Five essentials for secure legal communications with Accellion
Lawyers work with some of the most sensitive information of any profession. An attorney or client can damage the outcome of a case by mishandling a single critical document, and even a small cyber breach can bring down an entire practice. Law firms therefore are constantly on the lookout for easier and more comprehensive ways to manage these risks.
You must defend your communications and data against hackers and inadvertent leaks, both inside and outside the organization. Lawyers frequently communicate clients’ sensitive information to third parties as part of doing business, and these communications need protection. In addition, your cybersecurity systems must keep pace with legal profession changes. For example, any outsourcing of tasks, such as discovery, requires communicating information across the open internet that formerly stayed safely within the firm’s own systems. Attorneys need risk controls that work behind the scenes so that they can focus on their jobs rather than creating workarounds to protect their law firms’ and clients’ confidential information.
Thankfully, you can find cybersecurity and governance tools to meet these needs in the marketplace. They allow you to rigorously track and protect the confidentiality of documents and files you exchange with clients and external parties. You won’t create extra work for lawyers, even when collaborating with multiple parties on complex litigation. You can implement governance policies that automate need-to-know limitations and minimize the opportunity for errors and abuses. Apply powerful visualizations and machine learning to detect suspicious activities before they grow into major threats to the business. Read on to learn five essentials to secure the confidential documents and communications practices of your firm, reduce risks of data loss, and better serve your clients.
1) Safeguard Sensitive Legal Documents from Hackers and Eavesdroppers
Provide a Strong Cybersecurity Foundation
When you send a sensitive document to a client or third party, you expose confidential information to a variety of dangers, including hackers probing your systems and employees for vulnerabilities. Fortify your digital assets with enterprise level security standards, starting with NIST 800-53. Implement its comprehensive IT and physical security controls, including configuring firewalls, authenticating users, monitoring for intrusions, and protecting inbound email against malware.
Assign need-to-know access restrictions on all data, and keep these governance policies up to date as lawyers’ assignments change. To make these restrictions stick, always require users to authenticate prior to accessing any data source.
Encrypt all your stored data, even behind the firewall. Otherwise, hackers who infiltrate your enterprise can have a field day with your unprotected data, transferring out damaging information and covering their tracks well enough to work undetected for months. Also, make sure you store your sensitive data on your own premises, enabling you to maintain sole control of your encryption keys. There are cases in the United States whereby documents and emails stored on third party cloud vendors are subject to blind subpoenas as part of law enforcement and other investigations.
Ensure email privacy with encryption and legal ownership of its contents. When you send a traditional unencrypted email, eavesdroppers working for corporations, criminal organizations and governments can read it as it passes through compromised servers en route to the recipient. How can you protect it? Most firms find end-to-end encryption options like Pretty Good Privacy (PGP) unworkable because they require special applications and confusing extra steps for both employees and recipients. A third party encrypted mail service that has the keys to unlock your files may be subject to subpoena. Choose an email system that stages confidential email attachments and contents in encrypted storage on your own premises.
2) Protect Attorney-Client Privilege from Human Error (and Intention)
Utilize Secure Communication Technology
The judge rules that you have technically waived attorney-client privilege. How did this happen? You failed to keep a sensitive document confidential. Maybe your co-council mistakenly shared it with the wrong parties over the internet. Perhaps your client, the VP of Operations at a parts supplier, inadvertently forwarded it to the entire manufacturing staff. Or a well-meaning associate uploaded information to an unprotected cloud-based collaboration site. You could have avoided this by using strongly governed client communications technology so you could enforce need-to-know policies and block unsanctioned forwarding.
Protect one-way and bi-directional communications with secure email. Use a tool that lets you send encrypted attachments directly from your document management systems (DMS), file shares or other repositories. Require recipients to authenticate before accessing the sensitive information you send and prevent them from forwarding your emails. Maintain confidentiality by using a view-only web mode– preferably with an incriminating watermark to discourage screenshots. Finally, keep the whole conversation confidential by automatically securing recipients’ replies.
Safeguard multi-party collaborations with a secure file sharing portal. Strictly enforce need-to-know access to the documents to prevent accidental (and intentional) breaches of confidentiality and ethical walls. Reduce data leaks by giving lawyers a simple way to share documents with just the right individuals: a folder for each matter or project. Invite only those individuals who have a need to know. For more involved projects, create subfolders with different membership tuned to the need-to-know circumstances of each subtopic.
Maintain confidentiality and compliance with granular governance policies over email and collaboration. Control who is allowed to send documents, who is allowed to set up shared folders and who is allowed to access their contents. Limit sharing to legitimate corporate email addresses. Your firm may use data leak prevention (DLP) software, which scans the text in documents for confidential information that should not leave the firm. Be sure to leverage this technology in all outgoing communications, but implement a simple process to override any false positive indications quickly to avoid disrupting business.
3) Remove the Temptation of Risky Shortcuts
Make Secure Communications Quick and Easy
Don’t shoot yourself in the foot. Don’t roll out the strongest security technology, only to discover lawyers find it too cumbersome and circumvent it to meet their deadlines. And of course, don’t adopt lightweight collaboration software that dangerously defaults to “share with anyone” mode.
Secure and govern legal professionals’ communications conveniently where they work: in Microsoft Outlook®, the Web and work product management software such as iManage®. Use a product that gives them secure access to the documents they need from any device and any location, even outside the firm’s internal firewall. Make sure it is as quick and easy as a consumer-grade app so they’ll use it, and ensure that it handles even the largest evidence files, including video, with ease.
What if you’ve blocked access to cloud sharing sites to prevent out-of-compliance communications, but your clients and external colleagues still use them to send you documents? Provide a governed, auditable tool to enable select employees to pull this information into your own repositories. Scan every download for malware and apply your firm’s governance policies as you share or store the file internally. Lastly, record a history log entry every time the file is touched, providing a defensible audit trail.
4) Maintain Chain of Custody
Track All Secure Communications Automatically
Lawyers communicate thousands and thousands of documents, yet they need to maintain a detailed chain of custody to ensure evidence integrity and admissibility. They obviously need automation to help them track the entire history of actions performed on each document or file. Who provided the files? When? Did opposing counsel receive the document? Did they download it? Lawyers need immutable audit trails that capture all this information, complete with simple audit reports they can run on a moment’s notice, as well as comprehensive, customized reports internal auditors can extract.
5) Catch Hackers in the Act
See Where Your Sensitive Documents Are Going
External hackers pepper your systems with constant attacks, and even conscientious insiders make inadvertent document sharing mistakes. Protect your clients and law firm with communication technology that shows where your sensitive documents are going and who has them.
Monitor the files that leave your firm to avoid breaches and compliance violations, starting with a complete, centralized log of all document and file activity. Use the log data to create clear and complete real-time answers to the most important security questions about your file traffic. Finally, invest in emerging machine learning technology that alerts your staff to anomalies in file sharing patterns – and helps them reduce false positive indications. Is an employee not affiliated with a matter accessing and sending hundreds of case files? Are unknown parties downloading documents to a company you don’t do business with? Use this technology to answer not just the who, what, where and when, but also to answer questions you didn’t know to ask!