In this information age, data is more valuable than ever. Ask Google, a company racing to organize all of the world’s information, and which makes a tidy profit by doing so. But also ask identity thieves and scam artists. A quick glance at the news these days reveals countless information heists, with cybercriminals stealing huge amounts of private information, selling it for profit, and sometimes holding it for ransom. Recent news also reveals repeated incidents of companies misplacing customer data, company data being accidentally erased and irretrievable due to inadequate data backups, private business information getting leaked on blogs and social networking sites, and other data mishaps.
For law firms dependent on large amounts of client data and digital work product, and governed by ethics rules regarding attorney-client privilege, confidentiality and records retention, these new information security realities should raise a red flag. Are law firms doing enough to protect their computer systems and data?
Averting data disasters goes beyond information security basics such as firewalls and antivirus and anti-spyware software. Employees must be made aware of information security best practices as outlined in security policies. Going to the wrong types of Web sites, downloading the wrong types of files, not storing firm data in the right repositories, and discussing certain aspects of work on blogs and social networks are activities that can endanger firm data and should be covered in firm policies.
According to the 2009 ABA Legal Technology Survey Report, 44 percent of respondents report that their firms have a computer acceptable use policy, 44 percent an Internet use policy, 47 percent an e-mail use policy, 44 percent a document management/records management policy, and 35 percent an e-mail retention policy. Eleven percent report firm policies on blogging, 9 percent on social network use, and 4 percent on microblog use. And, although training on appropriate use of technology may be essential to help thwart external and internal information security threats, 26 percent of respondents report that they have no technology training available at their firms.
The ABA Legal Technology Resource Center surveyed lawyer members in private practices from January through May 2009. The final report provides more than 480 pages of detailed statistics and trend analysis on the use of technology within the legal profession.
Keeping Firm Data from Prying Eyes
Ninety-three percent of respondents report that they send confidential or privileged communications or documents to clients via e-mail. However, 85 percent report that they rely on confidentiality statements and disclaimers as a security precaution when sending such information, which may be ineffective in keeping information private. Only 23 percent of those who send such information to clients via e-mail report using e-mail encryption—and only 9 percent report password protecting such documents.
Metadata removal software can help lawyers avoid the unintentional exposure of confidential information via document metadata, which can include comments, tracked changes and other hidden information. But fewer than half (46 percent) of respondents report the availability of metadata removal software at their firms.
Firm data can also fall into the wrong hands with stolen or misplaced mobile devices. While 92 percent of respondents report using password protection on their laptops, only 24 percent report using encryption and 2 percent remote data wiping. Ninety percent report using password protection on their PDA/smartphone/BlackBerry, but only 11 percent report using encryption and 6 percent remote data wiping.
While 89 percent of respondents report that their firms have a data backup strategy, 26 percent report that their firms do not back up data daily, and 12 percent report that they do not back up weekly, which could result in a disastrous amount of irretrievable data loss in the case of computer or server malfunction.
Based on these statistics, it looks like law firms are taking a variety of preliminary information security steps, but leaving many security gaps that must be filled to protect valuable firm and client data.