The Business Need
- Safeguard against email data breaches, since they would undermine compliance with industry regulations
- Show regulatory bodies and clients ByrneWallace had forced attachment encryption if an email was sent to the incorrect recipient
- Prompt users to confirm email recipients are correct, so information is only ever sent to the right person
- Clean metadata in order to stop inadvertent leaks of sensitive and personal data
- Force password protection on attachments to protect confidential information
- Maintain efficiency and speed in emailing with minimal pop-ups and interruptions to the end user
- Integration with iManage for simpler metadata cleaning workflows
ByrneWallace is a top-tier law firm with over 40 years of history. With a large team of over 300 professionals, including 46 experienced partners, ByrneWallace is renowned for its expertise and promotion of clients’ interests. The firm was awarded the Chambers Europe Ireland Clients Service Award 2017 and the Irish Law Awards Excellence in Client Service Award 2018. ByrneWallace is the only Top 10 law firm in Ireland with Lexcel accreditation and in 2016 became the first Irish law firm to achieve ISO 27001:2013 certification.
About ISO 27001 certification
To comply with the ISO 27001 information security standard, firms must implement and maintain a cohesive set of security controls that cover much more than just IT. These systems must address risks, threats, vulnerabilities, and impacts on a firm’s information security. In 2016 ByrneWallace became the first large firm in Ireland to have ISO 27001 certification. For certification to be given, ByrneWallace had to implement an overarching review and management process designed to address security needs on an on-going basis. In other words, it had to implement much more than quick band-aid fixes. Risk must be managed daily.
About GDPR compliance
The GDPR is the largest and most significant change to European data protection laws in the last 20 years. It requires organizations that store, manage, and use the personal data of European citizens to keep it safe from external attacks, internal threats, and accidental leaks.
Managing the risk of email data breaches
Human error is the biggest risk to information security at any firm. Mistakes like sending an email to the wrong person are the leading source of data breaches according to reports from the Information Commissioner’s Office (ICO) – the body responsible for administering the GDPR.
It’s not only who you’re sending an email to that can cause a breach. It’s also what you send. Document metadata – hidden information that can reveal a person’s identity – must be cleaned from email attachments to safeguard it against being discovered by the recipient.
John Kelly, Head of IT at ByrneWallace, explained that “metadata was always something that was discussed and always something on our radar. And then, with ISO 27001 and the GDPR in effect, we decided to actively do something about the potential it had to cause an accidental data breach.”
To keep information security at the required level for ISO 27001 certification and GDPR compliance, John described how the firm looked for a technology solution that would “prompt users to check email recipients, force password encryption and strip metadata.”
Choosing the right solution
John explained that when it came time to find a solution that would tick all the boxes, he consulted his network. “In Ireland, there is a small community of IT Trainers from top-tier law firms who meet once a quarter to compare and discuss the technology being used at their firms.” The IT Trainers would return to their firms, continued John, “and say ‘Such and such is using this product and it’s fantastic, or this other firm is using another product and doesn’t like it.” ByrneWallace’s IT Trainer discussed the available solutions with this community and, based on their feedback, decided to trial cleanDocs.
Integration with iManage, the firm’s document management system, was also an important factor in the product selection process. John said that “because of the integration with iManage, cleanDocs ultimately seemed like the best fit for us when comparing it to other products.”
ByrneWallace trialed cleanDocs with a department that handled especially sensitive personal data. “Our initial requirements when looking for a solution were recipient checking, metadata cleaning and forced password protection. cleanDocs does all three.” Members of the pilot group gave positive feedback, and cleanDocs was deployed firmwide.
“With cleanDocs, staff can check the recipients for external or public domains and see color-coded warnings, which helps them to manage risk.” On the same screen where recipients are confirmed users can clean attachments of more than 100 types of metadata. Then, they can action a series of time-saving tasks like renaming attachments, converting to Secure PDF or PDF/A, or adding password protection.
John explained that though some users were hesitant at adding a step to their email workflow, “they understand the reason we have cleanDocs and, overall, they are very happy with the product.”
The firm’s management – largely responsible for safeguarding its ISO 27001 accreditation – is also pleased with how cleanDocs is helping staff minimize risk. “After seeing how cleanDocs worked, our stakeholders didn’t have any concerns about it being rolled out to staff. It was welcomed as another layer of protection against data breaches.”
cleanDocs is tightly integrated with ByrneWallace’s email program, and its iManage document management system to ensure sensitive information is protected from the most common data breaches. Staff use email recipient checking technology to ensure sensitive information isn’t sent to the wrong person, and metadata cleaning to stop accidental information leaks by reminding users to remove it before files are sent or shared.
Since sensitive information is safeguarded and shielded from the most significant security risks, ByrneWallace is upholding their commitment to ISO 27001 certification and GDPR compliance.
When asked what advice he would give other firms when it came to keeping data safe, John recommended “implementing products like cleanDocs alongside continual education for staff on the risks of data breaches and how best to manage them.”