Is workplace messaging a security time bomb for law firms?

7 April, 2017 by Paul Shlackman

For many legal firms workplace messaging is a ticking security time bomb.

Office culture is changing fast. Legal practices now benefit greatly from allowing employees to use productivity-enhancing applications on their own mobile devices.

Among the most popular are messaging apps like iMessage or WhatsApp that enable employees to chat and share information in real-time.

These services may be useful but they also introduce new security risks.

In an Ipsos Mori survey of more than 600 solicitors, 59% said they use their smartphones to access the internet for business purposes. Around a third (32%) conceded that keeping up with technology developments could be difficult, while 42% believed that maintaining cyber security was a key issue.

Without proper controls, it’s a matter of time before careless employee messaging habits cost a law firm a serious breach of client confidential information.

Legal precedents

Most companies have a duty to keep client information confidential but this is especially true for lawyers and law firms.

Cybercriminals understand this and are actively targeting legal organizations.

One likely reason is their reputation for being slower than most to adopt advanced security measures.

According to a report by NatWest bank, as many as 1 in 4 UK law firms were hacked or hit by fraud last year.

In the U.S., 80% of the largest law firms have experienced a malicious data breach, giving hackers access to private business strategies, intellectual property and pending M&A deals. In 2016, attacks were reported by 48 of the top legal practices.

Arguably the most notorious incident was the Panama Papers scandal which allegedly involved an IT worker at law firm Mossack Fonseca leaking 11.5 million confidential client documents.

Regulatory pressures building

Mossack Fonseca was fined $440,000 for this security lapse. The incident has also left a lasting stain on their reputation.

Nonetheless, some industry observers saw the fine as “embarrassingly inadequate”. Notwithstanding the U.S. administration’s current stance on privacy, the long-term regulatory climate governing law firms worldwide is likely only to get tougher.

At least one new compliance standard – the EU General Data Protection Regulation (GDPR) – is already on its way.

GDPR reflects the EU’s view that data protection is a human right. It will apply whenever organisations handle data about EU individuals or the data has the potential to identify individuals that are living and working in the EU.

Organizations that fail to comply can be fined up to EUR 20 million (USD 21 million) or 4% of their worldwide revenue.

This is causing concern in some quarters. In studies, 87% of CIOs admit to being worried that their current information security policies and procedures are not just putting their company at risk, but will also leave them exposed under the GDPR.

U.S. companies are similarly concerned. A PwC survey that polled 200 U.S. companies with more than 500 employees found 77% plan to spend at least $1 million on GDPR compliance.

The EU also has plans for messaging and collaboration apps.

In 2016 the EU proposed extending the scope of existing telecoms regulations. The aim is to update the current framework surrounding the encryption, security and confidentiality of text, mobile and landline calls.

In future, web companies that provide voice calls and instant messaging services over the Internet will also have to comply. Among those that will be affected are Skype and WhatsApp.

What action should law firms take?

As EU laws on data tighten, it is clear that legal practices cannot afford to let workplace group chat continue to play Russian roulette with client confidentiality.

Fortunately there is much that can be done to reduce these risks.

A first step is to introduce new policies and procedures that specifically address what types of data can and cannot be shared in standard mobile group chat and collaboration sessions.

Additionally, it is worth considering investing in a secure messaging and collaboration platform that is built for business rather than consumer use.

Such applications encrypt data on the device, in transit and at rest. With message data stored centrally in an encrypted database, law firms can be confident that client information remains private and secure at all times.

And because they retain full ownership of that data – along with the encryption keys – firms can produce proof of compliance to auditors should they need to.

In summary, it is important for legal professionals to take steps to protect themselves against inherent risks in workplace messaging well in advance of new legislation. Failure to do so will potentially leave firms vulnerable to a data breach and heavy penalties.

To date, the number of serious data breaches at law firms like the one at Mossack Fonseca has been mercifully small.

However, the balance of power in terms of data rights is shifting away from companies towards individuals. At the same time, fines for non-compliance will get heavier.

Legal firms need to ensure they have sufficient measures in place for managing employee behaviour in mobile group chats and total privacy control over the data they share.