
5 Reasons why Information Security is now a Business-Critical Function for Law Firms

Valuable insights into the importance and challenges of securing information systems in law firms

EXECUTIVE INSIGHT SERIES REPORT SPONSORED BY

Copyright 2011 NorthPage Research LLC www.northpage.com

About this Report

Information Security is a business-critical function for modern law firms.

Through the insights in this report, lawyers and law firm executives will gain a better understanding of the threats, risks and realities challenging today’s technology-enabled law firms.

This report seeks to help law firms of any size to ensure continued success and growth through reliable, productive and secure information systems. Understanding the threats posed by the widespread adoption of technology is a business-critical imperative for law firms.

NorthPage Research produces independent publications and online guides to help business decision makers


5 Reasons Why Information Security is Now a Business-Critical Function for Law Firms

Danger By Design: The Unique Role Of Information In Law Firms

Does your law firm protect and secure confidential information to the levels required by law, professional codes and ethics?

The Law Firm Information Gold Mine

Do you know everything you are obligated to know about when, where and how information is created, communicated and stored by your firm? Do you know how accessible that information is to those with malicious intent?

Trusted Information Systems Are The Lifeblood Of The Modern Law Firm

What level of priority does the ensuring of trusted and secure information systems have in your firm? Are you taking the steps necessary to make certain your information systems remain a business accelerator and not a source of liability and loss?

Information Systems Sprawl in Law Firms

Do you have visibility into and control of your firm’s information systems footprint? Are your security controls consistently implemented across the organization? What are the levels of information security risk, exposure and vulnerability your firm faces?

Information Security Impacts Law Firm Compliance

Is your firm storing, encrypting, securing and protecting its confidential data in adherence with the growing number of related laws and regulations?


EXECUTIVE SUMMARY

Information systems have become business-critical assets for modern law firms. Traditionally, law firms relied on the instincts, creativity and knowledge of the firm’s practitioners. That reliance has now been materially advanced by the adoption of firm-wide systems, devices, applications and networks. Today, virtually every function in the modern law firm is impacted greatly by the implementation and utilization of information systems.

In conjunction with the dramatic gains realized by the technology-enabling of law firms, equally dramatic risks and vulnerabilities have arisen. Technology-based capabilities, particularly when combined with prolonged economic downturns, create environments ripe for attack and compromise by malicious hackers as well as espionage by opportunistic employees and competitors.

Given the expanding information security threat landscape, technology-enabled law firms must understand these threats, vulnerabilities and risks and aggressively secure their systems and data.


DANGER BY DESIGN: THE UNIQUE ROLE OF INFORMATION IN LAW FIRMS

The unique nature of legal information creates elevated levels of information security risk. In contrast with most industries, lawyers' work-products are typically comprised of sensitive and highly confidential data.

LAW FIRMS’ BURDEN TO SECURE INFORMATION

By law, professional codes and ethics, lawyers are duty-bound to secure electronic information. Law firms are similarly required to proactively protect their clients’ electronic information.

The American Bar Association's Model Rules of Professional Conduct provide the following guidance on preserving the confidentiality of information:

A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision. When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.

MALPRACTICE AND INFORMATION SECURITY

Information security has major malpractice implications for law firms. Law firms and lawyers must account for malpractice liabilities ranging from information security negligence to inadvertent breaches of client confidentiality. Failure to do so can result in tort, breach of fiduciary duty or breach of contract claims.

Does your law firm’s management and protection of secure and confidential information rise to the levels required by law, professional codes and ethics?

LAW FIRM REALITY


THE LAW FIRM INFORMATION GOLD MINE

Law firms electronically create, handle and store vast quantities of highly-valuable information. Much of this information is of great value to hackers, current and former employees and competitors.

LEGAL INFORMATION EXPLOSION

The typical law firm’s information assets double every six months. Information assets are defined as the operating and confidential or privileged information produced, communicated or stored by a law firm. Today, more than 90 percent of legal information exists in digital form.

Accelerating the growth of the legal data footprint are the copying, sharing and distributing of information assets across multiple systems, applications, devices and groups of users. The increased development and use of multiple data formats further increases the quantity of information assets to be managed and secured by law firms. Common formats and data requiring protection include word processing documents, spreadsheets, databases, email messages, text messages, digital images, audio, video, website content, proprietary applications and social networking information.

INFORMATION RETENTION

Few law firms implement effective electronic information retention and deletion policies. Such policies ensure that firms retain only what is required for business or legal reasons. Well managed policies also constrain the confidential data explosion while reducing the levels of information systems risk.

LAW FIRM REALITY


LEGAL INFORMATION GOLD MINE

The information assets created, communicated and stored by law firms represent an information gold mine for hackers. According to the 2009 Data Breach Investigations Report from Verizon, most data breaches originate from external sources with 91 percent of all compromised records linked to organized criminal groups.

Law Firm Information Assets

High-value law firm information assets of great interest to hackers include:

Pending litigation

Details on new patents and products

Intellectual property

Client Information

Computer generated forensic recreations and simulations

Trade secrets

Confidential and Privileged information

Identity Information

Personal information

Source data

Do you know everything you are obligated to know about when, where and how information is created, communicated and stored by your firm? Do you know how accessible that information is to those with malicious intent?

Who is Behind Data Breaches?

74% resulted from external sources

20% were caused by insiders

32% implicated business partners

39% involved multiple parties

* Verizon 2009 Data Breach Investigations Report


TRUSTED INFORMATION SYSTEMS ARE THE LIFEBLOOD OF THE MODERN LAW FIRM

THE IMPACT OF INFORMATION SYSTEMS ON LAW FIRMS

The impact of information systems on the legal profession is profound and growing. Technology-enabled law firms dramatically enhance their practices by:

Providing increased levels of service to clients

Recognizing substantial operating efficiencies and improved firm-wide productivity gains

Reducing costs

Developing and maintaining competitive advantage

The impact of leveraging information systems for law firms is extensive:

Increased revenue

Improved client satisfaction

Increased referrals

Improved profit

INFORMATION SYSTEMS RISK

The business and economic benefits provided by the successful implementation and adoption of information systems create new risks and vulnerabilities that potentially compromise law firms’ continued successful operation and existence.

LAW FIRM REALITY


A law firm’s near-absolute reliance on information systems introduces business-critical financial, regulatory, operational and market risks related to the compromise of systems and data. Everyday examples of law firms’ reliance on information and potential information systems exposure include:

Clients receiving and paying invoices through electronic billing and payment systems

Lawyers producing, reviewing and communicating confidential and privileged information with their “Smartphones”

Lawyers, staff and experts creating and presenting computer generated forensic recreations and simulations

Clients and lawyers sharing confidential documents via email

Administrative staff backing up servers and systems to portable media

Offshore legal services firms providing research and document processing services

The aggressive adoption of information systems by law firms and the rapid growth in the numbers and types of users, systems, devices, applications and access points has resulted in unprecedented information systems risks and vulnerabilities.

What level of priority does the ensuring of trusted and secure information systems have in your firm? Are you taking the steps necessary to make certain your information systems remain a business accelerator and not a source of liability and loss?


INFORMATION SYSTEMS SPRAWL IN LAW FIRMS

The build-out and use of information system components in law firms continues to grow with the adoption and deployment of new systems, applications, network access points and devices. The levels of a law firm’s information security risk, exposure and vulnerability grow exponentially in relation to the adoption and usage of technology.

An example of the dramatic adoption of information systems by lawyers and law firms is the complete “virtualization” of law offices by a significant number of lawyers. According to the ABA’s 2010 Legal Technology Survey Report, 14% of lawyers reported that they ran a virtual law office, working with clients over the Internet and rarely meeting them in person.

LAW FIRM REALITY


INFORMATION SYSTEMS VULNERABILITY

Hackers need only a single vulnerability point to successfully access a law firm’s systems and data. According to the 2009 Data Breach Investigations Report by Verizon, 98 percent of all records breached included at least one of these attributes:

the attacker exploited a mistake committed by a user in the targeted organization

the attacker hacked into the network

the attacker installed malware on a system to collect data

Systems

At the heart of the law firm information system operation is the system infrastructure. From expansion of capabilities to system maintenance, including updates, upgrades and patches, the systems component sets the foundation for information system security. These components include:

Communication and data transfer

Operating systems and databases

Security hardware and software

Servers

Storage

How do Breaches Occur?

67% were aided by significant errors in security

64% resulted from hacking

38% utilized malware

22% involved privilege misuse

9% occurred via physical attacks

* Verizon 2009 Data Breach Investigations Report


Legal Applications

As digital collaboration becomes the norm between law firms and clients, the number and types of applications used and the amount of application usage continues to grow. Popular and potentially vulnerable law firm applications include:

Case Management

Client Relationship Management

Docketing and calendaring

Document Management / Enterprise Content Management

E-Discovery

Electronic Billing

Electronic evidence

Email

Financial Management

Knowledge Management and Enterprise Search

Library and on-line research

Litigation Support

Office Suites (word processing, spreadsheets, presentation)

Portals, Extranets and Collaboration Systems

Records management

Time entry and billing


Access

Remote and distributed resources require system access for collaboration, communication and application access. The dramatic growth in the types of access and the volume of access requests provides an especially acute information security risk for law firms.

Intranets & Extranets

Local and Wide Area Networking

Remote Access

SharePoint Servers

Wireless Access

Devices

As devices such as laptops, “Smartphones” and flash drives proliferate, and allow lawyers and staff to carry thousands of pages of legal documents, the corresponding security risks perpetually grow.

Desktop Computers

Laptops

Mobile devices including Smartphones

Portable Memory (Flash Drives) and Media (CDs, DVDs)

Printers, Scanners and Copiers

Voicemail

Employee home computers and mobile devices

It takes only one compromised system, application, network access point or device to create a business-critical issue and liability for a law firm.

Do you have visibility into and control of your firm’s information systems footprint? Are your security controls consistently implemented across the organization? What are the levels of information security risk, exposure and vulnerability your firm faces?


INFORMATION SECURITY IMPACTS LAW FIRM COMPLIANCE

Complying with government and legal industry regulations is a major concern and challenge for law firms. The distributed nature of law firm information systems increasingly adds to the compliance challenges.

Web of Compliance

Compliance with state and federal law places increased importance on a law firm’s information security function and practices. Currently, 46 states have or are enacting data breach notification legislation. Federal law prescribes multiple information security requirements. An example of a federal law dictating information security is the HITECH provisions of the American Recovery and Reinvestment Act of 2009. Lawyers need to be aware of the potential implications for their clients and for the practice of law relating to these compliance requirements.

Information Systems Compliance

Increasingly, law firms are bound by law and regulation to store, backup, encrypt, secure and protect their confidential data. Law firms have to demonstrate an information security policy that proves they have the proper range of steps and measures in place. If these policies are not adhered to, regulators reserve the right to prosecute.

The retention, migration, and destruction of client information are critical to achieving and maintaining compliance for law firms. Lawyers and law firms must reasonably provide and account for the retention, migration, and destruction of client information in accordance with legal agreements, ethical standards, regulations and laws.

Is your firm storing, encrypting, securing and protecting its confidential data in adherence with the growing number of related laws and regulations?

LAW FIRM REALITY


WORKS CITED

Brian L. Whisler, Baker & McKenzie. May 18, 2010. Corporate Espionage and Global Security: Protecting Your Business Interests. <http://www.buyusa.gov/nyc/bakerpresentation.ppt>

M. Peter Adler, Pepper Hamilton LLP. 2008. A Unified Approach to Security Compliance. <http://www.pepperlaw.com/pdfs/DieboldFinal_adlerp0408.ppt>

Kevin Woo, Law.com. September 16, 2009. Data Loss Prevention Systems at Your Firm. <http://www.law.com/jsp/lawtechnologynews/PubArticleLTNC.jsp?id=1202433814819&Data_Loss_Prevention_Systems_at_Your_Firm>

Alejandro Martínez-Cabrera, San Francisco Chronicle. March 20, 2010. Law Firms are Lucrative Targets of Cyberscams. <http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/03/19/BU3E1CIIGE.DTL>

Kristi L. VanderLaan, Goodman Allen & Filetti, PLLC. February 12, 2010. Legal Practice in a HITECH Environment: An Overview of the HITECH Act and its Affect on Lawyers as Business Associates. <http://www.primerus.com/news/resources_business/legal-practice-in-a-hitech-environment-an-overview-of-the-hitech-act-and-its-affect-on-lawyers-as-business-associates/>

V. Dion Haynes, Washington Post. March 9, 2009. Recession Sends Lawyers Home. <http://www.washingtonpost.com/wp-dyn/content/article/2009/03/08/AR2009030801549.html>

Jim Calloway, Oklahoma Bar Association, July 28, 2010. Why You Need to Switch to Digital Client Files Now. <http://lawyersusaonline.com/blog/2010/07/28/why-you-need-to-switch-to-digital-client-files-now/>

David Collins, US Department of Justice. 2005. DOJ Litigation Case Management System (LCMS). <https://collab.core.gov/adl/en-US/9488/File/5766/Industry%20Day%20Brief%20Full%20Final%20(2).ppt>

Microsoft Corporation. 2005. Trends Reshaping Law Firms. <https://msdb.ru/Downloads/Dynamics/industries/profservices/expertmark/Law%20Firm%20Prospect%20Presentation%20-%20Large%20Firms.ppt>

William E. Olson, DeMars, Gordon, Olson, & Zalewski. Law Firm Management Technology for Home Offices & Small Law Firms. <http://demarsgordon.com/LawFirmManagementTechnologyIssues.PPT>

Karnika Seth, Seth Associates. July 2007. Legal Process Outsourcing in India-An Insight into The Growing Industry. <http://www.sethassociates.com/wp-content/uploads/legal%20process%20outsourcing%20in%20India-%20An%20insight%20into%20the%20growing%20Industry.ppt>

Susan Freund, Larrimer Associates, Inc. November 19, 2009. Privacy and Information Security: Laws and Regulations.


Sara Anne Hook, ARMA. Date. Ethics and E-discovery: Where the Rubber Meets the Rules. <http://armaindy.org/Resources/Documents/Session%203%20-%20Sara%20Hook%20Ethics%20and%20E-discovery.ppt>

John T. Lambert, The University of Southern Mississippi. 2008. Attorneys and Their Use of Technology. <http://www.alliedacademies.org/Publications/Papers/EE%20Vol%2013%202008%20p%2083-99.pdf>

C. Matthew Curtin and Lee T. Ayres, Interhack. 2009. Using Science to Combat Data Loss: Analyzing Breaches by Type and Industry. <http://web.interhack.com/publications/interhack-breach-taxonomy.pdf>

Verizon. 2009. 2009 Data Breach Investigations Report. <http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf>

Catherine Sanders Reach, American Bar Association. 2008. Dangerous Curves Ahead: The Crossroads of Ethics and Technology. <http://www.abanet.org/tech/ltrc/presentations/arkbarethicstech.pdf>

Brinig, B. & Gladson, E., 2000. Developing and Managing a Litigation Services Practice. San Diego, CA: Harcourt Professional Publishing.

Lambert, J.. 2006. Economic and Management Factors Affecting The Adoption of Presentation Technology by Law Firms. <http://libraryds.grenoble-em.com/FR/PUBLICATIONS/Pages/theses.aspx>

Ed. Paulus R. Wayleith, Data Security: Laws and Safeguards. Nova Science Publishers, 2008.

Kevin P. Cronin and Ronald N. Weikers. Data Security and Privacy Law : Combating Cyberthreats. Thomson/West, 2002.

Kimberly Kiefer et al. Information Security : A Legal, Business, and Technical Handbook. American Bar Association, 2004.

U.S. Government Accountability Office. Personal Identifiable Information and Data Breaches. Nova Science Publishers, 2009.

TERMS AND CONDITIONS

While the information is based on best available resources, NorthPage Research LLC disclaims all warranties as to the accuracy, completeness or adequacy of such information. NorthPage Research LLC shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. Opinions reflect judgment at the time and are subject to change. All trademarks appearing in this report are trademarks of their respective owners.