An Information Security Trans-firm-ation
By Mitchell Kelly
ABSTRACT: If the ALRC's recent Privacy Inquiry and subsequent report [1] - the largest ever produced by the ALRC and currently forming the basis of draft legislation - is any indication, the coming decade will see vast developments in privacy law. Add to this the constant flow of emerging technologies, the changing face of business transactions, and the proliferation of corporate espionage, hacking and cyber crime, and it becomes clear that implementing an Information Security Management System (ISMS) has never been more vital for law firms.
In the past, privacy legislation, with its low compensation awards and minimal other penalties, has (not surprisingly) been viewed as 'all bark and no bite'. The ALRC's proposals, if adopted, will break this misconception. A data breach notification scheme and harsher penalties, including civil penalty provisions for serious breaches, are just a hint of the proposed reforms. The Government has indicated its willingness to crack down on data protection, and Australian organisations will be forced to follow suit. A structured path to compliance lies in an ISMS.
An ISMS gives an organisation a framework for protecting information and for determining how it is processed, stored, transferred, archived and destroyed. Traditionally, ISMSs have been adopted by bodies holding large volumes of private and confidential information, namely government agencies, financial institutions and health providers. Law firms, by contrast, have remained largely unaware of the importance of serious information security policies; until now. In 2010 a Melbourne-based firm became the first in Australia to be certified against ISO 27001, an international standard widely considered to be the benchmark for ISMSs.
DUTY
Quality assurance is nothing new for lawyers. In addition to the Legal Profession Act 2004 (Vic) and the Legal Profession Regulations 2005 (Vic), a common law duty exists to protect confidential information and prevent it from falling into unauthorised hands. But as technology changes, so too do the ways in which breaches can occur. Just how do you get back that client letter the clerk accidentally emailed to the defendant's lawyer? Up until now, LAW 9000 has widely been considered sufficient accreditation for quality management. The difference between LAW 9000 and an ISMS is simple. Whereas LAW 9000 ensures consistency in the processes each individual follows at any given time, an ISMS ensures the integrity of information as it passes from hand to hand. For example, LAW 9000 may see the creation of templates for legal letters - consistency is maintained. ISMS processes see that the template cannot be altered, specify who has access to it, make sure it is printed in a confidential area and posted to the correct address - integrity, confidentiality and availability are maintained. These three properties form the core of any ISMS. While it can certainly work in conjunction with an ISMS, LAW 9000 on its own is no longer enough to guarantee the protection of privacy and confidential information, as it does not protect organisations through principles derived directly from legislation.
Practitioners have to consider the Information Privacy Act 2000 (Vic). Under the Act, ten Information Privacy Principles (IPPs) stipulate how lawyers must deal with the collection, use and disclosure of personal information. IPP 4 deals specifically with data security, requiring organisations to 'take reasonable steps' to protect information and to destroy or permanently de-identify information when it is no longer needed.
Similarly, the Privacy Act 1988 (Cth) lists numerous IPPs and NPPs (National Privacy Principles) relating to data quality and security. (It is worth noting that the ALRC seeks to replace the existing IPPs and NPPs with eleven Unified Privacy Principles.) Currently, NPP 4.1 requires an organisation to take 'reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure'. The Office of the Privacy Commissioner (OPC) has issued guidance on how organisations should meet this requirement, which includes taking steps to implement:
- physical security, such as locks, alarm systems and access limitations;
- computer and network security, such as user passwords and auditing procedures;
- communications controls, such as encryption of data; and
- personnel security, such as staff training programs.
All of these measures fall within the scope of an ISMS. In essence, an ISMS mirrors these principles; the difference is that where the legislation takes a legal perspective, an ISMS takes a business perspective.
The Privacy Act is also an easily accessible tool for consumers and clients. The OPC deals with all complaints and, if breaches have occurred, an organisation could face spending significant amounts of time and money defending the allegations. Although compensation awards under the Act have been minor to date, defending a complaint can prove much more costly than the relatively low expense attached to compliance. The need to comply with legislation has never been more crucial, and yet an overwhelming number of organisations face compliance issues. A 2005 report by the Australian Chamber of Commerce and Industry [2] revealed that 47.7% of Australian businesses polled admitted to having difficulties complying with privacy legislation. The body further found that complying with the Privacy Act was a particular issue for small businesses. [3] The OPC has offered some reasoning behind these difficulties. What is 'reasonable' to satisfy data quality and security requirements, for example, is contextual and depends on an organisation's size and activities. [4] Further complications arise for organisations operating in more than one Australian jurisdiction: the OPC is aware of cases where a single piece of information may be subject to conflicting or more onerous obligations in different states or territories. [5] Instances such as these further justify the move towards reform.
JUSTIFICATION
The reluctance of practices to implement an ISMS may stem from the belief that firms are not targets of cyber crime and hacking. While Australian practices have been able to rest easy for the most part, that is not the case in other parts of the world. Since late 2009 the FBI has identified American law firms as high-risk targets for "spear phishing" intrusions. [6] Emails crafted for a specific recipient carry malicious attachments which, once opened, infiltrate the network, exfiltrate sensitive information and often stay embedded to harvest more information at a later date. Law firms are targeted for their concentration of critical information, often relating to major international deals. As the attackers usually strike from other countries, little can be done after the fact to trace them or recover the information; the protection has to be in place beforehand. Note that a perimeter firewall alone does not stop this attack, since the email arrives over a channel the firewall permits: mail filtering, prompt patching, limiting what a user's account can reach, and monitoring of outbound traffic are also needed. Without effective protection, no practice is immune from external intrusion. Equally, an ISMS can reduce internal misconduct and make its source traceable, because business processes are documented with clear accountability for each step.
Further resistance may arise from firms believing they already have sufficient security policies in place. Generally speaking, lawyers undergo years of education and training and become expert at handling highly sensitive information. The problem with this? It is merely a generalisation, and an untested one. Going ahead with an ISMS gives a practice the chance to step back and review its information processes, observe where there are deficiencies and make modifications that will ultimately improve business efficiency at every level. Beyond the improvements made to information systems, firms receive validation and recognition for their existing processes, most notably in the form of certification. This sends a clear message to third parties about how seriously the firm takes information security. And while it may seem an arduous task to undertake - incorporating spreadsheet documentation, in-depth methodology and multiple audits - the resulting quality assurance brings substantial benefits to lawyers and clients alike.
INTRODUCING ISO 27001
First published in October 2005 by the International Organization for Standardization (ISO), ISO 27001 is an internationally recognised standard specifying the requirements for an ISMS, which aims to protect against security breaches relating to information held electronically, on paper or in any other form. The standard's primary goal is to formally establish processes across the organisation so that security and risk are managed proactively. Because it is a formal specification with precise requirements, organisations can be formally audited and certified against it. ISO 27001 structures the approach to risk management around the Plan Do Check Act (PDCA) model, which draws attention to the risk-related components within an organisation.
- PLAN
The first requirement is to systematically assess information security risks by taking into account all the threats, vulnerabilities and impacts. Threats are potential causes of loss of control over secure information or of unauthorised access to it. Vulnerabilities are the shortcomings that a threat could exploit. The impact is the effect on the firm or its clients were the information to be accessed, altered or lost. This information is organised in a risk matrix - a table that rates each risk by the likelihood of it occurring and the consequence if it does, and combines the two into a score. This allows risks to be prioritised and resources to be allocated to the high-risk areas first.
The planning stage is therefore the very foundation of the ISMS and, in addition to direct business-related processes, may cover anything from interviewing and hiring procedures to the access granted to cleaners entering the premises.
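As an added example of what the planning stage produces (this code is not from the article or from Parke Lawyers), the following Python script builds a small risk register of the kind described above and carries it one step further into treatment. The five-point likelihood and consequence scales, the banding thresholds and the register entries are all constructed for illustration; a real ISMS would use the scales defined in its own risk assessment methodology document.

```python
"""Added example: a risk register with a likelihood x consequence matrix.
Scales, thresholds and entries are constructed for illustration only;
they are not taken from ISO 27001 or from any firm's actual assessment."""
from dataclasses import dataclass

# Assumed 5-point scales (constructed for this example).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str                     # what is at stake
    threat: str                    # potential cause of loss or unauthorised access
    vulnerability: str             # the shortcoming the threat could exploit
    likelihood: str
    consequence: str
    control: str = ""              # planned treatment; empty means untreated
    residual_likelihood: str = ""  # likelihood once the control is operating


def score(likelihood: str, consequence: str) -> int:
    """Cell of the risk matrix: likelihood x consequence, 1..25."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def band(value: int) -> str:
    """Assumed banding of matrix cells; thresholds are an example, not ISO's."""
    if value >= 15:
        return "high"
    if value >= 8:
        return "medium"
    return "low"


def inherent(risk: Risk) -> int:
    """Score before any treatment."""
    return score(risk.likelihood, risk.consequence)


def residual(risk: Risk) -> int:
    """Score after the planned control; unchanged if nothing is planned."""
    if not risk.control:
        return inherent(risk)
    return score(risk.residual_likelihood or risk.likelihood, risk.consequence)


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest inherent risk first, so treatment resources go there first."""
    return sorted(register, key=inherent, reverse=True)


def untreated_high(register: list[Risk]) -> list[Risk]:
    """Risks still 'high' after treatment: each needs a further control or a
    documented decision to accept it before the register is signed off."""
    return [r for r in register if band(residual(r)) == "high"]


# Constructed register entries, loosely modelled on the situations in the article.
REGISTER = [
    Risk("client matter files", "spear-phishing email with malicious attachment",
         "staff can open attachments from unknown senders", "likely", "major",
         control="attachment filtering and staff awareness training",
         residual_likelihood="unlikely"),
    Risk("correspondence", "letter sent to the wrong party",
         "no second check of the address before posting", "possible", "moderate",
         control="address confirmed against the matter file before posting",
         residual_likelihood="rare"),
    Risk("paper files on desks", "visitor or cleaner reads a file",
         "files left out overnight", "likely", "moderate",
         control="clear desk policy with lockable cabinets",
         residual_likelihood="unlikely"),
    Risk("archived files", "records kept past their retention period",
         "no destruction schedule", "almost certain", "major"),  # untreated
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{band(inherent(r)):6} {inherent(r):2} -> "
              f"{band(residual(r)):6} {residual(r):2}  {r.asset}: {r.threat}")
    for r in untreated_high(REGISTER):
        print(f"still high after treatment: {r.asset} ({r.vulnerability})")
```

Run as a script, the register is printed highest inherent risk first, and the untreated archival risk is flagged as still 'high', which is exactly the kind of gap the Check and Act steps are meant to surface.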
- DO
Implementing and operating the ISMS means setting the policies, processes and controls that are enforced across the organisation. Any risk deemed unacceptable in the planning stage must be treated here. If, for example, unauthorised access to management emails was rated a high risk, controls such as restricting who can read those mailboxes and installing a network firewall would be put in place at this stage.
It is at this point that things can begin to snowball. For example: deciding to implement a 'clear desk policy' within a firm leads to the installation of secure filing cabinets, which leads to new locks on doors, and then surveillance cameras in the hallways and, before you know it, a new building alarm system. Because organisations shape their own management systems, they decide the significance of each identified risk and create security measures accordingly. The extent of the measures should follow from the risk assessment: an ISMS is effective when its controls are proportionate to the identified risks and are actually operated, not simply when there are more of them. Tightening security in those areas also brings firms into alignment with the recommendations made under legislation and by the OPC.
- CHECK
Continual monitoring and review is a further requirement of ISO 27001. The effectiveness of controls must be measured on an ongoing basis and residual risks updated accordingly. As a practical example, if a central filing system is established but problems in locating files persist, a review of controls may see a matter file log created that records who has custody of each file at any given time.
- ACT
Organisations must adopt an overarching management process to ensure that information security controls continue to meet their information security needs on an ongoing basis. This requires appropriate preventive and corrective actions and the implementation of identified improvements to the ISMS. A further requirement for compliance is the control of documentation and records. Specifically, risk managers must maintain a description of the risk assessment methodology, the risk assessment reports, the risk treatment plans and the overall documented procedures.
CERTIFICATION
Certification to ISO 27001 involves a three-stage audit process.
- Stage 1 is a preliminary, informal review of the ISMS, for example checking the existence and completeness of key documentation such as the organisation's information security policy, Statement of Applicability (SoA) and Risk Treatment Plan (RTP). This stage serves to familiarise the auditors with the organisation and vice versa.
- Stage 2 is a more detailed and formal compliance audit, independently testing the ISMS against the requirements specified in ISO 27001. The auditors will seek evidence to confirm that the management system has been properly designed and implemented, and is in fact in operation (for example by confirming that a security committee or similar management body meets regularly to oversee the ISMS). Passing this stage results in the ISMS being certified compliant with ISO 27001.
- Stage 3 involves follow-up surveillance audits to confirm that the organisation remains in compliance with the standard. Maintaining certification requires periodic re-assessment to confirm that the ISMS continues to operate as specified and intended, and the certificate itself runs for a fixed cycle (normally three years), after which a full recertification audit is required. Surveillance audits should happen at least annually but (by agreement with management) are often conducted more frequently, particularly while the ISMS is still maturing.
IN ACTION
Melbourne's Parke Lawyers became ISO 27001 certified in October 2010, making them the first law firm in Australia to make a serious move towards the highest level of data protection. From the early stages, through the audit process and following certification, the implementation had a far greater impact than anticipated. All employees are now aware of how to identify and assess threats, vulnerabilities and impacts. And most importantly, because ISO 27001 is practical and flexible, business efficiency improved without any sacrifice of productivity. In fact, many existing processes were modified and consolidated. This was reflected most notably in the reduction of the company Business Manual from over 150 pages to around 70.
One of the major changes they made was appointing an Administration Manager who is in charge of receiving and making digital copies of all incoming and outgoing correspondence, keeping a log of all matter files and is responsible for securing all data assets on a daily basis. To assist in overall security, alarms, cameras and network firewalls were also installed.
There are two main benefits Parke Lawyers discovered in ISO 27001. The first is how the system 'captures experience': by constantly documenting what does and does not work and reassessing regularly, improvements continue to be made and mistakes are not repeated. The second is 'corporate visibility': because of the systems in place, at any given time the Managing Director knows the location of every file, has access to an electronic version of every file, and can control access to every file.
THE BOTTOM LINE
As privacy continues to be an issue of increasing concern, and with the Australian Government set to roll out the next stage of the ALRC's recommendations in mid-2011 and enact further privacy legislation, the coming years will no doubt see ISMSs become commonplace in Australian firms - and rightly so. The standard fosters a culture in which the protection of client and business information is a core value. The very core of an ISMS - maintaining the integrity, confidentiality and availability of information - directly enhances the trust, reputation and brand of the firm. Furthermore, the standard provides accountability for actions. As a result, when selecting a firm, clients will seek out the highest level of quality assurance in those firms holding ISMS certification. The peace of mind offered to shareholders, clients, business partners and employees gives firms a competitive edge, and the streamlining of business processes that comes with ISMS implementation results in greater business efficiency and a consistent standard of integrity.
1. Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice (Report 108, 2008), Canberra: http://www.austlii.edu.au/au/other/alrc/publications/reports/108
2. Australian Chamber of Commerce and Industry, Submission to the Taskforce on Reducing Regulatory Burdens on Business, 1 November 2005, 5.
3. Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007; Australasian Compliance Institute, Submission PR 102, 15 January 2007. See also Ch 39.
4. Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
5. Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 40.
6. See FBI, New E-Scams & Warnings, 17 November 2009: www.fbi.gov/scams-safety/e-scams/archived_escams
Author Bio: Mitchell Kelly is a Law Clerk at Parke Lawyers.
