Effective cybersecurity is essential for law firm operations, for regulatory compliance and for keeping a good reputation, but it requires a familiarity with the principles of secure IT. Legal ethics require that lawyers keep private information secure and preserve client records. As a member of the legal profession, you have to ask not only how service providers deal with confidential data, but also advise clients on how to keep their information safe when interacting with your firm.
Many lawyers are still catching up on data protection technologies and communication vulnerabilities. They take the protection of confidential information seriously, but they discover that high security is often bought at the price of inconvenience, and that what is sold as complete protection can have serious gaps.
Service Provider Security
External service providers are a key concern. These include companies offering cloud services, security software vendors, email and file sharing services and mobile device managers. Many of these suppliers have access to some or all of your data, either on a routine basis or during software installation and troubleshooting.
You have to ask yourself whether it is possible that suppliers or their employees keep and use any of your information, and what the implications would be if they did. Aside from the actual data, do they access and store metadata, that is, data about the data? Do they sell information derived from your data, possibly with identifying details removed?
The most important issues concern the operations of such suppliers. Do they have effective encryption and other data protection measures? Do they have adequate physical protection of their facilities? How do they correct or delete data? How do they notify you and others when a data breach occurs? What are their policies regarding access for government and law enforcement officials? What are your contractual rights and remedies with respect to all these questions?
What law firms need is a method of data protection that is independent of third-party service providers. Lawyers have to be able to determine which data is sensitive and keep control of who can view it. With such an approach, the need to know exactly how the various service providers handle your data disappears.
Ethical Duty to Secure and Preserve Data
Apart from regulatory or business reasons for keeping confidential data secure, the American Bar Association has published rules for data protection and preservation based on legal ethics. These rules specify that a lawyer has a duty of confidentiality to current clients as well as to prospective and former ones. At the same time, a lawyer must preserve records and evidence and ensure that key data is not lost or erased. A complete cybersecurity strategy addresses these issues and ensures that compliance is transparent and verifiable.
While the emphasis in data protection is on personally identifiable information and personal health information, a lot of the data stored in law firms is financial and commercial data from company negotiations, contracts, mergers and acquisitions. When there is a breach of personal data, there are legal and regulatory consequences; when the leaked data is financial or commercial, it may result in loss of clients and claims for damages.
Securing Both Ends of an Exchange of Data
Even when your law firm addresses data protection effectively and secures its own servers and devices, you may not have considered what happens at the other end of a communication or an exchange of data. You also have to advise your clients on how to keep the data you exchange with them protected and secure. Protected means that only authorized persons can view the data; secure means that the data is preserved unchanged.
Several US jurisdictions and some state bars recommend the use of encryption for communications that include sensitive data. Encryption can be secure, but you have to know exactly where the encryption takes place and who has access to the encryption keys. A system in which emails are encrypted while being transmitted but are then stored in clear text at rest has serious security gaps. If the keys are not stored securely, or if third parties may have access to them, the security the encryption offers is limited. If you choose to encrypt your communications to comply with legal ethics requirements, you should have control of your keys. The communications, along with attached files, should be encrypted end to end, from the time they leave your device to when an authorized person views them.
An Effective Encryption Solution
To comply with the requirements of legal ethics, you ideally retain control of your data. This means data is encrypted as soon as it leaves your control and remains inaccessible except to authorized individuals. In practical terms, as you type emails into an application on your computer or mobile device, the text is encrypted with a method for which you retain the keys. It remains encrypted during transit and storage for everyone except those you specifically authorize to view the text. Nobody can read the text, not Google, not hackers, not colleagues – not even your firm’s own IT professionals.
The issues with third-party service providers become irrelevant because, no matter what they do or how they store your communications, they won’t be able to read them. They can pass your communications on to third parties or to government agencies but, because they don’t have the encryption keys, they will only see encrypted, garbled text. Even your clients can’t read your messages until you authorize them to do so. You have protected and secure communications and can comply with legal ethics requirements in confidence.
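The property described in the two sections above, that whoever stores or relays a message holds only ciphertext and that only the recipients the sender authorized can recover it, can be made concrete. The Go program below is an added example written for this article; it is not CloudMask's code, and the page does not say which algorithms CloudMask uses. It assumes a common construction: each message is encrypted on the sender's device with a fresh AES-256-GCM content key, and that key is wrapped with RSA-OAEP for each authorized recipient's public key. The recipient labels, the key pairs and the sample message are constructed for the demonstration. The program also shows the "secure" half of the requirement, that data is preserved unchanged: an envelope altered by a single bit after sealing fails to open, because the GCM authentication tag no longer verifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is all the mail or cloud provider ever stores or forwards; only a chosen recipient's private key unlocks it.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-256-GCM output, authentication tag included
	WrappedKeys map[string][]byte // recipient label -> RSA-OAEP wrapped content key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the sender's device: a fresh random content key encrypts the message and is
// wrapped for each recipient the sender authorizes, so the sender, not the provider, decides who can read it.
func Seal(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit content key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	contentKey, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedKeys: map[string][]byte{}}
	for label, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[label] = wrapped
	}
	return env, nil
}

// Open runs on a recipient's device. It fails for anyone the sender did not authorize
// and for any envelope altered after sealing, because the GCM tag no longer verifies.
func Open(env *Envelope, label string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[label]
	if !ok {
		return nil, fmt.Errorf("sender did not authorize recipient %q", label)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("private key does not match the wrapped key: %w", err)
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("envelope was modified in transit or at rest: %w", err)
	}
	return plaintext, nil
}

// Scenario runs the exchange on constructed keys and a constructed message for the authorized client, an outsider, and a tampered copy.
func Scenario() (clientText string, clientErr, outsiderErr, tamperErr error) {
	clientKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // no usable entropy: nothing below would be meaningful
	}
	outsiderKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("Draft settlement terms, matter EXAMPLE-0001: privileged and confidential")
	env, err := Seal(msg, map[string]*rsa.PublicKey{"client": &clientKey.PublicKey})
	if err != nil {
		panic(err)
	}
	got, clientErr := Open(env, "client", clientKey)
	_, outsiderErr = Open(env, "client", outsiderKey) // a valid key pair, but never authorized
	tampered := *env // a stored copy with one ciphertext bit flipped, as a faulty or hostile relay might produce
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, tamperErr = Open(&tampered, "client", clientKey)
	return string(got), clientErr, outsiderErr, tamperErr
}

func main() {
	text, clientErr, outsiderErr, tamperErr := Scenario()
	fmt.Printf("client: %q %v\noutsider: %v\ntampered copy: %v\n", text, clientErr, outsiderErr, tamperErr)
}
```

Run it with `go run`; the output shows the client recovering the text, the outsider's attempt failing at the key-unwrap step, and the tampered copy failing at the authentication check. What the program does not solve, and what the article's point about key control turns on, is how the sender obtains the client's genuine public key and how private keys are stored on each device: if a provider can substitute a public key of its own or read private keys off a device, the guarantee is lost even though every byte it stores is encrypted.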
With CloudMask, only your authorized parties can decrypt and see your data. Not hackers with your valid password, not cloud providers, not government agencies, and not even CloudMask can see your protected data. Twenty-six government cybersecurity agencies around the world back these claims.
Watch our video and demo at www.vimeo.com/cloudmask