Cyber Security for Lawyers: Inspirations from the UK
Information Technology (IT) has transformed how industries function and how businesses are run, and the judiciary and the legal profession are no exceptions to this paradigm shift. This article is part of our series on Cyber Security for Lawyers, through which we aim to initiate a discussion on why cyber security is important for lawyers and to suggest best practices for modern-day legal professionals in India. In this article, we draw best practices and inspiration from the United Kingdom (UK).
The Information Technology Panel of the General Council of the Bar has prepared a guidance document to assist barristers in maintaining a reasonable level of information security for protecting client information. Last reviewed in July 2019, this document is not legally binding on any barrister; however, it prescribes a series of good security practices under various heads which should be followed as a minimum.
Background
As per the handbook published by the Bar Standards Board (BSB), a barrister is
- Responsible for protecting the confidentiality of each client’s affairs, except for such disclosures as are required or permitted by law or to which your client gives informed consent (rC15.5)
- Responsible for taking reasonable steps to ensure that proper arrangements are made for ensuring the confidentiality of clients’ affairs (rC89.5)
At gC134, the BSB handbook sets out the following requirements to fulfil the obligation under rC89.5:
- Implementing and enforcing adequate procedures for the purpose of protecting confidential information,
- Complying with data protection obligations imposed by law,
- Taking reasonable steps to ensure that anyone who has access to such information or data in the course of their work must comply with these obligations, and
- Taking into account any further guidance on confidentiality which is available on the BSB handbook.
Barristers working for Government departments/agencies are required to comply with the Attorney General’s Guidelines on Information Security and Government Work. For the purpose of our discussion in this article, data protection laws include the General Data Protection Regulation (GDPR) and the UK’s Data Protection Act of 2018.
Good Security Practices
Recommended security practices across various heads are elaborated below:
1. Receipt and handling of physical confidential material
- Should not be kept in a position where it might be read by any other person entering the room
- Should not either be worked on or read in a public place where others can overlook it
- Should be stored in a secure place to which the barrister has regular access
- Should be moved securely and should not be left unattended during travel
2. Material taken to court
As representatives of the parties, barristers are in the role of data controllers for the parties' copies of court papers, documents provided for the use of witnesses, and any document supplied earlier for the exclusive use of the court. All such documents must be removed immediately after a hearing ends. If court papers containing sensitive personal data are left unattended in a court or court building, this may constitute a data breach that has to be reported under the applicable data protection laws.
3. Physical security of electronic devices
A barrister must take appropriate steps to ensure the physical safety of PCs, laptops, tablets, PDAs, smartphones, and USB drives containing confidential data. Recommended practices are:
- Devices should not be left unattended in a car overnight or at a public place.
- Devices used for professional purposes should be kept and used in such a manner that their screens cannot be overlooked.
4. Laptops and other portable devices
Losing confidential data stored on devices and removable storage is a violation of the BSB handbook as well as the applicable data protection laws. It is recommended to minimise the confidential data stored on removable storage devices (refer to data minimisation in Article 5.1(c) of GDPR).
5. Electronic security and encryption
A barrister should process personal data in a manner that ensures its security, including protection against unauthorised/unlawful processing and accidental loss, damage, or destruction (refer to integrity and confidentiality in Articles 5.1(f) and 32 of GDPR). Similar precautions should be adopted with respect to confidential client data that does not fall under the definition of personal data. Encryption and pseudonymisation are recommended safeguards. The good security practices prescribed are:
- Perform regular scans for malware and keep software and applications up to date.
- Avoid clicking on links in emails or downloading attachments/files from sources you do not know or trust.
- Phishing emails can also be fabricated to appear to come from a colleague or a client.
- Set up a secure password for PCs, laptops, tablets, smartphones, and other such devices.
- Change the default passwords.
- Use different passwords for different services and devices.
- Biometric technologies (fingerprint/facial recognition) are acceptable alternatives to passwords.
- Take regular back-ups of information stored electronically. Back-up media used for confidential data should be locked away and disconnected from the main network when not in use. If back-ups are taken to the cloud, point-in-time recovery should be possible.
- Devices used at home to access confidential data must be protected from unauthorised/unrestricted access by third parties.
- Personal information or confidential data stored on any device should be in encrypted form. Encryption is necessary even on devices that are already password-protected. Whole-disk encryption should be preferred over encrypting particular folders.
- Any code, password, or device to be used for emergency recovery of encrypted data should be stored in a reasonably secure manner.
6. Communication
- Encrypted email communication should be used. A barrister can agree with the client about what encryption to use.
- The password required to decrypt an attachment should not be sent in the same email as the attachment.
- Caution is advised while using CC and BCC features for sending confidential data.
- If a barrister is able to access their emails across devices, all such devices should be password-protected and encrypted.
- Lists of previously used phone numbers, email addresses, and fax numbers should be maintained and kept up to date.
- Connecting to public or unencrypted access points should be avoided.
- A barrister should not make their computer detectable by others on the network.
Barristers should also exercise caution while selecting an email service provider, as the data protection laws restrict the transfer of personal data to countries outside the European Economic Area (EEA) which do not provide an adequate level of security. It is recommended to choose a service provider that offers data storage facilities within the EEA.
7. Cloud Computing
Barristers using cloud services should ensure that their selected service providers have sufficient safeguards in relation to confidentiality, security, reliability, availability, and data selection procedures. Similar to what is recommended for email service providers, service providers based in the EEA should be preferred. Irrespective of whether a cloud service provider encrypts files or not, barristers should consider encrypting data themselves before it is uploaded to the cloud.
8. Fax Security
- Consider whether there is a more appropriate means to send the information, e.g., a courier service or email.
- Double-check the fax number to which the fax is to be sent.
- Inform the sender not to leave the fax unattended in an open office space.
- If the fax contains highly sensitive information, confirm with the recipient that the fax machine has sufficient paper and that someone is ready to receive the fax.
- Use a cover sheet to highlight the intended recipient and confidentiality.
- Call the recipient to ensure that the entire document has been received.
9. Chamber Matters
- There should be an information risk policy in place to safeguard the information within chambers.
- A barrister should take reasonable steps to ensure the reliability of IT and other staff who have access to IT systems.
- All the individuals associated with a chamber, including barristers, pupils, and other staff, should be given training on the importance of information security.
- There should be a procedure in place for reporting any loss of electronic media or papers containing confidential data. When a loss/theft occurs, the client and, if required, the police should be informed immediately.
- Every chamber should maintain a log of devices where confidential data is stored, along with serial numbers and details about the encryption software installed on those devices.
10. Outsourcing
When a chamber outsources certain services to a third party, the outsourcing arrangement does not alter the chamber's obligations to the client. The chamber/barrister remains responsible for complying with the relevant obligations. The outsourcing arrangement should be governed by a contract under which the service provider
- is subject to the same confidentiality obligations as the chamber/barrister,
- processes any personal data under the instructions received from the chamber/barrister
- is required to allow BSB or its agents to obtain information or inspect the records concerning the outsourcing arrangement, and
- processes any personal data under the outsourcing arrangement in a manner compliant with the applicable data protection laws.
Such service providers processing personal data on a barrister's behalf will be considered data processors, and a contract meeting the requirements of Article 28 of GDPR should be in place.
11. Disposal
- Data protection laws require that personal data should not be retained for longer than it is needed. However, this may be seven years or more for case files.
- Data retention, review, and deletion schedules should be set up in chambers. For a chamber having multiple barristers, the chamber will be a data processor while the barristers will be data controllers.
- Individual barristers will need to implement data retention, review, and deletion on their own IT systems.
- There should be a procedure in place for secure disposal of confidential data and electronic media such as CD-ROMs and hard drives.
The guidance document specifies that mere deletion of files, single-pass overwriting, or rewriting the disk are not effective ways to dispose of confidential data stored on electronic media. Barristers should use recognised methods to put the data beyond recovery.
12. Data Breaches
- If a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, it must be reported to the Information Commissioner’s Office (ICO).
- The ICO must be informed within 72 hours after a chamber/barrister becomes aware of a personal data breach.
- If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, it must also be communicated to data subjects without undue delay.
Ending Notes
Though this guideline is not mandatory in nature, it appears to be a good starting point for incorporating good security practices into the delivery of legal services. In several instances, we have seen that the relevant data protection laws apply to barristers/chambers in the same manner as they would apply to any other organisation. Whether or not a barrister or chamber adopts these practices, compliance with GDPR and the UK DPA (2018) is unavoidable. With India's data protection law currently before Parliament, it will be interesting to see how our data protection law will be interpreted for lawyers and legal professionals in India.
An initial draft of this article was prepared by Akshara P. Kamath, an undergraduate student at Symbiosis Law School, Hyderabad, during her internship with The Cyber Blog India in June/July 2020.
With inputs from Raj Pagariya.
Featured Image Credits: Job vector created by stories – www.freepik.com