
How DLP Helps Law Firms Protect Their Data

Due to the nature of their work, law firms collect vast amounts of highly sensitive data. This includes not only personal information relating to their clients but also confidential corporate information, trade secrets, intellectual property and more. As a consequence, they have become very attractive targets for both cybercriminals and malicious insiders.

An American Bar Association report found that 29% of US law firms that participated in their survey suffered a security breach in 2020, with 21% not knowing whether their firm had ever experienced a data breach. Reported consequences of security incidents included consulting fees for repair and loss of billable hours. Breaches can also cause high reputational damage for law firms: important clients must trust that a firm will be able to keep their information confidential.

Unlike organizations that simply collect personally identifiable information (PII) on a large scale and mostly attract opportunistic attackers, law firms are also targeted by nation-state actors and individuals looking to use confidential client information for insider trading.

Employees themselves pose a considerable threat to data security. The risk of insiders stealing sensitive client data before they leave a company is considerably higher in the legal sector than in other fields. Negligence is also a contributing factor to data loss: according to the Ponemon Institute and IBM’s Cost of a Data Breach Report 2020, 23% of all data breaches have employees as the root cause.

Data Loss Prevention (DLP) solutions have emerged as an essential tool in the implementation of data protection strategies across all sectors. Designed to protect data directly rather than the systems storing it, DLP technology ensures that companies know where sensitive data is stored and who is using it, and controls its transfer and use. Let’s take a closer look at the advantages DLP solutions offer law firms.

Protecting all sensitive data

DLP is well-known as a tool for compliance with regulations that usually protect PII, often providing predefined profiles that support compliance with regulations such as GDPR, PCI DSS, GLBA etc. Some solutions offer profiles for intellectual property as well. However, these definitions are also customizable, meaning that law firms can choose what sensitive data means to them, based on their needs and field of expertise.

Once sensitive data is defined, policies are applied that monitor and control files containing information deemed sensitive. Using content inspection and contextual scanning, DLP solutions can search hundreds of file types for sensitive data and prevent it from being transferred through insecure channels such as file sharing and cloud services, messaging apps and personal email addresses and from being printed or copy-pasted.
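As an added illustration (not Endpoint Protector’s code or any vendor’s implementation), the snippet below shows the two steps described above in Python: content inspection with predefined PII detectors plus a firm-defined confidentiality term list, and a contextual policy that combines the hits with the file name and the transfer channel. The detector patterns, term list, channel names and actions are assumptions chosen for the example.

```python
import re

# Constructed sample profiles: two predefined PII detectors and one
# firm-specific definition (terms a law firm might mark as sensitive).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
FIRM_TERMS = ("privileged & confidential", "attorney-client", "matter no.")

# Assumed channel names; anything here is treated as an insecure channel.
INSECURE_CHANNELS = {"personal_email", "cloud_share", "messaging", "usb"}


def luhn_ok(number: str) -> bool:
    """Luhn check so that random digit runs are not flagged as card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def inspect(text: str) -> dict:
    """Content inspection: count matches per detector in the file body."""
    return {
        "ssn": len(SSN_RE.findall(text)),
        "card": sum(1 for m in CARD_RE.findall(text) if luhn_ok(m)),
        "firm": sum(text.lower().count(t) for t in FIRM_TERMS),
    }


def decide(text: str, channel: str, filename: str = "") -> str:
    """Contextual scanning: combine content hits with file and channel context."""
    hits = inspect(text)
    sensitive = any(hits.values())
    # Context signal: a file named after a client matter is treated as
    # sensitive even when the body itself contains no detector hit.
    if re.search(r"matter[-_ ]\d+", filename, re.I):
        sensitive = True
    if not sensitive:
        return "allow"
    # Block transfers over insecure channels; otherwise only log the event.
    return "block" if channel in INSECURE_CHANNELS else "log"
```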

Restricting the use of removable devices

Removable devices are the easiest way for employees who have access to work computers to exfiltrate data. USB drives in particular, which are easy to hide but also easy to lose or forget, have long been a cause of data leaks. Using DLP solutions, law firms can block the use of all peripheral and USB ports as well as Bluetooth connections, or limit their use to company-approved devices.

Companies that wish to continue allowing removable devices such as USB drives can opt for a DLP solution like Endpoint Protector, which comes with enforced encryption features that ensure any data copied onto a USB drive is automatically encrypted with password-based AES 256-bit encryption. In this way, should a USB drive be lost or stolen, no one will be able to access the data stored on it without the decryption key.

Limiting access to sensitive data

Another way to reduce the chances of employees making off with valuable company data is to limit access to it. Of course, storing and archiving client files is an essential part of law firm operations, but it is also important that, once a file is closed or archived, copies aren’t left floating around the company network.

To prevent this, companies can use DLP solutions to search for sensitive information stored locally on employees’ computers. Once data is found in unauthorized locations, it can be encrypted or deleted remotely, ensuring that it no longer faces the risk of being stolen or lost.

Monitoring sensitive data

In order for law firms to be able to protect sensitive data, they must first know where it is being stored and how it is being used by employees. DLP sensitive data monitoring allows law firms to understand data flows and find vulnerabilities in the way sensitive information is being handled.

By identifying problematic practices among employees, law firms can organize data security training that addresses them directly. DLP data monitoring can also help discover potential insider threats such as employees attempting to exfiltrate important client information.


Frequently Asked Questions

What kind of sensitive data do law firms store?

Law firms collect, process and store personally identifiable information (PII) relating to their clients, employees and partners. In the interest of representing a client before a court, they might also collect highly sensitive categories of data such as information relating to race, religion, sexuality etc. In the course of corporate legal work, litigation and other legal services they perform, law firms and in-house legal teams also collect confidential corporate information such as trade secrets, patents and intellectual property as well as sensitive data such as tax returns.

Does GDPR apply to US law firms?

Any US law firm that serves clients in any of the European Union’s 27 member countries and the UK is subject to the General Data Protection Regulation (GDPR). They are obligated to provide their European clients with all the privacy rights granted them under GDPR. Law firms marketing their services to client prospects in the EU are also subject to GDPR. Any personal information collected from EU data subjects for the purposes of mailing lists, for example, is protected under GDPR. GDPR has an extraterritorial reach, meaning that it can be applied to any company that collects and processes the personal information of EU data subjects, regardless of their geographical location.

Are law firms data controllers or data processors?

Under GDPR, law firms are considered data controllers. According to the UK’s Information Commissioner’s Office (ICO), once personal data is handed over to law firms, they take on data controller responsibility for the data and process it for their own purposes, even though they are acting on behalf of their client. Law firms can be considered data processors only in a limited number of cases, such as when a client retains a law firm for the express purpose of processing data and provides specific direction and control regarding how the data is to be processed.
