Special Edition
Computer security testing comment and analysis from SE LABS Ⓡ

Legal firms vs. data security: How to solve the tension between lawyers, their IT teams, clients and data security

Traditional ways of working in the legal world clash with modern technology and tech-savvy clients. Outdated law firm tech might be safe, but it makes customers unhappy.

There is a tension between lawyers, their IT teams and their clients. Law firms don’t like to recognise this, at least publicly. But there is a clash between “the way things are done”, customer service and the convenience provided by modern technology.

Outdated law firm tech creates tension

Law firms generally have a set way of doing things, which often translates into a requirement that their clients use outdated and less capable technology systems than those the clients are used to, and prefer to use.

Let’s take clunky ‘data rooms’ to start with. If you are a lawyer you’ll know what these are. If not, it’s just online file-sharing. But made harder than the slick systems most businesses use. Want to have a meeting with your solicitor? Please install some obscure video conferencing software that insists you install yet another add-on. Why? Because the legal firm requires you to.

IT teams are responsible for supporting the firm’s entire technology stack. The job gets harder when they have to support a wider variety of software. Maybe a lawyer wants to use a new application but there isn’t a genuine or clear business need. So there is internal tension.

And lawyers like to follow rules, but their business clients are inherently more willing to take risks. That’s kind of the point of lawyers, isn’t it? To counter-balance the risk-takers and reach some sort of sensible consensus?

So this tension worsens the customer experience, while potentially creating security risks for the firm.

Commercial vs. compliance

Humans, and particularly legally-trained ones, are intelligent problem solvers. So if a key client complains about finding a law firm’s data room difficult to use, and sends a Dropbox link instead, the lawyer will be sorely tempted to use the Dropbox link to keep the client happy. A vague memory of some firm-wide internal training long ago, about the security risks of Dropbox, weighs lightly on the lawyer trying to meet their annual billing targets. So the lawyer doesn’t tell IT and cracks on with the client work via Dropbox for an easy life.

Different law firms have different cultures. Commercially-driven firms may be more likely to have staff willing to work around IT, while more conservative rules-focused firms might repress staff effectively. Guess which type of firm is more likely to survive the tech revolution.

Sign up to our monthly business and personal security newsletters.

Generation old

This tension also highlights a division between different generations of lawyers. Clients resisting outdated law firm tech will often suggest using technology that younger generations of lawyers already use in their personal life.

“I’ll just upload this to my Google Drive (with which I am so familiar I don’t even think about it as a potential risk)”.

Contrast this to the older generation of lawyers, where the internal narrative is more likely to be:

“I don’t understand the cloud and it sounds risky, so I’ll wait/ not do the work/ ask IT to handle this next week.”

This is a difficult line to draw, though. Clients have their own behaviour too, and law firms can’t make a client behave more securely with their own use of email, file sharing etc.. Given that clients accept greater risk, should law firms accept that same level or create a block? A block that clients only face when trying to deal with lawyers…

Client experience and data security

The select few will provide a more pleasant and productive (and probably cheaper) client experience. These will be innovative law firms and start-ups that can strike a balance between using capable software tools while supporting their staff adequately on how to use them.

This will see the end to the dinosaurs (and the world’s most expensive small talk). Video conferencing has to be more attractive to clients than a trip in to London with all the grief and inconvenience that brings. It is doubtful that major law firms would today support the use of video conferencing had the COVID-19 pandemic not happened.

Don’t (always) trust the cloud

But it’s dangerous to assume that the large tech companies will keep private data private. Google, Apple and others have made private files public accidentally. And YouTube can do weird things with content sharing under some unexpected circumstances. Even experts get caught out from time to time. The overworked lawyer, trying to send a document to a client quickly, makes mistakes too.

Using Outlook’s auto-complete feature, while in a hurry, can send a document to the wrong person. Be honest – we’ve all done it.

Email security measures block password-protected Zip files a lot. So much so that the bad guys often don’t use this as a technique very much these days. And so outdated security policies shut out a legitimate use case that no longer poses much of a threat.

Law firms need a better understanding of the cyber risks that exist and that pose the most likely problems. This understanding should form the basis of secure working practices that best secure client information, while keeping clients happy. And tracking bad guy behaviour can also help free up unnecessarily restrictive practices that seek to solve a problem no one is having.

Authors: James Boyle (Taylor Vinters) and Simon Edwards (SE Labs)

Posted on June 17th, 2021 by Simon PG Edwards and tagged 2021, cyber security, enterprise, home user, law firm, small business