25 May 2021 | BusyLamp
Legal tech data security – a checklist for in-house counsel
Buying legal technology can be overwhelming enough without adding to the mix the challenge of ensuring your preferred software meets security requirements. This is probably why, anecdotally, we hear of legal tech projects where data security requirements are raised late in the game, usually when IT becomes involved in the project.
Involving IT early in the software purchase process is advisable for several reasons, not least because stringent company-wide data protection policies can automatically rule out several vendors from the start, so you need to know what these are. It also helps if you, as the main buyers of the legal technology software, have data security in mind alongside your assessment of the core features of the product. The sensitive nature of the information that passes through legal systems means that data security should be of paramount importance.
Here is a handy checklist of data security considerations:
Legal documents contain sensitive data. Therefore, all data should be encrypted with a secure and up-to-date algorithm. Many legal tech vendors encrypt merely on the hard disk while storing unencrypted data in the database. This interpretation of at-rest-encryption is a measure that merely prevents data leaks in the unlikely event that the hard disk is stolen. BusyLamp takes at-rest-encryption to the next level by using AES256 to store customer data (including backups) with individual keys not only securely on the hard disk, but also in the database. The latter means that we apply an additional layer of security as a countermeasure for potential cyberattacks.
ENCRYPTED TRANSMISSION (“IN-TRANSIT-ENCRYPTION”)
The data must not only be stored in encrypted form but must also reach the user securely. Therefore, all communication should be encrypted. Since the methods used are often attacked, an up-to-date secure version must always be used. BusyLamp uses TLS with the version >= 1.2.
Especially with Software as a Service (SaaS) offerings, it is common for an application to be used by several customers. In this scenario it is necessary that client data is stored separately from that of other customers. This prevents access to your data by other users “by accident” (e.g. due to errors in the programming of the software). There are several ways to separate data and BusyLamp offers the most secure options. We can either offer physical separation, i.e. a customer has their own server, or the most effective logical separation, i.e. a customer owns its own database on shared servers.
DATA ACCESS RIGHTS
GDPR and other internal and external regulations often require access rights to be set at a need-to-know-level. It is therefore important that the legal software allows for data visibility to be set individually for each user. BusyLamp works according to the “principle of least privilege” – this means that the normal user can initially see nothing and then either on an individual or via group logic, specific data access for in-house and outside counsel users is activated.
Everyone is talking about the U.S. PATRIOT Act, CLOUD Act, CCPA, GDPR and similar data security regulations that can have a massive impact on our client’s data hosting strategies. BusyLamp is a German company and hence not subject to any potential claims by the U.S. government under such acts. We store data securely at your preferred geographical location.
DEALING WITH SECURITY ERRORS
To err is human. But how do we deal with these errors? When developing and operating software, legal technology vendors should learn from any mistakes. This promise is provided by having an appropriate company culture alongside procedures and processes designed to ensure this. BusyLamp GmbH has committed itself to this and has been ISO 27001 certified since 2018. The processes and policies contained therein represent for us the guideline for continuous improvement and development.
FIREWALLS AND SERVERS
Any application is only as secure as the servers it runs on. Every application connected to the Internet becomes a daily victim of automatic or targeted attacks. A well thought out strategy to defend against these attacks by the legal software operator is therefore essential to ensure the protection and integrity of your legal data. This strategy should include several measures nested in each other (the “onion technique”). First, a web application firewall protects the application itself. In addition, the server group is protected by a firewall. The last link in the chain is an optimally configured server that fends off all unauthorised access. All components should also be monitored by an independent service that actively reports any deviation from the norm. Regularly updating all systems involved should go without saying, in order to guarantee up-to-date and optimal protection.
INDEPENDENT SYSTEM PENETRATION TESTS
Precautions taken always look good on paper. But is the vendor keeping their promises? To find out, the legal software provider should have their systems tested regularly by an independent third party. This “planned attack” attempts to remove all security measures before a malicious attacker does. All vulnerabilities found are documented and submitted to the vendor so that they can be fixed immediately. BusyLamp is tested at least once a quarter by a team of experts and we can proudly say that no significant vulnerabilities have been found for several years. We also allow all BusyLamp customers to view the corresponding test protocols.
SOFTWARE PASSWORD PROTECTION
Robust passwords are essential to prevent unwanted access to the legal system. BusyLamp has configurable password settings that administrators can set to ensure user passwords are sufficiently strong and meet your company’s password policies.
DATA SECURITY RIGHT FROM THE START
The ability to mitigate the impact of any security breaches is important, but security gaps should not arise in the first place. Therefore, it is important that your chosen legal tech vendor delivers regular training to those involved in the development of the software to maintain a consistently high level of data security. When testing the software, not only the actual functions should be checked but known security holes (e.g. OWASP Top 10) should be searched for too.