Managing sensitive legal information has always been complex. Today, it’s more complicated than ever with the rise in cybersecurity threats, volume of information and new and emerging data sources. In response, the legal department’s influence on information security decisions has increased in the past three years, and it comes none too soon: more than 90% of legal operations professionals cite security as a major concern, up substantially from just three years ago.
This concern is grounded in reality: a recent study found that hackers attack computers with internet access every 39 seconds.
Looking beyond traditional legal roles
It’s no secret that legal professionals are a soft target for cybersecurity threats. They hold treasure troves of high-value sensitive company information and communications, including IP, trade secrets, proprietary information, customer PII, information about pending litigation and regulatory requests, and more. With the increase in mobile devices and the movement to the cloud, much of this data is now digital, presenting additional challenges for data security.
On top of this, increasing regulatory obligations, government rules and data privacy protections such as the GDPR and the California Consumer Privacy Act further complicate data security in legal organizations. They necessitate a holistic enterprise approach to securing sensitive data, a need that is likely to continue as more states contemplate new legislation. In the 2018 legal operations survey, 69% of respondents reported that data privacy regulations have changed the roles and responsibilities in their organization around security and compliance, and 80% of respondents advised that data privacy concerns affect how they handle discovery and investigations. This is particularly important given that 49% reported that the volume of government or regulatory investigations has grown over the past 12 months.
Further, attorneys have ethical obligations around data security and privacy. For example, the ABA Model Rules of Professional Conduct and Formal Opinion 477R make it clear that lawyers have an ethical responsibility to use reasonable efforts to manage the risk of inadvertent or unauthorized disclosure when communicating client information using the internet.
Despite these concerns, a full 10 percent of legal department professionals are still using non-encrypted email as one of their data transfer methods, citing management and IT change management as obstacles to improvement.
How to get ahead of security and data privacy risks
For legal professionals looking to change their approach to data security and privacy, here are some key strategies and tactics you can adopt:
- Centralize eDiscovery data and processes: Initial results from our 2019 legal operations survey indicate that 94% of respondents have data security concerns around distributing ESI to multiple discovery vendors and law firms, an increase from 91% in 2018, 89% in 2017 and 72% in 2015. You can mitigate the risk of sending ESI data out by centralizing legal data processes and management in a single repository, as one global technology company has done. Centralizing also lets you correctly code or tag privileged, confidential, trade secret or sensitive documents just once for use many times across repetitive matters (e.g., IP litigation related to a pharmaceutical core compound), so they don’t get miscoded in subsequent litigations and inadvertently produced. Centralization also helps keep your data secure by allowing in-house teams to control access and limit the flow of sensitive information across disparate law firm and vendor databases.
- Take advantage of the cloud: Cloud adoption is on the rise, and for legal professionals there can be security benefits to moving to the cloud, such as optimizing data transition and data management. There is no need for legal support staff or IT personnel to import and export data between systems: ESI can move seamlessly, and without needless vendor intervention, from collection to processing and early case assessment to review, and ultimately to production. Certainly, there is a continuing need for some level of on-premise tools that can collect from diverse and often idiosyncratic endpoints, but a majority of eDiscovery processes can now be conducted seamlessly in the cloud.
- Conduct a security audit of your law firms: Corporate clients are increasingly auditing their law firms’ security protocols, which can help to mitigate cybersecurity risks. In 2018, the share of clients that audited outside counsel grew to 31%, from 26% in 2017, and we expect this pace to continue. In connection with this trend, many legal operations professionals indicated that their law firms sign a data protection agreement, and that anyone who receives personal data must undergo a mandatory initial security assessment.
- Protect content at the document level, not just the device level: To better address security on high-value content beyond the device level, corporate legal departments and law firms are using proactive monitoring tools embedded in content management systems to enable rapid detection of and response to insider threats. For example, OpenText™ eDOCS and the eDOCS Defense module protect content at the document level with proactive activity monitoring and real-time alerts if unauthorized users try to view sensitive information, along with document-level encryption at rest. Both features are designed to prevent insider threats, the fastest-growing source of cybersecurity risk.
Join us at Enfuse to learn more
Join me at OpenText Enfuse 2019 from November 11-14 at The Venetian Resort Las Vegas to hear more about these trends and the best ways to proactively mitigate risk and respond when a cybercriminal does attack. With more than 100 sessions, Enfuse is a great opportunity to learn how OpenText can help you meet the changing cybersecurity needs in the legal profession.