Law firms are juicy targets for hackers – is your data safe?

  • April 12, 2016
  • Ann Macaulay

Privacy and confidentiality concerns took centre stage in April in the wake of Panamanian-based law firm Mossack Fonseca’s massive data leak. The theft of millions of its confidential documents exposed the names of the firm’s clients and their use of offshore shell companies and tax havens.

Founding partner Ramón Fonseca told Reuters the firm had ruled out an internal leak of the information. “This is not a leak. This is a hack,” he said. But whether the documents were leaked by an insider or hacked by an outsider, the big question is: Which firm will be next?

“Law firms are appealing and sought-after targets,” said Dan Pinnington, vice president claims prevention and stakeholder relations at Lawyers’ Professional Indemnity Company in Toronto. “We’ve got loads of sensitive and confidential information, frequently have large sums of money in the trust accounts, bank accounts and, relative to many of our clients and particularly bigger institutions or corporate clients, we tend to have weaker security. So the hackers literally come after us.”

More than 80 per cent of American law firms have had some type of breach, according to a 2015 Bloomberg article. And there’s a wide range of hackers out there, including foreign governments, hacktivists, organized or petty criminals—even high schoolers trying their luck at breaking into a firm’s files.

The Panama Papers have provided a very practical lesson for law firms, said Pinnington. He advises managing partners to take a hard look at their security and do an assessment. But it takes time, effort and money to make sure a system is secure. Most law firms need expert, often outside, help. Medium-sized or smaller firms don’t have the same resources to employ dedicated IT and security people as major corporations or financial institutions, he said, and “they don’t dedicate the time to make sure their systems are 100 per cent secure and up to date.”

Malware is typically the vehicle that allows hacking to occur, Pinnington added. There’s a wide range of malware, including programs that open a back door into the system, as well as keystroke loggers that capture login names and passwords. Ransomware encrypts data, and the hackers then demand bitcoins in return for a decryption key to recover the encrypted files. Unfortunately, “there’s no quick fix or silver bullet that will fix everything for you,” he said.

Here are a few ways to mitigate risks:

Pick a better password

Passwords are often the weakest link in protecting data. Pick ones that aren’t short, obvious or common words, Pinnington advises. “The best practice is to create a unique, complex and random password for every service you use.”

Look at the cloud from both sides

Pinnington hears from many lawyers who are extremely concerned about the safety of using the cloud to store a firm’s information, but he believes it has become more acceptable as a practical and technically safe option. However, he cautions that placing client or firm data in the hands of third parties raises issues of security, privacy, regulatory compliance and risk management, among others. Perform due diligence and consider all risks and benefits before moving any firm data to the cloud.

Designate a privacy officer

Lawyers don’t just have to worry about outside threats; they also must be concerned about protecting privacy and confidentiality from within. Designate a privacy officer, understand the legal obligations under the Personal Information Protection and Electronic Documents Act and have appropriate policies in place that govern the protection of personal information. Teach lawyers and employees about the dangers and have technology-use policies that set out the rules.

Create and circulate a written privacy policy

It “should be made accessible on the firm’s intranet site or whatever format they use to communicate their policies,” said Lindsay Wasser, co-chair of the privacy and cybersecurity groups at McMillan LLP in Toronto. The policy should be brought to the attention of new employees in particular.

BYOD shouldn’t mean Bring Your Own Disaster

The bring-your-own-device trend allows lawyers and staff to work remotely but opens the door to the risks of loss, theft or malware.

Many organizations use company-issued devices with limits on personal use. If personal devices are allowed, firms can implement software to contain or “sandbox” the personal information from the company-owned information. A separate password can be used to access the work container and the technological safeguards applicable to that will be “higher than the safeguards that are on the personal information in terms of not allowing random applications to be downloaded to that, which may have viruses or malware,” said Wasser.

Confidentiality clauses

Contractual requirements can help to protect information from leaking out. Many firms have a provision in their contracts with employees that specifically states they will protect the confidentiality and security of personal information in accordance with applicable laws and/or that they will comply with the firm’s policies, including policies on protecting personal information.

The law surrounding privacy obligations is rapidly developing, said Wasser. “In the past five years the Ontario courts have recognized two new privacy-related torts, intrusion upon seclusion and public disclosure of private facts, and, even absent those causes of action, plaintiffs’ lawyers are alleging things like breach of contract, negligence, breach of statute, etc.”

Do something

Class-action lawsuits are becoming more common for breaches of privacy and the misuse of personal information, said Wasser, “and that’s where there’s really significant potential for liability.” Do as much as possible to protect the privacy of the firm’s information, she advised. At the very least, do something “to show that you knew there was an issue and tried to make sure that your employees and your partners are aware of the issue and paying attention to it. If you do nothing and there’s a breach, you’re going to have trouble demonstrating that you did what was necessary and reasonable in the circumstance to protect the information.”

Provide training for everyone

“In a small law firm, even a meeting just to make sure that employees are aware of the obligations and the potential consequences of non-compliance, something to fulfil your obligations as an organization to ensure that your employees or your partners are complying with their obligations, is good practice,” said Wasser.

She advises managing partners “not to rest on the assumption that just because you’re dealing with lawyers, they know what they’re supposed to be doing.”

Ann Macaulay is a Toronto writer.