2013 Am Law Tech Survey: Firms' Data Security Fears Rise
Data security has become a top concern for law firm technology chiefs.
But it's not just cybercriminals spurring the law firms to batten down the hatches. "The short, glib answer is, clients are driving the heightened focus," says one CIO who asked not to be identified. "There is a lot of noise, especially out of the banking industry, about looking specifically at your law firms." Tougher regulatory frameworks, not just in finance but in sectors like health care, are causing clients to ask more questions about the security their firms do, and don't, have in place. "We're seeing a significant increase in client security questionnaires and on-site reviews," says another CIO, who asked not to be identified. "Many firms are [secured] pretty well, but clients may require certain things and firms may have to add systems."
Increasingly, these conversations are happening before engagements are won. "Now as part of the RFP process, you'll need to provide very detailed specifications on what you have in place," says Mayo. "It's becoming a factor in whether you will get the business." Nor is it only preventive measures that clients want to know about. "We'll get requests about our response plan in the event of a cyber-breach," says one CIO. "So [now] we have a cyber-response plan."
In the area of mobile technology, the survey shows widespread use of consumer smartphones, but reveals a much more tepid embrace of tablets. Just 8 percent of responding firms supply them to lawyers, the same figure as in 2012's survey. Nor are most lawyers bringing them in on their own. At nine out of 10 firms, less than half of the attorneys—and often far less than half—are using tablets. Given the burgeoning volume of law-related apps, blogs, and tech show seminars, that might raise some eyebrows.
But in follow-up interviews, survey respondents painted a jury-is-out picture for the tablet market. Current devices, they say, work far better for some lawyers than others. Those who consume content—reading PDFs, performing research, reviewing documents—tend to gravitate towards tablets. Those who primarily create content—writing and editing memos, for example—tend to stick with their laptops. Indeed, the ever-shrinking profile and poundage of business laptops has made them nearly as portable as tablets. So perhaps it isn't surprising that when it comes to their next hardware refresh, the most popular strategy is to deploy laptops only, with 38 percent of firms planning to do so (up from 35 percent last year). Desktop-only and desktop-and-tablet strategies tied for second, with 21 percent of firms each, with the laptop-tablet model following at 20 percent.
This means that nearly 60 percent of law firms have no plans to issue tablets firmwide in the foreseeable future. One of those firms is Gibson, Dunn & Crutcher, which has instead deployed Lenovo X1 and Apple Macbook Air laptops. "They're lightweight, they're fast, they have the capacity to support all [of our] applications and security parameters," says Brett Fazio, Gibson Dunn's chief information officer. In other words, the new generation of ultra-light laptops get everything right—something that has so far eluded every type of tablet. "For creating and editing documents, I don't know that the iPad is there yet," Fazio says. "The Surface Pro ["Surface Appeal," February 2013] comes close with the full suite of Office . . . but our testers say the weight is the same [as the X1 and Macbook Air laptops] and it doesn't run as many applications. At this time, we will support tablets but not issue them as default equipment."
Nor are firms quite ready to fully embrace cloud computing. Here, the story is familiar, little changed from last year, or the year before that. While more than two-thirds of responding firms (69 percent) are using hosted solutions in some fashion, few are trusting them with their most sensitive information. Just 12 percent use the cloud for storage, and a mere 5 percent use it for document management (numbers that were close to last year's results). Where are firms using the cloud? E-discovery and litigation support (with 62 percent of responding firms) and human resources (56 percent) were the most common uses.
Once again, the biggest worry about the cloud was security. Yet while 68 percent of responding firms cited it as a concern last year, 92 percent did so this year. On one hand, the bump meshes with firms' heightened focus on security. On the other hand, it contrasts with the burgeoning popularity of the cloud in other sectors, not to mention the idea—embraced by many consultants and cloud users—that a provider that lives and breathes technology can be a lot more effective in keeping systems secure than a law firm can. "It's really an issue of control," says Brett Burney, founder of Burney Consultants, which provides technology-related services to corporate executives and legal professionals. "The cloud isn't just magic and smoke; data is in a physical location, highly secured, with redundant backups. But law firms want to be able to say that the data a client entrusted to it is on their server, in their office—not on a server they can't even tell you where it is. They just can't get comfortable with that."
That wariness is unlikely to disappear soon. The cloud may offer efficiencies, but in an environment where clients are asking more about law firm IT, and even coming on site to kick the tires, it can also add complexity. "Clients will ask if you store their data on a third-party server and if you do, what security provisions you have with them," says Fazio. This means that a firm has to ask prospective providers tough questions—and it may not get the answers it needs. "In some cases, public cloud providers won't offer a formal nondisclosure agreement or a guarantee about what happens if there is litigation that involves data on their systems," says Fazio.
Perhaps it isn't security per se that is holding back the cloud, but those old demons long familiar to lawyers: vagueness and ambiguity. For many firms, there just isn't enough clarity, or certainty, about how cloud providers operate. "What happens if I switch vendors?" asks one CIO. "How do I get my data back and off their systems? I get stuck in the contractual language every time." The cloud would be cheaper for the firm, he notes, than running the systems itself and paying for all the real estate they take up. "But in the end," he says, "I just throw up my hands."
Contributing editor Alan Cohen writes about law firms and technology.