I had to do a double-take when I read that Japan’s deputy chief of government cybersecurity strategy, Yoshitaka Sakurada said he has never used a computer.
That pretty quickly became a triple-take the week after when Sakurada admitted that when it came to cybersecurity matters "I myself am not familiar with that", and went on to suggest his main role was "to read written replies without making any mistakes." All of which got me thinking that maybe it is perhaps wise to remember that it's not just lawmakers who sometimes seem ill equipped when it comes to cybersecurity; lawyers can be far from perfect in this regard as well.
Not that I'm suggesting law firms are ignorant when it comes to understanding the implications of the EU General Data Protection Regulation (GDPR), far from it. However, there's a difference between understanding the law and implementing the best protocols to ensure you don't inadvertently sleepwalk into becoming a lawbreaker yourself.
Given that the PwC UK Law Firm Survey 2018 shows that 60% suffered a security incident during the year, law firms need to pay attention here. What I am suggesting is that law firms could, should and must do better in certain aspects of their cybersecurity management strategy.
Another recently published report, the Law Firm Cybersecurity Q4 Scorecard from legal IT consultancy LogicForce, reveals several areas where the legal industry is falling short.
Client confidentiality is a core concept that every lawyer understands from the moment they start studying law through to the day they retire from practicing it. That this concept now extends deep into the digital ether courtesy of the technology we use every day should not be overlooked.
Increasingly, confidentiality has become so core to corporate clients that they will often require (for regulatory compliance if nothing else) a law firm to undergo a security audit before a prospective business relationship becomes a real one. This is an accepted part of doing business in regulated industries, and not an alien concept to lawyers by any means.
Yet, according to the LogicForce report, the same isn't true in reverse: 63% of law firms are not vetting the cybersecurity and data management policies of their third-party service providers. Say what now? This isn't doing enough to protect client data; third-party risk sits right up there at the top of the 'things to be mitigated' list in my opinion, and likely that of any breach investigation with GDPR compliance in mind. That 88% of law firms invested in penetration and vulnerability testing isn't going to be enough on its own.
Not that it's all bad news, but it is a case of one step forward two steps back much of the time. So, while according to LogicForce 99% of law firms implemented password management, 53% didn't employ multi-factor authentication. It's a given that client data is going to be front and center on any threat actors' radar.
Just as it is that internal threats (accidental as much as malicious) are as problematical as external ones; the PwC report revealed 46% of law firms had reported a security incident related to their own staff involving the leakage of confidential information in 2018.
Getting the rules right regarding access to that data isn’t optional, and that means ensuring you not only know what and where the sensitive data you hold is but who has access to it and when. All of which makes another of the findings from that LogicForce report jump out at me: 45% of the law firms questioned didn't have documented cybersecurity policies and procedures. Say what again? Surely this kind of thing should be covered by information governance policies within the law firm itself (and if not, then maybe you need to be asking yourself why not?) and almost certainly will be by your corporate clients?
Getting the basics right can be the difference between being a secure practice and the potential next Mossack Fonseca. Nobody wants to be at the center of a Panama Papers scandal, yet in the face of an ever-evolving threat landscape populated by ever-better resourced threat actors, and the insider risk of course, what constitutes 'reasonable effort' to protect against disclosure of data is something of a moving target.
The principle that ignorance of the law excuses no one is not unfamiliar territory to lawyers, but neither must 'ignorance of cybersecurity' be when it comes to protecting client data.