Smart security
Cloud computing and mobile devices are posing significant challenges for law firms when it comes to ensuring data protection. Claire Chaffey reports.
A recent survey regarding the use of mobile devices amongst lawyers found that 95 per cent use some kind of smartphone, while two thirds use a tablet*.
In our increasingly digitalised society, these numbers are only set to increase in the coming years.
This proliferation of smart devices is posing a significant challenge for law firms, as traditional methods of controlling law firm data are confronted with a growing demand for flexibility and a shift from the strictly corporate BlackBerry to the catch-all iPhone.
BYO trouble
According to Allens technology, media and telecommunications partner Gavin Smith, the increase in the number of lawyers using “bring your own (BYO)” technology has meant a change in strategy for the firm.
“There are more and more ways in which data could potentially become compromised as technology develops and one is the proliferation of mobile devices, particularly BYO mobile devices,” he says.
“It is harder to control. Employees bring their smartphones into the firm and are hooked up to the firm’s email system, which means there is confidential information of various sorts on the device. The question is: what happens when that device is lost or stolen or you’ve got a malicious employee who leaves the firm and takes the data with them or misuses the data?”
According to Smith, the traditional firm-provided BlackBerry is much easier to manage from a data security perspective.
“If the firm owns the device, if an employee leaves, then you get it back and they are not going to take away any data sitting on that device when they leave,” he says.
But there is a tool that allows Allens a certain level of control over BYO devices used for work purposes.
“One of the key ways we try to minimise the risk of data falling into the wrong hands is by running a platform called MobileIron,” says Smith.
“It sits on an iPhone or Android device and allows the firm to wipe the device clean of the firm’s confidential information if the device is reported lost or stolen, or if we think it’s being misused.”
Freehills’ chief information officer Nicole Bamforth says one of the biggest challenges for law firms is the notion of “consumerisation” and the advent of consumer-based tools developed with convenience – and not security – in mind.
“Those tools, such as Dropbox (an online file-sharing tool), are morphing into people’s working tools. It is all about convenience and they don’t have the same sort of corporate, rigid and controlled protocols that you would expect from a corporate tool or device, so there is a real challenge to balance risk with convenience,” she says.
“It doesn’t have the inherent security and controls around it and people need to understand that it is therefore not a safe way to share confidential information.”
iPad, youPad
Another growing technological reality for law firms is the increasing use of iPads and other tablet devices, which carry yet another challenge.
“For us, it is really important that our employees have the flexibility to work anywhere, anytime, in any location and on any device,” says Bamforth.
“To facilitate that, about 18 months ago we implemented the Citrix Solution … You can work from any device, like your iPad, and access all of the data you could access if you were in the office, but in a completely secure bubble and no data is left on that device.
“That was a really important investment for us; to provide lawyers with flexibility whilst working remotely but at the same time ensuring data security.”
Allens is using something similar and says it is tools like this that are key to allowing firms to embrace new technologies.
“Partners at the firm get an iPad, and there has been some debate about the security of iPads,” says Smith.
“Effectively, the iPad can link into documents sitting on the firm’s servers, rather than the documents sitting on the iPad itself. That is a really good way of being able to embrace technological changes; because we want to embrace them but to do so in a manner where we’re keeping our data secure.”
Head in the clouds
When it comes to the oh-so-hot topic of cloud computing, law firms admit they’re not at the forefront in terms of adopting it.
Given the questions remaining over how exactly it works and what exactly the risks are, most law firms are content to sit back and see what happens before jumping in headfirst.
“We use the cloud in a very, very limited way. We don’t store client data in any cloud-based platform. We use it more in terms of services that can be provided, so it’s not used for anything that might involve confidential client data at this point in time,” says Bamforth.
“It’s an emerging area and, until there is more confidence about the underlying and overarching security in those environments, there is a nervousness to embrace it too broadly.”
Like Freehills, Allens has been slow to adopt cloud computing.
“I wouldn’t say there is any single reason [why] the firm hasn’t rushed into cloud computing. It’s more that we are more than happy with how our own systems run at the moment,” says Smith.
“There are obviously legislative issues around transferring data into the cloud if it means you’re transferring offshore. To the extent that we have personal information then we would need to ensure that if it was being transferred it was done so in accordance with the Privacy Act. That is something the firm would be very careful about if we were to consider doing it [in] the future.”
One of the main stumbling blocks around cloud computing – and one which is a constant cause of concern for clients seeking advice about it – is the US Patriot Act, which allows certain American law enforcement agencies to access confidential data stored on US servers, or somehow linked with the US, if they believe it could assist in the fight against terror or protect US soil.
“At every presentation I give on cloud computing or privacy someone sticks their hand up and asks about the Patriot Act, so it is definitely affecting a lot of people,” says Smith.
“The reality is that most companies in Australia don’t necessarily understand how it works and what the implications are for them.
“Cloud computing is still in the reasonably early stages of adoption, so technology teams at companies are looking at cloud computing and asking what the operational risks and constraints are and what the legal risks are.
“If data is stored in the US does that mean it is potentially liable to access from law enforcement agencies in the US in a manner that is not necessarily the same as it would be in your home jurisdiction? Those issues are of significant interest to companies.”
Be prepared
When it comes to data security in law firms, the only real certainty is that the exact nature of the risks will remain uncertain – and law firms have to be ready for anything.
“The risks are broad and varied, and part of it is the uncertainty of not knowing what the risks could be. You have to be flexible in your approach and have processes in place to monitor and look for risks that may emerge,” says Bamforth.
“You may not see a risk today, but you don’t know what may emerge tomorrow. I think that is the biggest challenge. Just as there are lots of technological developments that are good and positive, there is also a lot happening out there that has the potential to be very negative and have downsides associated with it.”
Smith, too, says being prepared for the unpredictable is the key to maintaining the integrity of the firm’s data.
“There are a number of different data security risks that firms face; all the way from your malicious employee, through to inadvertent disclosure of confidential information and hacking attacks, where you’ve got targeted hacking attacks on law firms,” he says.
“We’re very cognisant of the fact that we have to have really strong internal processes, IT systems and security processes to protect against all those possible data security risks. Our strategy is a multi-faceted one, to be able to ensure that we have preempted the likelihood of any of those things happening … and that we have best practice in place in the horrible event that something does happen. Hopefully that never occurs.”
*Thomson Reuters, Mobile Device Usage in Law and Accounting in Australia, March 2012