Data breaches are sadly all too common. In fact, 2014 was a record year for hacks: the Identity Theft Resource Center identified over 783 data breaches and 85,611,528 exposed records, as reported in its December 31, 2014 Data Breach Report.
Considering all of the data breaches that make the news, it is notable that the U.S. legal profession rarely appears in these headlines. This is not because law firms are not targets. In fact, last year Bloomberg reported that, according to the cybersecurity firm Mandiant, at a minimum 80 of the 100 largest firms in the U.S., by revenue, have been hacked since 2011. This past week the New York Times article entitled “Citigroup Report Chides Law Firms for Silence on Hackings” pointed to “[t]he unwillingness of most big U.S. law firms to discuss or even acknowledge breaches…”. This posture “has frustrated law enforcement and corporate clients for several years.”
As LawSites lawyer and blogger Bob Ambrogi articulated in his March 16, 2015 blog post, lawyers must maintain competence in technology, including an understanding of the current benefits and risks associated with relevant technology. Unfortunately, many law firms rely heavily on the “fig leaf” disclaimers at the bottom of their emails to protect the security and confidentiality of content.
These catchall disclaimers often read like this:
Disclaimer: This electronic mail and any attachments are confidential and may be privileged. If you are not the intended recipient, please notify the sender immediately by replying to this email, and destroy all copies of this email and any attachments. Thank you.
Why is this so?
Like people, organizations behave according to the positive and negative metrics they are measured on. For example, U.K. lawyers may, in general, be considered more sensitized to the obligations they have to their clients’ digital assets. This is based on the established guidelines and rules laid out in the 1998 Data Protection Act and by the Solicitors Regulation Authority. A small but poignant example is the U.K.-based British Pregnancy Advisory Service, which was fined £200,000 for housing client contact information on its website, which was subsequently hacked. Aside from the financial implications, the reputational damage was just as significant. This hack was widely covered in the U.K., and I am sure it was not missed by the legal community.
The way to effect real change in the U.S. law firm community is to move toward material measurements that have impact. Organizations and their law firms should securely protect and control sensitive information at every stage of the content lifecycle in a secure repository that, yes, resides outside of email.
In one of our recent blog posts, Bob Blacksberg, principal of Blacksberg Associates, discussed the importance of information security in law firms. Email messages should never carry confidential files as attachments. Instead, messages should contain links to files kept in a secure shared location that only authorized users can access, with information rights management applied to every document so that you retain control over access to your information even after it has been shared.
With material metrics in place, behaviors will change. IT investments that will really protect client data will then be made. As the renowned management consultant Peter Drucker said, “What gets measured gets done.”