Lawyers insecure about data security: study

Talk about lawyers’ hubris: although 49 percent of legal businesses believe they will experience a data breach in the next five years, almost as many – 46 percent – report they have left confidential documents out in the open.

The hubris, disclosed in Shred-it’s 2020 Data Protection Report, has practical consequences: 24 percent of clients said they would stop doing business with firms that experienced a data breach.

Michael Borromeo says remote work increases data security risk

“Legal businesses need to close this transparency gap and demonstrate to their clients that the protection of their data is important to them,” said Michael Borromeo, Vice-President of Data Protection at Stericycle, which provides Shred-It information security solutions to business, in an email responding to written questions from “Thus, it’s important to ensure that organizational processes are in place to support the goal of maintaining privileged and confidential information sharing.”

As well, the advent of COVID-19 and its impact on the workplace suggests that the worst is yet to come.

“It’s no secret the pandemic has changed how and where we work, forcing millions of people to swap their office desks for kitchen tables for the foreseeable future,” Borromeo said. “However, remote work opens the door for more data security risks.”

Clients certainly look at it that way: some 83 percent of C-suite executives and 64 percent of small business owners who responded to the Shred-It study agreed that the risk of a data breach increases when employees work off-site or are not in the office.

It makes sense: working from home adds another location where lawyers or staff can leak information unintentionally to outside sources.

“Risks can include potential mishandling of physical documents, such as the improper disposal of confidential information, visual theft by visitors, and digital threats such as an unsecure Wi-Fi connection,” Borromeo said.

Yet some 20 percent of law firms confirmed they do not have a policy in place for disposing of information when employees work remotely.

According to Montreal-based Dominic Jaar, Canadian Advisory Leader, Clients and Markets at KPMG, cybersecurity issues in the legal industry tend to be proportional to the size of the firm.

“The major law firms have been under attack for years and are pretty well-equipped with procedures and technology to defend against potential breaches,” he said. “Solo practitioners, by contrast, are at the opposite end of the spectrum with many of them even lacking VPN connections to protect data.”

And while much of the brouhaha surrounding data security focuses on digital information, the threat to physical or paper-based information is just as real. Indeed, one of the key findings of the Shred-It study is that fully 20 percent of security threats to legal businesses stem from “physical loss or theft of sensitive information and external threats from vendors or contractors”. This includes not only paper-based documents but hard drives, laptops, cellphones, and other electronic devices which contain digital data.

“It is critical for organizations to have and follow a strong data protection policy for all types of information, regardless of format,” Borromeo said. “We believe that security for physical and digital documents is equally important, and businesses should not overlook physical security compliance to reduce risk.”

According to the study, law firms are particularly susceptible to “social engineering” scams. These typically rely on someone posing as a vendor or contractor in an attempt to have employees grant them unauthorized access to information or systems.

“The scams occur via email, letter, phone call, or even through social media,” Borromeo said. “They can cost organizations an egregious amount of money.”

The upshot is that it’s more important than ever for lawyers to address gaps in firm policies and procedures, implement best practices (Shred-It offers Clean Desk Policy and Remote Work Policy guidance online), put in place security measures for storing and sharing physical and digital information, and emphasize employee training on data protection.

It’s no time to get smug.

“The information security landscape is constantly evolving,” Borromeo said. “Data security must remain a priority.”



Julius Melnitzer is a Toronto-based legal affairs journalist, writing coach and media trainer for lawyers and law departments. Readers can reach him at [email protected] or at
