It’s no surprise that small firms are the most vulnerable when it comes to online risk. Less time, less money and less staff to keep abreast of threats. What’s surprising, though, is how little law firms do to protect clients’ privileged information when collaborating electronically.
Recently released results from the LexisNexis Law Firm File Sharing in 2014 survey show that despite a growing awareness of new collaboration tools — along with the dangers of compromising client data— there is a real “disconnect” between security fears and the measures law firms actually take to secure confidential information. The smaller the firm, the more vulnerable — or lax.
“Law firms are caught in a bit of a bind because their clients demand a simple way to collaborate, but the risks, as this survey found, are exceptionally high,” says Christopher T. Anderson, Sr. Product Manager with LexisNexis.
Law Firm File-Sharing Habits
The online survey was conducted in March (disclosure — Attorney at Work helped with distribution), aiming to understand the file-sharing habits of attorneys and legal professionals working in U.S.-based law firms. Participating were 282 attorneys and legal professionals from across more than 15 different practice areas, representing 40 different states and two territories. Most respondents (73 percent) represented firms with 10 or fewer attorneys, and 49 percent identified as solo or two-lawyer-firm lawyers.
Here are some of the top findings, and more insight from Anderson, who also analyzed the survey for the Business of Law Blog.
More lawyers are “file sharing aware.” Whether it’s due to pressure from clients or the ubiquity of free services like Dropbox and Google Drive, 72 percent of law firms surveyed said file sharing is more important this year than in previous years. Small firms seem to feel a more pressing need than large firms, with almost 75 percent of small firms stating file sharing is important, compared to 55 percent in large firms.
At the same time, there is increased awareness that a compromise of privileged communications has serious consequences. When asked to describe the possible outcome to their business if an unauthorized third party gained access to shared client data, more than 80 percent of respondents agreed a breach would be consequential or “very” consequential. (Another 4 percent, though, said it would be “of little consequence.”)
As for actual use of the tools, when asked “how” they communicate and collaborate with clients on privileged information, the majority reported that email, phone, U.S. mail and fax are still their primary means of collaborating with clients. Only 36.5 percent said they use a file-sharing service or client portal.
Email is still the primary means of collaboration between lawyer and client. And here’s the disconnect. Law firms rely on email more than any other tool — 89 percent of respondents reported using email, and 73 percent said they are using email to share information with clients every day — yet only one-third of these email users reported using encrypted email. And that drops to 22 percent when asked more specifically about measures taken to protect client confidentiality. Small firms are most vulnerable here, too: 60 percent of those who said they encrypt email come from large firms, while only 29 percent come from solo and small firms.
Words will protect me. So how do law firms say they secure privileged communications in email? Mostly, they rely on words. Confidentiality statements are the most common shield against compromising confidentiality, with 77 percent reporting their law firms rely on a confidentiality statement below the body of their emails as the primary — sometimes only — means to protect privileged communication. Some also include confidentiality statements in an email subject line.
“Relying on a mere statement of confidentiality when sharing privileged communications by email is a weak measure — it might protect the law firm but affords very little protection for the client,” says Anderson.
What technology is deployed, if any? A minority of firms reported actually using security technology to protect electronic communications, including email encryption (22 percent), password protection of documents (14 percent) and use of a secure file-sharing site (13 percent). As for client permission, 17 percent require written permission and 13 percent require oral permission before sending confidential documents. Amazingly, in an open-ended answer section, 4 percent of respondents said they take no measures at all to protect client-privileged communications, not even a confidentiality statement.
Half use free file-sharing services. Just about half of all respondents said they have used free commercial file-sharing services to transmit privileged information. And the data suggest that free services are probably used more often than senior law firm leaders are aware. Again, the disconnect: “Half of the firms reported some use of the ‘free,’ consumer-oriented file-sharing services — services that do not meet basic ethical standards for protecting client confidentiality and make no promises to that end,” says Anderson. Yet, he says, that level of protection is readily available in the marketplace, sometimes from the same vendor, and at truly nominal cost.
Less than 20 percent of all respondents said they use enterprise-grade file-sharing services — 65 percent said they did not, and another 15 percent were unsure. “And even in the larger firms, with more resources, only half report enterprise-grade, secure file-sharing being used at their firms,” says Anderson.
Some may ask, what’s the harm in uploading documents to one of these free services so you can access them at home? “The answer is … none … until this causes an inadvertent disclosure,” says Anderson. And that, he says, begs lots of other questions like:
- How secure is your password?
- How secure is your home computer?
- What are your policies on deleting information once you’re finished “reviewing it at home”?
- What games do your kids play on your computer that grant access to third parties?
“It’s not all James-Bond-style snooping,” he adds. “It’s giant dragnets out there looking and sifting for pertinent information. It’s an ounce of prevention to prevent a ton of headache. The real question is, ‘What is the harm in engaging the services of a secure file-sharing service, at a nominal cost, to better secure your clients’ confidences … and then of making it a firm policy that they be used?’”
Top-Ranked Features for File-Sharing Services
When asked to rank the most desired features in a file-sharing service, the one that respondents ranked highest was the ability to add a watermark to documents. The ability to revoke or modify access privileges after a document was sent ranked second, and the ability to also use a file-sharing service for document storage ranked third. The features most in demand are pretty modest and, better yet, says Anderson, they all exist in currently available applications.
His own dream feature? “An extremely easy-to-use feature that notifies me, and the client, of every access to a privileged document — a real-time log of who, when, where and how the document was accessed, with red flags if those criteria don’t match expectations.”
Get the Complete Report
So, a final takeaway for firms: “There are far more secure ways to share privileged documents than by unsecure email or free file-sharing tools. Law firms need to perform their due diligence, stay abreast of technology and ultimately protect their clients’ interests online,” says Anderson.
Joan Feldman is Partner/Editorial at Attorney at Work and a Fellow of the College of Law Practice Management. Follow her on Twitter @joanhfeldman.