After a slow start with many legal firms taking a back seat when it comes to digital transformation, the industry as a whole has now become more connected and mobile. While law firms still have significant concerns about compliance and damage to reputation – if a firm was to suffer a data breach – the benefits of digital transformation have been mostly embraced.

My experience is that most legal firms have a good grasp of cyber security and data protection measures when it comes to their communications and data processing in the office environment. They’ve taken advice from the regulator and engaged the expertise of IT and cyber security providers to ensure that their clients’ data – which once was held under lock and key in filing cabinets – is now secure using cloud storage, private servers or hybrid models.

However, one area of data protection and cyber security that is sometimes overlooked, and often misunderstood, is the use of mobile devices and remote working.

Being able to visit clients and share information, work in a coffee shop between appointments, and reduce office overheads by having partners or members of staff working remotely, is a boom to most businesses. The legal sector is no exception. This flexibility and mobility increases productivity and saves money, key drivers for any legal firm today.

Moreover, the use of mobile devices for communication and for buying services has been widely adopted by consumers – you and me – and we want the same convenience in our working lives too.

The problem is that in many businesses employees and senior partners are using mobile devices without any thought to cyber security or data protection. They are not deliberately being reckless; it’s just not on their radar as something that needs to comply with the information security policies that exist in the office environment. They believe that they are a safe pair hands and that their personal devices are not a target for hackers.

Furthermore, those responsible for information security within a firm may not have the whole picture on how client data is being jeopardised. They don’t necessarily know that a partner is using a company laptop in public places. Or that an employee routinely accesses the CRM system from their own tablet. Until, that is, when an incident does occur and a client discovers that their highly sensitive information is in the wrong hands.

 

Implications of a data breach in the Legal sector

The implications for clients are far reaching. It could affect a legal case and put a client at a disadvantage. It might mean that valuable IP owned by a company is seen by a competitor. A data breach at a law firm could also provide a back door into your clients’ systems – cybercriminals are targeting businesses that give them access to larger enterprises with more valuable data to steal. Legal firms certainly fit the bill.

For the firm itself a data breach is likely to result in fines from the regulator, and from May 2018 significant fines from the ICO when GDPR legislation comes in force. This EU directive applies to all legal firms while we remain in the UK and will continue to apply after Brexit if your firm processes and stores data on any EU national – your European clients. Fines could potentially be as much as €20 million (or 4% of annual gross revenue).

Damage to the firm’s reputation is another reason you may want to shore up your cyber security policies to include mobile devices and remote working. Legal firms trade on their reputation for confidentiality and discretion, so a high-profile data breach can be disastrous.

Therefore, it is imperative that mobile devices and remote working are part of your firm’s information security policies and processes, and that partners and staff understand why. Awareness and education is always the best way to keep data secure, combined with cyber security and data protection tools.

For advice on managing a remote and mobile workforce, please see our article on the subject here.

We also run cyber security workshops in London and Surrey for business leaders and senior partners to help them identify the threats and risks that their business is exposed to. Our experience working with a number of legal firms and other regulated businesses means that these workshops are highly relevant and engaging. Click here for more details.