Law Firms in the New Normal: Protecting Legally Privileged Information

Home » Blogs » Law Firms in the New Normal: Protecting Legally Privileged Information

Protecting legally privileged information becomes more complex when your fee earners are working remotely. By taking these six steps your law firm will minimise the risk of data breach and uphold the confidentiality, integrity and availability of the sensitive data it manages.

Law has never been the most progressive sector when it comes to adopting new technology. Although many firms began 2020 very much office and paper-based, the coronavirus pandemic has forced them to adopt remote working models that, frankly, some weren’t ready for. However, needs must. Law firms throughout the UK are now taking steps towards a ‘new normal’ operating model, in which office-based work will be complemented by increased remote working.

Law firms hold highly sensitive, legally privileged information that requires high levels of security. Many firms will use a document management system to manage the confidentiality, integrity and availability of this information. However, technology alone is not enough to achieve comprehensive data protection.

In this new hybrid working operating landscape many rules will be generously interpreted to put it mildly, not for malicious reasons but simply to get things done. This may be functional in the short-term, but the new normal will require a reassessment of these rules if they are to remain fit for purpose not just throughout the coronavirus pandemic but also into the future. In this blog post we will provide guidance around how your law firm can protect legally privileged information whilst users are accessing it from outside the safety of the corporate environment.

By taking these six steps your law firm will minimise the risk of data breach and uphold the confidentiality, integrity and availability of the sensitive data it manages.

Protecting Legally Privileged Information

When you expand your law firm’s operating footprint, you increase the risks it faces. This happens in two key ways: introducing threat vectors through which cyber criminals can target you, and increasing the chance of users causing an accidental data breach by not paying attention to the data risks they face. For law firms that manage highly confidential legally privileged information, these risks need to be mitigated in order to avoid potential financial, operational and reputational damage.

Fortunately, there are steps your firm can take to protect legally privileged information whilst your users access it remotely. We’ll take you through six of these steps one at a time:

Implement multi-factor authentication. Properly configured multi-factor authentication (MFA) is the first line of defence against a compromised account. In an ideal world, all accounts should have MFA enabled. However, we appreciate this may not always be a practical solution. You may want to look at alternatives like risk-based authentication, which we describe below.
Consider risk-based authentication. Risk-based authentication is a good option for law firms looking to enhance cyber security without adversely affecting user experience. Built around a set of rules such as first sign-in from a new location, device, or a user’s risk score which is based on their behaviour. Think about Verified by Visa – if you’re logging into a website you’ve purchased from before, from your home laptop, you’ll be allowed through. If you’re on an unfamiliar website, perhaps on a new device or from a different location, you will be challenged with MFA or even denied. The same principles apply here.
Use location services. Do you know where your users are? IP addresses are geo-locatable, which is extremely useful when it comes to monitoring and alerting on suspicious activity. Impossible travel alerts, triggered by the likes of a login from a UK location immediately followed by a login from a US location from the same IP address, are an early indicator of a compromised account. And even better, this functionality is included in Microsoft 365 and Azure.
Train your people in cyber security best practices. Remote working impacts on employees, clients and IT teams. The simple fact is that where you introduce people, you introduce risk. Minimise this risk by providing continual training around cyber security best practices. People are less likely to follow these best practices when working from home, so it’s important that you target this training to make sure they remain educated and alert.

Review your data management processes. Confidential legally privileged information should be controlled, and your law firm should have processes in place to maintain the confidentiality, integrity and availability of data. However, many processes at many firms have been broken by COVID-19. If your people have legally privileged documents stored locally, you need to get them under control. You should scan remote devices for potential compromises before reintroducing them to the corporate environment. And at the same time, you should check local document stores for any legally privileged information stored there that shouldn’t be – bring it back under central control.
Optimise your technology. Whether it’s hardware access, connectivity, access to sites/systems, cyber security tools, or even something as seemingly simple as printing privileges, technology has the potential to go a long way towards solving many of the cyber resilience challenges your law firm faces. Productivity tools such as Microsoft 365 have all the cyber security features you will need. However, you need to invest time in configuring your Microsoft 365 tenancy to ensure the most appropriate levels of security, agility and performance.

Adapt to Thrive in the New Normal

By taking the appropriate steps, your law firm can implement people, process and technology measures that will enable your fee earners to do what they do best. At the same time, your law firm will minimise the risk of data breach and uphold the confidentiality, integrity and availability of the sensitive data it manages.

If you would like support in enhancing your firm’s cyber resilience, download the Six Degrees of Cyber Security to support your journey, then talk to one of our expert consultants.

Company No.:	03036806
VAT No.:	135526617
Tel:	0800 012 8060
Tel:	+44(0)20 7858 4000
Email:	info@6dg.co.uk

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_cfuvid	session	Cloudflare allows the Cloudflare WAF to distinguish individual users who share the same IP address.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-26222241-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
ln_or	1 day	LinkedIn registers statistical data on users' behaviour on the website. Used for internal analytics by the website operator.
lo-uid	2 years	Lucky Orange to provide marketing tracking unique id
lo-visits	2 years	Lucky Orange to provide marketing tracking across pages
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.

Law Firms in the New Normal: Protecting Legally Privileged Information

Protecting legally privileged information becomes more complex when your fee earners are working remotely. By taking these six steps your law firm will minimise the risk of data breach and uphold the confidentiality, integrity and availability of the sensitive data it manages.

Protecting Legally Privileged Information

Adapt to Thrive in the New Normal

Subscribe to the newsletter today

Related posts

Like this article?

Capabilities

Resource Hub

About Us

Useful Links