In short, they’re not. Most Barristers, and their Chambers, fall woefully short of any reasonable level of IT and data security, let alone the levels that a casual observer would presume they meet, given the type of client data they deal with on a daily basis.
From an outsider’s viewpoint, many consider the UK Legal market to be of the same stature as the financial and healthcare verticals. It follows that all three will share a similarly high regard for data security then, doesn’t it? No, quite the opposite actually. The Healthcare and Financial markets are more heavily regulated and policed and are now several years ahead of Legal, which has dragged its heels and paid scant attention to this critical issue.
Let’s pause for a moment to reflect on the topic of conversation here – this isn’t a geeky desire to impose unduly prescriptive rules but a duty to protect precious and sensitive client data. Consider case types, such as Child Abuse, Terrorism, Human Rights and Organised crime – yup, I’d like to think someone was taking really good care of that data.
Let’s briefly look at two regulatory bodies:
The General Council of the Bar, known as the Bar Council, is the Approved Regulator of the Bar of England and Wales. Surely, any sensible IT requirements would be driven and regulated by them? To help you make up your mind, let’s review two:
- How to dispose of your hard drive securely: “…removing the hard drive from the computer and hitting it repeatedly with a heavy hammer”
- “facial recognition software is an acceptable alternative”
That is serious, published advice to Barristers from one of their main regulatory bodies from their ‘Guidelines on Information Security’ (which also helpfully contains several dead links to external websites).
The Information Commissioner’s Office covers various pieces of legislation including the Data Protection Act, handles complaints and concerns regarding information rights issues and has the power to serve monetary penalties of up to £500,000. Much of the advice and guidance on the website is useful and practicable.
However, take a quick look through their published monetary penalties, decision notices and undertakings and you will quickly see that the Legal marketplace is virtually absent. Local and central government offices along with NHS trusts form the majority of their published enforcements. Is there an apparent selectivity or bias as to what kinds of entities the ICO pursues?
How do Chambers work?
- 80% of barristers are self-employed and belong to a Chambers where they share central resources, such as their building, the Clerks/staff, utilities and computer systems
- Barristers have been individually purchasing and managing their PCs, smartphones etc., long before anyone coined ‘BYOD’
- Members of Chambers are Data Controllers within the meaning of the Data Protection Act 1998 and have statutory duties in respect of any Personal Data and Sensitive Personal Data that they hold. Pursuant to the seventh data protection principle, members of Chambers must ensure that they protect data to which the Act applies using an appropriate level of security given the nature of the data and the harm that might result from unauthorised processing or loss.
Real-world examples of self-prescribed Legal IT ‘security’:
- Every barrister and staff member with non-expiring passwords
- Everyone with the same password
- Everyone being a Domain Administrator
- Firewalls with any > any rules, inbound and outbound
- PPTP VPNs
- Continued use of Windows XP, Server 2000, etc.
- No backups
- No desktop anti-virus
- No gateway anti-virus
- No patching or updates
- No IPS/IDS
- No firewall at all!
- Regular transfer of data outside EEA
- Inadvertent man-in-the-middle DHCP ‘attacks’
- Sharing Dropbox data with the wrong parties
- Personal, unsecured WiFi devices bridging to the corporate network
- Unencrypted laptops, PCs and USB devices
- Shared/home PCs regularly used to store sensitive data
- Single factor authentication
- No authentication
- Authentication sharing
- Data synchronisation without limit to device, location or platform
- Client data on personal email platforms
- No PIN or encryption on mobile email devices
- No IT training
- Unprotected and internet facing financial and client data
- Port 3389 (RDP) open over the wire, without any credential requirement
Chambers struggle to ‘enforce’ data security policies or to make sensible practice a requirement of tenancy, because of the organisational hierarchy. So, surely, effective regulatory compliance is the best way to ensure that client data is secured – at least to a reasonable level? Immediate, minimum requirements might include:
- Password complexity and expiration
- Multi-Factor Authentication
- Centrally managed full-disk encryption to FIPS 140-2
- Disallowed use of non-FIPS 140-2 encrypted USB devices
- Annual training/awareness on data security
- Enforced TLS email encryption, between counsel
- Secure WiFi – e.g. 802.1x, perhaps with RADIUS
The list of technologies that might be used is long. The real question is what ‘standards’ must be met and how they will be enforced and maintained. This quick list may help the ICO and Bar Council attract the right kind of attention:
- Publish and enforce minimum ‘requirements’, not ‘guidelines’
- Unannounced audits and pen testing
- Allow IT staff onto panels, to give quality and credence
- Remove unhelpful and poor advice
- Utilise existing standards and schemes such as ISO 27001, Cyber Essentials and Axelos
It is time that the Legal sector stopped pretending that IT security responsibilities do not apply to them – they hold, control and process some of their clients’ most critical and sensitive data and are now seen as the least defended path to that information. It’s time that the regulating authorities stood firm, stopped dithering and started fining. Published minimum requirements, enforcing authorities and financial penalties work – we can see that in other markets; so why not in Legal? Let’s begin to build a culture where barristers care for client data and respect the requirements set by their authorities. In an age where chambers are suddenly realising that they do have a shared identity and that market reputation is key, how long will it be before they also realise that good, solid IT security can be a differentiator and an opportunity to win more business?
Gartner reports that 10% of legal services are in the Cloud today, but that 90% will be cloud-based by 2018. The incoming EU General Data Protection laws will bring increased fines of up to 5% of global turnover. ManagingPartner’s recent market research found that ‘the most successful law firms of the future will have lawyers who embrace new technologies’. These are all reasons to start getting this right, right now.
Chambers do not function as a regular ‘business’: barristers are self-employed and often not subject to any centralised IT policy, and regulatory compliance is commonly seen as optional, yet we expect barristers to use an ‘appropriate level of security’. That’s not fair and it won’t ever work. It doesn’t work now. A largely non-technical workforce cannot reasonably be expected to attain the right levels, or make the right choices, consistently and on an individual basis. Governing bodies must help Chambers to manage this issue by prescribing sensible and proportionate policies and requirements. It’s not complicated, but it’s the very least that this precious data deserves.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in contributing to The State of Security, contact us here.
Title image courtesy of ShutterStock