5 Reasons Why Information Security Is Now a Business-Critical Function for Law Firms
Valuable insights into the importance and challenges of securing information systems in law firms
EXECUTIVE INSIGHT SERIES REPORT SPONSORED BY
Jul 15, 2015
2 Copyright 2011 NorthPage Research LLC www.northpage.com
About this Report
Information Security is a business-critical function for modern law firms.
Through the insights in this report, lawyers and
law firm executives will gain a better
understanding of the threats, risks and realities
challenging today’s technology-enabled law
firms.
This report seeks to help law firms of any size
to ensure continued success and growth
through reliable, productive and secure
information systems. Understanding the
threats posed by the widespread adoption of
technology is a business-critical imperative for
law firms.
NorthPage Research produces independent
publications and online guides to help business
decision makers
5 Reasons Why Information Security is Now a Business-Critical Function for Law Firms
Danger By Design: The Unique Role Of Information In Law Firms
Does your law firm protect and secure confidential information to the levels required by law, professional codes and ethics?
The Law Firm Information Gold Mine
Do you know everything you are obligated to know about when, where and how information is created, communicated and stored by your firm? Do you know how accessible that information is to those with malicious intent?
Trusted Information Systems Are The Lifeblood Of The Modern Law Firm
What level of priority does the ensuring of trusted and secure information systems have in your firm? Are you taking the steps necessary to make certain your information systems remain a business accelerator and not a source of liability and loss?
Information Systems Sprawl in Law Firms
Do you have visibility into and control of your firm’s information systems footprint? Are your security controls consistently implemented across the organization? What are the levels of information security risk, exposure and vulnerability your firm faces?
Information Security Impacts Law Firm Compliance
Is your firm storing, encrypting, securing and protecting its confidential data in adherence with the growing number of related laws and regulations?
EXECUTIVE SUMMARY
Information systems have
become business-critical assets
for modern law firms.
Traditionally, law firms relied on
the instincts, creativity and
knowledge of the firm’s
practitioners. That reliance has
now been materially advanced
by the adoption of firm-wide systems, devices, applications and networks.
Today, virtually every function in the modern law firm is impacted greatly
by the implementation and utilization of information systems.
In conjunction with the dramatic gains realized by the technology-enabling of law firms, equally dramatic risks and vulnerabilities have arisen. Technology-based capabilities, particularly when combined with prolonged economic downturns, create environments ripe for attack and compromise by malicious hackers as well as espionage by opportunistic employees and competitors.
Given the expanding information security threat landscape, technology-enabled law firms must understand these threats, vulnerabilities and risks and aggressively secure their systems and data.
DANGER BY DESIGN: THE UNIQUE
ROLE OF INFORMATION IN LAW FIRMS
The unique nature of legal information creates elevated levels of information security risk. In contrast with most industries, lawyers' work-products are typically comprised of sensitive and highly confidential data.
LAW FIRMS’ BURDEN TO SECURE INFORMATION
By law, professional codes and
ethics, lawyers are duty-bound to
secure electronic information. Law
firms are similarly required to
proactively protect their clients’
electronic information.
The American Bar Association's
Model Rules of Professional
Conduct provide the following
guidance on preserving the confidentiality of information:
A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision. When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.
MALPRACTICE AND INFORMATION SECURITY
Information security has major malpractice implications for law firms. Law
firms and lawyers must account for malpractice liabilities ranging from
information security negligence to inadvertent breaches of client
confidentiality. Failure to do so can result in tort, breach of fiduciary duty
or breach of contract claims.
Does your law firm’s management and protection of secure
and confidential information rise to the levels required by law,
professional codes and ethics?
LAW FIRM REALITY
THE LAW FIRM INFORMATION
GOLD MINE
Law firms electronically create, handle
and store vast quantities of highly
valuable information. Much of this
information is of great value to
hackers, current and former
employees and competitors.
LEGAL INFORMATION EXPLOSION
The typical law firm’s information
assets double every six months.
Information assets are defined as the operating and confidential or
privileged information produced, communicated or stored by a law firm.
Today, more than 90 percent of legal information exists in digital form.
Accelerating the growth of the legal data footprint are the copying,
sharing and distributing of information assets across multiple systems,
applications, devices and groups of users. The increased development
and use of multiple data formats further increases the quantity of
information assets to be managed and secured by law firms. Common
formats and data requiring protection include word processing
documents, spreadsheets, databases, email messages, text messages,
digital images, audio, video, website content, proprietary applications and
social networking information.
INFORMATION RETENTION
Few law firms implement effective electronic information retention and
deletion policies. Such policies ensure that firms retain only what is
required for business or legal reasons. Well managed policies also
constrain the confidential data explosion while reducing the levels of
information systems risk.
LAW FIRM REALITY
LEGAL INFORMATION GOLD MINE
The information assets created, communicated and stored by law firms
represent an information gold mine for hackers. According to the 2009
Data Breach Investigations Report from Verizon, most data breaches
originate from external sources with 91 percent of all compromised
records linked to organized criminal groups.
Law Firm Information Assets
High-value law firm information assets of great interest to hackers
include:
Pending litigation
Details on new patents and products
Intellectual property
Client Information
Computer generated forensic recreations and simulations
Trade secrets
Confidential and Privileged information
Identity Information
Personal information
Source data
Do you know everything you are obligated to know about when,
where and how information is created, communicated and stored by
your firm? Do you know how accessible that information is to those
with malicious intent?
Who is Behind Data Breaches?
74% resulted from external sources
20% were caused by insiders
32% implicated business partners
39% involved multiple parties
* Verizon 2009 Data Breach Investigations Report
TRUSTED INFORMATION SYSTEMS ARE
THE LIFEBLOOD OF THE MODERN LAW
FIRM
THE IMPACT OF INFORMATION SYSTEMS ON LAW FIRMS
The impact of information systems on the legal profession is profound
and growing. Technology-enabled law firms dramatically enhance their
practices by:
Providing increased levels of service to clients
Recognizing substantial operating efficiencies and improved firm-wide productivity gains
Reducing costs
Developing and maintaining competitive advantage
The impact of leveraging information systems for law firms is extensive:
Increased revenue
Improved client satisfaction
Increased referrals
Improved profit
INFORMATION SYSTEMS RISK
The business and economic benefits provided by the successful
implementation and adoption of information systems create new risks and
vulnerabilities that potentially compromise law firms’ continued successful
operation and existence.
LAW FIRM REALITY
A law firm’s near-absolute reliance on information systems introduces
business-critical financial, regulatory, operational and market risks related
to the compromise of systems and data. Everyday examples of law firms’
reliance on information and potential information systems exposure
include:
Clients receiving and paying invoices through electronic billing and payment systems
Lawyers producing, reviewing and communicating confidential and privileged information with their “Smartphones”
Lawyers, staff and experts creating and presenting computer generated forensic recreations and simulations
Clients and lawyers sharing confidential documents via email
Administrative staff backing up servers and systems to portable media
Offshore legal services firms providing research and document processing services
The aggressive adoption of information systems by law firms and the
rapid growth in the numbers and types of users, systems, devices,
applications and access points has resulted in unprecedented information
systems risks and vulnerabilities.
What level of priority does the ensuring of trusted and secure
information systems have in your firm? Are you taking the steps
necessary to make certain your information systems remain a
business accelerator and not a source of liability and loss?
INFORMATION SYSTEMS SPRAWL IN
LAW FIRMS
The build-out and use of
information system components
in law firms continues to grow
with the adoption and
deployment of new systems,
applications, network access
points and devices. The levels of
a law firm’s information security
risk, exposure and vulnerability
grow exponentially in relation to
the adoption and usage of
technology.
An example of the dramatic adoption of information systems by lawyers
and law firms is the complete “virtualization” of law offices by a significant
number of lawyers. According to the ABA’s 2010 Legal Technology
Survey Report, 14% of lawyers reported that they ran a virtual law office,
working with clients over the Internet and rarely meeting them in person.
LAW FIRM REALITY
INFORMATION SYSTEMS VULNERABILITY
Hackers need only a single vulnerability point to successfully access a
law firm’s systems and data. According to the 2009 Data Breach
Investigations Report by Verizon, 98 percent of all records breached
included at least one of these attributes:
the attacker exploited a mistake committed by a user in the targeted organization
the attacker hacked into the network
the attacker installed malware on a system to collect data
Systems
At the heart of the law firm information system
operation is the system infrastructure. From
expansion of capabilities to system
maintenance, including updates, upgrades
and patches, the systems component sets the
foundation for information system security.
These components include:
Communication and data transfer
Operating systems and databases
Security hardware and software
Servers
Storage
How do Breaches Occur?
67% were aided by significant errors in security
64% resulted from hacking
38% utilized malware
22% involved privilege misuse
9% occurred via physical attacks
* Verizon 2009 Data Breach Investigations Report
Legal Applications
As digital collaboration becomes the norm between law firms and clients,
the number and types of applications used and the amount of application
usage continues to grow. Popular and potentially vulnerable law firm
applications include:
Case Management
Client Relationship Management
Docketing and calendaring
Document Management / Enterprise Content Management
E-Discovery
Electronic Billing
Electronic evidence
Financial Management
Knowledge Management and Enterprise Search
Library and on-line research
Litigation Support
Office Suites (word processing, spreadsheets, presentation)
Portals, Extranets and Collaboration Systems
Records management
Time entry and billing
Access
Remote and distributed resources require system
access for collaboration, communication and
application access. The dramatic growth in the
types of access and the volume of access requests
provides an especially acute information security
risk for law firms.
Intranets & Extranets
Local and Wide Area Networking
Remote Access
SharePoint Servers
Wireless Access
Devices
As devices such as laptops, “Smartphones” and flash drives proliferate,
and allow lawyers and staff to carry thousands of pages of legal
documents, the corresponding security risks perpetually grow.
Desktop Computers
Laptops
Mobile devices including Smartphones
Portable Memory (Flash Drives) and Media (CDs, DVDs)
Printers, Scanners and Copiers
Voicemail
Employee home computers and mobile devices
It takes only one compromised system, application, network access point or device to create a business-critical issue and liability for a law firm.
Do you have visibility into and control of your firm’s information
systems footprint? Are your security controls consistently
implemented across the organization? What are the levels of
information security risk, exposure and vulnerability your firm
faces?
INFORMATION SECURITY IMPACTS
LAW FIRM COMPLIANCE
Complying with government and legal industry regulations is a major
concern and challenge for law firms. The distributed nature of law firm
information systems increasingly adds to the compliance challenges.
Web of Compliance
Compliance with state and federal law places
increased importance on a law firm’s
information security function and practices.
Currently, 46 states have enacted or are enacting
data breach notification legislation. Federal
law prescribes multiple information security requirements. An example of
a federal law dictating information security is the HITECH provisions of
the American Recovery and Reinvestment Act of 2009. Lawyers need
to be aware of the potential implications for their clients and for the
practice of law relating to these compliance requirements.
Information Systems Compliance
Increasingly, law firms are bound by law and regulation to store, back up,
encrypt, secure and protect their confidential data. Law firms have to
demonstrate an information security policy that proves they have the
proper range of steps and measures in place. If these policies are not
adhered to, regulators reserve the right to prosecute.
The retention, migration, and destruction of client information are critical
to achieving and maintaining compliance for law firms. Lawyers and law
firms must reasonably provide and account for the retention, migration,
and destruction of client information in accordance with legal agreements,
ethical standards, regulations and laws.
Is your firm storing, encrypting, securing and protecting its
confidential data in adherence with the growing number of related
laws and regulations?
LAW FIRM REALITY
WORKS CITED
Brian L. Whisler, Baker & McKenzie. May 18, 2010. Corporate Espionage and Global Security: Protecting Your Business Interests. <http://www.buyusa.gov/nyc/bakerpresentation.ppt>
M. Peter Adler, Pepper Hamilton LLP. 2008. A Unified Approach to Security Compliance. <http://www.pepperlaw.com/pdfs/DieboldFinal_adlerp0408.ppt>
Kevin Woo, Law.com. September 16, 2009. Data Loss Prevention Systems at Your Firm. <http://www.law.com/jsp/lawtechnologynews/PubArticleLTNC.jsp?id=1202433814819&Data_Loss_Prevention_Systems_at_Your_Firm>
Alejandro Martínez-Cabrera, San Francisco Chronicle. March 20, 2010. Law Firms are Lucrative Targets of Cyberscams. <http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/03/19/BU3E1CIIGE.DTL>
Kristi L. VanderLaan, Goodman Allen & Filetti, PLLC. February 12, 2010. Legal Practice in a HITECH Environment: An Overview of the HITECH Act and its Affect on Lawyers as Business Associates. <http://www.primerus.com/news/resources_business/legal-practice-in-a-hitech-environment-an-overview-of-the-hitech-act-and-its-affect-on-lawyers-as-business-associates/>
V. Dion Haynes, Washington Post. March 9, 2009. Recession Sends Lawyers Home. <http://www.washingtonpost.com/wp-dyn/content/article/2009/03/08/AR2009030801549.html>
Jim Calloway, Oklahoma Bar Association. July 28, 2010. Why You Need to Switch to Digital Client Files Now. <http://lawyersusaonline.com/blog/2010/07/28/why-you-need-to-switch-to-digital-client-files-now/>
David Collins, US Department of Justice. 2005. DOJ Litigation Case Management System (LCMS). <https://collab.core.gov/adl/en-US/9488/File/5766/Industry%20Day%20Brief%20Full%20Final%20(2).ppt>
Microsoft Corporation. 2005. Trends Reshaping Law Firms. <https://msdb.ru/Downloads/Dynamics/industries/profservices/expertmark/Law%20Firm%20Prospect%20Presentation%20-%20Large%20Firms.ppt>
William E. Olson, DeMars, Gordon, Olson, & Zalewski. Law Firm Management Technology for Home Offices & Small Law Firms. <http://demarsgordon.com/LawFirmManagementTechnologyIssues.PPT>
Karnika Seth, Seth Associates. July 2007. Legal Process Outsourcing in India-An Insight into The Growing Industry. <http://www.sethassociates.com/wp-content/uploads/legal%20process%20outsourcing%20in%20India-%20An%20insight%20into%20the%20growing%20Industry.ppt>
Susan Freund, Larrimer Associates, Inc. November 19, 2009. Privacy and Information Security: Laws and Regulations.
Sara Anne Hook, ARMA. Date. Ethics and E-discovery: Where the Rubber Meets the Rules. <http://armaindy.org/Resources/Documents/Session%203%20-%20Sara%20Hook%20Ethics%20and%20E-discovery.ppt>
John T. Lambert, The University of Southern Mississippi. 2008. Attorneys and Their Use of Technology. <http://www.alliedacademies.org/Publications/Papers/EE%20Vol%2013%202008%20p%2083-99.pdf>
C. Matthew Curtin and Lee T. Ayres, Interhack. 2009. Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry. <http://web.interhack.com/publications/interhack-breach-taxonomy.pdf>
Verizon. 2009. 2009 Data Breach Investigations Report. <http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf>
Catherine Sanders Reach, American Bar Association. 2008. Dangerous Curves Ahead: The Crossroads of Ethics and Technology. <http://www.abanet.org/tech/ltrc/presentations/arkbarethicstech.pdf>
Brinig, B. & Gladson, E., 2000. Developing and Managing a Litigation Services Practice. San Diego, CA: Harcourt Professional Publishing.
Lambert, J. 2006. Economic and Management Factors Affecting The Adoption of Presentation Technology by Law Firms. <http://libraryds.grenoble-em.com/FR/PUBLICATIONS/Pages/theses.aspx>
Ed. Paulus R. Wayleith, Data Security: Laws and Safeguards. Nova Science Publishers, 2008.
Kevin P. Cronin and Ronald N. Weikers. Data Security and Privacy Law: Combating Cyberthreats. Thomson/West, 2002.
Kimberly Kiefer et al. Information Security: A Legal, Business, and Technical Handbook. American Bar Association, 2004.
U.S. Government Accountability Office. Personal Identifiable Information and Data Breaches. Nova Science Publishers, 2009.
TERMS AND CONDITIONS
While the information is based on best available resources, NorthPage Research LLC disclaims all warranties as to the accuracy, completeness or adequacy of such information. NorthPage Research LLC shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. Opinions reflect judgment at the time and are subject to change. All trademarks appearing in this report are trademarks of their respective owners.