Failure to protect and safeguard data is more than just a potential liability for law firms: it can also have adverse consequences for the firm’s clients. Law firms are extraordinarily attractive targets for threat actors because they handle profitable information, including trade secrets or intellectual property, every day.
The Australian law firm Allens was the victim of a cyberattack after its file-sharing system, hosted by Californian cloud company Accellion, was compromised in early January 2021. Accellion’s file-sharing system held sensitive information for Allens, such as commercial-in-confidence documents related to Westpac, an Australian bank and financial services provider, in its defense of a case regarding anti-money laundering compliance. Allens is a legal adviser to almost three-quarters of Australia’s top 100 companies and had used Accellion since 2011. The file-sharing system, used to store and share sensitive information, is a two-decade-old product that was updated in mid-December 2020 when Accellion discovered a vulnerability in the system. So what are some key takeaways that law firms using cloud-based file transfer systems should consider?
To protect your firm’s cloud services, you need to vet providers adequately. The cloud offers secure options that help your firm operate more efficiently. However, not all cloud providers are the same. When comparing legal cloud-based providers for your firm, it’s essential to ask the following questions:
· Do they have a security team? An experienced and dedicated security team indicates that cybersecurity is a priority.
· Do they encrypt data both in transit and while stored? Sensitive data should be safeguarded by the provider while in motion and while stored or archived.
· Are they compliant? Cloud providers should disclose their compliance with laws such as GDPR and CCPA.
· Do they offer an uptime guarantee service level agreement (SLA)? An SLA is a commitment in the contract that the company will provide a minimum level of service to a customer. Cloud providers should guarantee an amount of uptime (the amount of time that the cloud service is available to end users).
· Are they endorsed by bar associations and law societies? Endorsements and recommendations from legal associations signal industry recognition for meeting high security standards.
· What security-focused features do they support? What other measures does the provider take to help ensure stronger security with their software?
· For more questions to review, please see Microsoft’s Cloud Services Due Diligence Checklist.
Safeguarding your clients’ and your firm’s data is more than just a nice thing to do: it is ethically and professionally crucial to your duty as a lawyer. Understanding your responsibilities and best practices can reduce your risk of data breaches.