Law firms hold a vast amount of sensitive client information, making them a prime target for “outsider trading” cyber attacks, according to the FT. Even for law firms not privy to such high-profile insider information, the risk of sensitive client data getting into the wrong hands via unauthorised document sharing should not be underestimated.
Regulatory and compliance issues aside, clients expect professionalism and confidentiality in return for what are often deemed to be high hourly rates. During the vetting process, firms are now often asked what their data security policies are, so they need to be able to withstand scrutiny.
We explore the common ways that sensitive documents can be shared without proper authorisation and the steps that firms need to take to prevent these risks.
Sending documents to the wrong people
Unfortunately, human error is often the largest risk to client confidentiality. ICO data in 2015 showed that the most common security risk in law firms was caused by private data being sent to the wrong recipient by post, fax or email.
Lawyers may be renowned for their attention to detail, but with high billable targets, long hours and client demands, mistakes will happen. Secondary checks can only go so far and are often impracticable. The SRA recommends that law firms prevent or restrict the use of data sticks or email attachments and instead use secure direct log-ins and online collaboration tools.
Mobile devices and the rise of ‘shadow IT’
The same ICO survey found that failing to secure data on mobile devices was the second biggest risk, opening up law firms to potential cyber attacks where sensitive data can be accessed – particularly across Wi-Fi networks.
With lawyers on the move and under pressure, if technology is not in place to enable quick sharing of documents and data to the correct people, they will find workarounds. It is therefore imperative that mobile solutions are in place from the start that offer the required level of security.
Unauthorised sharing at the other end
Your own law firm may have cutting-edge data security systems and policies in place, but this will not necessarily prevent sensitive client data being subsequently shared – advertently or inadvertently – with unauthorised persons at the other end.
Again, log-in portals and online collaboration tools can assist here.
Cyber attacks such as hacking, malware and ransomware can result in client data being ‘shared’ with criminals, and the SRA has published guidance on how to deal with the issue.
Firms should ensure that their computers and mobile devices use the latest spyware and malware protection, and that they are using the latest operating systems. Those using cloud solutions will find that this is undertaken automatically, but they would be wise to put in place additional precautions such as proactive server monitoring for breaches.
Loss of documents
While paper copies of documents cannot always be retrieved before someone reads them, solutions exist that allow data held on mobile devices such as laptops and phones to effectively be ‘wiped’ if lost.
Navigating modern clients’ confidentiality risks can appear to be an insurmountable hurdle for law firms. However, measures do not need to be costly or time-consuming. Firms can now take advantage of the power of cloud solutions like Microsoft 365 that offer access to the latest technology, such as secure file sharing and online collaboration tools with log-in access, mobile document encryption and the latest anti-virus and anti-malware technology, at much lower cost.