One of the subjects I have as part of my LLM is Delivering Legal Services Through Technology, which has become one of my favourite modules because it exposes me to the most innovative lawyers and legal tech developments. Last week we had a presentation from Littler Mendelson, which is one of the top labour and employment firms globally. One of the presenters spoke about cybersecurity and he raised a number of points I had not considered before regarding how lawyers need to be more prudent in how we keep clients’ information.
As legal practitioners we have access to clients’ extremely sensitive information, such as personal information of individuals in organisations from general labourers to the C-Suite executives (addresses, phone numbers, ID or social security numbers, certified copies of identity documents, salaries, etc.), financial information of private companies, details on intellectual property, including trade secrets or applications that are still in draft, Wills, Trusts and critical information that relates to commercial transactions. Legal practitioners are ripe targets for hackers that want to attack either individuals or organisations for ransom or to find information to sell to rivals. Unfortunately, legal practitioners are lagging behind in developing a security protocol from a digital perspective to ensure clients’ data is secure.
The Big Deal on Data
The General Data Protection Regulation (“GDPR”) came into effect on 25 May 2018 and was adopted by the European Union Parliament with respect to the treatment of data that relates to any EU citizen. Personal data is considered to be “information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, etc.”
[Side note: If you are subscribed to any type of app, do you remember when there was a period where they all sent updates in line with the GDPR?]
As we have moved from the paper age to the digital age, the word on the street is that “Data is the new oil”, and we have seen the profitability of harnessing data with the rise of “unicorns” (companies with a valuation of more than $1 billion) such as Facebook, Airbnb and Uber. This same information can also be used extremely maliciously, for purposes ranging from online banking fraud and creating deep fakes to stalking and crimes resulting in loss of life.
A number of countries globally have begun to promulgate legislation to protect data, and some businesses will even consider the data protection laws of a country before beginning operations there. If you aren’t sure what laws your country has in place you can have a look here. This is very important, as failure to adhere to these laws could land you in a lot of legal trouble with fines or even jail time, e.g. failure to comply with the GDPR could lead to a fine of €20 million or 4% of the annual global turnover of the company.
Why You Should Care:
- This is the law.
- As a legal professional (and if you are a director of a firm, or company) you have a duty of ethics to your clients, which includes diligence, care and skill in the work you do.
- It makes you more competitive to clients. A number of clients have started to request that legal professionals show them their Governance, Risk and Compliance registers to see which service providers they use to provide data protection support and the protocols that occur in the event of a breach.
- It could happen to you. If a large law firm like DLA Piper could be the victim of an attack, just imagine how easy it would be for hackers to get into your system.
Who Let The Dogs In?
In most instances someone in the company lets the hackers in, either by becoming a victim of phishing attacks, using a USB you randomly found in a conference room, losing a work laptop or phone, or visiting websites that are filled with viruses (hint: the sites with pop-ups that say you just won something you didn’t apply for, or tell you how easy it is to make money working from home).
You also tell them who your clients are through the “Our Clients” section of your website: you aren’t just marketing to other potential clients, but also to hackers. You are telling them who is home.
What You Can Do:
Come back next week, when we talk to a cybersecurity expert who will give us tips on what to do regardless of the size of your practice. In the meantime, like your mom said, don’t talk to strangers!