The ACC CLO 2020 Survey listed data privacy and cybersecurity — together with compliance — as the top corporate organizational focus areas. Yet despite the scrutiny in-house legal rightly applies to business activities and counsel, they are not necessarily applying this same focus when evaluating the legal technology they use within their own departments. The sensitive nature of the information that passes through legal systems means that data security should be of paramount importance.
Anecdotally, we hear of legal tech projects where data security requirements are raised late in the game, sometimes only after IT becomes involved, with the result that the favourite vendor is immediately disqualified from selection because of weak security features and policies.
This is understandable. Most lawyers and even technology-savvy legal operations managers are not data security experts. The main focus when buying legal software is the set of features that assist in daily work and decision making, so the “under the bonnet” functionality is not always front of mind, nor do in-house counsel necessarily know the right questions to ask. The following list of security considerations will help you ask pointed questions so that you can address system safety at the same time as the ‘core’ functional requirements of the technology. This will save you time in the selection process and make picking the right solution that bit easier. There is already a lot of cyber-risk that could be affecting your company; your own legal technology should not be one of those worries.
Encryption (“At-rest-encryption”)
Legal documents contain sensitive data. Therefore, all data should be encrypted with a secure and up-to-date algorithm. Many legal tech vendors encrypt merely at the hard disk level while storing unencrypted data in the database. This interpretation of at-rest encryption only prevents data leaks in the unlikely event that the hard disk itself is stolen; anyone who can read the database sees the data in clear. BusyLamp takes at-rest encryption a step further by using AES-256 to store customer data (including backups) with individual keys, not only on the hard disk but also inside the database. The latter means that we apply an additional layer of security as a countermeasure against potential cyberattacks.
Encrypted transmission (“In-transit-encryption”)
The data must not only be stored in encrypted form but must also reach the user securely. Therefore, all communication should be encrypted. Since the protocols used are frequently attacked, an up-to-date secure version must always be used. BusyLamp uses TLS version 1.2 or higher.
Data separation
Especially with Software as a Service (SaaS) offerings, it is common for one application instance to be used by several customers. In this scenario it is absolutely necessary that each client’s data is stored separately from that of other customers. This prevents access to your data by other users “by accident” (e.g. due to errors in the programming of the software). There are several ways to separate data and BusyLamp offers the most secure options: either physical separation, i.e. a customer has their own server, or the most effective form of logical separation, i.e. a customer has its own database on shared servers.
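As an added illustration of the two points above (encryption inside the database with individual keys, and logical separation of customer data), the following Go example is not BusyLamp code; it encrypts a single column value with AES-256-GCM under a per-customer key and binds the customer ID and column name into the ciphertext as associated data. The master secret and tenant names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// tenantAEAD returns AES-256-GCM keyed for one customer. The key is derived from
// a constructed label so the example runs offline; a real deployment would fetch it from a KMS.
func tenantAEAD(tenantID string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte("constructed-master-secret:" + tenantID))
	block, err := aes.NewCipher(key[:]) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one column value before it is written to the database.
// Tenant ID and column name are bound in as associated data, so the stored value
// can neither be opened under another customer's key nor moved to another row.
func sealField(tenantID, column string, plaintext []byte) ([]byte, error) {
	gcm, err := tenantAEAD(tenantID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || GCM tag
	return gcm.Seal(nonce, nonce, plaintext, []byte(tenantID+"/"+column)), nil
}

// openField is the read path; a key, tenant or column mismatch yields an error, never plaintext.
func openField(tenantID, column string, stored []byte) ([]byte, error) {
	gcm, err := tenantAEAD(tenantID)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored value too short")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(tenantID+"/"+column))
}
```

A database administrator or another tenant's application code that reads the raw column sees only the sealed bytes; the GCM tag check fails for any other key, tenant or column.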
Data access rights
GDPR and other internal and external regulations often require access rights to be set at a need-to-know level. It is therefore important that the legal software allows data visibility to be set individually for each user. BusyLamp works according to the “principle of least privilege”: a normal user initially sees nothing, and specific data access is then granted, either individually or via group logic, to in-house and outside counsel users.
Data Location
Everyone is talking about the U.S. PATRIOT Act, CLOUD Act, CCPA, GDPR and similar data security regulations that can have a massive impact on our clients’ data hosting strategies. BusyLamp is a German company and hence not subject to any potential claims by the U.S. government under such acts. We store data securely at your preferred geographical location.
Dealing with security errors
To err is human. But how do we deal with these errors? When developing and operating software, legal technology vendors should learn from any mistakes. This is ensured by an appropriate company culture alongside procedures and processes designed for that purpose. BusyLamp GmbH has committed itself to this and has been ISO 27001 certified since 2018. The processes and policies it contains represent for us the guideline for continuous improvement and development.
Firewalls and servers
Any application is only as secure as the servers it runs on. Every application connected to the Internet is subjected daily to automated or targeted attacks. A well thought out defence strategy on the part of the legal software operator is therefore essential to ensure the protection and integrity of your legal data. This strategy should include several measures nested in each other (the “onion technique”). First, a web application firewall protects the application itself. In addition, the server group is protected by a network firewall. The last link in the chain is an optimally configured server that fends off all unauthorised access. All components should also be monitored by an independent service that actively reports any deviation from the norm. Regularly updating all systems involved should go without saying in order to guarantee up-to-date and optimal protection.
Independent system penetration tests
Precautions always look good on paper. But is the vendor keeping their promises? To find out, the legal software provider should have their systems tested regularly by an independent third party. This “planned attack” attempts to overcome all security measures before a malicious attacker does. All vulnerabilities found are documented and submitted to the vendor so that they can be fixed immediately. BusyLamp is tested at least once a quarter by a team of experts, and we can proudly say that no significant vulnerabilities have been found for several years. We also allow all BusyLamp customers to view the corresponding test reports.
Software password protection
Robust passwords are essential to prevent unwanted access to the legal system. BusyLamp has configurable password settings that administrators can set to ensure user passwords are sufficiently strong and meet your company’s password policies.
Data security right from the start
The ability to mitigate the impact of any security breach is important, but security gaps should not arise in the first place. Therefore, it is important that your chosen legal tech vendor delivers regular training to those involved in developing the software, to maintain a consistently high level of data security. When testing the software, not only the actual functions should be checked; known classes of security holes (e.g. the OWASP Top 10) should be searched for too.
To the best of our knowledge and based on our research, we consider BusyLamp to be the safest legal spend management solution in the market.