Mobile technology has invaded the legal profession and forever changed the way lawyers operate. As we move toward an increasingly “paperless” world, devices like smartphones and tablets allow attorneys to access law firm data remotely. Cloud storage further increases mobility, granting access to data in amounts far beyond the capacity of a given device. Since law firms cannot avoid incorporating these tools into their practice, they must acknowledge the security risks involved and minimize them as much as possible.
For the last two years, a survey of law firms conducted by the International Legal Technology Association (ILTA) has identified mobility and cloud computing as two of the “most exciting technology trends.” The necessity of mobile technology has led law firms to provide mobile devices to employees directly, or to enact “bring your own device” (BYOD) policies. In 2015, approximately 68% of law firms purchased smartphones for attorneys, and 58% purchased tablets. The remaining 32% take the BYOD approach, which allows employees to use the same device for both personal and professional use. Adoption of cloud computing has gone hand in hand with mobile device use, and a growing number of firms are utilizing this technology as well. The “cloud” is best understood as a linkage among networks of servers that operate as a single entity. Instead of being limited to one specific server, cloud users can connect to several servers through cloud-based software providers.
The benefits of both are clear; they increase productivity, reduce costs, and improve efficiency while providing better client service. Attorneys can conduct work on the go by easily accessing firm data and legal research platforms from any location. They can collaborate with colleagues across the globe and conveniently share information at any time, day or night. In the past, clients and their attorneys communicated largely by telephone, U.S. mail and e-mail. Today, clients can maintain attorney contact through phone calls, text messages, e-mail, and even social media platforms; connecting has never been easier. Mobile technology is cost-effective as well. Firms that provide devices to employees can select the type and brand to keep costs down. Those with a BYOD approach save money by passing the device costs to the end users. Cloud storage further reduces costs by minimizing the need for purchasing, maintaining, and upgrading hardware, servers, and software; employing staff to perform those functions; or renting space to house equipment.
Despite these advantages, both tools pose significant threats to the security of law firm and client data. The more accessible data becomes, the greater the danger the wrong person will gain access. Although law firms have embraced these advances in technology in many ways, a majority have not taken the appropriate steps to protect themselves and their clients from security breaches. In fact, law firms are disturbingly behind the curve when it comes to digital security. A 2013 ILTA study reported 64% of law firms did not automatically encrypt emails, and a majority had no intrusion-detection or intrusion-prevention tools in place. According to Mandiant, a cybersecurity firm, 80 of the 100 largest U.S. law firms have been hacked since 2011; 14% reported cyber-attacks in 2014 alone. Considering the incredibly sensitive information law firms are privy to, and the ethical considerations involved in protecting client data, law firms cannot afford to ignore the risks. Enacting a Mobile-Device Management (MDM) plan directing the use of mobile technology is essential to data security.
An effective MDM plan will involve encrypting data, training employees to ensure compliance, instituting disciplinary actions for violations, and appointing an individual in charge of keeping data secure. The BYOD approach should be avoided, as it complicates the process of implementing and enforcing security procedures. Incidentally, if a device has personal and professional information on it and the firm receives a “Notice to Preserve,” the BYOD policy becomes quite a frustration for the employee whose cell phone is now locked in storage.
Second, employee training will provide clear expectations of security procedures, and specify disciplinary actions for violations. Lawyers are well aware of their professional responsibilities and will want to be proactive in protecting their clients and themselves from data breaches. Still, the most effective tool to increase compliance with security policies is to have clearly defined consequences and penalties. The individual in charge of data security should communicate procedures and penalties on an ongoing basis.
Last, firms should have a fail-safe tool in place for when a security issue inevitably occurs. When that happens, programs that remotely wipe devices and data loss protection (DLP) systems will save the day. GPS and location tracking options may assist with device recovery, but remote wiping capabilities will guarantee device data remains confidential. A number of companies provide full-service mobile-device management software that law firms can use to track devices and remotely erase data, many of which charge less than $100 per user per year. DLP systems are designed to monitor confidential information, and can actually stop files from transferring. These will prevent criminals, and even employees themselves, from transferring or downloading files to an unauthorized location.
The legal profession will not be able to avoid mobile technology, but risks can be minimized to keep data secure. By implementing a mobile device management plan, conducting due diligence on cloud vendors, and taking advantage of the wealth of security options, law firms can protect themselves and their clients from cyber-attacks.