In 2016, Mossack Fonseca, a law firm in Panama, was hit with a media and legal whirlwind after 11.5 million confidential documents were leaked, exposing the tax dealings of wealthy clients.
Known as the Panama Papers, this leak exposed the cyber security and internal compliance shortfalls of most firms in the legal sector. An American Bar Association (ABA) survey found that 26 percent of firms with over 500 associates have suffered leaks and hacks. Another ABA survey revealed that the top 80 percent of firms (by revenue) had been victims of cybercrime in the last six years.
Cyber security experts and security agencies are concerned that most law firms are at least three years behind data security best practices. A reluctance to invest is putting more firms at risk, especially with the widespread use of poorly secured apps and cloud services. The Panama Papers was a wake-up call to many, since careless habits, as much as external threats, expose lawyers to unnecessary legal and financial risk.
With cybercrime set to rise, law firms would benefit from implementing some IT best practices to safeguard themselves and the confidentiality of their clients.
#1: Assess IT practices and failings
Review what the firm does, from managing email through Google Apps or Gmail to writing passwords down on Post-It Notes. By the end, you should have a clear idea of current practices. Note down potential security risks and practices that, even to the untrained eye, need to be reviewed.
As part of this review, make a list of the people or companies involved in IT implementation and support. Are they qualified? Is the service fit for purpose? If you are working with an IT partner, are they delivering the service you need?
#2: Design an IT Strategy
Look at where you are now, and how you want to grow over the next few years. What IT provisions and services are you going to need? What do you need right now that you don't currently have, e.g. a password management system?
An IT strategy doesn't need to be overly complex, but it does need to be something a firm can use to document potential solutions as a firm grows. Within this, a strategy should outline plans for:
• Who is responsible for IT, internally and externally
• How IT can increase efficiencies (e.g. using secure cloud storage and sharing for documents, Evernote for collecting evidence, a website and social media for sales and marketing, etc.)
• How internal and external policies and services can ensure confidential documents are secure, which should include a system of safeguards to avoid the potentially harmful leak of client files.
#3: Create Layered Defences
Data is rarely kept in silos anymore, which means more is moving around internally than ever before.
At a minimum, confidential files should be stored and sent using encryption, behind internal firewalls, even when a lawyer takes work home or is meeting with a client. Two-factor authentication and secure systems that log who is working on files will also reduce the chance of leaks or hacks.
#4: Have a Disaster Recovery Plan
Lawyers are masters at planning and preparing, and yet so few are ready in case they’re caught unaware by hackers and cyber criminals. Don’t assume it won’t happen. Even small firms regularly get hit, but rarely talk about it unless they're blackmailed or a breach goes to court. Don’t leave your firm unprepared. Have a plan.
Be ready to work with the police, cyber experts and forensic investigators if necessary. Make sure your IT strategy involves multiple storage facilities so that if anything does happen, everything is backed up elsewhere, thereby limiting the damage and keeping downtime on active cases and accounts to a minimum.
Working around an IT strategy, with secure procedures in place, is the most effective way to give your clients and team confidence that your firm is equipped for practising law in the digital age.