In-House Legal Tech – a Data Security Checklist

As legal data is highly sensitive, data privacy, cybersecurity, and compliance are the top corporate organizational focus areas. Yet despite the scrutiny in-house legal rightly applies to business activities and counsel, they are not necessarily applying this same focus when evaluating the legal technology, they use within their departments. The sensitive nature of the information that passes through legal systems means that data security should be paramount.

Anecdotally, we hear of legal tech projects where data security requirements are raised late in the game, sometimes after IT becomes involved in the project, and can result in the favourite vendor getting immediately disqualified from the selection because of weak security features and policies.

This is understandable. Most lawyers and even technology-savvy legal operations managers are not data security experts. The main focus when buying legal software are the features that assist in daily work and decision-making, so the “under the bonnet” functionality is not always front of mind, nor do in-house counsel necessarily know the right questions to ask.

The following list of security considerations will aid you in asking pointed questions so you can address system safety at the same time as the ‘core’ functional requirements of the technology. This will save you time in the selection process and make picking the right solution for you that bit easier. There is already a lot of cyber risk that could be affecting your company, your legal technology should not be one of these worries.

ENCRYPTION (“AT-REST-ENCRYPTION”)
Legal documents contain sensitive data. Therefore, encrypt with a secure and up-to-date algorithm. Many legal tech vendors encrypt the hard disk while storing unencrypted data in the database. This interpretation of at-rest encryption is a measure that prevents data leaks in the unlikely event of the theft of a hard disk. Onit’s European legal spend management solution BusyLamp eBilling.Space takes at-rest encryption to the next level by using AES256 to store customer data (including backups) with individual keys securely on the hard disk and in the database. The latter means we apply an additional layer of security as a countermeasure for potential cyberattacks.

ENCRYPTED TRANSMISSION (“IN-TRANSIT-ENCRYPTION”)
The data must not only be stored in encrypted form but must also reach the user securely. Therefore, all communication should be encrypted. Since the methods are prone to attack, always use an up-to-date secure version. BusyLamp uses TLS with the version >= 1.2.

DATA SEPARATION
Especially with software as a Service (SaaS) offerings, it is common for an application to be used by several customers. In this scenario, store client data separately from that of other customers. This prevents access to your data by other users “by accident” (e.g., due to software programming errors). There are several ways to separate data, and BusyLamp offers the most secure options. We can provide physical separation, i.e., a customer has their own server, or the most effective logical separation, i.e., a customer owns its database on shared servers.

DATA ACCESS RIGHTS
GDPR and other internal and external regulations often require access rights to be set at a need-to-know level. Therefore, the legal software must allow data visibility to be set individually for each user. BusyLamp works according to the “principle of least privilege” – the normal user can initially see nothing. Then, specific data access for in-house and outside counsel users is activated on an individual or via group logic.

DATA LOCATION
Everyone is talking about the U.S. PATRIOT Act, CLOUD Act, CCPA, GDPR, and similar data security regulations that can have a massive impact on our client’s data hosting strategies. Onit’s BusyLamp legal spend management software is a German product and hence not subject to any potential claims by the U.S. government under such acts. We store data securely at your preferred geographical location.

FIREWALLS AND SERVERS
Any application is only as secure as the servers it runs on. Every application connected to the Internet becomes a daily victim of automatic or targeted attacks. Therefore, a well-thought-out strategy to defend against these attacks by the legal software operator is essential to ensure the protection and integrity of your legal data. This strategy should include several nested measures (the “onion technique”). First, a web application firewall protects the application itself. In addition, the server group gets protected by a firewall. The last link in the chain is an optimally configured server that fends off all unauthorized access. An independent service should monitor all components and actively report deviations from the norm. Regularly updating all systems involved should go without saying to guarantee up-to-date and optimal protection.

INDEPENDENT SYSTEM PENETRATION TESTS
Precautions taken always look good on paper. But is the vendor keeping their promises? To find out, the legal software provider should have their systems tested regularly by an independent third party. This “planned attack” attempts to remove all security measures before a malicious attacker does. All vulnerabilities found are documented and submitted to the vendor for an immediate fix. BusyLamp is tested at least once a quarter by a team of experts; we also allow all BusyLamp customers to view the corresponding test protocols.

SOFTWARE PASSWORD PROTECTION
Robust passwords are essential to prevent unwanted access to the legal system. BusyLamp has configurable password settings that administrators can set to ensure user passwords are sufficiently strong and meet your company’s password policies.

DATA SECURITY RIGHT FROM THE START
The ability to mitigate the impact of any security breaches is important, but security gaps should not arise in the first place. Therefore, your chosen legal tech vendor must deliver regular training to those involved in developing the software to maintain a consistently high level of data security. When testing the software, check the actual functions and search known security holes (e.g., OWASP Top 10).

Request a demo of BusyLamp eBilling.Space today.

Thank you for subscribing!