Data Security for Law Firms: Part 1

Nov 20, 2018

In the first of a two-part series, Korbitec president Alan Bass looks at data security for law firms.

In the rush to stay on the cutting edge of data security, some law firms risk forgetting the small things that are key to protecting client information, says Korbitec Inc.’s Alan Bass.

Bass, company president at the Toronto-based leader in document automation, tells AdvocateDaily.com that data security has understandably become a key consideration for law firms in the modern world.

“They hold a lot of privileged information on behalf of their clients, so it’s extremely important that it all be kept confidential. Data security is a big part of that,” he says. “As a result, they are prepared to make huge investments of time and money into things like data centres and cloud storage.”

And there’s no shortage of scare stories for law firms looking for an incentive to tighten up their defences. Some retail giants have found themselves on the wrong end of high-profile hackings, while a major international law firm hit the headlines last year for a ransomware breach that temporarily froze its systems.

“It’s become very much top of mind in the last few years, and perhaps even more confusing because everyone is trying to stay ahead of the hackers and fraudsters,” Bass says.

The effort and expense could all be for nothing if law firms ignore some low-tech security measures that are just as important, he says.

“There are small things that need to be addressed,” Bass says. “They don’t tend to be as expensive, but they do have to be fixed.”

He says simple mistakes by lawyers and their staff are often the primary source of data breaches.

For example, a misaddressed email from a rushed and busy lawyer who fails to check they have the right recipient can send client data to a completely unrelated party, or potentially worse, could result in privileged communications being sent to the opposite side of a matter, explains Bass.

“You get some nice people who will delete the information and let you know of the mistake, but that doesn’t always happen,” he says.

Bass has also seen examples where lawyers draw up a document based on the firm’s central store of precedents without wiping metadata, potentially revealing previous versions filled with other clients’ personal details.

He says he’s frequently surprised by law firms’ onboarding processes, which often involve employees being assigned either the same password for accessing company infrastructure or one based on their name or position.

“They’re asked to change it on their own, but there’s no follow-up, and if they don’t, then everyone else in the place knows what their password will be,” Bass says.

In addition, he remembers talking to a law firm executive at a trade show about the firm’s decision to keep its servers on-site.

“He was a very tech savvy individual who said he felt much more comfortable having control over his own servers, instead of sending the data away to some off-site storage facility,” Bass says. “So I asked him where the servers were kept, and it turned out they were in an unlocked closet where any member of the staff or cleaning crew could access it. Imagine if it was soaked with a mop, or worse, just swiped by someone.

“People can get lulled into a false sense of security about how protected they are,” he adds.

Stay tuned for part two, where Bass will explore how the company’s marquee software product — Automated Civil Litigation — can minimize the chance of a breach.