Law firms and privacy compliance

What are the main privacy-related issues affecting law firms in 2017 and how can they be resolved? As part of a series of articles to mark Data Privacy Day, we ask a data protection expert from a prestigious international law firm about the privacy issues faced by his and other law firms.

Before it’s here, it’s on Lexis®PSL. Click here for a free trial. 

What problems does privacy frequently present to law firms and how can they be best avoided?

Due to the nature of the work and well-established rules on legal privilege and confidentiality, law firms hold significant amounts of business sensitive data. This includes employees’ and clients’ personal data, as well as financial data and sensitive information about corporate clients which is of interest to a variety of parties.

As a result, law firms can be key targets for cyber security attacks, and many are now becoming more aware of the privacy and security risks they face, not only from attacks perpetrated by third parties, including foreign states, but also from data exfiltration by disgruntled or former employees. In early 2016, nearly 50 top law firms were subject to cyber-attacks by hackers reported to be linked to the Chinese Government. The attacks were aimed at gaining commercially sensitive information for the purpose of insider trading, and hackers attempted to obtain this information by accessing lawyers’ email accounts. The trend of ‘bring your own device’ (BYOD), which has permeated the legal services industry, and remote working have exacerbated the risks.

Law firms should ensure that appropriate security measures are in place and ensure that their lawyers and staff receive sufficient training to prevent against security attacks and/or breaches. We are seeing a trend of more US firms engaging security specialists and personnel adept at guarding a firm’s critical infrastructure—client and marketing lists, electronic directories and files, and communications networks—from security threats, as well as introducing policies and procedures to regulate the behaviour of staff.

With a number of high profile breaches taking place in 2016, including the Panama Papers leak, is there now more of an onus on law firms to carry out cyber security checks and ensure compliance? Is there a need for an IT risk assessment to be enshrined in law?

Under current data protection law, holders of personal data (including law firms), are responsible for ensuring adequate safety measures are in place to avoid personal data breaches. This has long been the law. That said, the increase of high profile breaches, such as the Panama Papers leak, has increased awareness for law firms that greater security measures may need to be put in place to prevent these incidents happening again in the future.

Among other things, recent high profile breaches illustrate the reputational consequences that come from a failure to safeguard against data breaches. The reputational harm is a significant motivator for law firms, given the damage it can cause to sensitive client relationships, so having IT risk assessments enshrined in the law is probably not essential. Certainly, any law firm today that is not carrying out cyber security checks, on a regular basis, as well as monitoring the health of their IT networks is taking on board a significant risk, both in terms of legal exposure as well as reputation.

Is cloud-based software being integrated into law firms and if so what are they doing to ensure client confidentiality is not breached?

Cloud-based software is increasingly being used by all manner of organisations to ease the technical and compliance load of storing and processing large amounts of personal data. Cloud-based software providers are also under obligations regarding the protection of personal data. That said, we have seen varying practices among firms in terms of reliance upon cloud-based solutions to their hosting and storage of their data.

Some firms remain wary of the potential loss of control over the data and note their obligations to ensure confidentiality (which may be hard to ensure in the event law enforcement authorities compel cloud providers to furnish access). Other firms appear more willing to use cloud providers, perhaps for human resources data and possibly for other data, and somehow square their ethical and professional obligations with the fact that the data uploaded on to the cloud may be subject to new security and privacy vulnerabilities.

Do you have any best practice tips for firms on exercising due diligence when controlling and managing corporate data belonging to clients?

A key tip for law firms is ensuring that lawyers and staff are properly and regularly trained and made aware of security risks when it comes to managing data belonging to clients. This is particularly important as the trend towards remote working and BYOD gather pace, and employees access and transfer data across the internet. Remote access to systems should be authenticated and logged.

Further best practice steps include ensuring appropriate security measures are in place, such as password protecting devices, regularly updating passwords, encrypting data, and keeping paper files locked away. Law firms should also ensure that they are using trusted software when managing data electronically. Related to this, firms should be conducting regular checks of their systems and engaging competent personnel to oversee IT security matters throughout the firm. Cyber security threats change and develop over time, so firms have to understand that their defensive measures will need to adapt and change as a result.

Is there any regulatory guidance available on these topics?

Under the Legal Services Act 2007, solicitors must abide by certain principles, including a duty to maintain client confidentiality. The Solicitors Regulation Authority (SRA), in 2014, published a report called ‘Spiders in the web: the risks of online crime to legal business’ which raises awareness of potential cybercrime risks to law firms and offers useful examples of good practice that law firms should be striving towards. The SRA also has a dedicated cybercrime page on its website in which it publishes other useful resources to help raise awareness and support for law firms.

Will the General Data Protection Regulation (GDPR) apply to law firms and how should they prepare?

Much like the current data protection regime, the GDPR will apply to anyone, including law firms, processing personal data. Law firms regularly process personal data obtained from clients such as recording and storing for the purposes of being able to provide legal advice and transactional assistance.

The GDPR introduces various new requirements that businesses processing personal data will have to comply with. These include new record-keeping obligations, the appointment of a data protection officer (for certain businesses), and a duty to report certain data security breaches to relevant supervisory authorities. Law firms will need to ensure that they are placed to meet these obligations by May 2018.

What should firms be doing about data transfers to the US?

Businesses may transfer data from the EU to the US by certifying to the EU-US Privacy Shield framework. While many businesses have certified, it does not appear many law firms have chosen this option. This may be due to fears that their practices become a matter of public record, via the Privacy Shield certification process. This makes many firms uncomfortable.

However, data may still be transferred to the US by ensuring other appropriate safeguards are in place such as through using standard contractual clauses (in a European Commission approved form) or through binding corporate rules. Alternatively, there are various derogations under the Data Protection Act 1998 (and under the GDPR) which, if satisfied, mean the data may still be transferred to the US (an example is where the data subject has consented).

Law firms should ensure that they are using any one of these legal means when transferring data to the US, and we have seen some interest from the UK’s Information Commissioner’s Office to penalise law firms where they fail to comply with the UK’s data protection regime.

Interviewed by Robert Matthews. The views expressed by our legal analysis interviewees are not necessarily those of the proprietor.

Relevant Articles
Area of Interest