Law firms have long been viewed as the most trusted of advisors to their clients, and lawyers learn early in law school the importance of maintaining confidentiality of information shared with them by their clients.
However, the security of that relationship has been threatened of late by the emergence of external cyberattacks and, in some cases, weak internal controls. Criminals have in fact identified firms as ideal targets to obtain highly sensitive data that could be used for financial gain and political disruption.
Recently, Neil Sternthal, managing director in Legal for Thomson Reuters Canada, Australia and New Zealand, sat down with Charles Morgan, national leader of McCarthy Tétrault LLP’s Information Technology Law Group and co-leader of the firm’s national Cybersecurity, Privacy and Data Protection Group in Montreal, to discuss how firms like McCarthy Tétrault are managing the cybersecurity challenge.
Neil Sternthal: In the wake of fears around recent ransomware attacks targeting law firms and the 2015 Panama Papers incident, what are the risks legal professionals need to be aware of when dealing with client data in the normal course of information exchange and storage?
Charles Morgan: The main thing law firms have to realize is that we are targets of cyberattacks like any other major business in the world. Law firms have a lot of valuable, confidential client information and so we’re going to be targets, just like anybody else. We have to approach cybersecurity issues through the same “enterprise-wide risk” assessment lens as many of our clients.
As lawyers use more and different kinds of technology that offer new opportunities for efficient communication with clients, so too the “bad guys” are finding new tools to infiltrate that information.
We have put in place safeguards such as encrypted computer hard drives, encrypted mobile devices and dual-factor authentication for any remote access to the firm’s networks.
Hackers are becoming increasingly sophisticated and increasingly convincing in their efforts to present themselves as either legitimate firm clients or as members of an expansive deal-team. The best way to protect against that is to reinforce a culture of vigilance and awareness through training.
In this regard, law firms have a natural advantage over many other businesses in mitigating such cybersecurity risks because the importance of maintaining the confidentiality of client records is hardwired into lawyers’ training, culture and professional responsibilities. But as hackers become ever more sophisticated, it is important to refresh old reflexes. Every lawyer and employee in our firm has received recent training on how to spot red flags
Sternthal: A couple of years ago it was thought that law firms were the “soft underbelly” of data security. Is that a dated view or is there still some truth to that?
Morgan: I can’t speak for all firms, but as regards large firms, it is probably a dated view. It may have once been a legitimate concern – but the risks have become apparent and large law firms are acting accordingly.
Law firms have adopted enterprise-wide risk assessment and mitigation strategies.
You can read the full article in the new issue of Forum magazine.