At an LPO conference last week, a fairly routine question came from the audience about data security concerns. What was more interesting was the reply from the LPO provider. The speaker was a former partner at a major US firm, and went on a (good-natured) rant about how secure the offshore operations were when compared to the extremely lax information security regime in his former law firm, and how comparing the two was laughable.
Thinking about this, it seems to me that one of the fundamental differences between the way the two organisations (a law firm and an outsourcing provider) deal with security is the extremely high level of trust within the law firm environment. In many firms there are very limited physical and logical controls on access to client information, especially when compared to the much more rigorous environments in offshore data and process centres. Most lawyers can dip into the system and pull up documents on the firm’s clients without any questions being raised. There are no checks on what staff are taking home in their bags in the evening, and pretty limited controls on what can be accessed and copied in the office. While law firms are often paranoid about data security in terms of third parties getting into their network, internal controls are not implemented to the same level. In the information security world, this model would be described as “crunchy on the outside, soft in the middle”.
The interesting thing about this is that, by and large, the model has worked pretty well to date. Security breaches are few and far between, and much of this can be attributed to the integrity and professionalism of the lawyers. Precedent documents often follow lawyers from firm to firm, the odd email goes astray and perhaps conversations are overheard on a train, but nothing major has hit the headlines. That said, I do still believe that information security is an issue law firms need to take seriously, and while the lawyers may resist more stringent internal controls, the damage a serious information security breach could cause far outweighs the inconvenience these processes may create.
During my time in private practice, information security was an area of particular interest. As part of my practice, I qualified as a BS7799 (now ISO 27001) information security auditor. Afterwards I went through a campaign educating my colleagues on the importance of information security by sending emails from their unattended PCs to my email account, with some spurious content (for example, “Mark, I promise to make you a cup of tea every morning for the next month”), signed by “the hooded claw”. As the weeks rolled by, my “education campaign” began to wane, but my colleagues were much more careful about locking their screens when away from their desks.
So, beware the hooded claw. If you are thinking of sending data offshore, rigorous due diligence on security is absolutely critical, but it might also be worth considering how secure your data is onshore too.