I remember as a young solicitor being at a meeting with a partner who was asked about the security of information held in the offices. The security, he said, lay in the fact that it was all too boring and too difficult to find within the office. He was, of course, being flippant, but his off-the-cuff answer is perhaps more-or-less accurate for many law firms, at least relative to the care which their clients take of their data while it is on their own systems.
eDiscovery and information management company Consilio has looked at this issue in an article called “Can you trust your law firms with your data?” This matters, partly because a recent survey suggests that one in four larger law firms has experienced a security breach; it also matters because, as the article puts it:
“…outside counsel possess a host of sensitive and invaluable data, such as trade secrets, patent applications, details about proposed business transactions and other valuable confidential information about their clients…”
This issue acquires greater focus when you appreciate that the business of giving legal advice generally involves collecting the most important documents together for analysis and review. That flippant answer about the data being “too boring” disappears when the raw data has been carefully filtered so as to leave just the most critical documents in one place.
The problem does not end with the data of the firms’ own clients – one of the concerns when giving discovery / disclosure is that, however good your own lawyers’ systems may be, the firm receiving the data on behalf of opponents may be less secure.
Having identified the problem, the Consilio article goes on to make four suggestions for improving data handling in law firms, extending beyond the firm’s own control systems and into those of third parties, such as eDiscovery vendors, to whom the data may be passed in the course of the dispute or transaction.
Perhaps the most important of these suggestions is the last one: measuring compliance by the development of a “security scorecard” which takes account of the type of information and…
“…the firm’s security certifications, mobile device management protocols, data loss prevention efforts, encryption measures, information flows, recovery and retention plans, other data-related policies and procedures and training and enforcement mechanisms”
There is more to all this than insuring against prospective future disaster. Increasingly, clients are subjecting their law firms and other third parties to detailed enquiries about their security as a precondition for sending their business to them. You won’t get the chance to lose their data if you lose their business.