In-house counsel and IT directors at tech companies are facing tough challenges in balancing data protection compliance and responding to increasing pressure from law enforcement agencies for access to data without compromising security or consumer confidence.

One of the reasons for this is the introduction of new data protection regulation in 2016, including the Privacy Shield agreement following the dissolution of Safe Harbor and the confirmation of the forthcoming EU General Data Protection Regulation (GDPR).

GDPR has been anticipated for the past three years. However, the Regulation was only finalised in 2016, giving companies just two years until the GDPR is enforced in May 2018.

The main points of interest are:

• Increased fines for breaches of the GDPR, up to 4% of the annual global turnover
• A “Privacy by design” provision requires that data protection is designed into business services. Measures to protect data must be taken from the start of client engagement with clients.
• Explicit consent must be obtained for the collection and processing of data. Contracts with clients should include a section on consent.
• Multinational companies working across the EU will be required to appoint an independent Data Protection Office. This will be a challenging role to fulfil given the breadth of knowledge required to manage both IT systems and be familiar with the legal aspects of the GDPR.
• International companies based outside the EU, but which hold data inside the EU, will be subject to these regulations.
• “Right to erasure”. A client has the right to request the erasing of personal data. Organisations need to take steps to understand how easily and cost-effectively they can comply with these requests.

In addition to this, companies transferring data between the United States and the EU will now be subject to the recently-agreed Privacy Shield arrangement.  The basis for the agreement is centred on the following 7 privacy principles[i]:

• Notice
• Choice
• Accountability for Onward Transfer
• Security
• Data Integrity and Purpose Limitation
• Access
• Recourse Enforcement and Liability

In addition to these principles, the EU-US Privacy Shield will:

• Introduce an Ombudsman to investigate any complaints regarding access to data by US Intelligence agencies
• Conduct a joint annual review by the European Union and Department of Commerce of the program

Although many of the changes in data protection law have been in response to technological developments such as social media, the European Commission has also taken a consumerist focus, commenting that privacy is a key concern for its citizens and as such, legislation such as the GDPR takes this into account.

Equally, Safe Harbor was dissolved due to action by a Maximilian Schrems, a private citizen, who had concerns over the way data belonging to EU citizens was being handled. This background, as well as the need for regulatory compliance perhaps explains why companies have been resistant to comply with growing pressure from law enforcement.

The FBI v Tech providers

In 2015 and 2016, Apple received and challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789. Most of these sought to compel Apple to assist with extracting data from locked iPhones in order to assist in criminal investigations and prosecutions. A few requests, however, involved devices with more extensive security protections that would require Apple to write ‘back door’ software to allow the government to directly access data.

Many commentators have been sceptical that the FBI needed to take Apple to court and that they have the technical know-how to extract data from these devices without assistance. Some privacy advocacy groups believe these court cases are not about technology but establishing a legal precedence for wider access/surveillance.

A number of organisations such as Whatsapp, the online messaging service, have responded to this climate by introducing end-to-end encryption to increase users’ privacy and security. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network.

In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo or video travelling through its network. Like Apple, WhatsApp is, potentially, blocking law enforcement agencies, but is doing so on a larger scale than Apple, as WhatsApp is used on one billion devices including iPhones, Android, Windows, and even older Nokia phones.

Although third party forensic specialists can now decrypt Whatsapp messages, it is likely that this will result in Whatsapp retaliating with further security updates. This effectively creates a vicious cycle of encryption and decryption.

This places in-house counsel in a difficult position, caught in the middle of these conflicting demands On the one hand, they must ensure that their business practices meet the privacy requirements of regulators such as the European Commission and the standards demanded by their consumers. But equally, agencies such as the FBI have been putting increased pressure on companies to comply with their demands.

Companies with a low risk from law enforcement cases may opt to focus on ensuring they comply with all relevant data protection legislation. If a company does operate within a sphere that could attract the attention of the FBI and other enforcement agencies, (e.g. communications, social media), then this is a delicate subject and one on which the company should seek expert legal advice. However, one potential resolution is cooperating with the enforcement agency to provide the information they seek via other channels and techniques.

As devices become more connected, it can be possible to access the required data from another device. For example, rather than examining a phone, an investigator could look at a computer (which might feature backups) or the Cloud.

Many people backup their phones on a computer. Investigators are then able to recover this data via taking an imprint of the computer’s hard drive and using forensics methods to search within the back up. This approach can often yield the following data types:

• Emails
• Photographs
• Chat transcripts from apps such as Whatsapp
• Notes

If a case requires emails or other kinds of unstructured data such as chat records, a wider net can be cast by including correspondents in the search for data.  Ediscovery technology can sift through huge sets of unstructured data such as emails, instant messenger and techniques such as predictive coding mean what could be a time consuming exercise can be completely relatively efficiently.

By looking at the iPhone owner’s network of contacts, any incriminating evidence could be gained from data owned by the receiver rather than the original custodian. Ediscovery technology is especially suited to this kind of exercise as trained users can run searches for keywords and suspected code words which may be missed if someone simply reads the emails sequentially.

For suspected fraud, it may be possible to isolate patterns from available financial data using data visualisation tools. Data analytics specialists can take large sets of structured data (e.g. spreadsheets, data held in relational data bases) and find previously unseen abnormalities that can be pinpointed to specific individuals. This evidence can then be used alongside other data to build a case.

Conclusion

2017 is unlikely to see a dilution in the tension between security and data privacy. The UK’s decision to leave the EU and the Prime Minister’s announcement that Article 50 will be invoked in March may even have the effect of complicating the situation still further. However, from a lawyer’s point of view, the ability to identify and report on a wide range of data sources using intelligent technology will only become more important across the board.

[i] https://www.privacyshield.gov/EU-US-Framework

The legal industry faces a number of marketing challenges. Setting your firm apart, doing something interesting or innovative, or finding ways to engage current and potential clients is tough in the law business. But, legal marketing doesn’t have to be “boring” or uninteresting, and there are a number of nifty marketing tools that will not only make your legal practice stand out for the right reasons, it will make the marketing of your firm faster, simpler and far more effective.

At leading legal marketing firm, The Eisen Agency, we thrive on being successful leaders in today’s fast moving global marketplace, and have the time, energy and expertise to focus on individual industries and great marketing tools to marry those strategically and tactically to the benefit of our clientele. Each of our executive’s knowledge and expertise span across a wide variety of industries – from travel to accounting – so our team’s expertise is our client’s advantage. Here are five cool tools every legal marketing rock star needs to understand in 2016.

1. Buffer

This simple analytics platform is the best way to decrease social media time, increase engagement and drive traffic to your organization’s website. This interface allows you to share content across multiple social media platforms and accounts. Buffer uses data specific to the legal industry to analyze and distribute your published post during the best times of the day. The platform also allows you to add photos and videos or use their new tool, Pablo to visualize your post. Pablo creates social media images, allowing users to choose different templates and fonts. So, save yourself a few hours each week and purchase Buffer.

Buffer saves legal marketers time by housing their social media accounts.

2. Scoop.it

Scoop.it allows businesses and professionals to discover, curate and publish a wide array of content to increase visibility and drive visitors to their website. This platform not only allows you to collect articles on specific content, but search millions of users and topic boards related to the legal industry. And, this tool integrates with Facebook and Twitter, sharing
your curated content with the click of your mouse.

With Scoop.it legal marketers can share and create curated content.

3. Klear

Klear is a social intelligence platform that serves as a sophisticated influencer search engine. This platform can connect you to the right people around the world and become a very successful networking tool. It will also analyze your engagement, performance, benchmark your landscape and provide insight so you can stay ahead of the curve.

Klear connects legal marketers to influential leaders.

4. Canva

Producing engaging content and producing it consistently are two large obstacles when it comes to implementing a marketing plan effectively. If you are looking for an easy-to-use tool, loaded with features to create visually engaging content to share with your audience, you have found it. From magazine covers to social media ads, Canva has you covered.

Canva allows legal marketers to produce visually engaging content.

5. Lexicata

Lexicata allows legal marketers to analyze customer’s data.

This platform serves as a hybrid between a customer relationship management and client intake software. It allows legal marketers to capture and intake lead information, sign and create documents, and track your progress until the deal is closed. Lexicata also integrates with the favored cloud-based software for lawyers, Clio, making this platform a valuable asset to your organization.

And, while this is by no means an exhaustive list of every “cool” tool out there, it’s a good sampling of some of the whiz bang tools our team uses to the advantage of our clientele. As in in house marketing executive or small business owner, having an outside agency that is dedicated to constantly finding better ways to share your message and grow your business efficiently is a tremendous competitive advantage. Just like having your law firm, our team can comprise a specific strategy and tactical plan to assist in your growth.

https://www.canva.com

Most law firms believe the challenges they face set them apart from the industry at large – and this is largely correct.

The phrase ‘time is money’ perhaps doesn’t ring as true for other businesses as it does for the legal sector.  When every minute is clocked, it is important that business processes run smoothly and therefore, security controls in legal organisations need to be effective, yet lightweight as not to adversely impact the day to day running of the practice.

A further element is that often law firms are asked by key clients and prospects (particularly in finance) to implement specific security controls to achieve assurance or compliance. Rather than being helpful, this presents a significant problem, as the required controls are procured with no understanding of the specific attack paths and threat actor methodologies covered. At best, this is a budget spent to enable a firm to win business. At worst, it gives a false sense of security.

While the challenges may be different the reality is the same. In the world of information security, compromises are inevitable.

Effective detection controls

Legal firms need to face the fact that determined attackers will eventually get in.

It may be because of a vulnerability in the network perimeter, maybe a zero-day exploit, or a combination of phishing emails carrying custom malware and social engineering or maybe even through gaining physical access.

However, a single compromise doesn’t equate to game over for the organisation. With an understanding of the motivation and capability of the probable threat actors (as detailed in the first article in this series) effective detection controls can be chosen and deployed.

Here are five common compromise indicators and controls:

Phishing: Filtering email content may provide clues of an attack against the firm. For example, Sender ID or Sender Policy Framework (SPF) can be used to check for spoofed emails. Email content can also be inspected to look for typical phishing patterns and, in particular, for links and attachments. Such links and attachments can be automatically analysed within sandboxes to see if they expose suspicious behaviour and can be stopped before reaching the end user.

Anomaly analysis: In an organisation the majority of endpoints will have similar programs starting at boot time. By looking across the organisation to find the one or two computers that are starting something in addition to what all the others are starting, organisations might be able to spot malware for which no signatures exist.

Suspicious patterns: Look for connections to, or even from, odd places or at odd times; also be aware of any unusual user-agents in the proxy logs. A large number of failed logins to a server may indicate a brute force attempt.

Lateral movement: Behaviour to watch for includes suspicious Windows logon events, new services being installed, tasks being scheduled, and remote execution with legitimate Windows tools. All of these will be recorded in typical Windows event logs.

Data Exfiltration: There are several options an attacker might employ to exfiltrate data, from the basic (uploading files to webmail), to the advanced (DNS tunnelling), depending on the security controls in place. As part of this, volume based analysis can be particularly powerful as well. For example large unexpected transfers of data between hosts may indicate aggregation of files prior to an exfiltration.

Early detection is key

The ability to detect an attack largely depends upon two critical factors; first, having the right data available, and second, actually looking at it. Most organisations that fall victim to network intrusions have the evidence of compromise sitting in their logs all along, but the problem is that often nobody reviews logs until an incident occurs.

There is a choice when it comes to the output from a security control. It could be an unfiltered list of log events that require further manual investigation by in-house staff; or it could first be filtered to remove false positives, so that the only output is a confirmed security incident needing an immediate response. Law firms tend to prefer the latter category unless they have a large and hands-on security team, and that needs to change.

The application of prevention and hardening measures combined with effective intrusion detection and incident response can slow attackers down, forcing them down known paths and essentially making them ‘noisy’ and more easily caught.

Data exfiltration detection is too late

However, if you rely on the detection of data exfiltration alone, then you have already lost.

It is too late in the process to instigate an effective response and the costs of cleanup will be exponentially greater than if the initial compromise is detected as it occurs.

Furthermore, an advanced attacker will employ a stealthy exfiltration method to bypass security controls during this phase. Detection controls should be focused as early in the process as possible.

The best way to combat cyber threats is through 24/7 attack detection and response, which is capable of revealing the initial compromise early enough in the breach process and before any kind of control channel is opened to the attacker. Harking back to the motivations of attackers, it’s also imperative for legal firms to choose effective detection controls with an understanding of the motivation and capability of the probable threat actors.

The earlier the detection, the better chance the company has at making a full recovery and saving itself a lot of time, money and reputational damage in the process.

Countercept has written a whitepaper detailing how cyber security in law firms is misunderstood – and what can be done about it. This can be downloaded from: mwr.to/legalwhitepaper

The legal sector is currently in a state of flux. Research[1] has shown law firms are aware technology must be embraced to meet their full growth potential but very few have taken the plunge and tackled this issue head on.

It’s worrying there are legal firms which haven’t realised the benefit of embracing the latest technological advances, especially when 24 per cent of legal professionals cite enhancing operational efficiencies as a main priority. Due to the vast amount of rules and regulations in place within the sector, lawyers can spend days at a time completing admin, rather than adding value to their clients and the company as a whole. Updating the technology used to complete these tasks is now becoming critical to the future success of the business.

Recent statistics show 74 per cent of legal firms plan on investing in new technology to address business and IT challenges over the next two years. Such investment has the potential to turn the hard work already in place within the sector into increased business growth. However, to do so law firms must implement technology with these growth goals in mind to ensure they achieve the greatest return possible.

Building a legacy

The first step is to take stock of the technology used within a law firm and ask if it is truly fit for purpose. Systems that only meet the bare minimum requirements to carry out a task may seem perfectly viable, but legal professionals may be doing themselves and their clients a disservice due to time wasted using inefficient systems. This is shown by a staggering 42 per cent of law firms stating their business growth plans are hampered by the legacy IT systems they have in place. Clearly, investment must be made to remedy this issue, even by firms aiming to keep expenditure low to increase profit margins.

When looking at investment, it’s clear there is a fine line between smart financial planning and removing funding from key arms of the business. Investing in new technology is the perfect example – many budget holders will be more interested in spending on recruitment to facilitate new business goals, which in turn can drive growth. However, if the technology used is hampering productivity, the business is setting itself up for failure as clients may look elsewhere for firms which offer more competitive service level agreements.

Legacy hardware will be slow running, while legacy software will fail to integrate to any new industry services or applications; from free digital storage to the latest database management tools. The time dedicated to research ahead of trials, communication with clients and even powering up hardware is exacerbated. Additional minutes spent on individual tasks quickly add up and equate to time wasted, which could be spent adding value to the business.

Every Cloud has a silver lining

Legacy hardware is relatively easy to replace but for law firms to remain competitive, they must update their technology to ensure their services continue to evolve. Lawyer’s today may need to access trial-critical documents on the move, rather than just from the office. This is why it’s so important law firms securely embrace Cloud computing and mobile devices to ensure the workforce is working as smartly as possible. If lawyers are spending tens of hours every week out of the office, accessibility to an office server becomes an essential part of their armoury.

Growing a firm with a Cloud-based infrastructure ensures lawyers can easily work on upcoming cases securely while travelling. If technology is utilised well, the ability to work from any location with an internet connection will see law firm productivity increase noticeably.

The law firm’s IT team will also have a clearer view over the entire system, as updates can be efficiently deployed over a Cloud infrastructure, rather than tackling devices separately. There is absolute peace of mind that each and every corporate device, whether it be a desktop, laptop, tablet or smartphone, will be secure and users have access to business critical files and applications. The IT team can then invest its time in adding value to the business, rather than constantly fighting against issues caused by legacy systems.

Embracing new technology

Once a law firm has embraced the Cloud, it is in a position to build on its competitive advantage. Productivity gains will be clear once a remote server is available, but applying emerging technology on top of this will further increase business efficiency.

An example of this is the AI technology which is revolutionising the way lawyers research into previous cases and legal precedents ahead of trials. Traditionally this saw lawyers spending hours pouring over text books and journals with very little steer as to where the information they need is located. New technology enables lawyers to simply type a question into an app and the required information will be available in a matter of seconds. Reducing the research process from days to hours or potentially even minutes is having a vast impact on legal firms which have already adopted this technology, enabling them to take on more cases and increase the scale of their growth plans. The competitive advantage which can be gained through technology will then become apparent.

The UK’s legal firms are at a pivotal fork in the road, down one path are mediocrity and a continued reliance on legacy IT and age-old processes, while the other path increases productivity and facilitates business growth. Clearly, the time has come to invest in technology and revolutionise the legal sector for the better. Those who fail to do so will be left behind by their competitors and quite simply won’t survive to tell the tale.

[1] Legal sector & IT challenges – is it time for strategic change? (2016)

As technology has become embedded in our daily lives and society has become more fast paced, our expectations on service and responsiveness have changed dramatically. In a world where customers now expect businesses to respond to their emails in just one hour[1], it’s essential that companies are evolving their offer to stay relevant, gain competitive advantage and survive in the ever-changing marketplace.

For businesses to stay in touch with with customers and clients, they should be innovative and always be on the search for ways to revolutionise. However, not all industries have the same experience with change, and innovation may not come quite as naturally to some as it does to others: unfortunately, the legal sector is one of those industries.

For a long time, legal firms have had a set way of working. Believe it or not, there are still many practices with mainly paper-based filing systems. Working to the adage, ‘if it ain’t broke, don’t fix it’, many in our sector have remained profitable and successful without a focus on change or innovation.

The winds of change

But the pace of technological change in our society has never been so dramatic. At the same time, seismic regulatory shifts in the legal sector are also forcing decades of the ‘business as usual’ approach to be torn up. Now, we have reached a point where it’s critical, if not acutely necessary, that our industry sits up and takes notice.

As changes such as the Jackson reforms make the reliance on claims marketing firms to deliver new leads much more difficult and fixed fees cause firms to balance efficiencies and quality of service, the legal sector is being forced to adopt a more business-minded mentality. In line with this movement, leading lawyers are looking to digital technology as a means to improve processes and practices, be more commercially focused and give clients the customer experience that is expected from an established service based industry.

The case for improved case management

In the main, the legal sector has continued to cling on to increasingly out-dated systems to conduct key day-to-day activities. However, by improving working methods in these areas, and especially those that account for the lion’s share of a lawyer’s time, firms will see a major difference in their efficiencies and capacity. Case management is one prime example.

Historically, a lot of time was absorbed by lawyers manually searching through endless piles of paperwork or waiting for members of staff to come back into the office to get an update on a case. And while computerised case management systems have taken the place of these antiquated practices, many of the programs currently adopted by firms still aren’t fit for purpose or reflective of today’s needs.

With these ‘off-the-peg’ solutions, instead of rifling through paperwork, lawyers now trawl through complicated menus to find documents or follow complex workflow processes to action even simple tasks. Ultimately, by implementing programs that aren’t bespoke to their needs, many firms are becoming slaves to the technology designed to set them free.

But when you think about the slick and intuitive technology we use in our everyday lives, it doesn’t have to be that way. The solutions our industry wants and needs are already out there, it’s just that at present, they aren’t available in a tailored format for our businesses.

Day-in day-out most of us use voice recognition and touch screen technology, whether its asking “Siri” to search Google, put a reminder in our calendar or bring up a map with directions to a chosen destination. Therefore, it’s easy to see how this technology can be applied to legal practice case management allowing lawyers to ask their computer to bring up the case they want, swipe between documents quickly on the screen, or even dictate an email using voice recognition software.

Intuitive systems have the power to reduce the time spent on case management, freeing up capacity to do core legal work and provide the best quality service to clients. In fact, so clear are the benefits to the legal sector that, in the absence of widely available tailored options, more progressive firms are taking the need into their own hands.

By creating their own bespoke systems that are more aligned with the new-model legal practice, these firms are using technology to improve efficiency while providing the exact service their clients need. As well as enabling these businesses to get what they need now, this bespoke route opens the door to future innovation and adaptations so firms can easily incorporate new ideas or changes that occur further down the line.

A more (artificial) intelligent approach

Another emerging technology making inroads into the legal sector is Artificial Intelligence (AI). Having cut its teeth in medical diagnosis and financial services, AI is becoming a more recognised way to reduce human input in favour of greater efficiency and improved accuracy in business analytics and decision making.

Looking outside of our sector, Santander and HSBC for example, recently announced plans to use voice recognition technology in their banking services to improve security. Similarly, wealth management firm Charles Schwab has developed an algorithm that decides where best to invest money according to market changes. AI applications are also being utilised in healthcare systems in both the USA and the UK to assist clinicians with Cancer diagnosis and the predictive analysis of degenerative conditions such as Alzheimers.

Drawing from these learnings and innovative applications, forwarding thinking law firms are now exploring how AI can be used in the legal profession, in particular, looking at its role in reducing time consuming data analysis.

Although still in its infancy, AI could be extremely valuable in assisting lawyers to review large volumes of current and past case work much faster than any human could do alone. By drawing on the vast reserves of legal data available inside law firms and in external databases to find specific precedents or existing case law, such programs could slash research timescales and help lawyers to make quicker, more accurate decisions in the daily course of their work. By removing these laborious elements, lawyers could then instead focus their time on tasks like core legal analysis.

In fact, this approach is being pioneered by a number of US law firms through technology such as ROSS, ‘the world’s first artificially intelligent lawyer’. Developed by IBM and powered by its WATSON AI platform, ROSS enables lawyers to ask questions and be signposted to citations and topical articles from a variety of sources. Going beyond a simple knowledge database, technology such as ROSS uses machine learning to understand legal language, search and collate all available information on cases and provide increasingly sophisticated hypotheses for possible courses of action.

As this technology is still in the early stages of development, only a limited number of UK firms have begun to exploit the vast potential of these AI solutions. However, over the next 12-36 months, it is likely that AI will make waves in the UK legal industry, automating time consuming data analysis and making intelligent legal decisions to assist lawyers.

Used and positioned correctly, this technology will be extremely disruptive to the legal market and for the early adopters who are wise and bold enough to recognise the benefits – plus, have the appropriate company culture to integrate it – AI could be a substantial accelerator for growth.

Focusing on service

New technology such as AI and bespoke case management software have the ability to reduce or remove many needlessly time consuming tasks; time that can be better spent on servicing and supporting clients. But as well as freeing up hours, technology is also an enabler in improving this customer experience and communication between lawyer and client.

The legal process can be overwhelming for clients, so anything that alleviates this stress and improves communication will increase client satisfaction as well as be a key differentiator.

Although many law firms ‘went digital’ years ago, currently very few legal services are actually available online or merely comprise external links to communication services such as Skype or online forms. Similarly, a limited number of legal firms offer end-to-end fully integrated online services. As a result, the legal sector is severely lagging behind industries like insurance and financial services where such online offers are commonplace.

While digital services are sparse within the legal sector, some pioneering firms are already making headway. Specialist workflow systems and processes, such as mobile interface platforms, are being created by these businesses, enabling clients to submit details and receive information about their case from anywhere and on any device. As well as allowing clients to have greater contact with the team handling their case, ensuring they are always informed at all stages, these platforms also make it easier for lawyers to obtain important information about the case. By simplifying processes, such systems improve the client experience but also have a commercial benefit as lawyers can start working on claims within minutes of information being received.

Keeping up with the pace

When it comes to innovation, law firms have, for many years, rested on their laurels. However, in a fast-paced society and with ever-more resourceful, knowledgeable and discerning clients, the sector must evolve to ensure the legal expertise that has been the preserve of our sector remains valuable and relevant, and critically, commercially viable.

As businesses in all sectors evolve to become more service-led, legal firms must too find ways to differentiate their offer and appeal to customers. Undoubtedly, innovation will be key in creating this stand out, building an operational infrastructure and providing a service that’s reflective and befitting of the 21^st century.

For more information, please visit www.fletcherssolicitors.co.uk

[1] Toister Performance Solutions, 2015