In matters of data security, a law firm’s lawyers are often the weakest link
September 29, 2013
Featured as a privacy expert
Keeping clients’ data safe has always been essential for lawyers and their law firms. And the challenge isn’t about to get any easier as they face a vast and growing underground community of hackers who can readily adapt to evolving security technologies and tactics.
“It’s a mammoth problem that’s being underestimated and firms have to be proactive in identifying threats and implementing technologies to mitigate the risks,” says Barry Sookman, senior partner and former chair of the Technology Law Group with McCarthy Tétrault LLP in Toronto. “Gone are the days when the biggest concern was the staff that came to pick up documents for shredding. Law firms need to realize that in the 21st century, the old idea of, ‘We have locks, keys and pass cards’ just doesn’t cut it anymore.”
“There were two massive security breaches in 2013 in Canada and both involved an employee losing an unencrypted laptop containing a ton of personal information. In many situations, a security breach will be triggered by an employee not being aware of the law or the policy … [and] training at least provides the necessary information to staff”
For law firms, keeping electronic information safe has become an ongoing business priority. “When using any type of technology, the onus is on lawyers and their firms to keep abreast of new technology and put the necessary safeguards in place to protect and preserve client confidentiality,” says Diana Miles, director of professional development and competence at the Law Society of Upper Canada.
It’s up to law firm leadership to take the lead and set the agenda by devoting significant efforts toward cyber security. It has to be on their governance agenda, says Duncan Card, a partner at Bennett Jones LLP in Toronto. “We’ve got to be asking the right questions, we’ve got to stay up to date on the latest innovations, we’ve got to have the [chief investment officers] reporting to us, and we should have regular security audits and assessments.”
But in any security system, the weakest link in the chain is the most important, and that link is the lawyers themselves. “Lawyers are not the most technically savvy people and they will tend to do things like click on links in emails if it looks half legitimate, or go to a website and not be too concerned about which one they’re visiting,” says Shane McGee, general counsel and vice president of legal affairs with cyber-security firm Mandiant Corp. “The vast majority of these attacks, the way they get entry into the network is by sending phishing email from someone you trust. You click on a link and not only do you compromise your whole system once you do, but once they get in, it’s not hard to get across to other systems and to access the data on the file server.”
This content has been updated on August 23, 2014 at 14 h 14 min.