Security breaches at large retailers, banks, and Equifax have grabbed the lion’s share of headlines recently. Meanwhile, the idyllic image of a small-town Main Street attorney working out of a plate-glass window front office with a shingle hanging outside has largely remained intact. People often don’t associate the local law office with hackers, but the reality is different.
Twenty percent of U.S. law offices experienced some sort of cyberattack in 2017, according to the American Bar Association’s 2017 Legal Technology Survey. Some of these attacks have been little-noticed small-town hacks, while others have unleashed waves of international intrigue.
Smarter MSP reached out to some leading IT and law experts and found that the problem is only going to get worse.
Managing Attorney-Client Privilege
MSPs have an extra set of challenges to deal with when managing the IT needs of legal clients. At the core of the challenge: the protection of attorney-client privilege. The attorney-client privilege is a pillar of the American jurisprudence system. Breaches can occur from bad actors, but MSPs also need to be sensitive when managing the data itself. An IT tech may accidentally see some innocuous data when managing, for example, the data of a local library system (new releases this month in non-fiction), but much like with HIPAA-protected medical records, seeing some legal information, even accidentally and only for an instant, can have ramifications.
Having an attorney as a liaison working closely with an MSP can help head off any data breaches, internal or external.
“Having an attorney involved in the process of creating technical inventories, vulnerability scans, and penetration tests helps to increase the chances of maintaining attorney-client privilege,” says Lee Holcomb, a Boise, Idaho-based lawyer, consultant, and nationally noted expert on the convergence of IT and the law. If the tests are part of “assisting” an attorney, the attorney-client privilege could be lost.
“To help increase the chances of maintaining attorney-client privilege, have an attorney retain the MSP and maintain involvement in the supervision of the MSP,” Holcomb says.
Doing so can help you navigate what is potentially a minefield for an MSP. You want to manage the information without seeing the information.
Despite the risks involved, more and more law firms are turning to MSPs to help manage their systems. After all, the quintessential small-town lawyer on Main Street has more often been replaced with law firms consisting of a main office and satellite offices, all with sophisticated IT needs.
Heading for the Cloud
“Many law firms are increasingly using service providers with cloud-based service models,” Holcomb says. This transition from the in-house system to a cloud-based, professionally managed one has, Holcomb says, the advantage of providing access to leading tech services to law firms of all sizes without a deep financial commitment to infrastructure and personnel.
“Depending on the size of the firm, the in-house IT department may not have the necessary education and training that an MSP with a larger and more experienced IT department can provide,” Holcomb says. Which route is best for a law firm, she says, involves an allocation of cost and risk that includes the size of the firm and the type of clients represented. And, again, the issue of attorney-client privilege is core and needs to be factored into the MSP relationship.
“When possible, contracts with MSPs should define who is liable if a breach occurs and a customer’s data is stolen,” Holcomb says.
Chris Michalec is the founder of Greensboro-based Parkway Tech and a legal IT consultant. Parkway Tech is an MSP that specializes in law firm IT needs in the Carolinas.
Like Holcomb, Michalec points to the confidential information that most law firms process as being the biggest challenge for an MSP from a security standpoint.
“It is the volume of confidential information. Many firms have medical records, wills, tax returns, etc., and that makes them a ripe target for hackers,” Michalec says.
“The employee education is the most difficult but also the most important part,” Michalec says. Employee turnover at such firms ensures that the education aspect is an ongoing one.
Lawyers aren’t governed by any separate statutes or regulatory requirements, but they do need to follow HIPAA guidelines when dealing with medical records.
“Ensuring that everything possible is restricted on a ‘need to know’ basis. We don’t want some hacker getting into confidential information simply because some paralegal, who should have never had access to a particular matter anyway, was an easy target for phishing,” Michalec says.
Army of One or an MSP?
Michalec cites a range of advantages that MSPs offer law firms, especially small ones in the 30-to-50-employee range.
“One of the surprising things about law firms is how many of these smaller firms have at least one full-time IT staff person,” Michalec says. Plowing that money instead into an MSP can bring a range of benefits.
“For what they pay one person, they can get a whole team and quite a few IT services they need. Another key advantage is the processes and tools. I’ve been around enough small IT departments to know that they not only lack the sophisticated tools we use to support hundreds of devices across clients, but they also lack the processes to successfully minimize disruption to a firm,” Michalec says.
Even the best tech minds, if they are a staff of one or two, can only do so much, Michalec says. Not to mention that MSPs can develop a cross-section of knowledge from working with a broad array of legal firms.
“When working with 50-plus clients and over 1,000 devices day in and day out, you just see more and learn more than a single employee at a single firm,” Michalec says.
For law firms, the future is the cloud, and the key is to make sure it isn’t a storm cloud.
“As law firms make a natural progression to cloud-based services, attorneys will have to be particularly careful to ensure the vendor is competent and securing data in a way which is consistent with the law firm’s own policies and representations to clients. This includes the ethical duty to protect confidential client information. In short, the vendor must have appropriate cybersecurity safeguards in place, and client data should be segregated,” Holcomb says.