A prominent law firm will experience an embarrassing, expensive, and damaging data security breach. Client data will be circulated, litigation will result, and the reputation of the firm will be irreparably harmed when its lack of protection becomes apparent.
That was a prediction I made in late 2014 in "25-Plus Predictions for the Legal Industry in 2015," published on the LexisNexis Business of Law blog. I was right. It just took a while for the data to surface. Süddeutsche Zeitung was first secretly contacted about the leak of 11.5 million law firm documents in early 2015.
The embarrassing, expensive, and damaging breach at Mossack Fonseca didn’t become public until 2016. Even I didn’t know how right I’d been.
The law firm says this was a hack of its systems, not an internal leak.
Of course, reveling in my success as a prognosticator isn’t becoming, especially when it comes at the expense of a law firm and its clients. I’ll keep my happy dance inside the house going forward.
It has long been clear that you need to be sure your data is secure. You need to expend some effort on this, because the consequences of a breach are ugly. However, most of us have delegated this responsibility to a local technology provider of dubious expertise. It’s time to get this right. It’s time to get serious and call in the smart people.
Here’s the quick and dirty on how to secure your data:
1. Fire the Computer Dude (or Dudette)
Okay, okay, firing people is mean. You can keep your IT person for trivial tasks like opening the box that has the new laptop and then installing your PDF viewer. But, if you’re still using a local IT person for managing servers or anything that involves security, then it’s time to get serious.
You’ve had that IT person who’s handling your data security for a long time. Why? Because he sucks. If your IT person is still screwing around with small law firms, then he isn’t very good. By now, that person should have found a way to make some real money doing real work for a booming business. There’s a shortage of talented people in the technology universe.
That’s harsh, but the pool of people who solicit our business isn’t particularly talented. The tech economy is healthy, and your business isn’t that appealing. They want you because they aren’t smart enough to get the good stuff. Jettison your person. Get rid of him now. It’s time to move on, because you don’t have the foggiest notion of whether he has a clue.
Assume that economics are a good indicator of ability, so if you can afford him, then you don’t want to hire him. That’s brutal. But it’s the best you can do if you’re not going to educate yourself about how IT people do what they do, and you’re not, right?
2. Get Rid of the Servers
Move your data to the cloud, where it can be watched and secured by smart people. The best and the brightest get hired by the big dogs. Put your data in their doghouse. Use a cloud-based practice management system, and let those Georgia Tech, MIT, and Stanford-educated developers worry about the hackers.
Sure, the big providers will screw up, but they’ve got a better chance of getting it right than that amateur you’ve been paying to go to Best Buy and buy a new laptop. The tiny, six-person IT shops are good for setting up a new iPhone or hooking the copier up to the WiFi. However, don’t trust them with anything important.
And pick a winner for your data. Don’t move your mission-critical information to some practice management system started three months ago by two guys in a co-working space. Let their company grow up first.
3. Pay Attention As You Experiment
Most of us are pretty conservative. We hesitate to try new things with technology. I’m not. I like to experiment, and I hope you will too. There’s a lot to be gained by pushing the technology and using it to enhance the client experience you deliver. But be sure to factor security into your experiments. Keep it high on the checklist when you implement something new.
Today, one new piece of technology can easily open the door to your data residing on other systems.
For instance, we’re big proponents of Slack in the law office. It’s great technology and encourages and increases communication and sharing. But is it secure? That’s an important question you should ask before you open pathways from Slack to the rest of your data. Slack competitor ClearChat pitches itself as the secure alternative. Should you worry about products like Slack? You should do your due diligence before opening the door to your data.
4. Don’t Listen to Their Arguments
This is the part where you show this to your technology people and they try to scare you into continuing to run a server (or servers) in your office. They tell you why I’m wrong and how dangerous it is to shift away from them. They sow fear, uncertainty, and doubt. They create a path of least resistance, and you’re tempted to follow it.
When IT people get really nervous about losing you, they jump to their backup position. They suggest moving what you have now to a “virtual desktop” so you don’t have to migrate your data to new products. Don’t do it. Invariably, they want to manage the virtual desktops after leasing space on servers. That’s a bad idea, because they aren’t any better at managing security on remote servers than they are at doing it on servers in your office. Don’t delay.
Look, I love the IT people. They bring nice holiday gifts, and some of them drop off cookies. Who doesn’t love a cookie? But, seriously, do you really want to trust your data security to someone with a cookie?
5. Don’t Delay
Deal with this issue now if you haven’t already. The last thing you want is to go down in history for being the law firm that leaked something like the Panama Papers. You don’t want to be the law firm that suffers when “Client data will be circulated, litigation will result, and the reputation of the firm will be irreparably harmed when its lack of protection becomes apparent.” Trust me, I’m good at predicting this stuff.