Law firms have long been targets for cybercriminals; they handle vast amounts of sensitive, valuable data, and work across multiple devices. As firms have sped up their tech adoption, a necessary development during the COVID-19 pandemic, data privacy strategies have also needed to expand and adapt to the new normal.
Jenkins Fung, team lead - advisory and corporate development at SS&C Intralinks, says that law firms face a range of potential risks, including leaked information “especially confidential client data or regulated content,” which can result in significant fines and reputational damage.
“The increase in cyber-attacks of corporations worldwide, the misuse and abuse of confidential data, and the near-impossibility of creating a functional system with no security weakness all contribute to lawyers’ vulnerability to cyber espionage,” Fung says.
But law firms can take practical steps to enhance their cybersecurity resilience and ensure greater resistance to cyber-attacks. Law firms, particularly those with higher levels of internal resources, Fung says, may opt for in-house solutions to manage the risks.
“Based on an assessment of their specific needs, new tools are developed to perform functions like e-signatures, e-meetings, e-discovery, and document management,” he adds.
For law firms that lack such a scale of resources, or prefer to invest these in other areas of the business, “third-party solution providers, such as Intralinks, have created a suite of often cloud-based products to help law firms safeguard their data and day-to-day processes while meeting stringent regulatory demands and reducing risks,” he says.
With remote work likely to continue, both as a result of the global coronavirus pandemic and of newly established flexible working arrangements, Fung says there are steps that lawyers can take to ensure they follow best cybersecurity practices.
“Now that more of the world is working from home than ever, remote employees need to ramp their digital vigilance and cybersecurity savvy,” Fung says.
Among the measures Fung suggests are VPNs and data encryption, both in transit and at rest. “A requirement in many cases for remote workers, VPNs allow employees to connect securely to their work network over the public internet,” he notes.
“Sensitive information is crossing networks, firewalls and geographies more frequently than ever. Some of this information can be materially non-public (MNPI) or personally identifiable (PII) and thereby highly useful for fraudulent activity. This information must be encrypted in transit (i.e. as it moves through networks and past firewalls) and at rest (on the device that stores/receives the information),” Fung adds.
Other important things to be aware of include backups and archiving. “We’ve likely – or at least know someone who has – been victim to losing important files stored locally on our devices, be it work files, personal information, or even photos. Backing up files is part of a holistic data security practice and can be your lifeline in the instance that coronavirus-inspired attackers take your files hostage or corrupt your device. Relying on a secure, cloud-based storage/backup/archiving service (thoroughly vetted by your corporate IT) is perhaps the easiest and most practical method available,” he says.
Lastly, firms need to ensure compliance reporting measures remain intact, as a significant workforce working from home means extremely heightened regulatory and operational risk.
“Compliance teams need to step up their game with tools and procedures to monitor, track, audit and report on employee activity, as well as access to and use of sensitive information. They also should keep a keen eye on file sharing and the increased use of collaboration tools to mitigate malicious data use and intercept other operational risks,” says Fung.
When handling sensitive data, law firms also need to ensure they put in place processes, measures and tools to secure data management, “such as using secure document exchange as an alternative to emails and Information Rights Management (IRM) to control granular data access,” says Fung, adding these also keep track “of data movement and a full audit trail which will serve as proof of compliance with relevant regulations in the event of an incident.”
To contact the editorial team, please email ALBEditor@thomsonreuters.com.