Rethink firm systems
Certain go-to systems and tools used widely by law firms have significant pitfalls when it comes to compliance and security – says Peter Wright, managing director of DigitalLaw.
The provision of legal services by definition involves large volumes of personal data, from client confidential information and commercially sensitive documents to employee salary, training, HR and benefits information. Effective communication, particularly with staff working from multiple locations through home working, remains essential both internally and externally and now often takes place across multiple platforms.
Given the critical importance of data and secure communications to the provision of legal services, it is surprising how often multiple overlapping systems are in use across an organisation without any over-arching strategy ever having been behind their adoption. Many organisations had to adapt to home working at pace in 2020 and began using systems that a normal due diligence process would probably have eliminated from consideration. What systems should highly regulated organisations providing legal services be avoiding, and what regulatory and compliance issues need to be borne in mind when making tech procurement decisions?
Internal communications – do not allow the use of WhatsApp or WhatsApp groups amongst staff for business-related purposes. Even though it is encrypted, WhatsApp is simply not a secure enough platform to be suitable for use in a highly regulated profession such as the provision of legal services. WhatsApp stores copies of all WhatsApp messages on its servers and has fallen foul of GDPR data protection fines on multiple occasions, being fined almost a quarter of a billion euros in 2021 and another five million in January this year for persistent failings in complying with GDPR. However, it isn’t just a problem from a legal and regulatory perspective. The UK National Cyber Security Centre (NCSC) strongly recommends against the use of WhatsApp for business purposes. A better alternative, with no intermediary servers holding copies of your messages, is Signal, which is encrypted between the sender’s and receiver’s handsets and allows for instant messaging and file sharing while also offering a useful desktop app.
External communications – can you offer clients an alternative to email? Does your case management system provide a secure means to communicate with a client? Do not assume that certain clients will be resistant to the use of technology. Some of our clients who are semi-retired have been the keenest to embrace the use of secure messaging integrated within our case management system through mobile apps and do not access email regularly.
Do not start using an app or communications system just because a client expresses a preference for it. Many firms start using apps, for example the Telegram messaging service, because a client expresses a preference for them, and firms go along with this out of a desire not to upset the client. However, sometimes it can be worth pushing back against a client in their own interest. The Telegram app, like WhatsApp, is completely unsuitable for providing a highly regulated service like legal advice. The NCSC is even less keen on Telegram than on WhatsApp. If a client perceives Telegram to be not only convenient but also secure, they are very much mistaken. Sometimes firms are reluctant to push back against a client for fear of losing them, but in this instance a client should respect a firm that insists on communicating legal advice through the most secure channels available. In the same way, the open-access free version of Google Docs should not be used for sharing documents with clients just because it is convenient for the client.
Printers. Many brands of printer store a copy of every single document that is printed on them, which, in the case of a multi-function printer in a busy office, could amount to hundreds of thousands of confidential documents. When that printer leaves the office, it will potentially take that record of confidential documents with it. A hacker undertaking reconnaissance of an organisation would then have a treasure trove of information from which to seize personal or confidential data, pinpoint weaknesses in a system and target an attack where it could cause maximum damage.
Video conferencing. Zoom has cornered the market as the easiest to use and most flexible video conferencing platform, useful for conference calls as well as for presenting seminars and online conferences. However, its early history was problematic – Zoom faced a class action lawsuit in 2019 from its own investors, who had found assurances made to them and to the market over the way the platform stored user data to be incorrect, with encryption not being in place despite assurances to the contrary and the use of servers in China raising questions. Since then, assurances have been given that the platform meets the necessary standards, such as GDPR, but recent GDPR enforcement against Meta, Amazon, Google and other large tech firms has demonstrated that assurances often do not stand up to scrutiny. The point here is that for the delivery of a highly regulated service such as legal advice, we cannot use any products or platforms that leave room for doubt, and Zoom is one of these. Microsoft Teams may be clunky by comparison, but it does demonstrate the necessary compliance.
Microsoft. “Everyone else is using Microsoft 365, so clearly it is the best option and the only question is not if but when we adopt.” Not necessarily. Microsoft can be slow to innovate, and unreliable. The fact that it is used so ubiquitously means that armies of hackers spend their time searching for vulnerabilities that can be exploited, which brings us to the next point.
Patching. Microsoft is forever issuing patches and security updates for its products as vulnerabilities are discovered. However, be aware that some vulnerabilities can remain open to exploitation for a significant period before Microsoft issues its patch, as happened with the Microsoft “Follina” exploit last year, which took some 14 days to be patched. Some IT providers put together their own interim mitigations for their customers, but the majority were left with a major vulnerability in their systems for the better part of two weeks.
Bring your own device (BYOD). The fashionable trend of staff using their own IT equipment to carry out their work, rather than having to use bulky old legacy laptops and desktops, was dying on the vine before the pandemic and should no longer be a realistic option in a highly regulated organisation providing legal services. This is because IT cannot readily ensure that the varied platforms used by staff are demonstrably secure, and a mix of operating systems is often unstable as well. Firms need to provide staff with the laptops, phones, tablets or other equipment they need to do their jobs, and even a small firm should be able to find an IT supplier who can facilitate this without breaking the bank, hopefully spreading the cost of new hardware.
Case management/practice management. Always an important procurement decision – no one ever wants to take responsibility for these, as every office always seems to be carrying multiple inefficient systems that are legacies of previous decisions and that echo across firms for decades to come. Like any important decision, don’t be reeled in by promotional patter from a rep who is on commission and chasing a sales target; take your time and work with colleagues to reach the right decision. Make sure that the right questions are asked of suppliers before anyone signs on the dotted line, and if you can’t get satisfactory answers to the following questions and points, you should consider walking away:
- What security measures are in place? This includes encryption and multi-factor authentication (MFA)
- Where will your data be held? That’s to say, where are the servers located, and, if located outside the UK/EEA, are the appropriate safeguards in place?
- When you are offered terms by the supplier, make sure you are not locked into a long, fixed-term contract – ensure there is a break clause without a hefty termination fee
- Does the platform meet basic regulatory standards as required by the SRA, ICO and other applicable regulators such as the FCA depending on the activities of your clients?
- Is the platform cloud-based?
- Does the platform offer integrations with some of the existing systems that you may already be using?
- Does the system allow for files of any size or format to be uploaded?
- Ask the developer if any new functions have been added to the platform over the last 12 months.
Technology should make the operation of a highly regulated provider of legal services easier, not harder. It should not restrict, it should not annoy its users, and it should not get in the way of getting the job done. Following some of the tips above should mean that you are using the right platforms that are not exposing the organisation to unnecessary risks from a regulation and compliance perspective, and should ease your path to using technology to help, not hinder, your business.