What are the security implications for law firms using emerging technologies such as cloud computing? The solicitors' profession is rapidly evolving in an age where working 'in the cloud' is increasingly common due to its attractive cost efficiencies and flexibility – but it comes with significant cyber security risks. Lockton are experienced in advising law firms on managing the risks inherent in adopting new technology, and we offer strategic, efficient and timely solutions to those risks.
What is 'Cloud'?
Cloud computing is the outsourcing of data processing and storage to an external, remote provider. It necessitates the surrender by firms of full control of their software and data - frequently to providers which store the information in unspecified jurisdictions.
What are firms' information security obligations?
Firms must comply with their obligations under the Solicitors' Code of Practice and:
- Comply with Chapter 7 of the Code (Management of your business) in relation to information security
- Data controllers must comply with the Data Protection Act 1998
- Firms monitoring or storing electronic communications must comply with s3.2 Regulation of Investigatory Powers Act 2000 and
- Ensure compliance with the Computer Misuse Act 1990.
These requirements are set out in full in the Law Society's Practice Note on Information Security.
Is the profession failing?
It has some way to go: in its recent report on cloud computing, law firms and risk, the Solicitors Regulation Authority (SRA) found that risk management by firms using cloud computing is somewhat lacking. The SRA, which acknowledges the benefits cloud computing brings to law firms, expressed concern at a "lack of due diligence on the part of firms over their outsourcing arrangements".
What are the risks?
Cyber security risks include hacking by politically or ideologically motivated 'hacktivists'; individuals searching for confidential information; and attacks by criminals seeking to steal funds by accessing account information. Potential risks also arise where a firm has workers who are not under the firm's control.
Government-level surveillance is an additional risk identified by the SRA in its report, which warns that widespread data surveillance by the National Security Agency (NSA) could threaten the security of cloud computing for firms acting in confidential mergers.
Law firms, particularly financial and corporate practices, are seen as soft targets, possibly a reflection of the relatively weak risk control endemic within the profession. Nor is this just an issue for large firms working on high profile matters. Indeed, smaller firms and businesses may be at particular risk of a cyber-attack as they are perceived to be more vulnerable. And the risks to firms increase where cloud computing is adopted.
What can you do?
It is critical to understand the risks to your firm and its potential financial exposure if it outsources 'into the cloud'. Identify where your firm's data is being held; and check the small print of outsourcing agreements. Providers are generally unwilling to accept liability for cyber risks - and firms are advised to contact Lockton for expert advice on managing the risk and achieving an effective solution. The SRA's report also includes 'best practice for due diligence' which firms will find helpful - and we can advise you on how best to implement this in practice.
How can we help?
We are the leading experts specialising in advising law firms on their insurance and risk management solutions. Whatever the size of your firm, we offer full insurance and risk management solutions that meet your unique needs. We also offer clients free advice, information and guidance to help them effectively manage their business in a highly technological age.
Lockton are pleased to be hosting an Information Security and Cloud Risk/Reward seminar in our London office on 23rd January 2014. You can read more about the event or sign up using the above link. Alternatively, contact our Risk Manager, Calum MacLean for more information.