1.6(2), “a fundamental principle in the client-lawyer relationship is that, in the absence of the client’s informed consent, the lawyer must not reveal information relating to the representation.”

A data security breach, inadvertent or deliberate, could constitute a violation of this ever-important professional rule of conduct for legal professionals.  An attorney in a law firm, legal department, public agency, or other legal organization that fails to take data security seriously could run afoul of her or his state’s bar association.

If an attorney working on a case for one client accidentally sends documents to another client, that would violate ABA Rule 1.6(2) and may constitute a data breach.  Someone with malicious intent inside the firm could take sensitive documents and share them with outside parties.  Outside parties might hack the firm, or a user might be subject to a malware incident that exposes sensitive client or internal documents.  In all cases, you need to prevent unauthorized people from accessing this sensitive information.

Global data security breaches cost those involved more than $1 trillion in damages each year.  Unfortunately, the legal industry sees more than its fair share of serious incidents from both internal and external sources.  More than a quarter of law firms in a 2022 American Bar Association survey said they had experienced a data breach, up 2% from the previous year.

The diversity of client data that law firms handle makes them a valuable target for cybercriminals as well as trusted insiders with malicious intent.  This includes financial statements, medical data, criminal records, M&A information, general client case data, and personally identifiable information (PII) on clients and firm personnel.

Encrypt Client Files and Limit Access

Many law firms and legal organizations use case management or other content management systems to manage the collection, creation, distribution, and use of sensitive documents.  Even those using traditional file shares typically know where their sensitive data is located.

The key to protecting these sensitive documents is to encrypt them and assign dynamic access control so you can limit a user’s ability to view, edit, print, take a screenshot, and share sensitive data with unauthorized users and systems both inside and outside your organization.  You ensure that only authorized users can access your sensitive data based on security policies that validate user access continuously.

One method of protecting sensitive documents is to encrypt them as users download them from the case or content management system.  A common approach to control access is to use an application that provides an ethical wall between clients so that only people assigned to that client or matter can access the sensitive documents.  Since the roles of attorneys and support teams may change over time for a specific client, it is important that security and IT administrators can change access controls and permissions dynamically.  By tying the access controls to the ethical wall system, you dynamically control who can access a sensitive document in real-time.

Let’s say an attorney, paralegal, and some support staff work on a case for a large manufacturing company.  Security personnel assign access to the documents for this specific client and matter related to the case through the ethical wall system.  As the team downloads files, they are encrypted with metadata that ties them to the originating case or content management system.  As users open the files to work on them, the system calls back to the ethical wall system to validate their access to the file in real time.

If the paralegal moves off the team, an administrator can change her access to documents immediately in the ethical wall system.  The next time she tries to open any case documents, she will not be able to open them.  This is applicable regardless of where she is accessing the file; from a desktop, mobile device, or even a home system.  If she is reassigned to the case, her access can be restored immediately.
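
The open-time callback and immediate revocation described above, as an added example that is not code from Fasoo or any product: `EthicalWall`, `protect`, `open_document` and the `dms.example` origin are hypothetical names, and the HMAC-based keystream is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, json, secrets

def _keystream_xor(key, nonce, data):
    # Stdlib-only stand-in for a real AEAD cipher (assumption made for this demo).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, b"enc" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _tag(key, header, nonce, body):
    return hmac.new(key, b"mac" + header + nonce + body, hashlib.sha256).digest()

class EthicalWall:
    """Hypothetical policy service: holds matter teams and per-document keys."""
    def __init__(self):
        self.teams = {}  # matter -> set of user names currently assigned
        self.docs = {}   # doc_id -> (matter, key); keys never live in the file

    def register(self, matter):
        doc_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.docs[doc_id] = (matter, key)
        return doc_id, key

    def release_key(self, user, doc_id):
        # The matter is looked up server-side, never trusted from the file header.
        matter, key = self.docs[doc_id]
        if user not in self.teams.get(matter, set()):
            raise PermissionError(f"{user} is not assigned to {matter}")
        return key

def protect(wall, matter, plaintext):
    """Encrypt at download time; the header ties the file back to the wall."""
    doc_id, key = wall.register(matter)
    header = json.dumps({"doc_id": doc_id, "origin": "dms.example"}).encode()
    nonce = secrets.token_bytes(16)
    body = _keystream_xor(key, nonce, plaintext)
    return len(header).to_bytes(2, "big") + header + nonce + body + _tag(key, header, nonce, body)

def open_document(wall, user, blob):
    """Every open calls back to the wall; the client keeps no cached key."""
    hlen = int.from_bytes(blob[:2], "big")
    header, rest = blob[2:2 + hlen], blob[2 + hlen:]
    nonce, body, tag = rest[:16], rest[16:-32], rest[-32:]
    key = wall.release_key(user, json.loads(header)["doc_id"])
    if not hmac.compare_digest(tag, _tag(key, header, nonce, body)):
        raise ValueError("file was modified after protection")
    return _keystream_xor(key, nonce, body)
```

Because the key is released per open and the team lookup happens on the wall, a copy of the file on a home system or mobile device stops opening as soon as the user is removed from the matter.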

Protect the Data

Preventing data breaches is not complicated when you think about protecting the data.  Protecting servers, networks, and storage locations is important, but focusing on the data is the most important thing.  The best way to protect information that is critical to your firm is to encrypt documents with a persistent, dynamic security policy.  This protects the security and privacy of files while on your computer, in the cloud, on your mobile device, and in use.

Dynamically validating user access and permissions each time someone opens a document ensures you do not violate ABA rules and minimizes the possibility of a data breach.  If an unauthorized person gets your document, it’s useless to them, since they can’t read the information inside without your express permission.

Give yourself some peace of mind by protecting the information that is most critical to your firm, agency, or legal department.  You will prevent a data breach, protect your company, and sleep better at night.
