Data Security and Clients’ Demands (Richard Kemp in The Lawyer Special Report)
Law firms are having to put more focus on data security as clients grow more demanding. Richard participated in The Lawyer’s expert panel to discuss issues such as the Cloud and data sovereignty, and how they affect delivery of legal services, concluding that good management is paramount for law firms as clients increasingly demand a more proactive approach to data.
Q: What do you see as the most significant concerns clients currently have in relation to how their data is being managed by law firms?
Richard Kemp, founder, Kemp IT Law: The computerised information that a law firm holds can be its clients’ most sensitive data. Big clients therefore view data security as one of the most important aspects of their law firm relationships.
Q: What exactly is data sovereignty and why is it becoming a significant issue for firms and their clients?
Kemp: Data sovereignty is the control – or rather, when control can be lost – that a firm has over access to its data in the place where that data is located.
When firms hold data in their onsite servers this generally isn’t an issue. But as the Cloud becomes the new normal, there are attractive benefits for a firm putting its data in the Cloud provider’s data centre.
Those benefits come at a cost. One of those is the times when a third party can access that data in the data centre without the firm’s consent, or even knowledge.
‘Data sovereignty’ focuses on access by the data centre provider’s home or overseas security services, but it really covers any unauthorised access.
Hand in hand with data sovereignty goes data domiciliation – knowing and controlling the jurisdiction where your Cloud client data is located in order to manage data sovereignty risk.
Q: Are you seeing clients increasingly insist on any of the following: information security reviews; requiring their law firms to comply with client information security policies/procedures; and requesting data audits?
Kemp: Clients are becoming more assertive in their law firm relationships in using the range of IS management tools and techniques they apply to their procurement generally.
At law firm tendering stage, these range from questionnaires about the firm’s IS to mandating specific IS technology and penetration testing to determine the adequacy of the firm’s IS. In the engagement agreement, the client may require the firm to comply with the client’s own IS and related policies and procedures and may make provisions for auditing the firm’s IS – whether routinely, when the client’s own regulatory position requires, or in the event of actual or suspected breach.
Q: What practical steps would you suggest firms take to reassure their clients that their data is secure?
Kemp: Information security is a strategic issue for every firm advising enterprise clients, and firms should think about the quality of their IS in the same way as they think about quality of their legal advice and service.
This means allocating budget, time and resources to getting IS right – to the level of best industry practice – and then keeping up to date and improving; articulating and maintaining IS policies and procedures; and training all staff in IS awareness. Certification to the ISO’s data security standard, ISO 27001, is something that more law firms are now starting to consider.
Q: Do you believe that data security and the implications of data breaches are fully understood at board level in the legal market?
Kemp: Guaranteeing confidentiality and discretion and handling sensitive data are so much a part of what a law firm does that the legal services market is particularly at risk from data breaches.
Up to now, data breaches have tended to be about the laptop left in the cab or the disk lost in the post and the implications of these are well understood. But as more data migrates to the Cloud and hackers get more sophisticated and bolder, law firms could well end up in the crosshairs.
Q: Do you believe that Cloud providers generally understand the requirements of firms and their clients in an increasingly cross-border market?
Kemp: The Cloud provider industry is at an inflection point right now, and this means that there’s a huge range of Cloud service providers (CSPs) in terms of cost, quality and size. For the largest CSPs, law firms are seen as a proxy for the enterprise client market – because they handle the biggest companies’ most sensitive data – so there’s an opportunity for the law firm world in this market to help shape these CSPs’ service offerings and learn what a firm really needs to manage Cloud client data effectively.
The bigger risk is at the lower end of the CSP market, particularly over the next couple of years or so before it starts to consolidate, where some providers will inevitably sell on cost and may be less thorough around data security.
Q: Do you expect to see more legal-specific services in the Cloud over the next few years and if so, what issues and benefits does that raise?
Kemp: Over the next few years, the same difficulty will arise for firms and Cloud service provision (CSP) as for firms and IT generally over the past 20 years. This is that while firm CSP requirements are very specific and bespoke, the law firm market is small in relation to the enterprise computing market as a whole and so possibly may not justify large-scale investment from the CSPs.
This means that unless law firm CSP requirements mirror mainstream enterprise CSP requirements, it may be difficult for firms to shoehorn themselves into what will increasingly become a ‘one size fits all’ CSP environment. However, this will enable specialist CSPs to develop, perhaps on a global basis, which will be able to manage the range of law firm data protection, security, sovereignty and domiciliation issues down to a jurisdiction-by-jurisdiction level.