Writtern by Gareth Bridges, Senior Manager, Enterprise Markets, Equinix Asia Pacific
Every organisation fights internal battles, but few are more emotive or critical than the struggle over control of information and the devices used to access it.
Not long ago, corporate data could only be accessed via client software that was firmly under the control of the IT department, on computers that were owned and managed within that domain. Today, smartphones have crept into almost all areas of our lives (including work) and have more recently been joined by their big brother; the tablet.
Both devices are ubiquitous, and employees in all companies increasingly expect to be able to use their mobile devices for work, which can mean anything from accessing email to managing documents in the cloud. This introduces a huge number of challenges for IT departments in all kinds of organisations.
Law firms are no exception, and there are significant “soft and hard” benefits (both in theory and in practice) from a seamless transition between the work and personal computing environment. These include increased productivity, flexibility, and employee satisfaction, as well as a better level of service for clients.
The flip side of the BYOD equation is that it can create significant threats.
According to a recent BYOD in Law Firms report commissioned by Equinix, more than half of employees at firms across the Asia-Pacific are already using their personal devices for work, despite significant risks.
The report was based on interviews with IT decision-makers in law firms with more than 250 employees across Hong Kong, Singapore, Australia, Japan and China. It found that an overwhelming proportion of staff (80 percent) are accessing work email, legal documents, case matter documents and customer data on their personal phone.
Worryingly, legal IT departments are not safeguarding employee data, leading to over 60 percent of law firms facing network breaches and viruses.
The Benefits of BYOD Bring Significant Risk
Data security is the number one area of concern for law firms, with respondents scoring it on average at 4.2 on a scale of 1 (not important) to 5 (very important). This should come as no surprise given the danger to law firms and their employees associated with data, especially privileged client data, falling into the wrong hands.
Risks can come from any number of places: through devices being lost or stolen, through devices being connected to other devices or through unauthorised access by apps or services running on devices.
Due to the duty of care that lawyers owe to their clients to protect their information, the impact can be profound. This requirement is unrivalled in any other profession and extends beyond qualified lawyers to every member of the law firm or in-house practice teams, including support staff, consultants and locums.
While the details of legal professional privilege may differ from region to region, the penalties are generally just as severe. Failure to sustain adequate standards can result in litigation from clients, or actions against the individual or law firm concerned, which could even lead to revocation of a licence to practice law.
Other disadvantages of BYOD highlighted by law firms include a lack of control over the geographical location of confidential customer data and a lack of control over the dissemination of confidential customer data, both rating around 3.9 out of 5.
Compliance with local jurisdictions appears to be a top challenge across the board, with 39 percent of respondents rating it as very important. There was some correlation to the geography of respondents, indicating that this concern may depend on the likelihood or severity of sanctions in a particular country, such as Singapore for example.
Potential Risks Translate into Real-World Problems
Many of the potential disadvantages of BYOD practices have actually translated into real problems experienced by more than half of the firms surveyed. This is a shockingly high proportion, especially given the reticence that companies of any type usually express in relation to data breaches.
Perhaps most worryingly, half of the firms reported that either an individual or the firm had been exposed to criminal prosecution as a result of BYOD, with Hong Kong recording a slightly increased trend compared to other countries.
While not being a security breach per se, the duty of care relating to how documents are handled digitally is an area of increasing legislation around the globe. The common movement of case matter and other confidential material to personal devices can increase the possibility of a company falling foul of the law and being left open to prosecution.
What is clear from the survey is that virtually all of the issues faced are not country-specific, but are seen across them all. This raises the obvious question: what can law firms do to mitigate these problems and reduce their risk of being exposed to criminal prosecution.
A range of measures are possible. For example, in some jurisdictions, demonstrating indicative behaviours to achieve specific outcomes can help. This may include ensuring that the firm complies with its fiduciary duties in relation to confidentiality and disclosure. It may also mean outsourcing work only to providers who have taken all appropriate steps to ensure the safety of confidential information.
It does seem that law firms are experiencing problems that highlight the deficiencies in certain data security practices. This is particularly true for international law firms who work on highly confidential matters for large, international clients. A recent article in the New York Times, entitled “Law Firms Are Pressed on Security for Data,” described how some financial institutions are now asking law firms to fill in 60-page questionnaires detailing their cyber security measures, while others are doing on-site inspections.
Control Over Geographical Location of Confidential Customer Data
One aspect of BYOD in law firms that deserves closer examination is control over the geographic location of confidential customer data, such as case matter.
This came out as a top challenge in our survey, ranking alongside data loss as a key challenge when law firm employees use their own mobile devices for work. An overwhelming 88 percent of respondents ranked this as 4 or 5 out of 5 in terms of the size of the challenge.
The problem, of course, is that when an employee moves between jurisdictions, so too do their mobile devices and any data stored on them. This raises the question of whether, once in another jurisdiction, data then accessed via a mobile device in that jurisdiction has actually travelled to it. Given that any data displayed on a device’s screen must, almost by definition, have travelled to this new jurisdiction, it is a difficult area to defend.
The risk comes from the fact that many regulators and authorities in Asia have introduced new laws, regulations and compliance requirements in an attempt to decrease the security and data privacy risks associated with data hosted on servers and accessed from disparate locations.
According to a recent white paper issued by the Asia Cloud Computing Association (“ACCA”), the rapid rate of new legislation as countries attempt to keep up with technological developments is compounded by a lack of consistency across countries.
The ACCA paper notes that legal environments among Asian countries have significant differences, creating a huge challenge for those adopting cloud services and satisfying requirements across the multiple jurisdictions.
To take just a couple of examples, China has “strict and unclear restrictions on cross border data flow” and its “province level” regulations do not align with “globally accepted standards”, while Singapore’s regulatory regime is “business friendly” but has “minimal transparency in data access mechanisms.” In Hong Kong, the same issue is present as in Singapore, which means that “authorities are permitted to intercept communications”.
Thankfully, help is available for those firms trying to navigate the issue of data privacy across jurisdictions. For instance, the APEC Cross-Border Privacy Rules (the “CBPR”) are a relatively new development and operate where businesses submit their plans for governing data transfers to “accountability agents” that are responsible for assessing and ultimately certifying whether businesses meet the standards set out in the CBPR.
Measures in Place and Planned
Beyond these broad approaches, Equinix’s research indicates that law firms are taking a wide variety of specific precautions to protect the data stored on (and accessed from) personal mobile devices.
Password management is used almost across the board (eg, in almost 90 percent of law firms). In addition to securing their communications, many law firms are also taking steps to control the data itself, with three-quarters of law firms implementing automatic locks on data.
Indeed, the vast majority claim that they have technology in place to prevent loss of mobile data. However, only 65 percent have the ability to remotely wipe data from a mobile device that is lost, stolen, or perhaps belongs to an employee who has left the firm.
Law firms generally appear to recognise the issues raised by the BYOD revolution and are now trying to reach the same compliance standards as their customers. Of the respondents to the survey, 68 percent have a remote configuration policy, which in practice means that their employees have to comply with certain device requirements.
Two-thirds of law firms have also carried out an assessment of BYOD security threats. However, that means that at least one third of firms have not properly evaluated the risks they face.
Broadly speaking though, a wide range of other measures have been undertaken, with around half of firms surveyed noting they have implemented policies or contractual/user-based measures to safeguard sensitive data and control devices.
The trend to increase security measures is set to continue over the next 12 to 18 months, with 88 percent of law firms indicating that formulating a comprehensive mobility and BYOD strategy is clearly underway amongst large legal firms in this area and is a key priority.
BYOD is Here to Stay
BYOD is clearly here to stay. Particularly in law firms where the people demanding the mobility and flexibility it delivers are very often the partners who will be directing the priorities of the IT department. Understandably, IT departments are also seeking to control this burgeoning BYOD environment.
Addressing BYOD issues will be a balancing act between successfully aligning the goals and needs of employees with those of corporate integrity and client confidentiality. To minimize exposure to criminal investigations or security violations in storing, retrieving, and working with legal case information, law firms will need to continue driving company productivity and client satisfaction while adhering to the relevant local laws and maintaining corporate data security and client confidentiality.
There are considerable rewards for getting things right. Increased levels of service for clients flow naturally from increased flexibility. When a client needs legal advice, they often need it immediately, and mobile devices that provide access to the information systems at a law firm are the ideal tools to facilitate this level of service.
It is easy to see how employees who have more flexible work arrangements and offer increased levels of service to their clients will experience more job satisfaction and be more productive.
Clearly, law firms need to ensure that they can safely support employees who want to use their own personal devices for work-related tasks, as failing to do so could negatively impact productivity, employee satisfaction and by extension, client satisfaction, as the levels and quality of services received declines.