Managing Cyber-Risks: Strategic Approaches for Law Firms

August 31, 2002

In the rush to reduce costs, an increasing number of lawyers now use computers to draft, alter and manipulate documents. It is also commonplace for lawyers to be in regular contact with clients by way of e-mail.

Before computers were connected to the Internet, it was relatively easy to have effective security measures in place to protect the electronic files on individual computers or systems. However, now that computers have become communication systems as well as working tools for lawyers, the risks attendant upon this new breed of “communications working platform” have increased substantially.

The twin issues of protecting the privacy and confidentiality of a client’s affairs are central to the practice of all lawyers. Before being connected to the Internet, the possibility of a lawyer being negligent with client files was relatively low. Once connected to the Internet, the probability of being found negligent for compromising a client’s affairs increases significantly, especially with e-mails and documents being misdirected.

The nature of security

Many of us understand security in the physical sense, such as the provision of locks and physical barriers such as safes or preventative measures such as security guards and burglar alarms that are designed to alert the owner of a property to an attack in progress. Whilst physical threats exist in the electronic world (computers are prone to being stolen and can be damaged when the power supply is suddenly interrupted), the most dangerous threats are those that are intangible and cannot be seen by most end users.

Static security measures are no longer sufficient once you have connected your computer or system to the Internet. Lawyers now need to think of security as a continuous process. Your budget must include a figure for electronic security each year. You must continually update your practices and procedures. Keeping members of staff educated is a crucial component of the successful implementation of your security ethos.

To defend an action in negligence, you will need to show you made yourself aware of the issues and that you took suitable precautions to fulfil your duty of care. It is not a question of whether your confidential client files will ever be compromised, but the effectiveness of the security you have put in place when they are compromised.

A new guide

This is where this new book by Rupert Kendrick will help lawyers identify risks, develop appropriate risk management strategies and implement suitable solutions. The book is divided into four parts. The author begins by putting the use of the Internet into context and outlines the help he received from the law firms that agreed to take part in the book, by providing examples of current practice.

Part II considers the types of risk that are associated with use of the Internet. The risks, to varying degrees, affect all lawyers, from the sole practitioner to the large firm. Although most lawyers will be familiar with many of the different types of risk mentioned in Chapter 4, those new to the medium will find the discussion will improve their overall awareness of the nature of the World Wide Web and why implementing a risk management strategy is so important.

It is the content of Chapter 5, on the assessment of risks, that will open a new vista to many lawyers familiar with dealing with problems that can best be described as tangible risks, such as making sure documents are sent to the correct fax number. As Rupert Kendrick states in this chapter, e-risks are not “always obvious and can emerge quite unexpectedly”. This means that many lawyers, who have never assessed the risks of running a practice, should carefully consider the practical points made in Rupert Kendrick’s guide. Lawyers will need to become familiar with how to approach risk assessment, the information that must be collected, how to develop a risk control plan and how to draw up a risk register. At present, many people consider such activities as optional, despite the provisions of the Turnbull Report, produced by the Institute of Chartered Accountants. Once insurance companies remove cover for e-risks in their general policies, however, lawyers will be required to make a realistic assessment of the e-risks they face.

This is where Parts III and IV of Rupert’s book provide invaluable help to the reader. Chapter 6 gives a useful introduction to the various types of technology available that help to identify how some risks can be managed. The author does not, quite rightly, assess the technical merits of the different technologies. There are other means by which you can determine the suitability of the assortment of technologies, such as specialist magazines and advice from independent consultants. The various issues that follow from having a presence on the World Wide Web are then addressed in Chapter 7. Lawyers specialising in this area may feel they are well aware of the points mentioned by the author. For those new to the concept of e-risks, this chapter merits a close reading. It takes the reader through such issues as the management of a Web site, legal compliance relating to jurisdiction, applicable laws, improper use of the Internet and the legal provisions governing the monitoring of employees’ communications.

The principal value of this book, if the reader is not already eager to rush out and buy a copy, lies in the content of Part IV. It is here that Rupert Kendrick guides the reader through the various stages that the lawyer should consider in approaching e-risks. First, Chapter 8 considers the formulation of a risk management strategy. It is argued that the management framework for cyber-risks cannot be left to an individual. Both Allen & Overy and Hegarty & Co agree that the duties and responsibilities relating to e-risks must include key people within the firm. Discussion covers the risk manager, the management team and strategies, including defining the project, approving financial resources, identifying objectives and how to manage and implement the project. Further, consideration is given to handling incidents, the audit process and the relevance of ISO/IEC 17799, the Information Security Standard, in establishing appropriate procedures to protect the firm.

Chapter 9 introduces the reader to the concept of the “cyber-secure practice”. The author points out that the Internet “introduces new types of risk requiring a new approach” and goes on to emphasise that these risks “affect all areas of the practice at all levels”. The responsibility rests with the partners. If clients are to trust lawyers in the future, law firms will have to treat e-risks seriously. This chapter discusses how to manage, plan and implement the necessary changes. The implications for the structure of the firm are discussed, whilst the problems faced by small firms and sole practitioners are also considered. Both Mark Slade of Fidler & Pepper and Michael Kaye of Kaye Tesler & Co offer readers the benefit of their experience of dealing with e-risks.

Regardless of the size of the firm, Rupert Kendrick concludes that partners must begin to understand the new roles that connection to the World Wide Web brings. First, they must make decisions about the services provided by the firm at the strategic level. This may mean that they will have to accept the need to take the advice of outside consultants where they lack in-depth knowledge in-house. Second, partners must motivate and drive the initiatives of the e-risk team. Partners must demonstrate effective leadership.

As Rupert Kendrick has amply demonstrated in this book, partners must address cyber-risks. Failure to do so may be catastrophic for both the partners collectively, and the firm. Herein lies the effectiveness of Rupert Kendrick’s analysis.

© Stephen Mason, 2002