Peer to Peer Magazine

September 2012

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/80353

Page 108 of 127

Ask the Expert

All firms should be conducting formal risk assessments to best protect client data.

which affects big and small firms alike and can result in the loss of client data or personal information. Human error is always a problem — you can have the best policies and technology in place to deal with information security, but they will only be effective if people follow the policies and use that technology appropriately. And then there's the issue of insider trading. We've seen quite a few cases recently where lawyers have accessed confidential information on document management systems and then used that information to engage in improper conduct.

Tom Crowe: I see data security, remote access and social engineering as the big three. Data security is about maintaining the confidentiality of our client data. If we lose our clients' secrets, we're going to lose their trust and eventually lose their business. Attorneys are very mobile, and providing remote access solutions is important. If we don't offer a way for them to be productive when they're out of their office, they're going to find a way themselves. And possibly the weakest link is social engineering. We can apply technical solutions to problems, but security lapses such as a password being provided over the phone or failure to stop an unfamiliar person walking around the office are real threats to security.

What additional security challenges do international firms face?

Annette: One of the biggest security challenges is the sheer size of an international firm. There's a greater concentration of sensitive information because international firms across the world have so many offices and clients, so there are more people who can access that information, and there's more information being received that needs to be identified and protected. They're also operating in various jurisdictions around the world, which means there are different standards and regulations for data protection and confidentiality. Also, because international firms are generally acting on big deals with high-profile clients, they can be a bigger target for hacking and insider trading.

Brian: As Annette said, security is made more difficult because of the various regulations and specifics of countries and regions. There are prohibitions against exporting/importing technologies. There are requirements to register security technologies in places such as China. Personally identifiable information is regulated differently in the EU than it is in the U.S. The bottom line is more countries and regions mean more complexity and cost of compliance.

Tom: Cultural differences play a huge role in the perception of privacy and data protection, especially regarding regional security vulnerabilities. For example, hacking attempts in the U.S. don't necessarily reach European and Asian offices. As for mobile device adoption and MDM solutions, policy settings and privacy concerns in Europe are very different from those in the U.S. Europeans are creating unified policy that encompasses regulatory and compliance concerns while taking into account regional specifications. It can be very difficult having standardized policies across your entire infrastructure when places in the EU have stricter privacy concerns.

Matt: Laws aren't as strong in some parts of the world regarding things like spying and software and intellectual property theft. There are also some serious efforts by governments today to spy on people and organizations. Firms that operate internationally have an extra layer of security to deal with because of this.

Should law firms periodically conduct risk assessments?

Jeff: All firms should be conducting formal risk assessments to best protect client data. These assessments help management
