Editor's note: In the process of reporting Law Technology News magazine's April cover story, "Feeling Insecure? You should be: Cybercriminals (and the government) may have access to your confidential data," I interviewed numerous professional, including this Q&A with Ben Sapiro of KPMG Canada. —Monica Bay
Q. In the context of Big Law, what are the three biggest threats in 2014 to client confidentiality?
1. Data moving outside the realm of classic corporate control to mobile devices and the cloud.
2. The opportunistic or incidental compromise in which your systems are infected or otherwise breached not because of who you are (or who you provide services to).
3. The third-party attack in which you are compromised to allow the criminals to gain access to a third party that trusts you (or the inverse where you are breached via a third party you placed undue trust in).
Q. What are the three most important things that Big Law must do to protect the confidentiality of client data?
1. Clearly understanding client expectations when it comes to protecting their information. If you don’t understand what your clients expect of you, then you cannot invest in the appropriate level of protection and make informed decisions about risk. Once you understand what is expected of you must demonstrate to yourself (and stakeholders, such as clients or regulators) that your protections are both adequate and effective—pointing to the existence of a specific technology or a policy isn’t sufficient anymore when it comes to protecting client information. You need to show both yourself and others that your protection efforts are working as expected and are appropriate for the level of protection required.
2. Keeping track of your client information in a mobile and cloud world. Client information in electronic format flows like water among email, removable storage (such as USB drives), cloud services, laptops, tablets and mobile phones. Firms must be clear on where their data is allowed to go; how it must be protected; and what they will do if the device or system storing the information is lost, unavailable, or subject to unauthorized access. Knowing where your information is—and having clarity on how to protect it—will drive conversations on what you should be doing and what you will tell your clients about the confidentiality of your data.
3. Create a detailed and practiced response plan to deal with data breaches. Even the best protection technologies and processes fail; nothing is perfect, nobody is infallible. Practicing different scenarios not only helps identify gaps in your process and technical capabilities, but increases the likelihood you’ll handle an incident properly when it actually happens.
Q. What strategies should Big Law be using to protect confidentiality of client data?
Before you invest in new defensive technologies, start with the basics:
1. Designate a senior professional who is accountable for protecting client data and can make decisions around strategy and investment. Your IT team can help implement technologies and practices, but they likely are not sufficiently skilled, resourced or senior enough to own this problem. Your security and privacy leader should "own" a clear policy and governance framework—and must report to the senior partners.
Remember that security is a complex topic, similar to complex areas of law requiring specialized expertise; so ensure that the person accountable for security either possesses that expertise from years of experience and study, or is supported by experienced professionals and advisors.
2. Identify all your technology and the data it holds. Create a process that keeps the information current, which is essential to respond to confidentiality breaches. More importantly the list will define everything you need to protect.
