Introduction

The shift from brick-and-mortar to hybrid and internet-centric law practice has been gradual but is now irreversible. Discussions on artificial intelligence (AI) and the future of legal practice have intensified, and the Covid-19 pandemic accelerated the deployment of AI and other digital technologies in law practice. With stringent restrictions on movement and gatherings at the height of the pandemic, law firms began to work (more) remotely, relying on teleconferencing and other digital tools that support virtual legal practice. Consequently, the resources of a law firm are no longer merely physical: they now include a large body of cyber and virtual resources (accounts, devices, documents, communications and the systems that hold them).

With this modern deployment of business resources comes the need to secure them. Business efficiency demands that liabilities and losses be reduced, and that brings cybersecurity squarely into the legal workspace.

This discourse examines the concept of cybersecurity and makes a case for law firms to prioritise cybersecurity as much as they do their finances and core business. This writer argues, on the principle of strategic alignment, that a law firm is only as strong as its cybersecurity policies and standards.

Background

The main laws that regulate attorney-client communication and the proper collection, processing, storage and security of the cyber resources of law firms are:

  1. The Constitution of the Federal Republic of Nigeria.2
  2. The Legal Practitioners Act3 ("LPA") and its subsidiary legislation, the Rules of Professional Conduct for Legal Practitioners 2007 ("RPC").
  3. The National Information Technology Development Agency (NITDA) Act4 and its subsidiary legislation, notably the Nigeria Data Protection Regulation 2019 ("NDPR").

Multinational law firms, and indigenous law firms with cross-border reach or clientele, may also be bound by the General Data Protection Regulation 2016 (GDPR).5 For instance, where a Nigeria-based law firm provides legal advice and representation to a client who is in Germany, failure to comply with the relevant provisions of the GDPR may expose the firm to liability; the GDPR applies by reference to where the data subject is located, not to their nationality.6

Rule 19 of the RPC imposes a duty of confidentiality on legal practitioners with respect to oral and written communications made by a client to their lawyer in the ordinary course of professional engagement. In security terms this is the principle of confidentiality: professional communications must not be disclosed to unauthorised persons. Together with integrity and availability it forms the triad that is briefly addressed in a later segment of this discourse.

In early 2018, Facebook and the political data-analytics firm Cambridge Analytica were implicated in a massive data-misuse scandal in which the personal data of over 87 million Facebook users was improperly harvested.7 Closer to home, information volunteered anonymously by partners of law firms and senior figures in organisations connected to the legal industry suggests that most of them have no structured, end-to-end or auditable system for how information moves through the organisation. From a recruit's first day to their departure, there is no organised record of which cyber resources (accounts, devices, documents, access rights) the staff member holds, nor a hand-over plan for transferring them to a successor. More worrying still, this gap affects the finances and trade secrets of some organisations.

From the perspective of a data and cybersecurity infrastructure professional, these problems faced by law firms and organisations are the result of an avoidable failure of security management planning: no planning, no policy, and no implementation.

Data Protection and Cybersecurity Obligations under Nigerian Law

Section 2.6 of the NDPR places a mandatory duty on data administrators8 and data controllers9 (law firms and organisations included) to develop security measures to protect data. These measures include guarding information systems against malicious hackers, setting up firewalls, storing data securely with access granted only to specific authorised individuals,10 employing data encryption technologies, developing organisational policies for handling personal data (and other sensitive and confidential data), protecting e-mail systems, and running continuous capacity-building programmes for staff.11 Law firms therefore have a statutory obligation to formulate cybersecurity policies for handling sensitive and confidential data and to protect their e-mail systems, and must organise continuous seminars and workshops for members of staff on cybersecurity.

To reduce the incidence of penalties and fines for non-compliance with data protection and cybersecurity requirements, paragraph 4.2(vi) of the NDPR Implementation Framework12 recommends that data administrators and controllers develop and circulate an internal privacy strategy or policy, so that staff and vendors understand the data controller's direction on cybersecurity and data management.

Paragraph 4.2(vii) likewise recommends that law firms and organisations periodically conduct Data Protection Impact Assessments (DPIAs), especially before embarking on a project likely to pose significant risks to the rights and freedoms of data subjects.

It should be noted that law firms and organisations have a duty to ensure that their cybersecurity policies are directed at compliance with data protection laws and principles, such as the requirement for a written contract governing any third-party processing of data13 and the requirement to publish, clearly, a data privacy policy on every medium through which confidential or sensitive personal data is collected or processed.14 Similarly, section 4.1(1) of the NDPR mandates all data administrators and controllers to publish their data protection policies in conformity with the NDPR.

Each of these obligations can be met in a coordinated way through cybersecurity management planning.

The Concept of Cybersecurity Management Planning

Earlier, the three principles of Confidentiality, Integrity and Availability (CIA) were mentioned.15 Confidentiality is the assurance that information is not disclosed to unauthorised persons, processes or devices; it covers data in storage, during processing and in transit. Integrity means that data and information systems are protected from unintentional, unauthorised or accidental changes. Availability means that information, systems and supporting infrastructure are operating and accessible when needed.

The importance of security is rarely appreciated until a painful first-hand incident proves it pivotal to the existence and sustainability of people and businesses. Security should be viewed as an indispensable element of legal business management rather than merely a technical information technology (IT) concern to be left to the exclusive preserve of "the IT experts".

IT and security are distinct. IT denotes the hardware and software that support the operations and functions of an organisation; security is a business management function that ensures the reliable, efficient, productive and protected operation of that IT in pursuit of the organisation's objectives.

Security management planning ensures the proper creation, implementation and enforcement of a security policy, and aligns the security function with the strategy, goals, mission and objectives of the organisation. It is inseparable from the organisation's cybersecurity governance documents.

Cybersecurity Through Security Management Planning

Security management planning begins with a cybersecurity policy initiated, defined and codified by the senior management of the organisation.16 Security policies codify management's cyber requirements and give direction to every level of the organisation's hierarchy. Middle management then fleshes the policy out into cybersecurity standards, baselines, guidelines and procedures, and it is these that the operational managers and cybersecurity professionals (the experts) implement to secure compliance from end-user members of staff.

An illustration. A policy formulated by senior management may read:

"Access to all information systems which are categorized as 'sensitive' or 'protected' must be configured to use multifactor authentication".

This policy is handed down to middle management, which in turn develops specific standards for its implementation. A standard may read:

"Factor 1: a ten-character PIN containing digits, letters and special characters, with no repeated characters, changed every 90 days.

Factor 2: biometric facial recognition."
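The point of the policy/standard split above is that a standard, unlike a policy, is concrete enough for the operational team to enforce mechanically. The following is an added example (not code from the article or its author) of what that enforcement looks like for "Factor 1": a check that an audit script could run against an identity-provider export of account records. The function and field names, the reading of "no repeating characters" as "no character appears twice anywhere in the secret", and the sample account records are all assumptions made for this example.

```python
"""Added example: enforcing the article's illustrative "Factor 1" standard.

Everything here (names, the interpretation of the rules, the sample data)
is an assumption made for the example, not the article's own material.
"""
from __future__ import annotations

import string
from dataclasses import dataclass
from datetime import date

MIN_LENGTH = 10      # "ten-character"
MAX_AGE_DAYS = 90    # "changed every 90 days"
SPECIALS = set(string.punctuation)


@dataclass(frozen=True)
class Factor1Result:
    compliant: bool
    violations: tuple[str, ...]   # empty when compliant


def check_factor1(secret: str, last_changed: date, today: date) -> Factor1Result:
    """Return every way `secret` fails the Factor 1 standard.

    Composition rules are evaluated on the secret itself (so this belongs at
    password-change time); the rotation rule only needs the last-changed date.
    """
    violations: list[str] = []
    if len(secret) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in secret):
        violations.append("no digit")
    if not any(c.isalpha() for c in secret):
        violations.append("no letter")
    if not any(c in SPECIALS for c in secret):
        violations.append("no special character")
    # Assumed reading of "no repeating characters": every character is unique.
    if len(set(secret)) != len(secret):
        violations.append("repeated character")
    age = (today - last_changed).days
    if age < 0:
        violations.append("last_changed is in the future")
    elif age > MAX_AGE_DAYS:
        violations.append(f"not changed for {age} days (limit {MAX_AGE_DAYS})")
    return Factor1Result(compliant=not violations, violations=tuple(violations))


# Constructed sample records (user -> (secret, last_changed)); the audit date is
# the article's publication date.  Real audits would never see plaintext secrets:
# composition checks run at change time, and only the timestamp is exported.
AUDIT_DATE = date(2021, 12, 13)
SAMPLE_ACCOUNTS = {
    "partner01": ("Ab3$fG7!kL", date(2021, 11, 1)),   # compliant
    "assoc02":   ("Ab3$fG7!kL", date(2021, 8, 1)),    # stale: 134 days old
    "clerk03":   ("aabbcc1122", date(2021, 12, 1)),   # repeats, no special
    "intern04":  ("Ab3$f",      date(2021, 12, 1)),   # too short
}


def audit(accounts: dict[str, tuple[str, date]], today: date = AUDIT_DATE) -> dict[str, Factor1Result]:
    """Evaluate every account; the non-compliant ones are the operational team's work list."""
    return {user: check_factor1(secret, changed, today) for user, (secret, changed) in accounts.items()}


if __name__ == "__main__":
    for user, result in audit(SAMPLE_ACCOUNTS).items():
        status = "OK " if result.compliant else "FAIL"
        print(f"{status} {user}: {', '.join(result.violations) or 'compliant'}")
```

Two practitioner caveats. First, the standard as worded leaves "no repeating characters" ambiguous (no consecutive repeats, or no repeats at all); resolving that ambiguity is exactly what the guideline and procedure layers below the standard are for, and the check above had to pick one reading. Second, the 90-day mandatory rotation in the illustrative standard is the kind of value middle management should revisit: NIST SP 800-63B (2017) advises that verifiers should not require memorised secrets to be changed periodically, only on evidence of compromise. The example demonstrates the layering, not the merits of the specific values.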

It is commonly observed that cybersecurity decisions are made directly and exclusively by IT experts, with little or no input from senior management. This practice is problematic for several professional reasons, one of which is the principle of strategic alignment.

Strategic alignment means that cybersecurity infrastructure and policies are treated not as merely technical or IT-related matters but as central to the attainment of the organisation's objectives. Senior management, as custodian of the organisation's objectives, mission, vision, financial and business projections and core values, is in the best position to enact cybersecurity policies.

Another concept embedded in cybersecurity management planning is Business Impact Analysis (BIA). The objective of a BIA is to identify the essential services, systems and infrastructure of the organisation and the consequences of losing them. "Essential" here means that the absence or disruption of the service would result in significant harm to the law firm or organisation and to its employees, clients and business partners.

The outcome of a BIA is a prioritised matrix of services, systems and infrastructure that informs management decisions such as:

  1. Resource prioritisation.
  2. Investment strategy decisions.
  3. The development of incident response, disaster recovery and business continuity plans.

Implications of Failure to Enact Security Management Planning

For organisations holding trade secrets, a breach or leak of those secrets requires the engagement of legal advisers, who may need to take legal action to recover losses that have been, or may yet be, suffered.

Furthermore, this writer belongs to an organisation of data security and audit professionals that liaises constantly with NITDA to ensure compliance with data protection regulatory obligations. Security management planning in every organisation should include compliance with data protection laws on breach notification and audits.17 The stakes are high: GDPR fines can reach 4% of total worldwide annual turnover (or EUR 20 million, whichever is higher), while NDPR fines can reach 2% of the annual gross revenue of the preceding year18, lower, but still immense.19

Moreover, the goodwill and reputation of a law firm or organisation may plummet after an unjustifiable leak of sensitive client data, with a significant effect on current and future earnings from legal practice.

Conclusion

This discourse has advanced practical arguments in favour of cybersecurity management planning for law firms and organisations in the legal industry. Rather than wait for a breach of a database holding trade secrets, sensitive client data or sensitive insider information, or for avoidable financial exposure to fines for data protection non-compliance, law firms and organisations are strongly advised to engage Data Protection Compliance Organisations (DPCOs) and cybersecurity professionals and advisers now.

Footnotes

1. Olukolade O. Ehinmosan, Associate, Tax, Real Estate and Succession, SPA Ajibade & Co, Lagos, Nigeria.

2. 1999 (as amended).

3. Cap. L11 LFN 2004.

4. No. 28 2007, Cap. N156 LFN 2004.

5. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016. It became enforceable on 25th May 2018 and is widely regarded as the most robust privacy protection law in the world. Its objective is to protect people in the EU / EEA (European Economic Area) from unlawful data collection or processing, to strengthen consent requirements and to provide enhanced rights for data subjects. The GDPR also regulates the transfer of personal data outside the EU / EEA.

6. Article 3 of the GDPR provides that the GDPR applies to the processing of personal data of data subjects who are in the European Union (EU) by a controller or processor not established in the EU, where the processing activities relate to (1) the offering of goods or services, irrespective of whether a payment by the data subject is required, to such data subjects in the Union; or (2) the monitoring of their behaviour as far as their behaviour takes place within the Union.

7. Business Insider Africa, The Cambridge Analytica Timeline, 23rd August 2019, available at <https://africa.businessinsider.com/tech/facebook-understood-how-dangerous-the-trump-linked-data-firm-cambridge-analytica/d23ghgd> accessed 8th December 2021 at 10:05 am.

8. Section 1.3(ix) of the NDPR defines a "Data Administrator" as a person or an organisation that processes data. Law firms and organisations are data administrators by reason of receiving, transmitting, processing, and storing sensitive personal data of clients and related persons.

9. Section 1.3(x) of the NDPR defines a "Data Controller" as a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed. For a fuller distinction between a data processor/administrator and a data controller, see the website of the European Commission at <https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en> accessed on 10th December 2021 at 12:15 pm.

10. Aligned to the cybersecurity principles of confidentiality and availability.

11. Emphasis mine.

12. Version 2.2, March 2020.

13. Section 2.7 of the NDPR.

14. Section 2.5 of the NDPR.

15. See the Background section above.

16. Compare with paragraph 4.2(ix) of the NDPR Implementation Framework 2020.

17. For instance, SPA Ajibade & Co. is a licensed Data Protection Compliance Organisation (DPCO) that provides legal and administrative support towards full compliance with data protection laws while liaising with NITDA and other relevant data protection agencies on important updates on behalf of clients.

18. Section 2.10 of the NDPR.

19. To put this in context, Google LLC was fined EUR 50 million on 21st January 2019 for an insufficient legal basis for data processing. A cybersecurity policy set by senior management, coupled with the engagement of data protection and cybersecurity professionals, is immensely important. See <https://www.enforcementtracker.com/?insights> accessed on 8th December 2021 at 12:08 pm for more insight on GDPR fines and the types of data protection violation.

Originally published 13 December, 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.