An article on the Legal Futures site is headed Barristers becoming as vulnerable to cyber attacks as solicitors. Its opening picks up a warning from the Bar Standards Board reporting that solicitors had already fallen victim to IT threats and cyber attacks and observing that chambers generally lack relevant resources and expertise.
The nature of lawyers’ work often involves the gathering of their clients’ “best” documents – litigation discovery documents, information about sensitive corporate transactions such as a proposed merger or acquisition, or information about the private affairs of personal clients (where the only difference between a celebrity and the rest of us is that the celebrity offers more motivation to the intruder). The attack may not necessarily involve data at all – recently, large US firm Foley & Lardner reported an intrusion which seems to have been cryptojacking or something similar rather than the exfiltration of data (registration required to read the article).
Most of the Legal Futures article is about other aspects of data management, including the technical and ethical issues that arise in handling large volumes of digital evidence. Barristers may say that they leave all that to their solicitors and to their solicitors’ outsourced contractors. That may work, up to a point, in larger commercial matters where both the compliance with the rules and the existence of secure systems is the norm. It doesn’t really help the already-struggling criminal barristers who have electronic material dumped on them just before trial, with enough on their plates just finding relevant material. They lack the systems and support to manage it and secure it, and that is before they have to grapple with the courts’ systems. Any intervention from above must take account of the reality of an underfunded system.
The recently-departed and unlamented head of the Crown Prosecution Service, Alison Saunders, admitted, rather late in the day, that the CPS had been slow to recognise the importance, as well as the prevalence, of data on mobile devices (I wrote about that here). The story of disclosure failures by police and CPS is an appalling one. The counter-stories – of information uncovered in text messages or whatever in the nick of time by hard-pressed lawyers – are at once encouraging and dispiriting. Hurrah for them – but they should not have to work like this, and there is the thought that many others – solicitors and barristers, in both civil and criminal roles – wouldn’t know where to look, or may not even think about looking at all.
Many potential breaches are more mundane and less sophisticated than hacking or other forms of cyber threat – case data on a shared computer, laptops left open on trains, papers left in taxis and so on. No amount of office security systems will manage that human factor, which we see also when people click on a link which should have given pause for thought, obey payment instructions from spoofed emails, or insert a USB key without querying its origin. It is the busiest people who are most likely to make mistakes like this.
There may well be the need for the wide policy initiatives and changes to legal practice referred to in the article. There is certainly a need for proper funding, both for the “system” and for the individuals and firms who have to engage with it. A purist view of duties is no use if it fails to reflect that reality.
As if that was not enough, there is the General Data Protection Regulation (GDPR) and its rules about the proper handling of private information. One might expect lawyers to know the law, but how do you give practical effect to the protection of private information in a business which depends entirely on keeping and creating private information? For barristers, perhaps more than anyone, the obligation to keep private information secure, and to dispose of it on the expiration of the purpose for which they acquired it, raises all kinds of issues, even before considering the time and cost involved in compliance. In this context as well, there is an obvious conflict both between the various duties expected of them, and between those duties and the resources available to them.
The BSB is reported to be looking into a different aspect of barristers’ work – winning more of it by adapting to the changing expectations of clients. There is more to technology than avoiding being hacked and fulfilling legal and ethical obligations. Technology change offers opportunity as well. Why is the management of disclosure left to solicitors? Increasingly, they are delegating that to third-party experts, retaining responsibility for supervision and (under the present rules) for certifying compliance. Is there a bigger role for barristers here? After all, it is they who need the evidence. Why should they not be involved in working with the outside service providers, not as mere reviewers, but in decision-making and direction? That may involve a leap from conventional practice but, as I understand the position as reported in the Legal Futures article, the BSB is developing and encouraging new strategic initiatives. Let this be one of them.