Law firms falling down on physical data security

Wednesday, June 19, 2019 @ 10:55 AM | By Julius Melnitzer

Forget cybersecurity — because law firms, it appears, can’t even keep their desks clean.

Notwithstanding all the noise coming from C-suite types and in-house counsel about the critical nature of data protection, a recent survey from Oakville, Ont.,-based Shred-it — which is, somewhat ironically, a multinational data destruction company — shows that Canadian businesses, including law firms, are still not prioritizing physical information security, even as they remain in denial of the consequences of a data breach.

Indeed, Shred-it’s ninth annual Data Protection Report (DPR), conducted by Ipsos, reveals that security is lacking at even the most fundamental levels. For example, it turns out that human error, whether by an external vendor (39 per cent) or an internal employee (33 per cent), is the leading source of potential data breaches at law firms.

No surprise, really, given the fact that only 25 per cent of law firms have a locked console and an in-house shredding machine; only 28 per cent train their employees on information security procedures twice a year or more; and just 57 per cent believe that their employees adhere to organizational policy for storing and disposing of confidential information.

“Law firms do a pretty good job formulating policy, but they fall down in managing their data protection practices and training their employees properly,” said Peter Vincett, vice-president at Stericycle Canada, provider of Shred-it solutions.

It’s not that law firms aren’t aware of this: in fact, 90 per cent feel they need to do more to show employees and customers how they are protecting personal information. But as the survey shows, they’re somehow of the view that data protection is better left to others — as in what’s good for the goose clearly isn’t appropriate for the gander. So, while blissfully neglecting their own house, no less than 89 per cent of law firms feel that data security is a top priority when choosing their business partners.

All this even though 26 per cent of clients told Ipsos that they would stop doing business with their current law firm if a data breach were to occur. And that doesn’t just apply to business clients. Millennials, who make up the dominant consumer pool, are the group least forgiving of data breaches: 43 per cent would lose trust; 39 per cent would tell others about the breach; and 43 per cent would seek compensation.

“All lawyers, from major firms to sole practitioners, are vulnerable to the consequences of sloppy data protection practices,” Vincett said.

So how are law firms getting away with it? Fortunately, for them, their clients’ performance in this arena doesn’t appear to be any better. Industry-specific results from the financial, health care, education and hospitality sectors are equally dismal.

“There’s a disconnect throughout the business community between the importance organizations say they place on treating confidential information properly and the extent to which they are taking the requisite steps to handle the data,” Vincett said.

Most distressingly, perhaps, the DPR revealed that while more than 47 per cent of C-suite executives in large businesses believe that data breaches are “not a big deal” or “blown out of proportion”, 82 per cent of consumers disagree. Maybe that’s why the number of reported data breaches in Canada has doubled in the past year, with 45 per cent of C-suites confirming a breach as opposed to 24 per cent previously.

Putting in place a policy that focuses on “keep your desks clear and your storage places locked” as the overriding mantra, then, is only the first step in compliance.

“Laptops and mobile devices should be tethered or locked down — stick those laptops, as well as anything else that has confidential information in it, in secure filing cabinets if you have to,” Vincett said. “Do walkarounds to ensure that your employees have clean desks and follow up initial training sessions by revisiting them at least once a year.”

Equally important is the implementation of a screening process for employees, vendors, and, according to Vincett, “anyone who comes in contact with the office setup.”
