To understand the importance of digital trust, particularly in the legal world, one doesn’t have to look far. Recent history is littered with examples of what can go wrong if that trust is misplaced. The most famous being the massive data breaches suffered by the Panamanian law firm Mossack Fonseca and the offshore firm Appleby, which respectively led to the Panama and Paradise Papers scandals. In the case of Mossack Fonseca, which announced its closure in March, the reputational damage was fatal. The firm’s sobering fate will have prompted plenty of in-house and private practice lawyers to reassess how they harness and protect their digital data. Given the consequences when things go wrong, for them to sleep well at night would require a huge amount of trust. Not just in the internal employees and external collaborators who have direct access to the data, but also in the technology put in place to protect that data, and the people who are developing and managing that technology. Digital trust on that scale requires careful management.
In order to gauge how the legal market is approaching the all-important issue of Digital Trust, The In-House Lawyer teamed up with Safelink Data Rooms to survey over 50 key individuals within the industry, including general counsel, chief technology officers and leading IT decision makers. The findings show that while many respondents have confidence in the strategies they are implementing, there is still plenty of room for improvement, particularly when it comes to external collaboration. Of the respondents, only 61% had a formal Digital Trust Management Policy (DTMP) for both internal and external collaboration. And while 76% of respondents acknowledge that it is important to have a DTMP in place, a worrying 24% claim they don’t understand the implications and consequences of not having one.
‘If you don’t have a framework that enables you to trust things are being done appropriately, then the consequences are dire,’ says Harry Boxall, a director at Safelink Data Rooms. ‘It’s not just the compliance and security risk, but the breakdown in supply chain implications, and the implications for your brand if they don’t work. People say they have a policy, but for what? Who does it include and how far down the supply chain does it go?’
A company might have the best processes in place, but they won’t count for much if their external collaborators aren’t holding up their end of the bargain. Worryingly for in-house legal departments, the survey exposes the fact that law firms are far less confident about their own digital trust management than their clients. 32% of law firm respondents said they couldn’t confidently tell their internal stakeholders that they were covered for key digital trust issues, such as GDPR. The same divergence occurs when it comes to DTMPs for external collaboration. Only 59% of law firms have policies in place for external collaborators, compared to 94% of in house legal departments surveyed. In spite of this, in house legal departments are generally more confident in their external collaborators than law firms (76% compared to 62%), which raises the question of whether this confidence is misplaced.
Rob Booth, general counsel and company secretary at The Crown Estate, feels that the largest law firms are heading in the right direction.
‘Two years ago, I would have had a pretty patchy response back from the law firms with regard to how they manage their data and what protections they have in place,’ says Booth, who is also The Crown Estate’s ‘senior information risk owner’. ‘I talk to firms now and I get a pretty sophisticated response back. At the very top end, the bigger commercial firms we work with have better information security systems in place than we do, which is very comforting. Over the last year there has been a real improvement at the top end, which might slightly be driven by Mossack Fonseca or the Paradise Papers. Sometimes you need a crisis to catalyse change. Anecdotally, I understand it can still be quite patchy with some of the smaller firms.’
When it comes to the shortfalls, the problems are typically cultural ones, rather than technological ones.
‘Most law firms will mandate that partners can’t use certain file sharing websites because they aren’t secure and they’re a terrible break point, yet they all will because they are partners and think they can do what they like,’ says Dan Brown, an independent technology consultant. ‘The best practices aren’t being implemented. Because law firms tend to be run by the people who own them, they are always trying to cut corners because of their budgets. If you look at transactions between big corporates and banks, law firms are the weakest links, and they are made worse by partners who will continue to utilise certain programs as part of external collaboration tools.’
The human factor
One thing that most can agree on is that an organisation should establish a solid foundation of responsible human behaviour before it invests in the latest IT software. Spending millions of pounds on the finest firewall won’t get you far if the finance director leaves their laptop on a train.
‘It’s very much a culture first, tech second approach,’ says Booth. ‘The vast majority of best practice for us comes out of having a well-educated and engaged workforce who are alive to the requirements, the issues and the threats that can be thrown in our direction.’
Figuring out the most important stakeholders is also vital, as this can vary from organisation to organisation.
‘For a lot of organisations that aren’t acting in a sensitive space, the HR team will hold some of your most sensitive information, so working closely with them is a sensible thing to do. Then we’re looking at the physical security side too, because walking into a building and stealing information is often more easy than hacking the IT,’ says Booth, who applies similar considerations to his external collaborators. ‘One thing to look for is how professional the organisation is with regard to where it leaves its information. Do people leave their computers on their desks, do people carry sensitive papers around? You can get a sense of how seriously an organisation takes it by watching the little things.’
Once an organisation has its internal culture in order, then it can start investigating the best ways in which it can harness and protect its digital data. One obvious issue here is that data and technology have always been locked in a game of digital leapfrog, and this is never likely to change. Today’s technology cannot necessarily be trusted to protect the data of tomorrow. Equally, technological advances will bring about new types of data and new ways to access it, both legally and illegally. This is why a forward-looking management policy is crucial, as it forces you to look beyond the protections you currently have in place.
‘A big part of the discussion isn’t necessarily in the here and now, it’s about finding the skills gaps and managing the trust issues that will arise in the coming years,’ says Brown. ‘Have you seriously considered the impact of some of this next generation technology and how it will impact your trust and security considerations? This is an evolving issue that needs much more consideration than uploading a new program.’
The preference for many clients now is that they establish their own ecosystem for collaboration that remains under their control.
Law firms and other external entities will then have to fit in accordingly, rather than the other way around. This is becoming easier to achieve than it was in the past, as the providers of data storage and collaboration tools become more adaptable.
‘We’re seeing a more collaborative approach between the tech providers, so that widget X can speak to widget Y and widget Z,’ says Booth. ‘A material part of what we look for is compatability with other systems.’
If that compatability exists, then client organisations, and their respective law firms, can achieve much greater efficiency.
‘It’s not about doing more with less, it’s just about doing less,’ says Boxall. ‘It’s about finding how to take some of the inefficient processes that exist within the department and automating those. For large organisations, being able to do that and being able to reduce the reliance on external parties is a huge thing. What they really need are technologies to enable it, and, more importantly, they need the time to map out what these processes look like.’
Ultimately, it is only when an organisation understands and regularly engages with those processes, both at the digital and the human level, that it can learn how to trust them.
Do you have an understanding of the implications and consequences of not having a Digital Trust Management Policy and supporting processes?
Yes: 76% (In-house legal departments 88%, law firms 71%)
No: 24% (In-house legal departments 12%, law firms 29%)
Do you have a Digital Trust Management Policy for internal and external collaboration and communication?
Law firms with a DTMP for external collaboration: 59%
In-house legal departments with a DTMP for external collaboration: 94%