The ABA 2014 Legal Technology Survey Report shows a continuing trend of increasing use of technology by attorneys led by devices like smartphones and tablets. This is a highly positive trend because it enables attorneys to practice more efficiently and effectively and to better serve clients. The Survey shows that many attorneys and law firms are employing a number of the safeguards covered in the questions. However, it also shows that the same demographic is not employing the basic security measures used frequently in other businesses and professions.
The ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to clients (ABA Model Rules 1.1 and 1.6). Attorneys also have common law duties to protect client information and often have contractual and regulatory obligations to protect information relating to clients and other personally identifiable information—like health and financial information. These duties present a challenge to attorneys using technology because they often lack security training and awareness. Compliance requires attorneys to understand limitations in their knowledge and to get qualified assistance when necessary. These obligations are minimum standards—failure to comply with them can constitute unethical or illegal conduct. Attorneys should aim for security that goes beyond these minimum standards.
Data security is addressed most directly in the first volume of the Survey, Technology Basics. It is further addressed in Volume IV, Web and Communications Technology and Volume VI, Mobile Lawyers. This Security Snapshot reviews responses to the security questions in this year’s Survey and discusses them in light of attorneys’ duty to safeguard information.
Recognizing the Risk
The headlines are filled with reports of data breaches—ranging from small businesses to high profile incidents like Target, Home Depot, and JP Morgan. Likewise, there have been law firm data breaches, where incidents range from lost or stolen portable drives to long-term network intrusions that expose everything in the network.
Information security starts with a risk assessment to determine what needs to be protected and the threats that it faces. The Comment to Model Rule 1.6 includes a risk assessment approach to determine reasonable measures that attorneys should employ. The first two factors in the analysis are: “The sensitivity of the information,” and, “The likelihood of disclosure if additional safeguards are not employed.” This analysis should include a review of both security incidents that an attorney or law firm has experienced and those experienced by others in the legal profession. The Survey includes information about threats in its questions regarding security breaches.
The 2013 Survey reports that about 14% of respondents reported that their firms had experienced a security breach at some point. The question is not limited to the past year; it asks whether the firm has “ever” experienced a breach. The majority of respondents—60%—reported that their firm had not experienced a breach. The remaining respondents—25%—responded that they don’t know if their firm ever suffered a breach.
There is no trend by firm size on experiencing a breach. The lowest percentage—10%—is reported by firms of 100-499, followed by solos at 12%. The highest is firms of 10-49, at 19%, then 500+ at 17%. Larger firms have more people, more technology, and more data, so they face greater risk. They also should have more resources to protect them. It is difficult to judge the accuracy of these responses, and whether larger firms have really experienced fewer breaches, because the percentage of respondents who don’t know whether a breach occurred rises directly with firm size. Over half of the respondents in larger firms report that they don’t know: 53% in firms of 50-99, 61% in firms of 100-499, and 67% in firms of 500+.
The most serious consequence of a data breach for a law firm would most likely be unauthorized access to client data. The Survey shows a very low incidence of this result—1% overall. The only firm size for which it reports a percentage is solos, with just under 5%. While these percentages are very low, any exposure of client data can be a major disaster for a law firm and its clients. The responses make it difficult to tell how many incidents there have actually been with exposure of client data, because almost 12% report that they don’t know about the consequences, with “don’t know” responses by 33% of respondents in firms of 50-99, 25% in firms of 100-499, and 60% in firms of 500+. The uncertainty is increased by the high percentage of respondents, discussed above, who don’t know whether their firm experienced a data breach.
The other reported consequences of data breaches are significant, but relatively low. Downtime/loss of billable hours was reported by 26% of respondents; consulting fees for repair were reported by 19% and replacement of hardware/software was reported by 17%. Any of these could be very serious, particularly for solos and small firms. A little over 5% responded that they notified a client or clients of the breach.
The Survey also inquired about infections of viruses/spyware/malware. 45% reported infections and 28% reported that they don’t know. Infections can cause serious consequences, including compromise of confidentiality and loss of data. With just under half of respondents reporting infections, strong safeguards against them are clearly warranted.
Security Programs and Policies
At the ABA Annual Meeting in August, 2014, the ABA adopted a resolution on cybersecurity that “encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.” The organizations covered by it include law firms.
Security includes protection of confidentiality, integrity, and availability of data. Too often, attorneys (and others) focus only on the confidentiality part. Security programs should include measures to prevent breaches, like policies that regulate use of technology. Additionally, they should include measures to detect breaches, respond to them, and recover from them.
The 2013 Legal Technology Survey Report, which predates this resolution, asks respondents about a variety of technology-related policies, rather than about an overall security program. Attorneys and law firms should view these kinds of policies as part of a coordinated program rather than individually.
According to the 2014 Survey, 56% of respondents report that their firms have a document or records management and retention policy, 46% report that the firm has a computer acceptable use policy, 47% report a policy regarding email use, 47% for Internet use, 42% for email retention, and 34% for employee privacy. All of these percentages are up slightly from the 2013 Survey, meaning there has been an increase in their adoption. These numbers increase with firm size. For example, about 46% of solo respondents report having a computer acceptable use policy compared to 82% of respondents at firms with 500+ attorneys.
Two responses that raise a major security concern are: those that report having no policies, and those reporting that they don’t know whether their firm has security policies. They show that, overall, about 23% say that they don’t have policies, and 9% say that they don’t know.
There is a clear trend by firm size in the responses of having no policies. No respondents in firms of 50-99, 100-499, or 500+ report having none. The percentage rises as firm size falls: 6% of firms with 10-49 attorneys, 24% of firms with 2-9, and 55% (over half) of responding solos. While it is understandable that solos and smaller firms may not appreciate the need for policies, all firms should have them—appropriately scaled to the size of the firm. For solos, it may just be a series of checklists and who to call for what, but they should have something that covers these areas.
Security awareness is a key to effective security. There cannot be effective security if users are not trained and do not understand the issues and applicable security policies.
In accordance with the ABA resolution on cybersecurity programs (and generally accepted security practices), all attorneys and law firms should have security programs tailored to the size of the firm and the data and systems to be protected. They should include training and security awareness.
Authentication and Access Control
Authentication and access controls are the first line of defense. They are the “keys to the kingdom”— controlling access to networks, computers, and mobile devices. The Survey covers access controls for laptops and smartphones. It would be interesting to see how attorneys fare on networks, desktops, and other devices.
For laptops, a strong majority of responding attorneys—nearly all—report that they use access controls. Overall, slightly less than 95% report using passwords. Firms of 100-499 and 500+ both report at 100%, while solos come in at 88%. Additionally, 8% report using other authentication, such as fingerprint readers and other alternatives. While this might suggest that all attorneys use some form of access control (95% + 8%), that is not the case. In fact, 5% report that they use none of the listed laptop security measures, although the response of “none” is limited to solos and firms with fewer than 100 attorneys. As noted above, the larger firms report 100% use of passwords.
Use of authentication controls on smartphones is similar to that on laptops. Reported use of passwords is 90% overall—increasing with firm size from 83% for solos to 99% for firms of 500+. Another 8% report using other authentication, while 8% use none of the listed measures.
For both laptops and smartphones, use of passwords or other authentication should be 100%.
Encryption
Encryption is a strong security measure that protects data in storage (on computers, laptops, smartphones, tablets, and portable devices) and transmitted data (over wired and wireless networks, including email). Security professionals view encryption as a basic safeguard that should be widely deployed. It is increasingly being required by law for personal information, like health and financial information. The Survey shows that attorneys’ use of each of the encryption tools it asks about is very low.
Full drive encryption provides strong protection for all of the data on a server, desktop, laptop, or portable device. The data is readable only when it is decrypted through use of the correct password or other access control. Only 14% of respondents report an overall use of full drive encryption, ranging from 8% for solos to 35% for firms of 500+. File encryption protects individual files rather than all the data on a drive or device. Use of file encryption is higher—36% overall, ranging from just under 30% for solos to 57% in firms of 500+—but still just over one-third. Use of encryption on smartphones appears to be significantly under-reported. Respondents report an overall use of encryption on smartphones of only 10%. However, 67% overall report using iPhones, and 90% report that they use password protection on their smartphones. On current iPhones, encryption is automatically enabled when a PIN or password is set. It appears that many attorneys are using encryption on their smartphones without knowing it.
Verizon’s 2014 Data Breach Investigation Report concludes that, “Encryption is as close to a no-brainer solution as it gets,” for lost or stolen devices. Attorneys who do not use encryption on laptops, smartphones, and portable devices should consider the question: Is failure to employ what some consider a no-brainer solution taking competent and reasonable measures?
E-mail encryption is another security measure with reported low use by responding attorneys. Overall, 35% of respondents reported that they use encryption for e-mail of confidential/privileged communications/documents sent to clients. This ranges from 26% for solos to 52% for firms of 500+. There has been a gradual trend toward increased use of encryption for e-mail, growing from 23% overall in the 2011 Survey to the current 35%. There is a discrepancy in answers to questions on e-mail encryption in different parts of the Survey. Attorneys responding to the Web and Communication Technology questions report this overall use rate of 35%. Of those responding to the Technology Basics questions, 25% reported that their firms have e-mail encryption—a 10% disparity in the different parts of the Survey. In response to a separate question, 14% of respondents overall reported that they password protect documents.
Once again, the rate generally increases with size of firm, from 13% for solos to 26% in the largest firms. In current versions of Microsoft Office, Adobe Acrobat, and WinZip, setting a password for the document encrypts it. While password protection of documents is not as strong as encryption of a complete email and attachments, it is much more secure than no encryption.
Unless some reporting attorneys are using both e-mail encryption and password protection for the same communications, these responses together indicate that 40% of solos (26% + 14%), and 78% of attorneys in 500+ firms (52% + 26%), are using some form of encryption for these kinds of communications. This indicates that overall, a total of just under 50% of attorneys use some form of encryption for these kinds of communications. Google and Yahoo, at least in part driven by the disclosures about NSA interception, have recently announced that they will be making encryption available for their e-mail services. In its announcement, Google compared unencrypted e-mail to a postcard and encryption to adding an envelope. This postcard analogy has been used by security professionals for years. Hopefully, the percentages of attorneys reporting that they have added the envelopes, where appropriate, will grow in future surveys.
Backup and Recovery
As discussed above, effective security must have measures to protect the availability of data, including backup and recovery. Threats to availability of data can range from failure of a single piece of equipment to a major disaster like a fire or hurricane.
Overall, 13% of respondents report that their firm had experienced a natural or man-made disaster, like a fire or flood. The highest incidence was 27% in firms of 100-499, which is over a quarter of respondents. The lowest reported incidence was for solos—6%. Disasters of this kind can put a firm out of business—temporarily or permanently. These positive responses and the potentially devastating results demonstrate the importance for law firms of all sizes to be prepared to respond and recover.
Despite this clear need, only 56% of responding attorneys report that their firms have a disaster recovery/business continuity plan. A little over 22% responded that they don’t have plans, and the remaining 22% respond that they don’t know. The overall incidence (13%) and potentially devastating results suggest that too many firms are not prepared.
In the equipment failure area, 36% of respondents report that their firm experienced a hard drive failure, while 35% reported that they did not. The remainder reported that they do not know, with the “don’t knows” increasing by firm size. In firms of 500+, 86% responded that they don’t know. In firms of 100-499, it was 61%. It is very likely that most large firms have suffered multiple hard drive failures, just not known by the individual responding attorneys. Even limiting the analysis to known hard drive failures reveals that one-third of respondents have still been impacted. That’s a high risk, particularly considering the potential consequences, and all attorneys and law firms should implement backup and recovery measures.
The Survey responses show that 50% of respondents back up once a day, 15.3% more than once a day, 13% weekly, and 7% monthly. 11% report that they don’t know, with unknowns increasing with firm size. Attorneys and firms that don’t back up on a daily basis, or more frequently, should reevaluate the risk in light of the incidents reported in the Survey.
The 2014 Legal Technology Survey Report provides a good roadmap of what attorneys and law firms are doing to protect information. Those who are behind the reporting attorneys on safeguards should evaluate their security posture to determine whether they need to do more to provide competent and reasonable safeguards. Those who are in the majority, or ahead of the pack, still need to review and update their security as new technology, threats, and available safeguards evolve over time. Effective security is a process, not just a “set it and forget it” effort. All attorneys should have appropriate security programs that include training and constant security awareness.